ComboFix 08-05-29.1 - glazier 2008-05-31 10:50:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.34 [GMT -4:00]
Running from: C:\Documents and Settings\glazier\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\glazier\Application Data\inst.exe
C:\Program Files\msupdate
C:\Program Files\winsupdater
C:\WINDOWS\2.exe
C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\system32\andt.sys
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\drmgs.sys
C:\WINDOWS\system32\Indt2.sys
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\ttstv.bak1
C:\WINDOWS\system32\WServing.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AFINDING
-------\Legacy_PERFMONS
-------\Legacy_ROUTING
-------\Legacy_WSERVING
-------\Service_AFinding
-------\Service_perfmons
-------\Service_Routing
-------\Service_WServing
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.
2008-05-29 23:53 . 2008-05-29 23:53 <DIR> d-------- C:\Program Files\CandleWorks
2008-05-27 20:03 . 2008-05-27 20:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-27 20:03 . 2008-05-27 20:03 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-27 18:43 . 2008-05-27 18:43 <DIR> d-------- C:\Program Files\Ashampoo
2008-05-27 09:49 . 2008-05-27 09:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-27 09:49 . 2008-05-27 09:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-19 18:09 . 2008-05-19 18:09 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-05-17 16:55 . 2008-05-17 16:51 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-17 16:55 . 2008-05-17 16:55 2,552 --a------ C:\WINDOWS\unins000.dat
2008-05-14 19:35 . 2008-05-14 19:35 <DIR> d-------- C:\Documents and Settings\glazier\Application Data\Sauce
2008-05-14 19:19 . 2008-05-14 19:19 <DIR> d-------- C:\Program Files\Disney
2008-04-25 22:36 . 2008-04-25 22:54 <DIR> d-------- C:\Program Files\CachemanXP
2008-04-22 22:31 . 2008-04-22 22:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ashampoo
2008-04-09 12:54 . 2008-04-09 12:54 148 --a------ C:\WINDOWS\system32\1.tsk
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-31 14:45 --------- d-----w C:\Documents and Settings\glazier\Application Data\Azureus
2008-05-31 12:20 --------- d-----w C:\Documents and Settings\glazier\Application Data\Vso
2008-05-27 17:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-26 22:18 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-05-25 19:01 2,516 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-05-20 15:29 --------- d-----w C:\Program Files\Trojan Remover
2008-05-20 15:26 --------- d-----w C:\Program Files\Canon
2008-05-19 22:53 --------- d-----w C:\Documents and Settings\glazier\Application Data\MSN6
2008-05-19 22:14 313,856 ----a-w C:\WINDOWS\system32\ndt2.sys
2008-05-19 22:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-19 22:10 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-19 22:10 --------- d-----w C:\Program Files\MagicDVDRipper
2008-05-19 22:10 --------- d-----w C:\Program Files\CyberLink
2008-05-19 22:09 --------- d-----w C:\Documents and Settings\glazier\Application Data\Move Networks
2008-05-14 10:27 880,432 -c--a-w C:\WINDOWS\system32\drivers\vetefile.sys
2008-05-14 10:27 108,368 -c--a-w C:\WINDOWS\system32\drivers\veteboot.sys
2008-05-12 18:12 --------- d-----w C:\Documents and Settings\glazier\Application Data\dvdcss
2008-04-23 00:21 --------- d-----w C:\Documents and Settings\glazier\Application Data\LimeWire
2008-04-19 00:08 --------- d-----w C:\Program Files\Azureus
2008-04-17 00:11 91,400 ----a-w C:\WINDOWS\system32\isafprod.dll
2008-04-17 00:11 32,264 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-04-17 00:11 26,376 ----a-w C:\WINDOWS\system32\drivers\vet-filt.sys
2008-04-17 00:11 21,512 ----a-w C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-04-17 00:11 21,128 ----a-w C:\WINDOWS\system32\drivers\vet-rec.sys
2008-04-06 18:56 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-29 12:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2008-03-27 08:12 151,583 -c--a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-26 11:59 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-01-20 14:43 50,248 -c--a-w C:\Documents and Settings\glazier\Application Data\GDIPFONTCACHEV1.DAT
2007-06-09 00:20 47,360 -c--a-w C:\Documents and Settings\glazier\Application Data\pcouffin.sys
2007-05-31 02:42 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2008-01-22 03:54 88 -csh--r C:\WINDOWS\system32\EA4A8AEED1.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe" [2005-03-17 11:10 536576]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-05-25 13:37 181512]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 06:43 57344]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 22:26 368706]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-04-16 20:11 234760]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"= 1 (0x1)
"NoStrCmpLogical"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoStrCmpLogical"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dllhost.exe]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Live Menu.lnk]
backup=C:\WINDOWS\pss\Live Menu.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
H:\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2005-12-20 21:54 278528 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
-----c--- 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Fix It]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a--c--- 2005-10-24 16:53 307200 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a--c--- 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"AnyDVD"=C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 03:56]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-04 01:29]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 02:01]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 08:48]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-01-12 19:43]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E888}]
C:\Documents and Settings\glazier\My Documents\Azureus Downloads\SlySoft AnyDVD-AnyDVD HD 6.3.10(NEW-UPDATED)\SlySoft AnyDVD-AnyDVD HD 6.3.10\AnyDVD_leftover_killer\anydvd_leftover_killer13.exe -M
.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 21:18:37 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-05-31 15:08:52 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2008-05-31 11:06:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
.
**************************************************************************
.
Completion time: 2008-05-31 11:18:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-31 15:18:10
Pre-Run: 8,010,166,272 bytes free
Post-Run: 7,989,530,624 bytes free
214 --- E O F --- 2008-05-29 23:10:00
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:10 AM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://my.att.net/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
http://www.kaspersky.com/kos/eng/partne ... nicode.cabO16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) -
https://ediagnostics.lexmark.com/serval.cabO23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
--
End of file - 4808 bytes