ComboFix 08-12-24.01 - Administrator 2008-12-25 18:23:18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1791.1124 [GMT -5:00]
Running from: c:\documents and settings\Administrator\My Documents\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-11-25 to 2008-12-25 )))))))))))))))))))))))))))))))
.
2008-12-24 21:05 . 2008-12-24 21:05 <DIR> d-------- c:\program files\GPL MPEG Decoder
2008-12-24 21:00 . 2007-04-22 22:11 1,216,512 --a------ c:\windows\system32\xvidcore.dll
2008-12-24 21:00 . 2007-04-22 22:09 921,600 --a------ c:\windows\system32\vorbisenc.dll
2008-12-24 21:00 . 2006-10-28 11:11 516,096 --a------ c:\windows\system32\ac3filter.ax
2008-12-24 21:00 . 2004-09-23 19:20 290,304 --a------ c:\windows\system32\divxdec.ax
2008-12-24 21:00 . 2004-01-10 18:02 258,048 --a------ c:\windows\system32\GplMpgDec.ax
2008-12-24 21:00 . 2007-04-22 22:11 237,568 --a------ c:\windows\system32\xvidvfw.dll
2008-12-24 21:00 . 2007-04-22 22:10 237,568 --a------ c:\windows\system32\OggDS.dll
2008-12-24 21:00 . 2007-04-22 22:09 188,416 --a------ c:\windows\system32\vorbis.dll
2008-12-24 21:00 . 2004-03-26 16:32 116,224 --a------ c:\windows\system32\rmalt.ax
2008-12-24 21:00 . 2007-04-22 22:11 61,440 --a------ c:\windows\system32\xvid.ax
2008-12-24 21:00 . 2007-04-22 22:09 45,056 --a------ c:\windows\system32\ogg.dll
2008-12-24 21:00 . 2004-04-30 21:46 28,672 --a------ c:\windows\system32\qtalt.ax
2008-12-20 12:26 . 2008-12-20 12:26 <DIR> d-------- c:\program files\uTorrent
2008-12-17 21:36 . 2008-12-17 21:36 <DIR> d-------- c:\program files\AskBarDis
2008-12-17 21:36 . 2008-12-17 21:36 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Foxit
2008-12-17 19:12 . 2008-12-17 19:11 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-17 18:15 . 2008-12-17 18:15 <DIR> d-------- C:\New Folder
2008-12-17 17:31 . 2008-12-25 17:53 69 --a------ c:\windows\NeroDigital.ini
2008-12-17 15:40 . 2008-12-19 18:15 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Ahead
2008-12-17 15:37 . 2008-12-17 15:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
2008-12-16 19:32 . 2008-12-16 19:32 <DIR> d-------- C:\rsit
2008-12-09 19:09 . 2008-12-09 19:09 6,144 --ahs---- c:\windows\Thumbs.db
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-25 23:05 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2008-12-25 02:31 --------- d-----w c:\program files\dvdSanta
2008-12-24 21:02 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-18 00:11 --------- d-----w c:\program files\Java
2008-12-17 22:25 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-17 20:39 --------- d-----w c:\program files\Common Files\Ahead
2008-12-17 00:32 --------- d-----w c:\program files\Trend Micro
2008-12-09 06:16 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-09 06:14 --------- d-----w c:\program files\Google
2008-12-09 06:12 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-04 00:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 00:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-01 22:16 --------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2008-12-01 21:59 --------- d-----w c:\documents and settings\Administrator\Application Data\skypePM
2008-11-30 01:53 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-27 15:54 --------- d-----w c:\program files\WinISO
2008-11-27 15:54 --------- d-----w c:\program files\SMARTSOUND_10
2008-11-27 15:54 --------- d-----w c:\program files\Quicken
2008-11-27 15:54 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-27 15:54 --------- d-----w c:\program files\bin
2008-11-27 15:54 --------- d-----w c:\program files\Barcode Maker 5
2008-11-27 15:54 --------- d-----w c:\documents and settings\Administrator\Application Data\YouSendIt
2008-11-27 15:54 --------- d-----w c:\documents and settings\Administrator\Application Data\Vso
2008-11-27 15:54 --------- d-----w c:\documents and settings\Administrator\Application Data\iolo
2008-11-25 06:25 --------- d-----w c:\documents and settings\Administrator\Application Data\IObit
2008-11-25 01:21 --------- d-----w c:\program files\IObit
2008-11-24 15:33 --------- d-----w c:\documents and settings\Administrator\Application Data\MSNInstaller
2008-11-24 15:32 --------- d-----w c:\program files\Citrix
2008-11-22 23:32 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-22 18:23 --------- d-----w c:\program files\RogueRemover FREE
2008-11-21 21:13 --------- d-----w c:\program files\Picasa2
2008-11-20 02:21 --------- d-----w c:\documents and settings\Administrator\Application Data\ArcSoft
2008-11-13 00:08 --------- d-----w c:\program files\CCleaner
2008-11-07 14:11 --------- d-----w c:\program files\AT&W Technologies
2008-11-03 17:08 --------- d-----w c:\program files\Trojan Remover
2008-11-03 01:16 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-02 18:13 --------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-03-23 15:33 47,360 ----a-w c:\documents and settings\Administrator\Application Data\pcouffin.sys
2008-02-05 08:03 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2003-10-06 22:03 44,544 ----a-w c:\windows\inf\i386\CR100\CR100WIA.dll
2003-10-06 22:03 139,264 ----a-w c:\windows\inf\i386\CR100\A8_cr100.dll
2001-08-03 22:29 13,824 ----a-w c:\windows\inf\i386\CR100\Usbscan.sys
.
((((((((((((((((((((((((((((( snapshot@2008-12-17_17.59.44.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-25 03:30:28 135,168 ------w c:\windows\system32\java.exe
+ 2008-12-18 00:11:48 144,792 ----a-w c:\windows\system32\java.exe
- 2007-09-25 03:30:30 135,168 ------w c:\windows\system32\javaw.exe
+ 2008-12-18 00:11:48 144,792 ----a-w c:\windows\system32\javaw.exe
- 2007-09-25 04:31:42 139,264 ------w c:\windows\system32\javaws.exe
+ 2008-12-18 00:11:48 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-25 23:06:32 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_684.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 12:58 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-30 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2008-11-26 2235920]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-02-20 1443072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-10-14 21:38 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 2007-03-20 16:40 1884160 c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 05:43 69632 c:\windows\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--------- 2004-08-04 06:00 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-30 11:06 133104 c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-16 15:15 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-09-11 03:40 86960 c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--------- 2006-10-31 01:35 7634944 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--------- 2006-10-31 01:35 1622016 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF4 Registry Controller]
--a------ 2006-08-22 18:09 40960 c:\program files\ScanSoft\PDF Professional 4.0\RegistryController.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-07-05 03:08 16380416 c:\windows\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-01-17 18:10 21686568 c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]
--a------ 2008-05-06 15:36 764776 c:\program files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra------ 2003-09-29 23:14 155648 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R2 ekrn;Eset Service;"c:\program files\ESET\ESET Smart Security\ekrn.exe" [2007-12-21 468224]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-02-07 566120]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-02-07 566120]
S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" []
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe []
S2 SessionLauncher;SessionLauncher; []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0519fa17-d50a-11dc-bbcb-001d7d2a7b89}]
\Shell\AutoRun\command - setuppro.EXE /AUTORUN
\Shell\configure\command - setuppro.EXE
\Shell\install\command - setuppro.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8dda5d8-0c0a-11dd-bc07-001d7d2a7b89}]
\Shell\AutoRun\command - H:\setuppro.EXE /AUTORUN
\Shell\configure\command - H:\setuppro.EXE
\Shell\install\command - H:\setuppro.EXE
.
Contents of the 'Scheduled Tasks' folder
2008-12-25 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-30 11:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
IE: Advanced Email Extractor - c:\program%20files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open with ScanSoft PDF Converter 4.0 - c:\program files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
IE: Scan link with AEE - c:\program%20files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/link.html
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\su2zsw8w.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
ATTENTION: FIREFOX POLICES IS IN FORCE
pref(dom.disable_open_during_load, true);.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-25 18:24:27
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-12-25 18:25:34
ComboFix-quarantined-files.txt 2008-12-25 23:25:00
ComboFix2.txt 2008-12-17 23:00:17
Pre-Run: 9,839,325,184 bytes free
Post-Run: 9,823,715,328 bytes free