*******************************************************************************
Registrykey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
Permissions:
*******************************************************************************
Username                  Type     Permissions   Inheritance
*******************************************************************************
DCY278C1\Administrators   Allowed  Read          This Key Only
No Auditing set
Owner: Administrators (DCY278C1\Administrators)
Here's my combofix log.
ComboFix 09-04-04.01 - Blake 2009-04-11 12:49:01.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.459 [GMT -4:00]
Running from: c:\documents and settings\Blake\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Blake\Desktop\CFScript.txt
AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Extreme Security Firewall *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_boaqi
-------\Service_boaqi
((((((((((((((((((((((((( Files Created from 2009-03-11 to 2009-04-11 )))))))))))))))))))))))))))))))
.
2009-04-05 16:55 . 2009-04-05 16:55 410,984 --a------ c:\windows\system32\deploytk.dll
2009-04-05 16:55 . 2009-04-05 16:55 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-04-04 16:31 . 2009-04-04 16:31 <DIR> d-------- C:\_OTListIt
2009-04-04 11:55 . 2009-04-05 19:36 <DIR> d-------- C:\Lop SD
2009-03-29 03:55 . 2009-03-29 13:48 <DIR> d--h----- c:\documents and settings\Blake\Application Data\GTek
2009-03-29 03:27 . 2009-03-29 13:39 <DIR> d-------- c:\program files\backups
2009-03-29 01:58 . 2009-03-29 01:58 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-29 01:58 . 2009-03-29 01:58 <DIR> d-------- c:\documents and settings\Blake\Application Data\SUPERAntiSpyware.com
2009-03-29 01:58 . 2009-03-29 01:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-29 01:57 . 2009-03-29 01:57 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-29 01:54 . 2009-03-29 01:54 <DIR> d-------- c:\program files\Panda Security
2009-03-29 01:50 . 2009-03-29 01:50 396,288 --a------ c:\program files\HijackThis.exe
2009-03-28 22:41 . 2009-04-05 19:33 <DIR> d-------- C:\Rooter$
2009-03-28 19:32 . 2009-04-05 19:22 2,870 --a------ C:\rollback.ini
2009-03-28 19:16 . 2009-03-28 19:16 <DIR> d-------- c:\documents and settings\Blake\Application Data\MailFrontier
2009-03-28 19:16 . 2009-03-28 19:16 <DIR> d-------- c:\documents and settings\Blake\Application Data\CheckPoint
2009-03-28 19:16 . 2009-04-06 18:32 <DIR> d-------- c:\documents and settings\Blake\Application Data\#ISW.FS#
2009-03-28 19:14 . 2009-04-11 12:56 114,650,656 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-03-28 19:14 . 2009-04-11 12:51 1,535,900 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-03-28 19:09 . 2009-03-28 19:09 <DIR> d-------- c:\program files\CheckPoint
2009-03-28 19:09 . 2009-04-11 12:56 144 --a------ c:\windows\system32\pdfl.dat
2009-03-28 19:09 . 2009-03-28 19:09 144 --a------ c:\windows\system32\lkfl.dat
2009-03-28 19:09 . 2009-03-28 19:09 80 --a------ c:\windows\system32\ibfl.dat
2009-03-28 19:08 . 2009-03-28 19:08 <DIR> d-------- c:\program files\Zone Labs
2009-03-27 13:46 . 2009-03-27 13:47 <DIR> d-------- c:\program files\iTunes
2009-03-27 13:46 . 2009-03-27 13:46 <DIR> d-------- c:\program files\iPod
2009-03-27 13:46 . 2009-03-27 13:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-27 13:44 . 2009-03-27 13:45 <DIR> d-------- c:\program files\QuickTime
2009-03-27 13:42 . 2009-03-27 13:42 <DIR> d-------- c:\program files\Common Files\Apple
2009-03-27 13:32 . 2009-03-27 13:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-19 17:55 . 2008-04-13 14:36 8,832 --a------ c:\windows\system32\drivers\wmiacpi.sys
2009-03-19 17:55 . 2008-04-13 14:36 8,832 --a------ c:\windows\system32\dllcache\wmiacpi.sys
2009-03-19 17:35 . 2006-10-11 21:26 3,107,788 --a------ c:\windows\system32\ativvaxx.dat
2009-03-19 17:35 . 2006-08-23 17:26 2,096 --a------ c:\windows\system32\drivers\ativdkxx.vp
2009-03-19 17:33 . 2009-03-19 17:33 <DIR> d-------- c:\program files\Broadcom
2009-03-19 17:32 . 2009-03-19 17:32 <DIR> d-------- c:\program files\DIFX
2009-03-19 17:31 . 2006-09-13 18:41 3,456 --a------ c:\windows\system32\drivers\atiide.sys
2009-03-19 17:26 . 2009-03-28 16:09 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-19 17:21 . 2009-03-19 17:21 <DIR> d-------- c:\program files\AVG
2009-03-19 17:20 . 2009-03-28 19:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-19 16:09 . 2008-04-14 06:42 26,112 --a------ c:\windows\system32\userinit.exe
2009-03-19 16:06 . 2009-03-19 16:06 <DIR> d--hs---- C:\$RECYCLE.BIN
2009-03-18 20:07 . 2009-03-18 20:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-18 20:07 . 2009-03-18 20:07 <DIR> d-------- c:\documents and settings\Blake\Application Data\Malwarebytes
2009-03-18 20:07 . 2009-03-18 20:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-18 20:07 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-18 20:07 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-18 20:04 . 2009-03-18 20:04 4,128 --a------ C:\INFCACHE.1
2009-03-14 20:35 . 2009-03-14 20:35 <DIR> d--h----- c:\windows\system32\GroupPolicy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 23:18 5,602 ----a-w c:\program files\hijackthis.log
2009-04-05 22:25 --------- d-----w c:\program files\Full Tilt Poker
2009-04-05 21:00 --------- d-----w c:\program files\PokerStars
2009-04-05 20:55 --------- d-----w c:\program files\Java
2009-03-29 04:42 --------- d-----w c:\documents and settings\Blake\Application Data\Ruckus Network
2009-03-28 19:13 --------- d-----w c:\program files\Common Files\AOL
2009-03-28 19:13 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-28 19:12 --------- d-----w c:\program files\AIM
2009-03-28 19:12 --------- d-----w c:\documents and settings\Blake\Application Data\Aim
2009-03-28 19:04 --------- d-----w c:\program files\Yahoo!
2009-03-28 19:01 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-28 19:00 --------- d-----w c:\program files\Dell
2009-03-27 17:48 --------- d-----w c:\program files\Apple Software Update
2009-03-27 17:45 --------- d-----w c:\program files\Bonjour
2009-03-27 17:33 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-19 21:41 --------- d-----w c:\program files\ATI Technologies
2009-03-11 03:37 --------- d-----w c:\documents and settings\Blake\Application Data\Corel
2009-02-27 18:07 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-16 03:10 72,584 ----a-w c:\windows\zllsputility.exe
2008-02-20 05:27 682 -c--a-w c:\documents and settings\Blake\Application Data\wklnhst.dat
2008-09-02 22:31 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090220080903\index.dat
.
((((((((((((((((((((((((((((( SnapShot@2009-03-29_13.49.19.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-11-10 17:27:06 49,248 -c--a-w c:\windows\system32\java.exe
+ 2009-04-05 20:55:29 144,792 ----a-w c:\windows\system32\java.exe
- 2005-11-10 17:27:16 49,250 -c--a-w c:\windows\system32\javaw.exe
+ 2009-04-05 20:55:29 144,792 ----a-w c:\windows\system32\javaw.exe
- 2005-11-10 19:03:54 127,078 -c--a-w c:\windows\system32\javaws.exe
+ 2009-04-05 20:55:29 148,888 ----a-w c:\windows\system32\javaws.exe
- 2009-03-28 23:11:17 4,212 ---ha-w c:\windows\system32\zllictbl.dat
+ 2009-04-04 15:42:29 4,212 ---ha-w c:\windows\system32\zllictbl.dat
- 2009-03-29 17:40:09 69,452 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2009-04-11 16:56:26 564,128 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2009-03-28 23:33:28 11,588,231 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
+ 2009-04-04 15:49:16 11,650,327 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
+ 2009-04-11 16:52:45 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_168.dat
+ 2009-04-11 16:52:41 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_88.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"LxrAutorun"="c:\documents and settings\Blake\Local Settings\Application Data\Lexar Media\LxrAutorun.exe" [2007-03-07 24576]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"syntplpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-03-08 82011]
"syntpenh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-12-14 236544]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"aticcc"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-05 148888]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984]
"SigmatelSysTrayApp"="stsystra.exe" [2006-09-22 c:\windows\stsystra.exe]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\icmpsettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2009-03-19 3456]
R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R2 iswkl;ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2009-02-12 21136]
R2 iswsvc;ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [2009-02-12 390536]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2009-02-25 72672]
R3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [2009-02-12 54928]
.
Contents of the 'Scheduled Tasks' folder
2009-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061213
FF - ProfilePath - c:\documents and settings\Blake\Application Data\Mozilla\Firefox\Profiles\wpuafikj.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-04-11 12:56:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(852)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\ehome\ehrec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\LxrSII1s.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2009-04-11 13:00:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-11 17:00:04
ComboFix2.txt 2009-04-11 14:47:42
ComboFix3.txt 2009-03-29 17:50:37
Pre-Run: 92,234,190,848 bytes free
Post-Run: 92,210,139,136 bytes free
216 --- E O F --- 2009-03-11 05:16:58
Let me know what you think.