ComboFix 09-02-19.01 - Ankore 2009-02-21 15:08:49.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1262.544 [GMT -8:00]
Running from: c:\documents and settings\Ankore\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ankore\Desktop\CFscript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
 * Created a new restore point

FILE ::
c:\windows\system32\drivers\e9a9d1fe.sys
c:\windows\system32\drivers\Lbd.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\Lbd.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LBD
-------\Service_e9a9d1fe
-------\Service_Lbd


((((((((((((((((((((((((( Files Created from 2009-01-21 to 2009-02-21 )))))))))))))))))))))))))))))))
.

2009-02-19 10:26 . 2009-02-19 11:29 d-------- c:\documents and settings\Ankore\Application Data\InfraRecorder
2009-02-19 10:25 . 2009-02-19 10:25 d-------- c:\program files\InfraRecorder
2009-02-18 15:36 . 2009-02-18 15:17 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-18 15:17 . 2009-02-18 15:17 d----c--- c:\windows\system32\DRVSTORE
2009-02-18 15:14 . 2009-02-18 15:14 d-------- c:\program files\Lavasoft
2009-02-18 15:14 . 2009-02-18 15:17 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-18 15:14 . 2009-02-18 15:14 d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-18 13:57 . 2009-02-18 13:57 d-------- c:\documents and settings\All Users\Application Data\EPSON
2009-02-16 13:02 . 2009-02-16 13:01 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-15 23:29 . 2009-02-15 23:29 d-------- c:\program files\Avira
2009-02-15 23:29 . 2009-02-15 23:29 d-------- c:\documents and settings\All Users\Application Data\Avira
2009-02-15 18:27 . 2009-02-15 18:27 d-------- c:\program files\Trend Micro
2009-02-15 15:12 . 2009-02-15 15:12 d-------- c:\program files\CONEXANT
2009-02-15 09:54 . 2009-02-15 09:54 d-------- c:\program files\SUPERAntiSpyware
2009-02-15 09:54 . 2009-02-15 09:54 d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-15 09:54 . 2009-02-15 09:54 d-------- c:\documents and settings\Ankore\Application Data\SUPERAntiSpyware.com
2009-02-15 09:54 . 2009-02-15 09:54 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-14 19:02 . 2005-09-20 09:31 135,168 --a------ c:\windows\system32\igfxres.dll
2009-02-14 17:00 . 2009-02-14 18:58 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-14 16:51 . 2009-02-14 16:51 d-------- c:\documents and settings\Ankore\Application Data\Malwarebytes
2009-02-14 15:52 . 2009-02-14 15:52 d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-14 15:25 . 2009-02-14 15:52 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-14 15:25 . 2009-02-14 15:25 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-14 15:25 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-14 15:25 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-14 15:13 . 2009-02-14 15:13 d-------- c:\documents and settings\Administrator\Application Data\Intel
2009-02-14 15:13 . 2009-02-14 15:13 d-------- c:\documents and settings\Administrator
2009-02-14 14:21 . 2009-02-14 14:21 d-------- c:\program files\LanqiEngine
2009-02-14 14:21 . 2009-02-14 14:21 735,232 --a------ c:\windows\system32\AdvOcr.dll
2009-02-14 14:21 . 2009-02-14 14:21 94,208 --a------ c:\windows\system32\TRSOCR.dll
2009-02-14 14:21 . 2009-02-14 14:21 94,208 --a------ c:\windows\system32\TOCRdll.dll
2009-02-14 14:21 . 2009-02-14 14:21 95 --a------ c:\windows\TOCR.ini
2009-02-14 14:21 . 2009-02-14 14:21 95 --a------ c:\windows\system32\TRSOCR.ini
2009-02-14 14:20 . 2009-02-14 14:21 32,137,216 --a------ c:\windows\system32\TRSOCR.dat
2009-02-14 14:19 . 2009-02-15 17:11 d-------- c:\program files\Symantec
2009-02-14 14:07 . 2009-02-14 14:07 10,240 --a------ c:\windows\system32\Packer.dll
2009-02-14 14:07 . 2009-02-14 14:07 1,536 --a------ c:\windows\system32\AUTMGR.EXE
2009-02-14 14:00 . 2009-02-15 15:01 d-------- c:\windows\system32\inf
2009-02-14 14:00 . 2009-02-14 14:00 2 --a------ C:\1212443256
2009-02-11 21:01 . 2009-02-11 21:01 d-------- c:\program files\Market Samurai
2009-02-11 21:01 . 2009-02-11 21:01 d-------- c:\documents and settings\Ankore\Application Data\MarketSamurai.6E37012E1CBD7F47B14488FCC715944F3EBDCEDC.1
2009-02-11 19:46 . 2009-02-11 19:47 d-------- c:\documents and settings\Ankore\Application Data\Good Keywords v2
2009-02-10 20:37 . 2009-02-10 20:37 d-------- c:\program files\Common Files\Adobe AIR
2009-02-05 11:16 . 2009-02-20 23:10 d-------- c:\program files\Mozilla Thunderbird
2009-02-05 11:16 . 2009-02-05 11:16 d-------- c:\documents and settings\Ankore\Application Data\Thunderbird
2009-01-27 19:46 . 2009-01-27 19:49 d-------- c:\program files\JL_Cmder
2009-01-27 17:26 . 2009-01-27 17:48 d-------- c:\documents and settings\Ankore\Application Data\Canon
2009-01-27 17:25 . 2005-09-20 21:00 140,288 --a------ c:\windows\system32\CNMLM7Q.DLL
2009-01-27 17:25 . 2008-04-13 10:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-01-27 17:25 . 2008-04-13 10:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-01-27 17:25 . 2005-09-20 21:00 8,704 --a------ c:\windows\system32\CNMVS7Q.DLL
2009-01-27 17:00 . 2008-04-13 10:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-01-27 17:00 . 2008-04-13 10:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-01-26 18:06 . 2009-01-26 18:06 d-------- c:\documents and settings\Ankore\Application Data\GlobalSCAPE
2009-01-26 18:06 . 2009-01-26 18:06 d-------- c:\documents and settings\All Users\Application Data\GlobalSCAPE
2009-01-26 18:04 . 2009-01-26 18:04 d-------- c:\program files\GlobalSCAPE
2009-01-25 11:55 . 2009-01-25 11:55 d--h----- c:\windows\PIF
2009-01-25 11:48 . 2009-01-25 11:48 1,409 --a------ c:\windows\system32\tmp913D9.FOT
2009-01-24 12:45 . 2009-01-24 12:47 d-------- C:\wamp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-20 09:41 --------- d-----w c:\documents and settings\Ankore\Application Data\Skype
2009-02-20 08:00 --------- d-----w c:\documents and settings\Ankore\Application Data\skypePM
2009-02-19 04:13 --------- d-----w c:\documents and settings\Ankore\Application Data\Azureus
2009-02-16 08:29 --------- d-----w c:\program files\SEO Elite 4
2009-02-16 00:59 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-02-16 00:40 5 ----a-w c:\windows\system32\drivers\DELL_INS_700m.MRK
2009-02-16 00:40 5 ----a-w c:\windows\system32\drivers\1028_DELL_INS_700m.MRK
2009-02-14 22:47 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-14 21:34 --------- d-----w c:\documents and settings\Ankore\Application Data\LimeWire
2009-02-11 00:36 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-28 03:48 256 ----a-w c:\documents and settings\Ankore\pool.bin
2009-01-27 16:47 --------- d-----w c:\program files\Vuze
2009-01-27 02:04 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-15 06:31 --------- d-----w c:\program files\QuickTime
2009-01-15 06:30 --------- d-----w c:\program files\Common Files\Apple
2009-01-15 06:30 --------- d-----w c:\program files\Apple Software Update
2009-01-15 06:30 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-15 06:30 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-01-15 02:15 --------- d-----w c:\program files\GRETECH
2009-01-15 02:15 --------- d-----w c:\documents and settings\Ankore\Application Data\GRETECH
2009-01-15 01:24 --------- d-----w c:\program files\SEO Studio
2009-01-13 03:26 --------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-01-12 08:42 4 ----a-w C:\results.bin
2009-01-11 10:31 --------- d-----w c:\program files\Keyword Elite
2009-01-11 03:52 --------- d-----w c:\documents and settings\All Users\Application Data\PCSettings
2009-01-11 01:24 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-09 05:16 --------- d-----w c:\program files\TRELLIAN
2009-01-08 04:40 --------- d-----w c:\program files\MSECache
2009-01-08 04:37 --------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-01-04 05:55 --------- d-----w c:\documents and settings\Ankore\Application Data\Roxio
2008-12-26 02:28 --------- d-----w c:\documents and settings\Ankore\Application Data\Thinstall
2008-12-25 08:24 --------- d-----w c:\program files\NicheFinder
2008-12-24 17:05 --------- d-----w c:\documents and settings\All Users\Application Data\RoboForm
2008-12-24 17:04 --------- d-----w c:\program files\Siber Systems
2008-12-24 05:12 --------- d-----w c:\documents and settings\Ankore\Application Data\DivX
2008-12-23 00:13 --------- d-----w c:\documents and settings\Ankore\Application Data\Windows Search

.
------- Sigcheck -------

2004-08-04 02:00 983552 888190e31455fad793312f8d087146eb c:\windows\$NtServicePackUninstall$\kernel32.dll
2008-04-13 16:11 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\ServicePackFiles\i386\kernel32.dll
2009-02-14 14:07 989696 ddfc75dcdd80736ce40b5538b46821d1 c:\windows\system32\kernel32.dll

.
((((((((((((((((((((((((((((( SnapShot_2009-02-20_20.36.22.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-21 23:13:46 16,384 ----atw c:\windows\temp\Perflib_Perfdata_120.dat
.
(((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]
"\\DUNKY\EPSON Stylus NX400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIEGA.EXE" [2007-12-16 188928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-16 148888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-18 509784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Firefox Preloader.lnk - c:\program files\FirefoxPreloader\FirefoxPreloader.exe [2008-12-10 98304]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 16:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2006-12-12 17:16 229376 c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\matrix31290.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpa.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpb.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpc.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Ankore^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Ankore\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-08-16 08:56 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-02-16 13:01 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"liveupdate"=3 (0x3)
"ccsetmgr"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S4 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]

.
Contents of the 'Scheduled Tasks' folder

2009-02-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-18 15:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ankore\Application Data\Mozilla\Firefox\Profiles\56tqk1p3.default\
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Ankore\Application Data\Mozilla\Firefox\Profiles\56tqk1p3.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdsplay.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwmsdrm.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-21 15:16:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\searchindexer.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-21 15:19:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-21 23:19:00
ComboFix2.txt 2009-02-15 23:09:37

Pre-Run: 34,825,768,960 bytes free
Post-Run: 34,871,975,936 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
276 --- E O F --- 2009-02-11 00:38:54
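The parts of this log a reviewer has to weigh by hand are the Sigcheck block (three copies of kernel32.dll with three different MD5s, the system32 copy dated 2009-02-14 14:07, the same minute Packer.dll and AUTMGR.EXE appear in the Files Created list), the five Image File Execution Options keys whose Debugger value redirects a.exe, matrix31290.exe and ~tmpa/b/c.exe to alg.exe, and the three Security Center DisableMonitoring values. The Python below is an added example, not part of ComboFix and not code from this post: it parses those sections out of a ComboFix log and lists them, correlating a system32 file whose hash matches none of the Windows-supplied copies with files created in the same minute. The sample input is a subset of lines copied from the log above; the section regexes, the REFERENCE_DIRS list and the function names are my own choices. A system32 file that differs from the ServicePackFiles and $NtServicePackUninstall$ copies can also be a legitimate post-SP3 hotfix, so the output is a review list, not a verdict.

```python
"""Triage helper for ComboFix logs (added example; not part of ComboFix)."""
import json
import re
from collections import defaultdict

# Directories holding Windows-supplied reference copies of system files (my choice).
REFERENCE_DIRS = ("\\servicepackfiles\\", "\\dllcache\\", "\\$ntservicepackuninstall$\\")

# Sigcheck line: "<date> <time> <size> <md5> <path>"
SIGCHECK_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+([0-9a-f]{32})\s+(.+)$", re.I)
# Files Created line: "<created> . <modified> [size] <9 attr chars> <path>"
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
                        r"(?:([\d,]+)\s+)?([-a-z]{9})\s+(.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")          # registry key header line
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')  # "name"=value line under a key

# Lines copied from the ComboFix log above (a subset, used as sample input).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-01-21 to 2009-02-21 )))))))))))))))))))))))))))))))
.
2009-02-18 15:36 . 2009-02-18 15:17 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-14 14:07 . 2009-02-14 14:07 10,240 --a------ c:\windows\system32\Packer.dll
2009-02-14 14:07 . 2009-02-14 14:07 1,536 --a------ c:\windows\system32\AUTMGR.EXE
2009-02-14 14:00 . 2009-02-14 14:00 2 --a------ C:\1212443256
.
------- Sigcheck -------
2004-08-04 02:00 983552 888190e31455fad793312f8d087146eb c:\windows\$NtServicePackUninstall$\kernel32.dll
2008-04-13 16:11 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\ServicePackFiles\i386\kernel32.dll
2009-02-14 14:07 989696 ddfc75dcdd80736ce40b5538b46821d1 c:\windows\system32\kernel32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\matrix31290.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""


def parse_sigcheck(text):
    """Return [(timestamp, size, md5, path)] for every Sigcheck line."""
    out = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3).lower(), m.group(4)))
    return out


def parse_created(text):
    """Return [(created, modified, size_or_None, attrs, path)] from Files Created lines."""
    out = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            size = int(m.group(3).replace(",", "")) if m.group(3) else None
            out.append((m.group(1), m.group(2), size, m.group(4), m.group(5)))
    return out


def parse_registry(text):
    """Return [(key, name, value)] for each "name"=value line under a [key] header."""
    out, key = [], None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            out.append((key, vm.group(1), vm.group(2)))
    return out


def _is_reference(path):
    return any(d in path.lower() for d in REFERENCE_DIRS)


def divergent_system_files(sigcheck):
    """Live copies whose MD5 matches none of the reference copies of the same file name."""
    by_name = defaultdict(list)
    for entry in sigcheck:
        by_name[entry[3].rsplit("\\", 1)[-1].lower()].append(entry)
    findings = []
    for copies in by_name.values():
        ref = {md5 for _, _, md5, p in copies if _is_reference(p)}
        for ts, size, md5, path in copies:
            if not _is_reference(path) and md5 not in ref:
                findings.append({"path": path, "timestamp": ts, "md5": md5,
                                 "reference_md5s": sorted(ref)})
    return findings


def created_same_minute(created, timestamp):
    """Paths whose creation time equals `timestamp` (YYYY-MM-DD HH:MM)."""
    return [path for c, _, _, _, path in created if c == timestamp]


def ifeo_debuggers(registry):
    """{image: debugger} for every Image File Execution Options\\<image> Debugger value."""
    return {key.rsplit("\\", 1)[-1]: value for key, name, value in registry
            if "\\image file execution options\\" in key.lower() and name.lower() == "debugger"}


def disabled_security_center(registry):
    """Security Center monitoring keys with DisableMonitoring set to 1."""
    return [key for key, name, value in registry
            if "security center\\monitoring" in key.lower()
            and name == "DisableMonitoring" and value.lower().endswith("00000001")]


def triage(text):
    """Collect the review items from one ComboFix log as a dict."""
    divergent = divergent_system_files(parse_sigcheck(text))
    created = parse_created(text)
    for f in divergent:
        f["created_same_minute"] = created_same_minute(created, f["timestamp"])
    reg = parse_registry(text)
    return {"divergent_files": divergent, "ifeo_debuggers": ifeo_debuggers(reg),
            "security_center_disabled": disabled_security_center(reg)}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(triage(text), indent=2))
```

Run it with a saved log as the first argument, or with no argument to see the result on the embedded sample. On the sample it reports the system32 kernel32.dll as divergent from both reference copies, with Packer.dll and AUTMGR.EXE created in the same minute, the two IFEO Debugger redirections to alg.exe, and the disabled Security Center monitoring key; in each case the next step is still to pull the file or key and examine it, since the script only narrows the list.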