ComboFix 09-04-29.01 - Owner 04/29/2009 18:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1470.1016 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\IE4 Error Log.txt
c:\windows\wiaserviv.log
D:\Autorun.inf
Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_$SYS$ARIES
-------\Legacy_$SYS$DRMSERVER
-------\Legacy_CD_PROXY
-------\Legacy_SFC
-------\Service_sfc
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.
2009-04-29 11:21 . 2009-04-29 23:45 192512 ----a-w c:\windows\system32\kdfvmgr.exe
2009-04-29 11:21 . 2009-04-29 23:45 77824 ----a-w c:\windows\system32\kdfapi.dll
2009-04-29 11:21 . 2009-04-29 23:37 53248 ----a-w c:\windows\system32\Kdfhok.dll
2009-04-29 11:21 . 2009-04-29 23:45 387288 ----a-w c:\windows\system32\kdfmgr.exe
2009-04-29 11:21 . 2009-04-29 11:21 -------- d-----w c:\windows\kdefense
2009-04-29 11:21 . 2009-04-29 11:21 475872 ----a-w c:\windows\system32\kdfinj.dll
2009-04-29 05:14 . 2009-04-29 05:14 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Trend Micro
2009-04-29 05:12 . 2009-04-29 05:12 -------- d-----w c:\windows\LocalSSL
2009-04-29 05:12 . 2009-04-29 05:12 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-04-29 05:10 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-29 05:10 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-29 05:10 . 2009-04-29 05:19 -------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-04-29 05:07 . 2009-04-29 05:07 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-04-29 05:07 . 2009-04-29 05:07 335376 ----a-w c:\windows\system32\drivers\TM_CFW.sys
2009-04-29 05:07 . 2009-04-29 05:07 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-04-29 05:07 . 2009-04-29 05:07 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-04-29 05:07 . 2009-04-29 05:07 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-04-29 02:13 . 2009-04-02 23:08 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-26 03:52 . 2009-04-26 03:52 -------- d-----w c:\documents and settings\Owner\Application Data\xjoejqoi
2009-04-26 03:52 . 2009-04-26 03:52 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\xjoejqoi
2009-04-24 18:38 . 2009-04-24 19:47 -------- d-----w c:\documents and settings\Owner\Application Data\Download Manager
2009-04-17 03:30 . 2009-04-26 01:56 287952 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-16 19:30 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 19:30 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-16 19:29 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 19:29 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 19:29 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 19:29 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 19:29 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 19:29 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 19:29 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 19:29 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 19:29 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 02:55 . 2009-04-14 02:55 -------- d-----w c:\documents and settings\All Users\Application Data\TEMP
2009-04-14 02:55 . 2009-04-14 05:13 -------- d-----w c:\program files\ZAR
2009-04-14 02:08 . 2001-08-18 03:36 5632 ----a-w c:\windows\system32\ptpusb.dll
2009-04-14 02:08 . 2008-04-14 00:12 159232 ----a-w c:\windows\system32\ptpusd.dll
2009-04-13 03:13 . 2009-04-13 03:13 -------- d-----w c:\documents and settings\Owner\Application Data\National Instruments
2009-04-13 01:40 . 2009-04-13 01:40 -------- d-----w c:\documents and settings\All Users\Application Data\Seagate
2009-04-13 01:40 . 2009-04-13 01:40 -------- d-----w c:\program files\Seagate
2009-04-02 10:44 . 2009-04-02 13:04 -------- d-----w c:\documents and settings\Owner\.housecall6.6
2009-03-31 23:15 . 2009-03-31 23:16 -------- d-----w C:\6eda8e8d461ae6bfa115f5871aa75f
2009-03-31 23:14 . 2009-03-31 23:28 -------- d-----w c:\windows\SxsCaPendDel
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 05:11 . 2009-03-24 04:25 -------- d-----w c:\program files\trend micro
2009-04-27 16:43 . 2007-11-16 01:49 -------- d-----w c:\program files\Coupons
2009-04-26 07:38 . 2009-03-23 19:30 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-26 03:47 . 2004-08-26 16:12 -------- d-----w c:\program files\Common Files\Mozilla Shared
2009-04-26 01:59 . 2008-04-04 17:35 127088 -c--a-w c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-04-24 19:22 . 2005-06-08 15:23 -------- d-----w c:\program files\Common Files\Adobe
2009-04-24 19:13 . 2006-11-21 17:53 129784 ------w c:\windows\system32\PxAFS.DLL
2009-04-22 03:58 . 2008-05-14 16:19 -------- d-----w c:\program files\Napster
2009-04-17 11:48 . 2005-03-24 23:51 -------- d-----w c:\program files\Java
2009-04-13 01:41 . 2005-03-24 23:41 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-06 20:32 . 2009-03-23 19:30 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2009-03-23 19:30 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-24 01:50 . 2005-06-13 19:00 2266 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-03-19 01:55 . 2009-03-19 01:55 -------- d-----w c:\program files\activePDF
2009-03-13 00:34 . 2009-03-13 00:33 -------- d-----w c:\program files\PICC
2009-03-09 10:19 . 2008-11-26 15:31 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-26 16:12 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 22:42 . 2008-08-16 13:45 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-03 00:18 . 2004-08-26 16:12 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-26 16:11 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-26 16:11 729088 ------w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-26 16:12 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-26 16:12 714752 ------w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-26 16:11 617472 ------w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-26 16:12 1846784 ------w c:\windows\system32\win32k.sys
2009-02-08 00:02 . 2004-08-04 05:59 2066048 ------w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-26 16:12 110592 ------w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-26 16:12 2189056 ------w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-26 16:12 35328 ------w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-26 16:12 56832 ----a-w c:\windows\system32\secur32.dll
2005-08-10 02:02 . 2005-08-10 02:02 3 -c--a-w c:\program files\sFile32sys.ico
2007-02-08 16:48 . 2007-02-08 16:48 133920 ----a-w c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
2007-07-25 00:03 . 2007-07-25 00:03 118784 ----a-w c:\program files\internet explorer\plugins\LV85ActiveXControl.dll
2004-09-01 18:48 . 2004-09-01 18:48 278528 ----a-w c:\program files\internet explorer\plugins\PanoViewer.dll
2004-09-01 18:48 . 2004-09-01 18:48 143360 ----a-w c:\program files\internet explorer\plugins\UPjpeg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-04-29 492808]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"NI Background Service"="c:\program files\National Instruments\Shared\Update Service\BackgroundService.exe" [2008-04-03 77824]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-05-18 543232]
"ShowWnd"="ShowWnd.exe" - c:\windows\ShowWnd.exe [2003-09-19 36864]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-08-13 49152]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2004-08-13 143360]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-04-15 77824]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-04-29 492808]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Event Planner Reminder 2008.lnk - c:\windows\Installer\{747A6A10-DA58-48C2-A1F0-C15514419C8A}\Shortcut_EventPlan_5D0DF1BBD82E4FB2B98E4FDE42EF7EBB.exe [2008-9-2 1718]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DropBox\\DropBox\\DropBox.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
R2 FmeyPvoazr;FmeyPvoazr;c:\windows\System32\svchost.exe [2008-04-14 14336]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
R3 TiglUsb;TiglUsb.sys TI-GRAPH / DIRECT LINK USB driver; [x]
S0 ohpzkmqi;ohpzkmqi;c:\windows\system32\drivers\ohpzkmqi.sys [2004-08-04 23424]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-10-28 156968]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2009-02-12 181584]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-04-29 36368]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-04-29 335376]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qllowwhb
FmeyPvoazr
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7062274-a193-11da-bfdf-806d6172696f}]
\Shell\AutoRun\command - E:\splash.exe
.
Contents of the 'Scheduled Tasks' folder
2009-04-29 c:\windows\Tasks\User_Feed_Synchronization-{05EBE2E0-1674-4565-B9E7-4EA59DAAC8AB}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 19:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3864)
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\trend micro\BM\TMBMSRV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lkcitdl.exe
c:\windows\system32\lkads.exe
c:\windows\system32\lktsrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\National Instruments\Shared\Security\nidmsrv.exe
c:\windows\system32\nisvcloc.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\trend micro\Internet Security\SfCtlCom.exe
c:\program files\trend micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
c:\program files\trend micro\TrendSecure\TSCFCommander.exe
.
**************************************************************************
.
Completion time: 2009-04-29 19:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-30 00:05
Pre-Run: 24,513,720,320 bytes free
Post-Run: 24,421,081,088 bytes free
222 --- E O F --- 2009-04-29 23:11