COMBOFIX:
ComboFix 09-04-25.A3 - Mikey 04/25/2009 16:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.927 [GMT -4:00]
Running from: c:\documents and settings\Mikey\Desktop\Combo-fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\IE4 Error Log.txt
c:\windows\Install.txt
c:\windows\system32\_003671_.tmp.dll
c:\windows\system32\_003672_.tmp.dll
c:\windows\system32\_003673_.tmp.dll
c:\windows\system32\_003674_.tmp.dll
c:\windows\system32\_003682_.tmp.dll
c:\windows\system32\_003683_.tmp.dll
c:\windows\system32\_003684_.tmp.dll
c:\windows\system32\_003686_.tmp.dll
c:\windows\system32\_003687_.tmp.dll
c:\windows\system32\_003690_.tmp.dll
c:\windows\system32\_003691_.tmp.dll
c:\windows\system32\_003693_.tmp.dll
c:\windows\system32\_003694_.tmp.dll
c:\windows\system32\_003695_.tmp.dll
c:\windows\system32\_003697_.tmp.dll
c:\windows\system32\_003700_.tmp.dll
c:\windows\system32\_003701_.tmp.dll
c:\windows\system32\_003705_.tmp.dll
c:\windows\system32\_003706_.tmp.dll
c:\windows\system32\_003708_.tmp.dll
c:\windows\system32\_003711_.tmp.dll
c:\windows\system32\_003713_.tmp.dll
c:\windows\system32\_003714_.tmp.dll
c:\windows\system32\_003715_.tmp.dll
c:\windows\system32\_003716_.tmp.dll
c:\windows\system32\_003717_.tmp.dll
c:\windows\system32\_003720_.tmp.dll
c:\windows\system32\_003721_.tmp.dll
c:\windows\system32\_003722_.tmp.dll
c:\windows\system32\_003723_.tmp.dll
c:\windows\system32\_003724_.tmp.dll
c:\windows\system32\_003729_.tmp.dll
c:\windows\system32\_003731_.tmp.dll
c:\windows\system32\drmgs.sys
c:\windows\system32\ebayamom.ini
c:\windows\system32\enilajeb.ini
c:\windows\system32\gewotuzo.dll
c:\windows\system32\gigopero.dll
c:\windows\system32\Install.txt
c:\windows\system32\itirozar.ini
c:\windows\system32\izudirov.ini
c:\windows\system32\joyabihu.dll
c:\windows\system32\juvamonu.exe
c:\windows\system32\lahozunu.dll
c:\windows\system32\lihitove.dll
c:\windows\system32\lufuwalo.dll
c:\windows\system32\nazuroko.dll
c:\windows\system32\ohawovir.ini
c:\windows\system32\opugotut.ini
c:\windows\system32\rivowaho.dll
c:\windows\system32\tijezaze.dll
c:\windows\system32\uhibayoj.ini
c:\windows\system32\vifiride.dll
----- BITS: Possible infected sites -----
hxxp://83.149.105.228
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_360TAY
-------\Legacy_AFISICX
-------\Legacy_MABIDWE
-------\Legacy_SOPIDKC
-------\Legacy_SOXPECA
-------\Legacy_WINDOWS
-------\Service_sopidkc
-------\Service_windows
((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.
2009-04-24 21:05 . 2009-04-24 21:05 -------- d-----w c:\program files\Trend Micro
2009-04-24 02:05 . 2009-04-24 02:06 -------- d-----w C:\Rooter$
2009-04-23 21:48 . 2009-04-23 21:48 19 ----a-w c:\windows\wp.ini
2009-04-23 21:35 . 2009-04-23 21:47 2059 ----a-w c:\windows\wp2.ini
2009-04-23 20:31 . 2009-04-23 20:31 9216 ----a-w c:\windows\instsp2.exe
2009-04-17 22:42 . 2009-04-17 22:42 -------- d-sh--w c:\documents and settings\LocalService\UserData
2009-04-17 22:08 . 2009-04-17 22:04 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-17 22:03 . 2009-04-17 22:12 -------- d-----w c:\documents and settings\Mikey\.housecall6.6
2009-04-17 01:07 . 2009-04-17 01:07 -------- d-----w c:\documents and settings\backup\Local Settings\Application Data\Mozilla
2009-04-16 23:29 . 2009-04-16 23:29 -------- d-----w c:\documents and settings\backup\Local Settings\Application Data\Apple Computer
2009-04-16 23:29 . 2009-04-16 23:29 -------- d-----w c:\documents and settings\backup\Local Settings\Application Data\{A4EEE4BE-6403-4B33-BB74-FC2BECDEAC7A}
2009-04-16 00:41 . 2009-04-18 04:02 0 ----a-w c:\windows\Fvalevuqadiruvu.bin
2009-04-16 00:41 . 2009-04-16 00:41 -------- d-----w c:\documents and settings\Mikey\Local Settings\Application Data\{27DD1B7A-F32D-4468-9ED9-26F5367F5330}
2009-04-16 00:41 . 2009-04-16 20:27 408 ----a-w c:\windows\Sligi.dat
2009-04-16 00:26 . 2009-04-16 00:26 155136 ----a-w c:\windows\iyolamufoyemuyos.dll
2009-04-06 23:05 . 2009-04-06 23:05 -------- d-----w c:\program files\iPod
2009-04-06 23:05 . 2009-04-06 23:06 -------- d-----w c:\program files\iTunes
2009-04-06 23:05 . 2009-04-06 23:06 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 20:54 . 2009-02-28 15:04 5212192 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-25 20:51 . 2005-11-22 03:16 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-25 20:47 . 2009-03-01 15:08 8837 ----a-w C:\aaw7boot.log
2009-04-25 20:46 . 2009-02-28 15:04 62036 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-25 00:21 . 2009-01-25 00:21 47104 --sha-w c:\windows\system32\fipezuvo.exe
2009-04-24 11:39 . 2009-01-24 11:39 46592 --sha-w c:\windows\system32\yatevipi.exe
2009-04-24 02:06 . 2009-04-24 02:06 3401 ----a-w C:\Rooter.txt
2009-04-23 20:31 . 2009-01-23 20:31 47616 --sha-w c:\windows\system32\wonasuli.exe
2009-04-22 20:49 . 2009-01-22 20:49 89088 --sha-w c:\windows\system32\waritili.dll.vir
2009-04-22 20:49 . 2009-01-22 20:49 46592 --sha-w c:\windows\system32\pajafare.exe
2009-04-21 21:00 . 2009-01-21 21:00 47616 --sha-w c:\windows\system32\meyoreho.exe
2009-04-20 23:24 . 2009-04-20 23:25 121856 ----a-w c:\windows\Internet Logs\xDB5.tmp
2009-04-20 20:10 . 2009-01-20 20:10 47104 --sha-w c:\windows\system32\viduhepi.exe
2009-04-20 20:10 . 2009-01-20 20:10 89088 --sha-w c:\windows\system32\yijefaze.dll.vir
2009-04-20 00:10 . 2009-01-20 00:10 89088 --sha-w c:\windows\system32\mokehohi.dll.vir
2009-04-20 00:10 . 2009-01-20 00:10 47104 --sha-w c:\windows\system32\bametusi.exe
2009-04-19 12:12 . 2009-01-19 12:12 47104 --sha-w c:\windows\system32\zobudome.exe
2009-04-18 23:32 . 2009-01-18 23:32 47104 --sha-w c:\windows\system32\jumayiya.exe
2009-04-18 12:30 . 2009-03-14 12:13 3233234 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-04-18 11:18 . 2009-01-18 11:18 47104 --sha-w c:\windows\system32\kekurapu.exe
2009-04-17 21:16 . 2009-01-17 21:16 47104 --sha-w c:\windows\system32\nuyepuno.exe
2009-04-16 23:19 . 2009-04-16 23:23 374272 ----a-w c:\windows\Internet Logs\xDB24.tmp
2009-04-16 23:19 . 2009-04-16 23:23 1427456 ----a-w c:\windows\Internet Logs\xDB51.tmp
2009-04-15 23:59 . 2009-01-15 23:58 107520 --sha-w c:\windows\system32\varareto.dll.vir
2009-04-10 23:56 . 2008-11-25 23:05 1439 ----a-w C:\cmdline.txt
2009-04-08 11:39 . 2009-04-08 12:15 3027456 ----a-w c:\windows\Internet Logs\xDB4.tmp
2009-04-06 23:05 . 2008-08-19 00:12 -------- d-----w c:\program files\Common Files\Apple
2009-03-30 01:14 . 2008-07-16 15:01 -------- d--h--w c:\documents and settings\Mikey\Application Data\IJJIGame
2009-03-22 11:18 . 2009-03-22 11:18 -------- d-----w c:\documents and settings\Mikey\Application Data\Safer Networking
2009-03-22 11:13 . 2009-03-22 11:13 -------- d-----w c:\program files\Safer Networking
2009-03-22 00:57 . 2005-11-22 03:09 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-22 00:57 . 2005-11-22 03:09 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-19 20:32 . 2008-01-29 16:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-16 22:52 . 2009-03-16 22:51 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-16 22:49 . 2009-03-16 22:49 -------- d-----w c:\program files\Bonjour
2009-03-16 22:49 . 2009-03-16 22:48 -------- d-----w c:\program files\QuickTime
2009-03-16 22:46 . 2009-03-16 22:45 -------- d-----w c:\program files\Apple Software Update
2009-03-08 15:38 . 2009-03-08 18:48 2798592 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-03-08 13:14 . 2009-03-01 15:02 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-03-08 13:13 . 2009-03-01 14:12 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-03-02 22:27 . 2009-03-02 22:32 1246208 -c--a-w c:\windows\Internet Logs\xDB2.tmp
2009-03-01 14:00 . 2009-03-01 14:00 -------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-01 12:34 . 2009-03-01 12:35 1362432 -c--a-w c:\windows\Internet Logs\xDB1.tmp
2009-02-28 15:02 . 2009-02-28 03:57 4212 ---h--w c:\windows\system32\zllictbl.dat
2009-02-28 15:02 . 2009-02-28 15:02 -------- d-----w c:\program files\ZoneAlarmSB
2009-02-28 14:57 . 2009-02-28 14:57 -------- d-----w c:\documents and settings\All Users\Application Data\MailFrontier
2009-02-28 14:42 . 2009-02-28 14:42 -------- d-----w c:\program files\Zone Labs
2009-02-28 04:11 . 2008-08-12 13:30 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-14 09:23 . 2008-07-16 14:59 69040 -c--a-w c:\documents and settings\Mikey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-09 11:13 . 2008-11-28 19:48 1846784 ----a-w c:\windows\system32\win32k.sys
2008-12-26 22:35 . 2008-12-26 22:35 128 -c--a-w c:\documents and settings\Mikey\Local Settings\Application Data\fusioncache.dat
2007-12-11 21:59 . 2008-07-16 15:00 22328 -c--a-w c:\documents and settings\Mikey\Application Data\PnkBstrK.sys
2005-11-22 03:04 . 2005-11-22 03:02 2339 -c--a-w c:\program files\setuplog.txt
2003-10-01 12:07 . 2005-10-17 20:32 8305 -c--a-w c:\program files\What's New - Word Templates.txt
2009-01-15 23:07 . 2009-01-15 23:07 69120 --sha-w c:\windows\system32\dalusulo.dll.tmp
2009-01-15 23:07 . 2009-01-15 23:07 69120 --sha-w c:\windows\system32\dararudi.dll.tmp
2009-01-15 23:07 . 2009-01-15 23:07 69120 --sha-w c:\windows\system32\tohapuva.dll.tmp
2008-11-29 00:48 . 2008-11-29 00:48 32768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008112820081129\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-02 136600]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-24 85696]
"TPKBDLED"="c:\windows\system32\TpScrLk.exe" [2002-10-09 40960]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 512000]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-26 344064]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-08-29 94208]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-08 515416]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"QCWLIcon"="c:\progra~1\ThinkPad\CONNEC~1\QCWLIcon.exe" [2005-09-06 86016]
"TrackPointSrv"="tp4serv.exe" - c:\windows\system32\tp4serv.exe [2003-11-13 94208]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-08-23 86016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-7-16 24576]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)
"Fast ID Maker"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-09-06 15:08 262144 ----a-w c:\windows\system32\QConGina.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 03:45 28672 ----a-w c:\windows\system32\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-06-17 02:23 24576 ----a-w c:\windows\system32\tphklock.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^Mikey^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Mikey\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"QCWLICON"=c:\progra~1\ThinkPad\CONNEC~1\QCWLIcon.exe
"TP4EX"=tp4ex.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\ijji\\ENGLISH\\u_gbound.exe"=
"c:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\TpScrLk.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"c:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"=
R2 Windows Storage Service v2.0;Windows Storage Service v2.0; [x]
R3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2003-07-24 22821]
R3 bcgbus;Nostromo USB Device Driver; [x]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-04-19 951632]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-17 2794234]
R3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.SYS [2005-09-06 12288]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\windows\system32\DRIVERS\tp4track.sys [2003-11-13 13904]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-08 64160]
S0 Shockprf;Shockprf; [x]
S1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2005-09-06 11520]
S1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-09-06 2432]
S1 ShockMgr;ShockMgr; [x]
S1 TPPWR;TPPWR;c:\windows\system32\drivers\Tppwr.sys [2005-04-20 16384]
S2 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-06-24 124608]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
--- Other Services/Drivers In Memory ---
*Deregistered* - EraserUtilDrv10910
*Deregistered* - EraserUtilRebootDrv
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
ASP.NET REG_MULTI_SZ ASP.NET
mqxihz REG_MULTI_SZ mqxihz
.
Contents of the 'Scheduled Tasks' folder
2009-04-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 13:12]
2009-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2008-07-16 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2008-07-16 06:38]
2009-04-17 c:\windows\Tasks\Update Spybot-S&D.job
- c:\progra~1\SPYBOT~1\SDUpdate.exe [2009-03-22 19:31]
.
- - - - ORPHANS REMOVED - - - -
BHO-{8cadeda2-f573-4622-ad81-ca8745050a50} - c:\windows\system32\gewotuzo.dll
HKCU-Run-Aim6 - (no file)
HKLM-Run-zesidalejo - c:\windows\system32\misohusa.dll
Notify-ckpNotify - (no file)
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Mikey\Application Data\Mozilla\Firefox\Profiles\q9gg4he0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - plugin: c:\program files\Adobe\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npdrmv2.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npdsplay.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npnul32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin7.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npwmsdrm.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-04-25 16:51
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET]
"ServiceDll"="%SystemRoot%\System32\dntnac.fsl"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
- - - - - - - > 'explorer.exe'(380)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Adobe\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\icollect\icserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\icollect\wake_up.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\nexon\MapleStory\npkcmsvc.exe
c:\windows\system32\QCONSVC.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\ThinkPad\UltraNav Wizard\UNavTray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-25 17:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-25 21:06
Pre-Run: 3,880,894,464 bytes free
Post-Run: 3,796,422,656 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,5
367 --- E O F --- 2009-03-15 12:41
HIJACK THIS:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:19:38 PM, on 4/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20978)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\icollect\icserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\icollect\wake_up.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Nexon\MapleStory\npkcmsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=about:blank
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1227920430125
O23 - Service: Altiris Client Service (AClient) - Unknown owner - C:\Altiris\AClient\AClient.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: MC/Empower i.collect Service (iCollectService) - Unknown owner - c:\icollect\icserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\MapleStory\npkcmsvc.exe
O23 - Service: QCONSVC - Lenovo - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Storage Service v2.0 - Unknown owner - C:\WINDOWS\system32\drivers\svchost.exe (file missing)
--
End of file - 10266 bytes
thanks again