Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1251 [GMT -7:00]
Running from: c:\documents and settings\Bob Tan\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.
2009-10-27 20:10 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-27 20:10 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-27 20:10 . 2009-10-27 20:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 19:05 . 2009-10-27 19:05 -------- d-----w- C:\_OTL
2009-10-26 14:33 . 2009-10-26 14:33 77312 ----a-w- C:\mbr.exe
2009-10-25 16:13 . 2009-10-25 16:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware1
2009-10-16 04:14 . 2009-10-16 04:14 -------- d-----w- c:\documents and settings\Bob Tan\Application Data\Verizon Wireless
2009-10-15 17:42 . 2009-10-15 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon Wireless
2009-10-15 17:41 . 2009-10-15 17:41 -------- d-----w- c:\program files\Verizon Wireless
2009-10-01 02:48 . 2009-10-01 02:48 -------- d-----w- c:\program files\Microsoft
2009-10-01 02:48 . 2009-10-01 02:48 -------- d-----w- c:\program files\Windows Live SkyDrive
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-28 19:13 . 2009-08-13 19:22 -------- d-----w- c:\program files\Symantec AntiVirus
2009-10-26 19:27 . 2006-08-19 03:02 -------- d-----w- c:\program files\Common Files\AOL
2009-10-26 03:27 . 2007-09-15 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-10-19 16:13 . 2009-09-12 06:27 -------- d-----w- c:\program files\The Greek Poker
2009-10-15 02:05 . 2006-08-19 01:16 -------- d-----w- c:\program files\Microsoft Works
2009-09-30 16:49 . 2009-07-23 00:46 -------- d-----w- c:\documents and settings\Bob Tan\Application Data\Vso
2009-09-30 16:49 . 2009-07-23 00:46 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-09-30 16:49 . 2009-07-23 00:46 47360 ----a-w- c:\documents and settings\Bob Tan\Application Data\pcouffin.sys
2009-09-30 16:49 . 2009-07-23 03:55 -------- d-----w- c:\program files\DVDFab 6
2009-09-16 23:08 . 2006-08-19 02:16 59168 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-16 05:51 . 2008-02-18 01:07 -------- d-----w- c:\documents and settings\Bob Tan\Application Data\U3
2009-09-16 05:13 . 2009-09-11 06:08 137568 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-16 04:50 . 2009-09-11 05:00 -------- d-----w- c:\program files\Linksys
2009-09-16 03:38 . 2009-09-11 06:15 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-11 14:18 . 2006-08-18 23:47 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 06:06 . 2009-09-11 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Linksys
2009-09-11 05:04 . 2009-09-11 05:04 -------- d-----w- c:\program files\WebEx
2009-09-11 05:03 . 2006-08-19 02:20 -------- d-----w- c:\program files\Java
2009-09-09 18:27 . 2006-08-19 01:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-08 06:31 . 2009-09-08 05:46 1376 ----a-w- c:\windows\checkip.dat
2009-09-04 21:03 . 2006-08-18 23:47 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2006-08-18 23:48 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2006-08-18 23:47 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2006-08-18 23:47 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2006-08-18 23:49 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 22:09 . 2009-08-20 22:09 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-11 17:02 . 2009-08-11 17:02 61224 ----a-w- c:\documents and settings\Bob Tan\GoToAssistDownloadHelper.exe
2009-08-05 09:01 . 2006-08-18 23:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2006-08-18 23:48 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-10-27_17.13.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-28 19:15 . 2009-10-28 19:15 16384 c:\windows\temp\Perflib_Perfdata_350.dat
+ 2006-08-19 00:36 . 2009-10-27 22:18 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-08-19 00:36 . 2009-10-26 03:24 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-08-19 00:36 . 2009-10-27 22:18 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-08-19 00:36 . 2009-10-26 03:24 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-27 22:18 . 2009-10-27 22:18 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-09-08 03:43 . 2009-10-28 19:13 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
- 2007-09-08 03:43 . 2009-04-21 00:47 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SgeIconOvl]
@="{ba930330-a721-11d3-a7b9-00500464ee16}"
[HKEY_CLASSES_ROOT\CLSID\{ba930330-a721-11d3-a7b9-00500464ee16}]
2006-04-13 00:31 77824 ----a-w- c:\program files\Utimaco\SafeGuard Easy\SgeDrse.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SgeIconOvl2]
@="{2030D939-54A7-4fea-9B06-49EA77EFC87F}"
[HKEY_CLASSES_ROOT\CLSID\{2030D939-54A7-4fea-9B06-49EA77EFC87F}]
2006-04-13 00:31 77824 ----a-w- c:\program files\Utimaco\SafeGuard Easy\SgeDrse.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="thpsrv" [X]
"SgeEcView"="c:\program files\Utimaco\SafeGuard Easy\Ecview.exe" [2006-04-13 24576]
"EdWizard"="c:\program files\Utimaco\SafeGuard Easy\EdWizard.exe" [2006-04-13 245760]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 73728]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"TPSODDCtl"="TPSODDCtl.exe" - c:\windows\system32\TPSODDCtl.exe [2006-04-25 110592]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2006-04-25 315392]
"NDSTray.exe"="NDSTray.exe" [BU]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Principia Online Update.lnk - c:\program files\Morningstar\Principia\schedupd.exe [2007-9-10 20543]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-8-18 155648]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NotLog]
2002-01-22 23:28 110592 ----a-w- c:\windows\system32\SGLogEx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-06 00:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SGLogNotification]
2005-03-31 19:27 69632 ----a-w- c:\windows\system32\SGLogNotification.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Principia Online Update.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Principia Online Update.lnk
backup=c:\windows\pss\Principia Online Update.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Symantec AntiVirus\\DefWatch.exe"=
"c:\\WINDOWS\\system32\\SgLogPlayer.exe"=
"c:\\WINDOWS\\system32\\ThpSrv.exe"=
"c:\\WINDOWS\\system32\\TPSODDCtl.exe"=
"c:\\Program Files\\Apoint2K\\ApntEx.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
R0 AES-256;AES-256;c:\windows\system32\drivers\AES256.sys [4/12/2006 5:32 PM 18464]
R0 SgeFlt;SgeFlt;c:\windows\system32\drivers\SGEFLT.sys [4/12/2006 5:34 PM 61466]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [12/27/2004 11:31 PM 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [8/18/2006 7:17 PM 6144]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [5/5/2006 6:00 PM 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [5/5/2006 5:59 PM 33024]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [5/5/2006 5:33 PM 3456]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 11:50 AM 98816]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 8:02 PM 102448]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\DRIVERS\PTDCWWAN.sys --> c:\windows\system32\DRIVERS\PTDCWWAN.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/15/2005 1:27 PM 169200]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [3/20/2009 7:03 PM 32408]
S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [12/2/2007 6:55 PM 727908]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [12/2/2007 6:55 PM 44928]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://desktop.google.com/uninstall-feedback.html?hl=en
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
Trusted Zone: mcafee.com
Handler: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021} - c:\progra~1\NETEXC~1.0\FlowHook.dll
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 12:17
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\SGGINA.DLL
c:\windows\system32\vrlogon.dll
c:\windows\system32\SGEGINA.DLL
c:\program files\Utimaco\SafeGuard Easy\CMFCAPI.DLL
c:\program files\Utimaco\SafeGuard Easy\FLTAPI.dll
c:\program files\Utimaco\SafeGuard Easy\SGE_INFO0409.DLL
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\windows\system32\LogMsgApp.Dll
c:\windows\system32\LogData.dll
c:\windows\system32\SGLogEx.dll
c:\windows\system32\SGLogNotification.dll
c:\windows\system32\GetUserSid.dll
- - - - - - - > 'lsass.exe'(1016)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
- - - - - - - > 'Explorer.exe'(1332)
c:\windows\system32\WININET.dll
c:\program files\Utimaco\SafeGuard Easy\SgMsgBhk.dll
c:\program files\Utimaco\SafeGuard Easy\SgeDrse.dll
c:\program files\Utimaco\SafeGuard Easy\SgeUtil.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\msiexec.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Utimaco\SafeGuard Easy\SgeClient.exe
c:\program files\Utimaco\SafeGuard Easy\SgeCtl.exe
c:\windows\system32\SgLogPlayer.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\ThpSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\combofix\CF14130.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\thpsrv.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Apoint2K\Apntex.exe
c:\windows\system32\wscntfy.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-28 12:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-28 19:21
ComboFix2.txt 2009-10-27 17:24
Pre-Run: 55,662,968,832 bytes free
Post-Run: 55,639,769,088 bytes free
- - End Of File - - 2CD61BA4BC815324161A029648DF1C65