ComboFix 10-05-04.04 - Melinda 05/04/2010 22:00:10.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.182 [GMT -5:00]
Running from: c:\documents and settings\Melinda\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Melinda\Desktop\CFScript.txt
* Created a new restore point
FILE ::
"c:\windows\Sjugodamape.bin"
file zipped: c:\documents and settings\NetworkService\Application Data\capmfe.dat
file zipped: c:\documents and settings\NetworkService\Application Data\glchvt.dat
file zipped: c:\windows\Ijuwu.dat
file zipped: c:\windows\system32\drivers\oxcjtk.sys
file zipped: c:\windows\system32\drivers\yohfpzum.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\NetworkService\Application Data\capmfe.dat
c:\documents and settings\NetworkService\Application Data\glchvt.dat
c:\program files\WindowsUpdate
c:\windows\Ijuwu.dat
c:\windows\Sjugodamape.bin
.
((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))
.
2010-04-30 01:30 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-30 01:30 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 22:49 . 2004-08-10 11:00 1677824 ----a-w- c:\windows\system32\dllcache\chsbrkr.dll
2010-04-28 22:49 . 2004-08-10 11:00 1677824 ----a-w- c:\windows\system32\chsbrkr.dll
2010-04-28 22:49 . 2004-08-10 11:00 838144 ----a-w- c:\windows\system32\dllcache\chtbrkr.dll
2010-04-28 22:49 . 2004-08-10 11:00 838144 ----a-w- c:\windows\system32\chtbrkr.dll
2010-04-28 22:49 . 2004-08-10 11:00 70656 ----a-w- c:\windows\system32\korwbrkr.dll
2010-04-28 22:49 . 2004-08-10 11:00 70656 ----a-w- c:\windows\system32\dllcache\korwbrkr.dll
2010-04-28 22:49 . 2004-08-10 11:00 98304 ----a-w- c:\windows\system32\msir3jp.dll
2010-04-28 22:49 . 2004-08-10 11:00 98304 ----a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-04-28 22:49 . 2004-08-10 11:00 10096640 ----a-w- c:\windows\system32\dllcache\hwxcht.dll
2010-04-28 22:47 . 2004-08-10 11:00 57398 ----a-w- c:\windows\system32\dllcache\imjpdadm.exe
2010-04-17 23:51 . 2010-04-17 23:51 96512 ----a-w- c:\windows\system32\drivers\yohfpzum.sys
2010-04-17 20:49 . 2010-04-17 23:51 -------- d-----w- c:\windows\system32\MpEngineStore
2010-04-15 23:32 . 2010-04-15 23:34 -------- d-----w- c:\documents and settings\Melinda\Application Data\U3
2010-04-15 02:05 . 2010-01-06 05:51 307672 ----a-w- c:\documents and settings\Melinda\Application Data\Yahoo!\Mail\attach\firefox[4].exe
2010-04-15 01:37 . 2010-01-06 05:51 307672 ----a-w- c:\documents and settings\Melinda\Application Data\Yahoo!\Mail\attach\firefox[1].exe
2010-04-15 01:37 . 2010-01-06 05:51 307672 ----a-w- c:\documents and settings\Melinda\Application Data\Yahoo!\Mail\attach\firefox[0].exe
2010-04-15 01:36 . 2010-01-06 05:51 307672 ----a-w- c:\documents and settings\Melinda\Application Data\Yahoo!\Mail\attach\firefox.exe
2010-04-13 22:20 . 2010-04-30 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-04-13 22:20 . 2010-04-13 22:20 -------- d-----w- c:\program files\BitDefender
2010-04-13 22:15 . 2010-04-30 01:20 -------- d-----w- c:\program files\Common Files\BitDefender
2010-04-13 03:07 . 2010-04-28 22:13 -------- d-----w- c:\documents and settings\Melinda\Local Settings\Application Data\Temp
2010-04-13 03:06 . 2010-04-13 03:07 -------- d-----w- c:\documents and settings\Melinda\Local Settings\Application Data\Deployment
2010-04-11 06:28 . 2010-04-11 06:28 -------- d-----w- c:\documents and settings\Melinda\Application Data\Yahoo!
2010-04-10 21:41 . 2010-04-10 21:41 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-10 19:47 . 2010-04-10 19:47 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-10 19:44 . 2010-04-10 19:44 -------- d-----w- c:\program files\ESPNMotion
2010-04-10 19:44 . 2010-04-10 19:44 -------- d-----w- c:\program files\DIGStream
2010-04-10 19:44 . 2010-04-10 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\DIGStream
2010-04-10 19:43 . 2010-04-10 19:44 -------- d-----w- c:\program files\Picasa2
2010-04-10 19:43 . 2010-04-10 19:43 -------- d-----w- c:\program files\Sketchpad
2010-04-10 19:42 . 2010-04-10 19:42 -------- d-----w- c:\documents and settings\Melinda\Application Data\Grisoft
2010-04-10 19:42 . 2010-04-10 19:42 -------- d-----w- c:\program files\Dr.STIKA PLUS
2010-04-10 19:39 . 2010-04-10 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-04-06 14:47 . 2010-04-06 14:47 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-06 14:47 . 2010-04-28 02:25 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-06 09:10 . 2010-04-10 19:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-30 01:30 . 2010-03-06 22:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-18 01:11 . 2004-08-04 04:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-17 18:00 . 2005-11-15 16:10 -------- d-----w- c:\program files\Intel
2010-04-13 03:06 . 2005-12-28 03:34 158040 ----a-w- c:\documents and settings\Melinda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-10 19:46 . 2005-11-15 16:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-10 19:44 . 2008-04-25 20:09 -------- d-----w- c:\program files\MathMagic Personal Edition
2010-04-10 19:44 . 2005-11-28 03:41 -------- d-----w- c:\documents and settings\Melinda\Application Data\Aim
2010-04-10 19:44 . 2005-11-19 19:48 -------- d-----w- c:\program files\AIM
2010-04-10 19:44 . 2006-01-14 21:08 -------- d-----w- c:\program files\iLuminaStarter
2010-04-10 19:43 . 2005-11-19 20:12 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-10 19:24 . 2005-11-19 19:49 -------- d-----w- c:\program files\Yahoo!
2010-04-10 16:15 . 2005-11-15 16:07 -------- d-----w- c:\program files\Common Files\Java
2010-04-10 16:11 . 2005-11-15 16:07 -------- d-----w- c:\program files\Java
2010-03-10 04:33 . 2005-08-16 10:18 1509888 ----a-w- c:\windows\system32\shdocvw(2)(2).dll
2010-03-09 11:09 . 2005-08-16 10:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 23:16 . 2010-03-06 23:16 -------- d-----w- c:\documents and settings\Melinda\Application Data\Malwarebytes
2010-03-06 22:41 . 2010-03-06 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-04 02:55 . 2010-03-04 02:41 792064 ----a-w- c:\windows\system32\drivers\oxcjtk.sys
2010-02-26 05:43 . 2005-08-16 10:18 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2005-08-16 10:18 667136 ----a-w- c:\windows\system32\wininet(2)(2).dll
2010-02-26 05:43 . 2005-08-16 10:18 627712 ----a-w- c:\windows\system32\urlmon(2)(2).dll
2010-02-26 05:43 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 13:11 . 2005-11-15 15:49 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2005-08-16 10:18 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 04:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2005-08-16 10:18 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2005-08-16 10:18 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-07-13 15:36 . 2005-12-26 19:00 104 --sh--r- c:\windows\system32\2642E71EC2.sys
2009-07-13 15:36 . 2006-01-27 00:50 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-08-20 3084288]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SmileboxTray"="c:\documents and settings\Melinda\Application Data\Smilebox\SmileboxTray.exe" [2009-12-07 266888]
"Google Update"="c:\documents and settings\Melinda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-13 136176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-09 110592]
"PRISMSVR.EXE"="c:\windows\system32\PRISMSVR.EXE" [2004-10-04 327769]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 74672]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 295856]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-30 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2008-10-30 136768]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-3-10 757760]
Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2005-11-15 917611]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\lxczcoms.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [9/11/2006 10:06 PM 72672]
S3 FZPGQOWYV;FZPGQOWYV;c:\docume~1\Melinda\LOCALS~1\Temp\FZPGQOWYV.exe --> c:\docume~1\Melinda\LOCALS~1\Temp\FZPGQOWYV.exe [?]
S3 STGXZAXWU;STGXZAXWU;c:\docume~1\Melinda\LOCALS~1\Temp\STGXZAXWU.exe --> c:\docume~1\Melinda\LOCALS~1\Temp\STGXZAXWU.exe [?]
S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [11/15/2005 11:08 AM 57344]
.
Contents of the 'Scheduled Tasks' folder
2010-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]
2010-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1112748904-2215562131-1854604127-1006Core.job
- c:\documents and settings\Melinda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-13 03:07]
2010-05-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1112748904-2215562131-1854604127-1006UA.job
- c:\documents and settings\Melinda\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-13 03:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
mStart Page = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Melinda\Application Data\Mozilla\Firefox\Profiles\kyw9vy6g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_ve ... yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-05-04 22:07
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2010-05-04 22:13:28
ComboFix-quarantined-files.txt 2010-05-05 03:13
ComboFix2.txt 2010-04-28 03:04
Pre-Run: 48,775,815,168 bytes free
Post-Run: 48,738,119,680 bytes free
- - End Of File - - 6EABBC6DD82E886A3F0992229FB99826
Upload was successful