ComboFix 08-01-03.3 - HP_Administrator 2008-01-02 18:17:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1025 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\OSBC4E6P\ComboFix[1].exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\ehome\ehtray .exe
C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
C:\WINDOWS\system32\afypdjgd.dll
C:\WINDOWS\system32\ahhtckvo.dll
C:\WINDOWS\system32\bmckukgj.dll
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ffhkj.ini
C:\WINDOWS\system32\ffhkj.ini2
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\jkhff.dll
C:\WINDOWS\system32\jkhff.exe
C:\WINDOWS\system32\ovkcthha.ini
C:\WINDOWS\system32\RCX19.tmp
C:\WINDOWS\system32\RCX3A.tmp
E:\Autorun.inf
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe" replaces infected copy of "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"C:\Program Files\Alwil Software\Avast4\ashDisp .exe" replaces infected copy of "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
"C:\Program Files\Common Files\Real\Update_OB\realsched .exe" replaces infected copy of "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
"C:\Program Files\Comodo\Firewall\CPF .exe" replaces infected copy of "C:\Program Files\Comodo\Firewall\CPF.exe"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe" replaces infected copy of "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe"
"C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08 .exe" replaces infected copy of "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
"C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe" replaces infected copy of "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"C:\Program Files\Picasa2\PicasaMediaDetector .exe" replaces infected copy of "C:\Program Files\Picasa2\PicasaMediaDetector.exe"
"C:\Program Files\Windows Defender\MSASCui .exe" replaces infected copy of "C:\Program Files\Windows Defender\MSASCui.exe"
"C:\WINDOWS\ehome\ehtray .exe" moved to QooBox
"C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe" moved to QooBox
"C:\WINDOWS\system32\ctfmon .exe" moved to QooBox
"C:\WINDOWS\system32\hkcmd .exe" replaces infected copy of "C:\WINDOWS\system32\hkcmd.exe"
"C:\WINDOWS\system32\igfxpers .exe" replaces infected copy of "C:\WINDOWS\system32\igfxpers.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
.
((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
.
2008-01-02 18:15 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-02 16:20 . 2008-01-02 16:20 d-------- C:\VundoFix Backups
2008-01-02 12:32 . 2008-01-02 12:32 d-------- C:\Program Files\Alwil Software
2008-01-02 12:32 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-02 12:32 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-02 12:32 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-02 12:32 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-02 12:32 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-02 12:32 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-02 12:32 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-02 12:32 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-01 20:58 . 2008-01-01 21:14 1,031,679 --ahs---- C:\WINDOWS\system32\hwtuhqxr.ini
2007-12-31 06:09 . 2007-12-31 06:55 d-------- C:\Program Files\Yahoo!
2007-12-31 06:08 . 2007-12-31 06:11 d-------- C:\Program Files\OneStepSearch
2007-12-31 06:08 . 2008-01-02 08:47 d-------- C:\Program Files\Free Offers from Freeze.com
2007-12-24 17:15 . 2007-12-24 18:58 d-------- C:\WINDOWS\BDOSCAN8
2007-12-24 12:31 . 2008-01-02 16:54 114,688 --a------ C:\WINDOWS\system32\igfxpers.exe
2007-12-24 12:31 . 2008-01-02 16:54 77,824 --a------ C:\WINDOWS\system32\hkcmd.exe
2007-12-23 19:56 . 2008-01-01 07:57 714 --ahs---- C:\WINDOWS\system32\ttrejmgn.ini
2007-12-23 07:49 . 2007-12-23 07:49 40,448 --a------ C:\WINDOWS\system32\nnnomjk.dll.vir
2007-12-20 13:42 . 2007-12-20 13:42 d-------- C:\Program Files\t@b
2007-12-20 08:51 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-12-20 08:51 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-12-10 13:31 . 2006-09-05 11:03 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-10 13:18 . 2007-12-10 13:18 d-------- C:\Documents and Settings\Guest\Application Data\Comodo
2007-12-10 13:17 . 2005-09-17 01:01 d-------- C:\Documents and Settings\Guest\WINDOWS
2007-12-10 13:17 . 2005-09-17 01:21 d-------- C:\Documents and Settings\Guest\Application Data\Symantec
2007-12-10 13:17 . 2005-09-17 01:06 d-------- C:\Documents and Settings\Guest\Application Data\SampleView
2007-12-10 13:17 . 2005-09-17 01:04 d-------- C:\Documents and Settings\Guest\Application Data\Intuit
2007-12-10 13:17 . 2005-09-17 01:01 d-------- C:\Documents and Settings\Guest\Application Data\Apple Computer
2007-12-10 07:37 . 2007-12-10 07:37 d-------- C:\SystemRoot
2007-12-10 07:35 . 2007-12-10 07:35 d-------- C:\Documents and Settings\HP_Administrator\Application Data\WinBatch
2007-12-08 13:27 . 2007-12-08 13:27 d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-12-07 17:16 . 2007-12-07 17:16 d-------- C:\Program Files\Alawar
2007-12-05 17:39 . 2007-12-05 17:41 d-------- C:\Program Files\eMule
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 23:22 --------- d-----w C:\Program Files\Windows Defender
2008-01-03 23:22 --------- d-----w C:\Program Files\Picasa2
2008-01-03 23:20 --------- d-----w C:\Program Files\QuickTime
2008-01-02 16:44 --------- d-----w C:\Program Files\ScreenPrint32 v3
2008-01-02 13:47 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Azureus
2008-01-02 13:40 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-02 01:39 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\OpenOffice.org2
2008-01-01 17:32 --------- d-----w C:\Program Files\PokerStars
2007-12-31 11:54 --------- d-----w C:\Program Files\Coupons
2007-12-28 10:40 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\LimeWire
2007-12-24 18:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-24 17:46 --------- d-----w C:\Program Files\Java
2007-12-16 14:16 --------- d-----w C:\Program Files\Viewpoint
2007-12-16 14:16 --------- d-----w C:\Program Files\AIM6
2007-12-16 14:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-16 14:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-12-16 14:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-07 22:20 --------- d-----w C:\Program Files\PC Inspector File Recovery
2007-12-07 22:20 --------- d-----w C:\Program Files\PC-Doctor 5 for Windows
2007-12-07 22:20 --------- d-----w C:\Program Files\Nvu
2007-12-07 22:20 --------- d-----w C:\Program Files\IntelliMover Data Transfer Demo
2007-12-07 22:20 --------- d-----w C:\Program Files\Digital Photo Navigator 1.5
2007-12-07 22:20 --------- d-----w C:\Program Files\CamStudio
2007-12-02 21:29 --------- d-----w C:\Program Files\allSnap
2007-11-18 12:28 286,720 ------w C:\WINDOWS\Setup1.exe
2007-11-18 12:26 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\GlarySoft
2007-11-18 12:25 --------- d-----w C:\Program Files\Glary Utilities
2007-11-14 18:05 --------- d-----w C:\Program Files\Ultimate Business Software
2007-11-14 16:20 --------- d-----w C:\Program Files\LimeWire
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 14:34 --------- d-----w C:\Program Files\BHODemon 2
2007-11-12 14:34 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\FrostWire
2007-11-03 13:26 --------- d-----w C:\Program Files\Loan Calculator
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 21:04 59392]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 02:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-01-02 16:54 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-01-02 16:54 114688]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2008-01-02 16:54 49152]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-02 16:55 866584]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-01-02 16:54 79224]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-02 15:16 180269]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\HP\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34]
hpoddt01.exe.lnk - C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe [2002-12-02 20:56:10]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-10 23:00:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-04 00:31]
.
Contents of the 'Scheduled Tasks' folder
"2007-12-18 21:04:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-08-25 16:24:16 C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2008-01-03 23:26:14 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-12-28 17:56:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-08-10 17:56:27 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 18:23:54
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-03 18:27:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-03 23:27:45
.
2007-12-24 22:15:56 --- E O F ---
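Two patterns in the log above are worth automating when triaging similar machines: legitimate autostart executables (ashDisp.exe, hkcmd.exe, MSASCui.exe, realsched.exe and the others under the Run keys) each had a twin whose name carries a space before the extension ("ashDisp .exe"), and ComboFix restored the originals from those twins; and system32 held hidden, system-flagged .ini files with random 8-letter names (hwtuhqxr.ini, ttrejmgn.ini, ffhkj.ini). The script below is an added example, not ComboFix's own code. It flags both patterns in a directory listing and also pulls the (twin, original) pairs out of ComboFix's "replaces infected copy" lines. The listing it scans is constructed from paths in the log; the attribute strings and the KNOWN_INI allowlist are assumptions, not data from the machine.

```python
"""Triage helpers for the 'companion executable' pattern in the ComboFix log above.
Added example, not ComboFix's own code; sample input is constructed from the log."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    attrs: str  # ComboFix-style attribute string, e.g. '--ahs----' (assumed values below)


# Constructed sample listing: paths modelled on the log, attributes assumed.
SAMPLE = [
    Entry(r"C:\WINDOWS\system32\hkcmd.exe", "--a------"),
    Entry(r"C:\WINDOWS\system32\hkcmd .exe", "--a------"),
    Entry(r"C:\WINDOWS\system32\ctfmon.exe", "--a------"),
    Entry(r"C:\WINDOWS\system32\ctfmon .exe", "--a------"),
    Entry(r"C:\WINDOWS\system32\hwtuhqxr.ini", "--ahs----"),
    Entry(r"C:\WINDOWS\system32\ffhkj.ini", "--ahs----"),
    Entry(r"C:\WINDOWS\system32\desktop.ini", "--ahs----"),
    Entry(r"C:\WINDOWS\system32\win.ini", "--a------"),
    Entry(r"C:\Program Files\QuickTime\qttask .exe", "--a------"),
    Entry(r"C:\Program Files\Alwil Software\Avast4\ashDisp.exe", "--a------"),
    Entry(r"C:\Program Files\Alwil Software\Avast4\ashDisp .exe", "--a------"),
]

# 'name .exe': a stem ending in a non-space, one space, then the extension.
COMPANION_RE = re.compile(r"^(?P<stem>.*\S) \.(?P<ext>exe|dll|scr)$", re.IGNORECASE)
# The random droppings in the log: 5-8 letters, .ini or .ini2.
RANDOM_INI_RE = re.compile(r"^[a-z]{5,8}\.ini2?$", re.IGNORECASE)
# Legitimate short .ini names that would otherwise match (assumed allowlist).
KNOWN_INI = {"desktop.ini", "win.ini", "system.ini"}
# Lines ComboFix writes when it swaps a twin back over the infected original.
RESTORE_RE = re.compile(r'^"(?P<twin>[^"]+)" replaces infected copy of "(?P<orig>[^"]+)"$')


def find_companions(entries):
    """Return (twin, original) pairs; original is None when no 'name.exe' sits beside the twin."""
    present = {e.path.lower() for e in entries}
    hits = []
    for e in entries:
        folder, base = ntpath.split(e.path)
        m = COMPANION_RE.match(base)
        if not m:
            continue
        original = ntpath.join(folder, f"{m['stem']}.{m['ext']}")
        hits.append((e.path, original if original.lower() in present else None))
    return hits


def find_random_ini(entries):
    """Return system32 .ini files that are hidden+system and have a random-looking name."""
    sys32 = ntpath.join("C:\\WINDOWS", "system32").lower()
    out = []
    for e in entries:
        folder, base = ntpath.split(e.path)
        # 'h' and 's' in the attribute string stand for hidden and system (simplified check).
        hidden_system = "h" in e.attrs and "s" in e.attrs
        if (folder.lower() == sys32 and hidden_system
                and RANDOM_INI_RE.match(base) and base.lower() not in KNOWN_INI):
            out.append(e.path)
    return out


def parse_restores(log_text):
    """Extract (twin, original) pairs from ComboFix 'replaces infected copy' lines."""
    pairs = []
    for line in log_text.splitlines():
        m = RESTORE_RE.match(line.strip())
        if m:
            pairs.append((m["twin"], m["orig"]))
    return pairs


# Three lines copied from the log above, used as sample input.
SAMPLE_LOG = r'''
"C:\WINDOWS\system32\hkcmd .exe" replaces infected copy of "C:\WINDOWS\system32\hkcmd.exe"
"C:\WINDOWS\ehome\ehtray .exe" moved to QooBox
"C:\Program Files\Comodo\Firewall\CPF .exe" replaces infected copy of "C:\Program Files\Comodo\Firewall\CPF.exe"
'''

if __name__ == "__main__":
    for twin, orig in find_companions(SAMPLE):
        print("companion:", twin, "->", orig or "(no original beside it)")
    for p in find_random_ini(SAMPLE):
        print("random ini:", p)
    for twin, orig in parse_restores(SAMPLE_LOG):
        print("restored:", orig, "from", twin)
```

A twin with no original beside it (qttask .exe in the sample) still matters: the log shows ComboFix moving such files to QooBox rather than restoring anything, so a real scan should quarantine the twin and then verify the remaining binary's hash against a known-good copy rather than assume it is clean.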