ComboFix 08-01-03.3 - HP_Administrator 2008-01-02 18:17:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1025 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\OSBC4E6P\ComboFix[1].exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\ehome\ehtray .exe
C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
C:\WINDOWS\system32\afypdjgd.dll
C:\WINDOWS\system32\ahhtckvo.dll
C:\WINDOWS\system32\bmckukgj.dll
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ffhkj.ini
C:\WINDOWS\system32\ffhkj.ini2
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\jkhff.dll
C:\WINDOWS\system32\jkhff.exe
C:\WINDOWS\system32\ovkcthha.ini
C:\WINDOWS\system32\RCX19.tmp
C:\WINDOWS\system32\RCX3A.tmp
E:\Autorun.inf

"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe" replaces infected copy of "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"C:\Program Files\Alwil Software\Avast4\ashDisp .exe" replaces infected copy of "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
"C:\Program Files\Common Files\Real\Update_OB\realsched .exe" replaces infected copy of "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
"C:\Program Files\Comodo\Firewall\CPF .exe" replaces infected copy of "C:\Program Files\Comodo\Firewall\CPF.exe"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe" replaces infected copy of "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe"
"C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08 .exe" replaces infected copy of "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
"C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe" replaces infected copy of "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"C:\Program Files\Picasa2\PicasaMediaDetector .exe" replaces infected copy of "C:\Program Files\Picasa2\PicasaMediaDetector.exe"
"C:\Program Files\Windows Defender\MSASCui .exe" replaces infected copy of "C:\Program Files\Windows Defender\MSASCui.exe"
"C:\WINDOWS\ehome\ehtray .exe" moved to QooBox
"C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe" moved to QooBox
"C:\WINDOWS\system32\ctfmon .exe" moved to QooBox
"C:\WINDOWS\system32\hkcmd .exe" replaces infected copy of "C:\WINDOWS\system32\hkcmd.exe"
"C:\WINDOWS\system32\igfxpers .exe" replaces infected copy of "C:\WINDOWS\system32\igfxpers.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE

((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
.
2008-01-02 18:15 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-02 16:20 . 2008-01-02 16:20 d-------- C:\VundoFix Backups
2008-01-02 12:32 . 2008-01-02 12:32 d-------- C:\Program Files\Alwil Software
2008-01-02 12:32 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-02 12:32 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-02 12:32 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-02 12:32 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-02 12:32 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-02 12:32 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-02 12:32 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-02 12:32 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-01 20:58 . 2008-01-01 21:14 1,031,679 --ahs---- C:\WINDOWS\system32\hwtuhqxr.ini
2007-12-31 06:09 . 2007-12-31 06:55 d-------- C:\Program Files\Yahoo!
2007-12-31 06:08 . 2007-12-31 06:11 d-------- C:\Program Files\OneStepSearch
2007-12-31 06:08 . 2008-01-02 08:47 d-------- C:\Program Files\Free Offers from Freeze.com
2007-12-24 17:15 . 2007-12-24 18:58 d-------- C:\WINDOWS\BDOSCAN8
2007-12-24 12:31 . 2008-01-02 16:54 114,688 --a------ C:\WINDOWS\system32\igfxpers.exe
2007-12-24 12:31 . 2008-01-02 16:54 77,824 --a------ C:\WINDOWS\system32\hkcmd.exe
2007-12-23 19:56 . 2008-01-01 07:57 714 --ahs---- C:\WINDOWS\system32\ttrejmgn.ini
2007-12-23 07:49 . 2007-12-23 07:49 40,448 --a------ C:\WINDOWS\system32\nnnomjk.dll.vir
2007-12-20 13:42 . 2007-12-20 13:42 d-------- C:\Program Files\t@b
2007-12-20 08:51 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-12-20 08:51 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-12-10 13:31 . 2006-09-05 11:03 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-10 13:18 . 2007-12-10 13:18 d-------- C:\Documents and Settings\Guest\Application Data\Comodo
2007-12-10 13:17 . 2005-09-17 01:01 d-------- C:\Documents and Settings\Guest\WINDOWS
2007-12-10 13:17 . 2005-09-17 01:21 d-------- C:\Documents and Settings\Guest\Application Data\Symantec
2007-12-10 13:17 . 2005-09-17 01:06 d-------- C:\Documents and Settings\Guest\Application Data\SampleView
2007-12-10 13:17 . 2005-09-17 01:04 d-------- C:\Documents and Settings\Guest\Application Data\Intuit
2007-12-10 13:17 . 2005-09-17 01:01 d-------- C:\Documents and Settings\Guest\Application Data\Apple Computer
2007-12-10 07:37 . 2007-12-10 07:37 d-------- C:\SystemRoot
2007-12-10 07:35 . 2007-12-10 07:35 d-------- C:\Documents and Settings\HP_Administrator\Application Data\WinBatch
2007-12-08 13:27 . 2007-12-08 13:27 d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-12-07 17:16 . 2007-12-07 17:16 d-------- C:\Program Files\Alawar
2007-12-05 17:39 . 2007-12-05 17:41 d-------- C:\Program Files\eMule
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 23:22 --------- d-----w C:\Program Files\Windows Defender
2008-01-03 23:22 --------- d-----w C:\Program Files\Picasa2
2008-01-03 23:20 --------- d-----w C:\Program Files\QuickTime
2008-01-02 16:44 --------- d-----w C:\Program Files\ScreenPrint32 v3
2008-01-02 13:47 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Azureus
2008-01-02 13:40 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-02 01:39 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\OpenOffice.org2
2008-01-01 17:32 --------- d-----w C:\Program Files\PokerStars
2007-12-31 11:54 --------- d-----w C:\Program Files\Coupons
2007-12-28 10:40 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\LimeWire
2007-12-24 18:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-24 17:46 --------- d-----w C:\Program Files\Java
2007-12-16 14:16 --------- d-----w C:\Program Files\Viewpoint
2007-12-16 14:16 --------- d-----w C:\Program Files\AIM6
2007-12-16 14:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-16 14:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-12-16 14:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-07 22:20 --------- d-----w C:\Program Files\PC Inspector File Recovery
2007-12-07 22:20 --------- d-----w C:\Program Files\PC-Doctor 5 for Windows
2007-12-07 22:20 --------- d-----w C:\Program Files\Nvu
2007-12-07 22:20 --------- d-----w C:\Program Files\IntelliMover Data Transfer Demo
2007-12-07 22:20 --------- d-----w C:\Program Files\Digital Photo Navigator 1.5
2007-12-07 22:20 --------- d-----w C:\Program Files\CamStudio
2007-12-02 21:29 --------- d-----w C:\Program Files\allSnap
2007-11-18 12:28 286,720 ------w C:\WINDOWS\Setup1.exe
2007-11-18 12:26 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\GlarySoft
2007-11-18 12:25 --------- d-----w C:\Program Files\Glary Utilities
2007-11-14 18:05 --------- d-----w C:\Program Files\Ultimate Business Software
2007-11-14 16:20 --------- d-----w C:\Program Files\LimeWire
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 14:34 --------- d-----w C:\Program Files\BHODemon 2
2007-11-12 14:34 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\FrostWire
2007-11-03 13:26 --------- d-----w C:\Program Files\Loan Calculator
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 21:04 59392]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 02:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-01-02 16:54 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-01-02 16:54 114688]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2008-01-02 16:54 49152]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-02 16:55 866584]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-01-02 16:54 79224]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-02 15:16 180269]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\HP\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34]
hpoddt01.exe.lnk - C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe [2002-12-02 20:56:10]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-10 23:00:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-04 00:31]
.
Contents of the 'Scheduled Tasks' folder
"2007-12-18 21:04:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-08-25 16:24:16 C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job" - c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2008-01-03 23:26:14 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-12-28 17:56:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job" - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-08-10 17:56:27 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job" - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 18:23:54
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-03 18:27:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-03 23:27:45
.
2007-12-24 22:15:56 --- E O F ---