ComboFix 08-04-22.5 - 2008-04-23 10:06:06.1 - NTFSx86
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\BM4dc634ec.xml
C:\Windows\pskt.ini
C:\Windows\System32\bceeg.ini
C:\Windows\System32\bceeg.ini2
C:\Windows\System32\bwhlhcws.ini
C:\Windows\System32\cdeeg.ini
C:\Windows\System32\cdeeg.ini2
C:\Windows\System32\cfefe.ini
C:\Windows\System32\cfefe.ini2
C:\Windows\System32\duqybeoi.ini
C:\Windows\system32\geecb.dll
C:\Windows\System32\gptfxtku.ini
C:\Windows\System32\ieijkhyk.ini
C:\Windows\System32\jhiqqklq.ini
C:\Windows\system32\mcrh.tmp
C:\Windows\System32\mivombyw.ini
C:\Windows\System32\nphpvukq.ini
C:\Windows\System32\pmflbxqd.ini
C:\Windows\System32\qbpfcyik.ini
C:\Windows\System32\qtvwa.ini
C:\Windows\System32\qtvwa.ini2
C:\Windows\System32\tohsrlqt.ini
C:\Windows\System32\tvycf.ini
C:\Windows\System32\tvycf.ini2
C:\Windows\System32\ycfbnmtp.ini
C:\Windows\System32\ypkeoyqk.ini
.
((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.
2008-04-23 09:36 . 2008-04-23 09:36 <DIR> d-------- C:\VundoFix Backups
2008-04-23 00:01 . 2008-04-23 09:14 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-22 15:59 . 2008-04-22 21:32 1,540,737 ---hs---- C:\Windows\System32\njihruyr.ini
2008-04-21 11:47 . 2008-04-21 11:47 <DIR> d-------- C:\Users\Jason Mansfield\AppData\Roaming\Nero
2008-04-21 11:41 . 2008-04-21 11:41 <DIR> d-------- C:\Users\All Users\Nero
2008-04-21 11:41 . 2008-04-21 11:41 <DIR> d-------- C:\ProgramData\Nero
2008-04-21 11:41 . 2008-04-21 11:41 <DIR> d-------- C:\Program Files\Nero
2008-04-21 11:41 . 2008-04-21 11:45 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-04-20 14:19 . 2008-04-20 14:40 294 ---hs---- C:\Windows\System32\djxplkbm.ini
2008-04-19 17:50 . 2007-12-16 18:50 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-04-19 17:50 . 2007-12-16 05:56 41,984 --a------ C:\Windows\System32\drivers\monitor.sys
2008-04-19 17:20 . 2008-04-19 17:20 <DIR> d-------- C:\Users\All Users\Windows Genuine Advantage
2008-04-16 19:42 . 2008-04-16 19:42 <DIR> d-------- C:\Program Files\Apple Software Update(228)
2008-04-15 09:49 . 2008-04-15 09:49 294 --ahs---- C:\Windows\System32\qmftlfma.ini
2008-04-13 20:18 . 2008-04-13 20:43 294 --ahs---- C:\Windows\System32\ttamkuet.ini
2008-04-12 14:10 . 2008-04-12 14:14 <DIR> d-------- C:\Program Files\RegCure
2008-04-12 13:22 . 2008-04-12 13:51 414 --ahs---- C:\Windows\System32\hbocmpem.ini
2008-04-12 10:25 . 2008-04-12 11:22 354 --ahs---- C:\Windows\System32\hcyymyfb.ini
2008-04-10 16:53 . 2008-04-10 16:53 294 --ahs---- C:\Windows\System32\bpcgqfub.ini
2008-04-09 12:52 . 2008-04-09 12:52 129 --a------ C:\Windows\System32\MRT.INI
2008-04-09 08:44 . 2008-02-14 19:19 944,184 --a------ C:\Windows\System32\winload.exe
2008-04-09 08:44 . 2008-02-19 01:10 620,088 --a------ C:\Windows\System32\ci.dll
2008-04-09 08:44 . 2008-02-29 02:39 371,712 --a------ C:\Windows\System32\srcore.dll
2008-04-09 08:44 . 2008-02-29 02:38 313,856 --a------ C:\Windows\System32\rstrui.exe
2008-04-09 08:44 . 2008-02-29 02:39 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-09 08:44 . 2008-02-29 02:51 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-09 08:44 . 2008-02-29 02:38 16,384 --a------ C:\Windows\System32\srdelayed.exe
2008-04-09 08:44 . 2008-02-29 02:34 7,168 --a------ C:\Windows\System32\f3ahvoas.dll
2008-04-09 08:44 . 2008-02-29 02:35 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-09 08:01 . 2008-02-29 00:16 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-04-09 07:56 . 2008-02-21 00:43 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-04-09 07:56 . 2007-12-16 07:42 83,968 --a------ C:\Windows\System32\dnsrslvr.dll
2008-04-09 07:56 . 2007-12-16 07:41 24,576 --a------ C:\Windows\System32\dnscacheugc.exe
2008-04-08 21:23 . 2008-04-23 09:19 1,267 --a------ C:\Windows\wininit.ini
2008-04-08 20:52 . 2008-04-19 21:35 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-04-08 20:52 . 2008-04-19 21:35 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-04-08 20:52 . 2008-04-19 21:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-08 20:52 . 2008-04-08 21:27 524,288 --ahs---- C:\ntuser.dat{23bb9f4e-05c6-11dd-a19b-001c26f552eb}.TMContainer00000000000000000002.regtrans-ms
2008-04-08 20:52 . 2008-04-08 21:27 524,288 --ahs---- C:\ntuser.dat{23bb9f4e-05c6-11dd-a19b-001c26f552eb}.TMContainer00000000000000000001.regtrans-ms
2008-04-08 20:52 . 2008-04-08 21:27 65,536 --ahs---- C:\ntuser.dat{23bb9f4e-05c6-11dd-a19b-001c26f552eb}.TM.blf
2008-04-08 08:16 . 2008-04-11 08:21 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-05 15:33 . 2008-04-05 15:33 1,158 --a------ C:\Windows\mozver.dat
2008-04-05 14:29 . 2007-08-01 16:47 102,664 --a------ C:\Windows\System32\drivers\tmcomm.sys
2008-04-05 14:22 . 2008-04-05 19:42 <DIR> d-------- C:\Users\Jason Mansfield\AppData\Roaming\HouseCall 6.6
2008-04-05 13:40 . 2008-04-23 09:01 262,144 --a------ C:\ntuser.dat
2008-04-05 13:40 . 2008-04-23 09:01 5,120 --ah----- C:\ntuser.dat.LOG1
2008-04-05 13:40 . 2008-04-08 20:52 0 --ah----- C:\ntuser.dat.LOG2
2008-04-04 21:34 . 2008-04-04 21:34 <DIR> d-------- C:\Users\Jason Mansfield\.dwa_store
2008-04-04 11:44 . 2008-04-04 11:45 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-04-04 11:44 . 2008-04-04 11:45 <DIR> d-------- C:\Program Files\AVSMedia
2008-04-03 13:50 . 2008-04-03 13:50 0 --a------ C:\Windows\nsreg.dat
2008-04-03 09:35 . 2008-04-03 09:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-02 11:05 . 2007-03-06 22:51 543,232 --a------ C:\Windows\System32\FWPUCLNT.DLL
2008-04-02 11:05 . 2007-03-06 22:51 416,768 --a------ C:\Windows\System32\IKEEXT.DLL
2008-04-02 11:05 . 2007-03-06 22:51 317,440 --a------ C:\Windows\System32\BFE.DLL
2008-04-02 11:05 . 2007-03-06 22:08 84,992 --a------ C:\Windows\System32\drivers\FWPKCLNT.SYS
2008-04-02 10:15 . 2008-04-19 21:35 <DIR> d-------- C:\Users\Jason Mansfield\.housecall6.6
2008-04-01 12:57 . 2008-04-01 12:57 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-01 12:56 . 2008-04-13 14:46 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-04-01 12:56 . 2008-04-13 14:46 <DIR> d-------- C:\ProgramData\Lavasoft
2008-03-31 09:35 . 2008-04-02 10:51 <DIR> d-------- C:\Program Files\Power Video Converter
2008-03-31 09:35 . 2008-03-31 09:35 <DIR> d-------- C:\movies
2008-03-31 09:35 . 2008-03-31 09:35 66 --a------ C:\Windows\Power Video Converter.INI
2008-03-31 09:30 . 2006-11-07 11:22 719,872 --a------ C:\Windows\System32\devil.dll
2008-03-31 09:30 . 2007-05-17 23:30 318,976 --a------ C:\Windows\System32\avisynth.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 03:29 --------- d-----w C:\Users\Jason Mansfield\AppData\Roaming\Zoom Player
2008-04-23 01:53 --------- d-----w C:\Program Files\ReGetDx
2008-04-21 00:32 --------- d-----w C:\Program Files\Apple Software Update
2008-04-20 01:35 --------- d-----w C:\Users\Jason Mansfield\AppData\Roaming\Winamp
2008-04-20 01:35 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-20 01:35 --------- d-----w C:\ProgramData\FLEXnet
2008-04-20 01:35 --------- d-----w C:\Program Files\Microsoft Works
2008-04-20 01:35 --------- d-----w C:\Program Files\GetDiz
2008-04-19 21:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-31 13:30 --------- d-----w C:\Program Files\Amadis Software
2008-03-21 04:07 188,135 ----a-w C:\Users\Jason Mansfield\AppData\Roaming\nvModes.dat
2008-03-06 22:55 --------- d-----w C:\Program Files\Intelore
2008-02-29 23:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-03 20:27 174 --sha-w C:\Program Files\desktop.ini
2008-02-03 20:07 2,923,520 ----a-w C:\Windows\explorer.exe
2008-01-29 04:16 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-29 04:16 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-29 04:16 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-29 04:16 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-29 00:15 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2007-08-30 16:54 76 --sha-r C:\Windows\CT4CET.bin
2007-11-19 00:02 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-11-19 00:02 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-11-19 00:02 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F66DF53-CB1D-4A40-923B-34D2BA7A8488}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A66ED71B-3E07-427F-85B0-BB8132D872C2}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 03:01 1232896]
"DELL Webcam Manager"="C:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe" [2007-06-07 12:14 118784]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 19:10 1688872]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\DellTPad\Apoint.exe" [2007-05-11 02:57 159744]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-06-27 06:17 405504]
"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-08-30 12:52 77824]
"Broadcom Wireless Manager UI"="C:\Windows\system32\WLTRAY.exe" [2007-03-21 15:33 1548288]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-04-16 17:10 184320]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 17:12 107112]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-11-28 06:34 134808]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 19:52 849280]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"bacstray"="C:\Program Files\Broadcom\BACS\BacsTray.exe" [2007-01-14 12:42 124488]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-30 20:34 1006264]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.scg726"= scg726.acm
"msacm.alf2cd"= alf2cd.acm
"vidc.dvsd"= mcdvd_32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM4dc634ec]
C:\Windows\system32\wyqyqsel.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-40607026-3291105624-1167355563-1001]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7FE41D3B-2131-4089-B5FC-868C18F3E4D0}"= C:\Program Files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{1A88CDDC-500B-4CD5-B59A-756EBBB6E8FE}"= C:\Program Files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{E4F4B7EA-C727-4889-B564-A1C1B1BF68E9}"= C:\Program Files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{CC0C2EE7-DC23-4A23-BE48-7D83599AF712}"= C:\Program Files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{A5FD891F-9904-43D6-9619-33FB4E3AA2C9}"= TCP:10421:SingleClick Discovery Protocol
"{4181A74C-9EA8-4103-8006-B9B1EE27D566}"= UDP:139:NetBIOS File/Printer Sharing
"{C4C44A5D-9AF4-4BEF-8444-85BB33FF5BAE}"= TCP:10426:SingleClick ICC
"{BADA4872-A6CB-4512-BB1B-72CAA4753D1D}"= UDP:445:Microsoft Directory Services
"{CCB3AAC9-D04C-46B1-843C-E7CE4EDF31D0}"= TCP:138:NetBIOS Datagram Service
"{1DD6585B-8618-411E-ABB3-42DBB9EE493F}"= TCP:137:NetBIOS Name Service
"{E6789448-3068-40E0-98D3-66F829EA1539}"= UDP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{2CBD1202-BD6D-4FB3-9D80-A2D673FEFF29}"= TCP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{627BBABE-7F8A-4A45-8ECC-23922C8B2ECD}"= UDP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{A689DABE-B1D5-4F41-B5AD-4FA98DA75B84}"= TCP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{94E55BB9-25F3-4183-8E87-52C21966EE17}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{4C18457E-B9A4-4416-A1C2-CF6C8D04ABE0}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{B521C8FD-0751-42DA-B2C6-CCDD17388872}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{EE64065F-51AD-438F-9A91-14E33848F3C4}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5C0B85DD-C35B-4042-889C-AF646B769C03}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B2A59812-E3C7-44D9-8C34-91E5907631A9}"= TCP:10421:SingleClick Discovery Protocol
"{48BB4D93-FADD-4E2D-BE45-82CFC3684692}"= UDP:139:NetBIOS File/Printer Sharing
"{E9CD84E0-A768-4FD3-B73C-26A1A9A583C6}"= TCP:10426:SingleClick ICC
"{88131F75-C549-4EC3-9B35-317B8041DEEC}"= UDP:445:Microsoft Directory Services
"{F540B393-3A65-48B5-AA77-4A9FFEF281AA}"= TCP:138:NetBIOS Datagram Service
"{07AD91C0-027A-4AC2-99AB-C6AE4AB78B5B}"= TCP:137:NetBIOS Name Service
"TCP Query User{401BD53F-55B9-49EA-AAB6-5EB05B5522FA}C:\\program files\\cain\\cain.exe"= UDP:C:\program files\cain\cain.exe:Cain - Password Recovery Utility
"UDP Query User{69D7C617-39CC-4516-B784-C7C950AD88A6}C:\\program files\\cain\\cain.exe"= TCP:C:\program files\cain\cain.exe:Cain - Password Recovery Utility
"{74CCE313-9368-4D06-89DE-09567B722B77}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{5F5E2C11-DB71-47A3-9800-B41F6B97F958}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{AB718675-DA16-4B99-A107-D3861555404D}C:\\program files\\aim6\\aim6.exe"= UDP:C:\program files\aim6\aim6.exe:AIM
"UDP Query User{4EA98336-4E84-4BB6-A206-2EF2BD2027DF}C:\\program files\\aim6\\aim6.exe"= TCP:C:\program files\aim6\aim6.exe:AIM
"{D9AAC2BC-E06D-46B0-8FA0-5BC04555BE56}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{6EFEC5F1-6E7D-4506-A0E8-E8B7DCD9066D}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{27B28D25-DDAB-44F2-BE9D-9DAB0ACA1F77}C:\\program files\\aim6\\aim6.exe"= UDP:C:\program files\aim6\aim6.exe:AIM
"UDP Query User{1E3A6628-303C-42BE-8E02-AA8C3224F1F3}C:\\program files\\aim6\\aim6.exe"= TCP:C:\program files\aim6\aim6.exe:AIM
"{584D9298-B006-404D-ADBE-1CD521BF4700}"= UDP:C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:Dell Network Assistant
"{E4E84484-EDDC-4DAC-92F2-41A54A73A205}"= TCP:C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:Dell Network Assistant
"TCP Query User{F0B3D1D8-81C8-4CC7-9804-FB6BED257B0C}C:\\program files\\cain\\cain.exe"= UDP:C:\program files\cain\cain.exe:Cain - Password Recovery Utility
"UDP Query User{2880B2CA-DDDB-424C-8182-5701CFCF6191}C:\\program files\\cain\\cain.exe"= TCP:C:\program files\cain\cain.exe:Cain - Password Recovery Utility
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17d066a3-fa73-11dc-8dfd-001c26f552eb}]
\shell\Auto\command - UFO.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4903a799-d0bc-11dc-9432-001c26f552eb}]
\shell\Auto\command - UFO.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4903a7ae-d0bc-11dc-9432-001c26f552eb}]
\shell\AutoRun\command - MntDrCore.exe
\shell\Open\command - MntDrCore.exe
\shell\Open With...\command - MntDrCore.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b5fbbe2-f107-11dc-9644-001c26f552eb}]
\shell\Auto\command - UFO.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d0e7422-d685-11dc-b5f6-001c26f552eb}]
\shell\Auto\command - UFO.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{973c19eb-ed23-11dc-901f-001c26f552eb}]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\UFO.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9eee2b3b-d643-11dc-8c50-001c26f552eb}]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL H:\UFO.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b73f6673-dcaa-11dc-bc2a-001c26f552eb}]
\shell\Auto\command - UFO.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{105F2209-BFB8-3496-CB4D-D83134A3E5A3}]
C:\Windows\system32:wupdate.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 14:12:44 C:\Windows\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-04-12 18:29:38 C:\Windows\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 10:13:01
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\DellTPad\hidfind.exe
C:\Program Files\DellTPad\ApntEx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\DELL\QuickSet\quickset.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\System32\stacsv.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Windows\System32\taskmgr.exe
C:\Windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2008-04-23 10:18:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-23 14:18:08
Pre-Run: 60,020,125,696 bytes free
Post-Run: 59,530,272,768 bytes free
--- E O F --- 2008-04-22 19:30:02
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:23 AM, on 4/23/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\DELL\MediaDirect\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Broadcom\BACS\BacsTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\DELL\QuickSet\quickset.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\BacsTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DELL Webcam Manager] "C:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe" /s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-21-40607026-3291105624-1167355563-1001\..\Run: [Aim6] (User '?')
O4 - HKUS\S-1-5-21-40607026-3291105624-1167355563-1001\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-40607026-3291105624-1167355563-1001\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020 (User '?')
O4 - S-1-5-21-40607026-3291105624-1167355563-1001 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User '?')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onec...s/wlscctrl2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 11735 bytes