ComboFix 08-09-15.02 - stephensaunders 2008-09-16 19:30:57.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.726 [GMT -7:00]
Running from: C:\Documents and Settings\stephensaunders\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\stephensaunders\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\stephensaunders\Cookies\stephensaunders@revsci[2].txt
C:\WINDOWS\system32\msjetwo.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MSJETWOD
-------\Service_msjetwod
((((((((((((((((((((((((( Files Created from 2008-08-17 to 2008-09-17 )))))))))))))))))))))))))))))))
.
2008-09-14 18:58 . 2008-09-14 18:58 <DIR> d-------- C:\Documents and Settings\stephensaunders\Application Data\GTek
2008-09-14 18:58 . 2008-09-14 18:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gtek
2008-09-14 18:58 . 2008-09-14 18:58 4,372 --a------ C:\WINDOWS\system32\OEMINFO.PNF
2008-09-07 20:20 . 2008-09-07 20:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-07 20:20 . 2008-09-07 20:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-04 22:11 . 2008-09-04 22:11 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-09-04 22:00 . 2008-09-04 22:13 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-09-04 21:52 . 2008-09-08 10:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-09-02 21:47 . 2008-09-02 21:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-27 10:13 . 2008-08-27 10:13 <DIR> d-------- C:\Program Files\IBM
2008-08-25 15:09 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-08-24 23:14 . 2008-08-24 23:51 <DIR> d-------- C:\Program Files\Perfect Process
2008-08-18 12:30 . 2008-09-13 19:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 12:30 . 2008-08-18 12:30 <DIR> d-------- C:\Documents and Settings\stephensaunders\Application Data\Malwarebytes
2008-08-18 12:30 . 2008-08-18 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 12:30 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-18 12:30 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-16 04:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-16 04:55 --------- d-----w C:\Program Files\Full Tilt Poker
2008-09-14 01:21 --------- d-----w C:\Program Files\MozyHome
2008-08-27 17:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\PureEdge
2008-08-25 00:42 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-22 04:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-22 04:11 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-18 18:54 --------- d-----w C:\Program Files\Google
2008-08-13 16:55 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-07-29 20:55 60,744 ----a-w C:\Documents and Settings\stephensaunders\g2mdlhlpx.exe
2008-07-28 03:15 --------- d-----w C:\Documents and Settings\stephensaunders\Application Data\Move Networks
2008-07-19 19:46 --------- d-----w C:\Program Files\Sun
2008-07-19 19:45 --------- d-----w C:\Program Files\Java
2008-07-18 19:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
.
((((((((((((((((((((((((((((( snapshot@2008-09-15_22.10.38.16 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-16 03:48:08 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-16 20:48:04 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-09-16 03:48:08 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-16 20:48:04 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-09-16 03:48:08 278,528 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-16 20:48:04 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-12-24 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-12-24 118784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-24 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"masqform.exe"="C:\Program Files\IBM\Lotus Forms\Viewer\3.0\masqform.exe" [2008-01-17 991232]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 471040]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-16 19:35:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-16 19:37:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-17 02:37:16
ComboFix2.txt 2008-09-16 05:11:02
ComboFix3.txt 2008-09-08 04:03:55
Pre-Run: 53,222,658,048 bytes free
Post-Run: 53,321,175,040 bytes free
110 --- E O F --- 2008-05-25 17:59:45
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, September 18, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, September 19, 2008 01:29:30
Records in database: 1248510
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Files scanned: 45319
Threat name: 18
Infected objects: 18
Suspicious objects: 3
Duration of the scan: 01:18:06
File name / Threat name / Threats count
C:\Documents and Settings\stephensaunders\Desktop\outlook backup\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\stephensaunders\Desktop\outlook backup 9.12.08\totalbackups.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\afisicx.exe.vir Infected: Trojan.Win32.Agent.abat 1
C:\QooBox\Quarantine\C\WINDOWS\system32\atsxyzd.sys.vir Infected: Trojan.Win32.DNSChanger.ipe 1
C:\QooBox\Quarantine\C\WINDOWS\system32\mabidwe.exe.vir Infected: Trojan.Win32.Agent.ackj 1
C:\QooBox\Quarantine\C\WINDOWS\system32\macidwe.exe.vir Infected: Trojan.Win32.Agent.aaxm 1
C:\QooBox\Quarantine\C\WINDOWS\system32\Nobicyt.exe.vir Infected: Trojan.Win32.Agent.aaxn 1
C:\QooBox\Quarantine\C\WINDOWS\system32\noxtcyr.exe.vir Infected: Trojan.Win32.Agent.abav 1
C:\QooBox\Quarantine\C\WINDOWS\system32\oduxftw.sys.vir Infected: Trojan-Clicker.Win32.VB.buv 1
C:\QooBox\Quarantine\C\WINDOWS\system32\roxtctm.exe.vir Infected: Trojan.Win32.Agent.abbe 1
C:\QooBox\Quarantine\C\WINDOWS\system32\roytctm.exe.vir Infected: Trojan.Win32.Agent.aclf 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sobicyt.exe.vir Infected: Trojan.Win32.Agent.abbh 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sotpeca.exe.vir Infected: Trojan.Win32.Agent.actu 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tdxdowkc.exe.vir Infected: Trojan.Win32.Agent.aaxl 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tdydowkc.exe.vir Infected: Trojan.Win32.Agent.acid 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tpszxyd.sys.vir Infected: Trojan-Downloader.Win32.Delf.oay 1
C:\QooBox\Quarantine\catchme2008-09-16_193236.45.zip Infected: Trojan.Win32.Slefdel.bcs 1
C:\WINDOWS\system32\fduvfct.sys Infected: Trojan-Clicker.Win32.VB.bts 1
C:\WINDOWS\system32\tmp0_145960332846.bk.old Infected: Trojan.Win32.DNSChanger.ipe 1
C:\WINDOWS\system32\xdufytw.sys Infected: Trojan-Clicker.Win32.VB.byh 1
The selected area was scanned.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:37 PM, on 09/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nwmls.com/login/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PE_IE_Helper Class - {0941C58F-E461-4E03-BD7D-44C27392ADE1} - C:\Program Files\IBM\Lotus Forms\Viewer\3.0\PEhelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\IBM\Lotus Forms\Viewer\3.0\masqform.exe -RunOnce"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.nwmls.com
O15 - Trusted Zone: http://*.rapmls.com
O16 - DPF: PUFLITE - http://stephensaunders.point2agent.com/ ... UFLITE.CAB
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInCon ... ontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1928172581
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk ... 586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cbba.net
O17 - HKLM\Software\..\Telephony: DomainName = cbba.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cbba.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cbba.net
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
--
End of file - 6855 bytes