ComboFix 09-02-03.01 - Vasilias 2009-02-04 11:57:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1532 [GMT -5:00]
Running from: f:\documents and settings\Vasilias\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
f:\documents and settings\Vasilias\Application Data\inst.exe
f:\windows\system32\dpejghkc.dll
f:\windows\system32\FhghPqru.ini
f:\windows\system32\FhghPqru.ini2
f:\windows\system32\girmyitr.dll
f:\windows\system32\iihutbpn.dll
f:\windows\system32\ksopreqv.dll
f:\windows\system32\lapfwu.dll
f:\windows\system32\qfagtalq.dll
f:\windows\system32\qmldwpla.dll
f:\windows\system32\qtyrhj.dll
f:\windows\system32\tuqbmkqw.ini
f:\windows\system32\urqPhghF.dll
f:\windows\system32\xxywUKeB.dll
f:\windows\system32\zqkzib.dll
.
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.
2009-02-04 11:44 . 2009-02-04 11:44 <DIR> d-------- f:\program files\Trend Micro
2009-02-03 12:24 . 2009-02-04 10:58 153 --a------ f:\windows\wininit.ini
2009-01-17 13:53 . 2009-01-17 13:53 410,984 --a------ f:\windows\system32\deploytk.dll
2009-01-16 12:43 . 2009-01-16 12:43 <DIR> d-------- f:\program files\Microsoft Office Outlook Connector
2009-01-12 17:44 . 2009-01-12 17:44 <DIR> d-------- f:\program files\iPod
2009-01-12 17:44 . 2009-01-12 17:44 <DIR> d-------- f:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-12 17:42 . 2009-01-12 17:42 <DIR> d-------- f:\program files\QuickTime
2009-01-12 17:40 . 2009-01-12 17:40 <DIR> d-------- f:\program files\Apple Software Update
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 17:25 --------- d-----w f:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-03 16:54 --------- d-----w f:\program files\Spybot - Search & Destroy
2009-02-01 02:58 --------- d-----w f:\documents and settings\Vasilias\Application Data\Azureus
2009-02-01 01:28 --------- d-----w f:\program files\Azureus
2009-01-28 06:47 --------- d-----w f:\program files\World of Warcraft
2009-01-17 18:53 --------- d-----w f:\program files\Java
2009-01-12 22:44 --------- d-----w f:\program files\iTunes
2009-01-12 22:43 --------- d-----w f:\program files\Bonjour
2008-12-17 22:36 --------- d-----w f:\program files\MobMapUpdater
2008-12-17 22:36 --------- d-----w f:\documents and settings\Vasilias\Application Data\MobMapUpdater
2008-12-10 05:05 --------- d-----w f:\program files\Ventrilo
2008-12-10 05:05 --------- d-----w f:\program files\Common Files\Wise Installation Wizard
2008-12-10 05:05 --------- d-----w f:\documents and settings\Vasilias\Application Data\Ventrilo
2008-01-17 04:34 47,360 -c--a-w f:\documents and settings\Vasilias\Application Data\pcouffin.sys
2007-12-07 23:28 32 -c--a-w f:\documents and settings\All Users\Application Data\ezsid.dat
2006-12-29 19:15 626,688 -c--a-w f:\program files\Common Files\sapconsaccess.dll
2006-12-29 19:15 40,960 -c--a-w f:\program files\Common Files\DigitalSignature.ocx
2006-12-29 19:15 3,100,672 -c--a-w f:\program files\Common Files\sapxlhelper.dll
2006-12-29 19:15 192,512 -c--a-w f:\program files\Common Files\sapconsr3.dll
2006-12-07 14:26 1,129,984 -c--a-w f:\program files\Common Files\SAPActiveXL.xlt
2006-12-07 14:26 1,124,864 -c--a-w f:\program files\Common Files\SAPActiveXL_nosig.xlt
1995-07-17 20:04 60,388 -c--a-w f:\documents and settings\Vasilias\PATCH.EXE
2008-05-23 01:10 32,768 -csha-w f:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008052220080523\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="f:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="f:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="f:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"CTSysVol"="f:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="f:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"UpdReg"="f:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2009-01-17 136600]
"Launch LCDMon"="f:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096]
"Launch LGDCore"="f:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640]
"GrooveMonitor"="f:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvMediaCenter"="f:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"AppleSyncNotifier"="f:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="f:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="f:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"nwiz"="nwiz.exe" [2008-10-07 f:\windows\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2007-04-09 f:\windows\system32\CtHelper.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 f:\windows\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 f:\windows\KHALMNPR.Exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="f:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 f:\windows\system32\narrator.exe]
f:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - f:\program files\Logitech\SetPoint\SetPoint.exe [2008-07-21 805392]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 f:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=zqkzib.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= f:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"f:\\Program Files\\Minilyrics\\MLSetup.exe"=
"f:\\Program Files\\Minilyrics\\MLStart.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\Azureus\\Azureus.exe"=
"f:\\WINDOWS\\system32\\dplaysvr.exe"=
"f:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"f:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.EXE"=
"f:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"f:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"f:\\Program Files\\AIM6\\aim6.exe"=
"f:\\Program Files\\Skype\\Phone\\Skype.exe"=
"f:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"f:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"f:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"f:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"f:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"f:\\Program Files\\LimeWire\\LimeWire.exe"=
"f:\\WINDOWS\\system32\\LEXPPS.EXE"=
"f:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"f:\\Program Files\\MSN Messenger\\livecall.exe"=
"f:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"f:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"f:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour
"<NO NAME>"=
R2 Viewpoint Manager Service;Viewpoint Manager Service;f:\program files\Viewpoint\Common\ViewpointService.exe [2007-12-03 24652]
S4 PRISMSVC;PRISMSVC;f:\windows\system32\PRISMSVC.exe [2007-09-13 57344]
.
- - - - ORPHANS REMOVED - - - -
BHO-{ba31978a-1517-42c3-b95f-2c256bc498c7} - f:\windows\system32\zqkzib.dll
BHO-{eebadb64-03e5-40d4-99f9-dccd67de337b} - f:\windows\system32\iihutbpn.dll
BHO-{F1C02436-7C80-4FC6-A2EA-86018558BD9A} - f:\windows\system32\urqPhghF.dll
HKCU-Run-Aim6 - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bus.ucf.edu/video/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - f:\documents and settings\Vasilias\Application Data\Mozilla\Firefox\Profiles\ruwhns3j.default\
FF - component: f:\documents and settings\Vasilias\Application Data\Mozilla\Firefox\Profiles\ruwhns3j.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: f:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 12:00:31
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1390067357-1336601894-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:79,f4,00,ce,e9,50,ea,04,a9,fd,31,c2,98,0e,3b,a9,06,56,04,3b,f5,84,ce,
69,75,ba,41,fa,e1,57,d0,06,30,3f,35,2c,99,44,1f,2a,01,55,a2,b4,7a,0f,21,eb,\
"??"=hex:98,92,76,c1,aa,88,4f,41,49,86,ff,73,28,c6,e6,0d
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(724)
f:\program files\common files\logitech\bluetooth\LBTWlgn.dll
f:\program files\common files\logitech\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
f:\windows\system32\LEXBCES.EXE
f:\windows\system32\LEXPPS.EXE
f:\windows\system32\PRISMSVR.exe
f:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
f:\program files\Bonjour\mDNSResponder.exe
f:\windows\system32\CTSVCCDA.EXE
f:\program files\Java\jre6\bin\jqs.exe
f:\windows\system32\nvsvc32.exe
f:\program files\Windows Media Player\wmpnetwk.exe
f:\windows\system32\rundll32.exe
f:\windows\system32\rundll32.exe
f:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
f:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
f:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
f:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-04 12:11:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-04 17:10:58
Pre-Run: 85,652,926,464 bytes free
Post-Run: 85,927,727,104 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
f:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
206 --- E O F --- 2007-09-14 04:41:55