ComboFix 08-12-30.02 - JGill 2008-12-31 13:43:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.590 [GMT -6:00]
Running from: c:\documents and settings\jgill\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jgill\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\awtUnOfe.dll
c:\windows\system32\bkwkmpsx.ini
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekaqpoxjcga.sys
c:\windows\system32\dvlnoa.dll
c:\windows\system32\evopqcgl.dll
c:\windows\system32\geBqNgff.dll
c:\windows\system32\prunnet.exe
c:\windows\system32\QprAayay.ini
c:\windows\system32\QprAayay.ini2
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekaftabrrul.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\senekaltoyutow.dll
c:\windows\system32\senekayvkvjgfu.dll
c:\windows\system32\xspmkwkb.dll
c:\windows\system32\yayaArpQ.dll
----- BITS: Possible infected sites -----
hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SENEKA
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.
2008-12-31 12:37 . 2008-12-31 12:37 <DIR> d-------- c:\program files\Trend Micro
2008-12-31 02:43 . 2008-12-31 02:43 1,024 --a------ c:\windows\system32\drivers\69DF7DA5-19CC-4B32-9AAE-1FE318EC2978.cxv
2008-12-31 02:42 . 2008-12-31 02:42 <DIR> d-------- c:\program files\STOPzilla!
2008-12-31 02:42 . 2008-12-31 02:42 <DIR> d-------- c:\program files\Common Files\iS3
2008-12-31 02:42 . 2008-12-31 13:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2008-12-31 02:23 . 2008-12-31 02:23 <DIR> d-------- c:\windows\trlrm
2008-12-31 02:23 . 2008-12-31 05:55 <DIR> d-------- c:\program files\SpyWall
2008-12-31 02:23 . 2008-12-31 02:23 186,880 --a------ c:\windows\system32\drivers\trlkprot.sys
2008-12-31 02:23 . 2008-12-31 02:34 36 -r-h----- c:\windows\sued.dat
2008-12-31 01:12 . 2008-12-31 01:12 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-31 01:12 . 2008-12-31 01:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-31 01:03 . 2008-12-31 01:05 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-31 01:03 . 2008-12-31 01:03 <DIR> d-------- c:\documents and settings\jgill\Application Data\PC Tools
2008-12-31 01:03 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-31 01:03 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-31 01:03 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-31 01:03 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-30 22:08 . 2008-12-30 22:08 72,192 --a------ c:\windows\system32\fccdaBqr.dll
2008-12-25 18:24 . 2008-12-25 18:24 <DIR> d-------- c:\documents and settings\jgill\Application Data\Red Kawa
2008-12-25 18:23 . 2008-12-25 18:23 <DIR> d-------- C:\OpenCandy
2008-12-13 16:55 . 2008-12-13 16:55 <DIR> d-------- c:\program files\iTunes
2008-12-13 16:55 . 2008-12-13 16:55 <DIR> d-------- c:\program files\iPod
2008-12-13 16:55 . 2008-12-13 16:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-13 16:51 . 2008-12-13 16:51 <DIR> d-------- c:\program files\QuickTime
2008-12-11 14:14 . 2008-12-11 14:14 <DIR> d-------- C:\1a18f42789a4915f82796e
2008-12-11 08:51 . 2008-10-23 06:36 286,720 -----c--- c:\windows\system32\dllcache\gdi32.dll
2008-11-19 12:20 . 2008-11-19 12:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-14 08:24 . 2008-11-14 08:24 <DIR> d--h----- c:\documents and settings\All Users\Application Data\CanonBJ
2008-11-14 08:23 . 2008-11-14 08:23 <DIR> d--h----- c:\windows\system32\CanonIJ Uninstaller Information
2008-11-14 08:23 . 2008-11-14 08:23 <DIR> d--h----- c:\program files\CanonBJ
2008-11-14 08:23 . 2007-03-23 16:30 1,400,832 --a------ c:\windows\system32\CNC210C.DLL
2008-11-14 08:23 . 2008-02-06 05:00 216,064 --a------ c:\windows\system32\CNMLM8S.DLL
2008-11-14 08:23 . 2007-03-19 10:16 200,704 --a------ c:\windows\system32\CNC210L.DLL
2008-11-14 08:23 . 2007-03-15 14:12 188,416 --a------ c:\windows\system32\CNC210O.DLL
2008-11-14 08:23 . 2007-03-23 16:29 98,304 --a------ c:\windows\system32\CNC210I.DLL
2008-11-13 21:17 . 2008-11-13 21:17 <DIR> d-------- c:\program files\Canon
2008-11-12 14:10 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 14:09 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-04 18:17 . 2008-09-12 11:12 69,168 --a------ c:\windows\system32\drivers\sbapifs.sys
2008-11-04 18:15 . 2008-09-12 11:12 13,360 --a------ c:\windows\system32\drivers\sbaphd.sys
2008-11-04 10:30 . 2008-11-04 10:30 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2008-11-04 10:30 . 2008-11-04 10:30 57,344 --a------ c:\windows\system32\QuickTime.qts
2008-11-03 11:16 . 2008-10-09 10:21 202,928 --a------ c:\windows\system32\drivers\sbtis.sys
2008-11-03 11:15 . 2008-11-03 11:15 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Sunbelt
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 19:56 --------- d-----w c:\documents and settings\jgill\Application Data\Skype
2008-12-31 19:26 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-31 08:55 --------- d-----w c:\documents and settings\jgill\Application Data\skypePM
2008-12-26 00:24 --------- d-----w c:\program files\Red Kawa
2008-12-21 02:36 --------- d-----w c:\documents and settings\jgill\Application Data\DVD Flick
2008-12-16 17:35 2,401 ----a-w c:\windows\system32\drivers\AlKernel.sys
2008-12-14 18:11 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-13 22:55 --------- d-----w c:\program files\Common Files\Apple
2008-12-06 23:46 --------- d-----w c:\documents and settings\jgill\Application Data\U3
2008-11-19 18:20 --------- d-----w c:\program files\AIM6
2008-11-19 18:20 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-19 18:19 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-05 11:00 497 ----a-w c:\program files\Altir
2008-11-05 11:00 240 ----a-w c:\program files\Altira
2008-10-28 22:28 65,320 ----a-w c:\windows\system32\sbbd.exe
2008-10-25 13:18 1,846,912 ----a-w c:\windows\system32\win32k.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-22 02:10 41 ----a-w C:\AClient.dat
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-03-15 03:36 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2005-11-15 20:32 3,638 ----a-r c:\program files\Common Files\Altiris_Icon.ico
2008-04-09 05:10 88 --sha-r c:\windows\system32\739E81C5EA.sys
2008-04-09 05:11 2,828 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-08-03 19:44 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080320080804\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-02-06 21898024]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-11-17 53341]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATSwpNav"="c:\program files\Fingerprint Sensor\ATSwpNav -run" [X]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-13 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-13 271872]
"AClntUsr"="c:\program files\Altiris\AClient\AClntUsr.EXE" [2008-12-31 184320]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2007-03-27 143360]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 761946]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"FjStrtAp"="c:\program files\Fujitsu\Utils\FjStrtAp.exe" [2006-03-30 20480]
"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2005-09-09 81920]
"OmniPass"="c:\program files\Softex\OmniPass\scureapp.exe" [2005-11-21 1847296]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 528384]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-14 185632]
"V0400Mon.exe"="c:\windows\V0400Mon.exe" [2007-08-23 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"SBAMTray"="c:\program files\Sunbelt Software\SBEAgent\SBAMTray.exe" [2008-10-28 664872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"AGRSMMSG"="AGRSMMSG.exe" [2006-01-16 c:\windows\AGRSMMSG.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
c:\documents and settings\jgill\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"consentpromptbehavioradmin"= 0 (0x0)
"enablesecureuiapaths"= 0 (0x0)
"promptonsecuredesktop"= 0 (0x0)
"DefaultLogonDomain"= stlcop.local
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoPropertiesMyComputer"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-13 18:11 47104 c:\program files\Common Files\Microsoft Shared\INK\loginkey.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 02:41 11776 c:\windows\system32\tabbtnwl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-13 18:12 32256 c:\windows\system32\tpgwlnot.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=AMINIT.DLL dvlnoa.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.voxacm150"= vct32150.acm
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\
0\
0]
"Script"=bootup.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\
0\1]
"Script"=pushprinterconnections.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1162508061-1999852495-692992123-23580\Scripts\Logon\
0\
0]
"Script"=Unified Logon rev6.vbe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1162508061-1999852495-692992123-23580\Scripts\Logon\
0\1]
"Script"=pushprinterconnections.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1162508061-1999852495-692992123-30909\Scripts\Logon\
0\
0]
"Script"=Unified Logon rev6.vbe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1162508061-1999852495-692992123-30909\Scripts\Logon\
0\1]
"Script"=pushprinterconnections.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1162508061-1999852495-692992123-4280\Scripts\Logoff\
0\
0]
"Script"=LogOff.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1162508061-1999852495-692992123-4280\Scripts\Logon\
0\
0]
"Script"=Unified Logon rev3.vbe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1162508061-1999852495-692992123-4280\Scripts\Logon\1\
0]
"Script"=TechLogon.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1162508061-1999852495-692992123-7611\Scripts\Logon\
0\
0]
"Script"=Unified Logon rev3.vbe
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MoRUN.net\\Sticker Lite\\sticker.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\trlrm\\RMHSvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8834:TCP"= 8834:TCP:BitComet 8834 TCP
"8834:UDP"= 8834:UDP:BitComet 8834 UDP
R0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2006-02-21 36352]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2005-09-23 28544]
R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [2007-03-07 9216]
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-11-04 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2008-11-03 202928]
R1 trlkprot;Trlokom Application scan driver;c:\windows\system32\Drivers\trlkprot.sys [2008-12-31 186880]
R2 ekrn;Eset Service;"c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe" [2008-03-13 472320]
R2 SBAMSvc;CounterSpy Enterprise Agent;"c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe" [2008-10-28 886056]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2008-11-04 69168]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-10-29 24652]
R3 Fjbtndrv;Fujitsu Button Driver;c:\windows\system32\DRIVERS\FjBtnDrv.sys [2006-03-29 17920]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\DRIVERS\FUJ02E3.sys [2004-01-17 4864]
R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\DRIVERS\hidpen.sys [2004-08-02 31104]
S3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\DRIVERS\MSTabBtn.sys [2003-10-09 9344]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\DRIVERS\s125bus.sys [2007-09-20 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s125mdfl.sys [2007-10-21 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s125mdm.sys [2007-10-21 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s125mgmt.sys [2007-10-21 100488]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s125obex.sys [2007-10-21 98696]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys [2008-10-23 92464]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-31 356920]
S3 VF0400Afx;VF0400 Audio FX;c:\windows\system32\Drivers\V0400Afx.sys [2008-04-24 142656]
S3 VF0400Vfx;VF0400 Video FX;c:\windows\system32\DRIVERS\V0400VFx.sys [2008-04-24 7424]
S3 VF0400Vid;Live! Cam Notebook Pro (VF0400);c:\windows\system32\DRIVERS\V0400Vid.sys [2008-04-24 166720]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\DRIVERS\wacompen.sys [2006-06-16 14208]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2075e72b-8b45-11dd-b2d7-00130260747d}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{497c3b70-a2c6-11dc-b209-00130260747d}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83916990-17a2-11dd-b272-00130260747d}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94a82682-d59a-11dc-b22f-00130260747d}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2008-12-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-12-31 c:\windows\Tasks\xhaplsdi.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -
BHO-{3270BEEE-61C1-4A62-B434-BF43ADA13473} - (no file)
BHO-{90E8BC1C-6CBD-4324-BB64-F27B41F9C34B} - (no file)
BHO-{9238bcd0-5ea0-4770-bbbf-d39bf1b5f58e} - c:\windows\system32\dvlnoa.dll
BHO-{B3F37293-2861-490C-9057-DF7FF30620E4} - (no file)
BHO-{E30FF91D-B3BC-47E4-B9AD-C80440825C9E} - c:\windows\system32\yayaArpQ.dll
Toolbar-SITEguard - (no file)
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-e480bd72 - c:\windows\system32\xspmkwkb.dll
HKLM-Run-<NO NAME> - (no file)
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.stlcop.edu/
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
FF - ProfilePath - c:\documents and settings\jgill\Application Data\Mozilla\Firefox\Profiles\8q8iqqug.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\jgill\Application Data\Mozilla\Firefox\Profiles\8q8iqqug.default\extensions\
[email protected]\components\coolirisstub.dll
FF - plugin: c:\documents and settings\jgill\Application Data\Mozilla\Firefox\Profiles\8q8iqqug.default\extensions\
[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Yahoo!\Common\npyaxmpb.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-31 13:55:13
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Owner=S-1-5-21-1162508061-1999852495-692992123-23580
"*"=dword:00000004
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_USERS\S-1-5-21-1162508061-1999852495-692992123-23580\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_USERS\S-1-5-21-1162508061-1999852495-692992123-23580\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_USERS\S-1-5-21-1162508061-1999852495-692992123-23580\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5CC24401-FC12-72A2-87BF-BEDD778F83AB}*NULL*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-1162508061-1999852495-692992123-23580
@Allowed: (Full) (S-1-5-21-1162508061-1999852495-692992123-23580)
@Allowed: (Full) (S-1-5-21-1162508061-1999852495-692992123-23580)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
"oaacddabkpnidfgeiekdnkihgmdkjo"=hex:64,61,61,65,64,6e,66,6a,00,80
"oamodfkgeammaipdnhmoolhndjhfpa"=hex:6b,61,62,65,66,6e,64,63,64,64,6f,70,66,6e,\
6c,62,61,61,61,6c,6c,6b,00,00
"naobnaoiojmdepnmdaehgajjdkjb"=hex:6a,61,61,65,65,6e,61,70,68,70,6a,70,6c,69,\
6e,6e,6c,66,68,63,00,fd
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\{2851123E-5786-41BE-A3F1-A9B21E499EEB}]
@Owner=Administrators
@Denied: (A C D 1) (S-1-5-21-1162508061-1999852495-692992123-15641)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Owner)
@Allowed: (Full) (LocalSystem)
@Allowed: (Read) (Users)
"DisplayIcon"="c:\\Program Files\\Common Files\\Altiris_Icon.ico,0"
"AuthorizedCDFPrefix"=""
"Comments"="This product contains Altiris Task Synchronization Agent"
"Contact"="customer support Department"
"DisplayVersion"="6.1.1030.0"
"HelpLink"=expand:"http://www.altiris.com"
"HelpTelephone"="1-801-226-8500"
"InstallDate"="20070621"
"InstallLocation"=""
"InstallSource"="c:\\WINDOWS\\TEMP\\apt4\\"
"ModifyPath"=expand:"MsiExec.exe /X{2851123E-5786-41BE-A3F1-A9B21E499EEB}"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001
"Publisher"="Altiris Inc."
"Readme"=""
"Size"=""
"EstimatedSize"=dword:00000156
"UninstallString"=expand:"MsiExec.exe /X{2851123E-5786-41BE-A3F1-A9B21E499EEB}"
"URLInfoAbout"="http://www.altiris.com"
"URLUpdateInfo"=""
"VersionMajor"=dword:00000006
"VersionMinor"=dword:00000001
"WindowsInstaller"=dword:00000001
"Version"=dword:06010406
"Language"=dword:00000409
"DisplayName"="Altiris Task Synchronization Agent"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\{92F2A534-C3E4-4B18-BEBD-329F5E848C8B}]
@Owner=Administrators
@Denied: (A C D 1) (S-1-5-21-1162508061-1999852495-692992123-15641)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Owner)
@Allowed: (Full) (LocalSystem)
@Allowed: (Read) (Users)
"DisplayVersion"="6.0.0.2386"
"UninstallString"="c:\\Program Files\\Altiris\\Altiris Agent\\AeXNSAgent.exe /uninstall"
"Publisher"="Altiris Inc."
"HelpLink"="http://www.altiris.com/support"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\{9B25F628-D16E-4AC2-9FD8-88B98F5B8E89}]
@Owner=Administrator
@Denied: (A C D 1) (S-1-5-21-1162508061-1999852495-692992123-15641)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Owner)
@Allowed: (Full) (LocalSystem)
@Allowed: (Read) (Users)
@SACL=
"UninstallString"="RunDll32 c:\\PROGRA~1\\COMMON~1\\INSTAL~1\\engine\\6\\INTEL3~1\\Ctor.dll,LaunchSetup \"c:\\Program Files\\InstallShield Installation Information\\{9B25F628-D16E-4AC2-9FD8-88B98F5B8E89}\\Setup.exe\" -l0x9 "
"DisplayName"="Altiris Application Metering Agent"
"LogFile"="c:\\Program Files\\InstallShield Installation Information\\{9B25F628-D16E-4AC2-9FD8-88B98F5B8E89}\\setup.ilg"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\{A0A1EB01-A6FD-423A-8480-364055A7C961}]
@Owner=Administrators
@Denied: (A C D 1) (S-1-5-21-1162508061-1999852495-692992123-15641)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Owner)
@Allowed: (Full) (LocalSystem)
@Allowed: (Read) (Users)
"DisplayIcon"="c:\\Program Files\\Altiris\\Altiris Agent\\AeXSWDAppInv.exe,0"
"AuthorizedCDFPrefix"=""
"Comments"="This product contains Altiris Software Delivery Solution Agent"
"Contact"="customer support Department"
"DisplayVersion"="6.1.1016.0"
"HelpLink"=expand:"http://www.altiris.com"
"HelpTelephone"="1-801-226-8500"
"InstallDate"="20070621"
"InstallLocation"=""
"InstallSource"="c:\\WINDOWS\\TEMP\\apt3\\"
"ModifyPath"=expand:"MsiExec.exe /X{A0A1EB01-A6FD-423A-8480-364055A7C961}"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001
"Publisher"="Altiris Inc."
"Readme"=""
"Size"=""
"EstimatedSize"=dword:0000037b
"UninstallString"=expand:"MsiExec.exe /X{A0A1EB01-A6FD-423A-8480-364055A7C961}"
"URLInfoAbout"="http://www.altiris.com"
"URLUpdateInfo"=""
"VersionMajor"=dword:00000006
"VersionMinor"=dword:00000001
"WindowsInstaller"=dword:00000001
"Version"=dword:060103f8
"Language"=dword:00000409
"DisplayName"="Altiris Software Delivery Solution Agent"
[HKEY_LOCAL_MACHINE\software\Sigmatel\GlobalState]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=Administrators
@Denied: (Full) (Guests)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (B 1 2 3 4 5) (S-1-5-4)
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\ComputerName]
@Owner=Administrators
@Denied: (A C D 2) (S-1-5-21-1162508061-1999852495-692992123-15641)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Owner)
@Allowed: (Full) (LocalSystem)
@Allowed: (Read) (Users)
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\ComputerName\$%&'()*+,-./0123$%&]
@Owner=S-1-5-21-1162508061-1999852495-692992123-23580
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\ComputerName\ComputerName]
@Owner=Administrators
"ComputerName"="S067060"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(896)
c:\program files\Softex\OmniPass\ginastub.dll
c:\program files\Softex\OmniPass\ssplogon.dll
c:\program files\Softex\OmniPass\cryptodll.dll
c:\program files\Softex\OmniPass\storeng.dll
c:\program files\Softex\OmniPass\autheng.dll
c:\program files\Softex\OmniPass\userdata.dll
c:\program files\Softex\OmniPass\hdddrv.dll
c:\program files\Softex\OmniPass\ldapdrv.dll
c:\program files\Softex\OmniPass\cachedrv.dll
c:\program files\Softex\OmniPass\sftxtgp.dll
c:\program files\Softex\OmniPass\mstrpwd.dll
c:\program files\Softex\OmniPass\authntec.dll
c:\windows\system32\atsc63.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Softex\OmniPass\OmniServ.exe
c:\program files\Common Files\iS3\Anti-Spyware\SZServer.exe
c:\windows\system32\scardsvr.exe
c:\program files\Altiris\AClient\ACLIENT.EXE
c:\program files\Altiris\Altiris Agent\AeXNSAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CCSRVC.exe
c:\program files\Altiris\Carbon Copy\ShellKer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PSIService.exe
c:\windows\trlrm\RMHSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Microsoft Shared\INK\keyboardsurrogate.exe
c:\windows\system32\wisptis.exe
c:\windows\system32\tabbtnu.exe
c:\progra~1\Altiris\CARBON~1\Client.exe
c:\program files\Common Files\Microsoft Shared\INK\tcserver.exe
c:\program files\Fingerprint Sensor\ATSwpNav.exe
c:\program files\Fujitsu\Utils\FjDspMon.exe
c:\program files\Fujitsu\Utils\FjEvents.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
c:\program files\STOPzilla!\STOPzilla.exe
.
**************************************************************************
.
Completion time: 2008-12-31 14:03:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-31 20:02:34
Pre-Run: 13,061,054,464 bytes free
Post-Run: 13,111,775,232 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
515 --- E O F --- 2008-12-18 18:33:15