John,
Did everything that you said... Only one thing, there was no checkbox for resident TeaTimer to uncheck, so I didn't do that. Spybot popped up after ComboFix was done saying that it detected changes in the registry. I allowed all except the first two, which seemed to be changing my default search page. Also, when I restarted, IE was my default browser and I had to reset it to be Firefox. Why this change?
Here is my fresh HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:39 AM, on 1/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Luke\My Documents\Unzipped\TwoFingerScroll_1_0_5\TwoFingerScroll.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [TwoFingerScroll] C:\Documents and Settings\Luke\My Documents\Unzipped\TwoFingerScroll_1_0_5\TwoFingerScroll.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1769704819
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec Endpoint Protection\Rtvscan.exe
--
End of file - 5636 bytes
and my combofix log
ComboFix 09-01-21.04 - Luke 2009-01-27 7:52:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1142.751 [GMT -5:00]
Running from: c:\documents and settings\Luke\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\_006018_.tmp.dll
c:\windows\system32\_006019_.tmp.dll
c:\windows\system32\_006020_.tmp.dll
c:\windows\system32\_006021_.tmp.dll
c:\windows\system32\_006028_.tmp.dll
c:\windows\system32\_006029_.tmp.dll
c:\windows\system32\_006030_.tmp.dll
c:\windows\system32\_006031_.tmp.dll
c:\windows\system32\_006033_.tmp.dll
c:\windows\system32\_006034_.tmp.dll
c:\windows\system32\_006037_.tmp.dll
c:\windows\system32\_006038_.tmp.dll
c:\windows\system32\_006041_.tmp.dll
c:\windows\system32\_006042_.tmp.dll
c:\windows\system32\_006044_.tmp.dll
c:\windows\system32\_006047_.tmp.dll
c:\windows\system32\_006048_.tmp.dll
c:\windows\system32\_006053_.tmp.dll
c:\windows\system32\_006055_.tmp.dll
c:\windows\system32\_006058_.tmp.dll
c:\windows\system32\_006060_.tmp.dll
c:\windows\system32\_006061_.tmp.dll
c:\windows\system32\_006062_.tmp.dll
c:\windows\system32\_006063_.tmp.dll
c:\windows\system32\_006064_.tmp.dll
c:\windows\system32\_006067_.tmp.dll
c:\windows\system32\_006068_.tmp.dll
c:\windows\system32\_006069_.tmp.dll
c:\windows\system32\_006070_.tmp.dll
c:\windows\system32\_006071_.tmp.dll
c:\windows\system32\_006076_.tmp.dll
c:\windows\system32\_006078_.tmp.dll
c:\windows\system32\_006079_.tmp.dll
c:\windows\system32\w70n5msg.dll
.
((((((((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 )))))))))))))))))))))))))))))))
.
2009-01-27 07:15 . 2009-01-27 07:15 <DIR> d-------- c:\program files\Roxio
2009-01-27 07:14 . 2009-01-27 07:15 <DIR> d-------- c:\program files\Common Files\Adaptec Shared
2009-01-27 07:04 . 2009-01-27 07:04 57,344 --a------ c:\windows\uneng.exe
2009-01-23 18:51 . 2009-01-24 13:18 <DIR> d-------- c:\documents and settings\Luke\Application Data\Move Networks
2009-01-23 14:32 . 2009-01-23 14:32 <DIR> d-------- c:\program files\SystemRequirementsLab
2009-01-23 14:31 . 2009-01-23 14:32 <DIR> d-------- c:\documents and settings\Luke\Application Data\SystemRequirementsLab
2009-01-23 09:45 . 2009-01-23 09:45 <DIR> d-------- c:\documents and settings\Luke\Application Data\InterVideo
2009-01-23 09:44 . 2009-01-23 09:44 <DIR> d-------- c:\program files\InterVideo
2009-01-16 10:28 . 2009-01-16 10:28 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-16 10:28 . 2009-01-16 10:28 45,056 --a------ c:\windows\NCUNINST.EXE
2009-01-16 00:18 . 2001-08-17 13:47 12,928 --a------ c:\windows\system32\drivers\Dot4Prt.sys
2009-01-16 00:18 . 2001-08-17 13:47 12,928 --a--c--- c:\windows\system32\dllcache\dot4prt.sys
2009-01-16 00:17 . 2008-04-13 13:39 206,976 --a------ c:\windows\system32\drivers\Dot4.sys
2009-01-16 00:17 . 2008-04-13 13:39 206,976 --a--c--- c:\windows\system32\dllcache\dot4.sys
2009-01-16 00:17 . 2001-08-17 13:47 23,808 --a------ c:\windows\system32\drivers\Dot4usb.sys
2009-01-16 00:17 . 2001-08-17 13:47 23,808 --a--c--- c:\windows\system32\dllcache\dot4usb.sys
2009-01-16 00:15 . 2009-01-16 00:15 <DIR> d-------- c:\program files\Common Files\SWF Studio
2009-01-16 00:15 . 2009-01-16 00:18 245,691 --a------ c:\windows\hplj1010.his
2009-01-16 00:15 . 2009-01-16 00:18 17,542 --a------ c:\windows\hplj1010.ini
2009-01-16 00:11 . 2009-01-16 00:11 <DIR> d-------- C:\lj1010seriesprintsys
2009-01-15 14:15 . 2009-01-15 14:15 <DIR> d-------- c:\program files\SecureW2
2009-01-15 14:15 . 2009-01-15 14:15 <DIR> d-------- c:\program files\Penn Netapps 2007
2009-01-14 22:50 . 2009-01-14 22:50 <DIR> d-------- c:\program files\Synaptics
2009-01-14 22:50 . 2008-10-16 16:19 231,808 --a------ c:\windows\system32\drivers\SynTP.sys
2009-01-14 22:50 . 2008-10-16 16:23 200,704 --a------ c:\windows\system32\SynCtrl.dll
2009-01-14 22:50 . 2008-10-16 16:22 163,840 --a------ c:\windows\system32\SynCOM.dll
2009-01-14 22:50 . 2008-10-16 16:38 155,648 --a------ c:\windows\system32\SynTPAPI.dll
2009-01-14 22:50 . 2008-10-16 16:57 114,688 --a------ c:\windows\system32\SynTPCo4.dll
2009-01-14 11:41 . 2009-01-14 11:41 <DIR> d-------- c:\windows\Sun
2009-01-14 11:24 . 2009-01-14 11:24 <DIR> d-------- c:\program files\Softi Software
2009-01-14 11:24 . 2009-01-14 11:24 <DIR> d-------- c:\documents and settings\Luke\Application Data\Softi Software
2009-01-14 10:55 . 2009-01-14 11:01 <DIR> d-------- C:\UniScan
2009-01-14 10:55 . 2007-01-17 02:19 438,272 -ra------ c:\windows\system32\hp2436co.dll
2009-01-14 10:55 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-01-14 10:55 . 2008-04-13 13:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-01-14 10:53 . 2009-01-14 10:53 <DIR> d-------- c:\documents and settings\Luke\Application Data\HP
2009-01-14 10:52 . 2009-01-14 10:52 <DIR> d-------- c:\program files\Common Files\HP
2009-01-14 10:51 . 2009-01-14 10:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-01-14 10:51 . 2009-01-14 10:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2009-01-14 10:50 . 2009-01-14 10:51 <DIR> d-------- c:\program files\HP
2009-01-14 10:50 . 2009-01-16 00:17 <DIR> d-------- c:\program files\Hewlett-Packard
2009-01-14 10:50 . 2009-01-14 10:50 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2009-01-14 10:47 . 2009-01-14 10:53 127,736 --a------ c:\windows\hpgins24.dat
2009-01-14 10:47 . 2007-04-23 12:04 308 --------- c:\windows\hpgmdl24.dat
2009-01-13 22:04 . 2009-01-26 12:33 4,197,414 --a------ c:\windows\pfirewall.log.old
2009-01-13 15:36 . 2009-01-13 15:36 <DIR> d-------- c:\program files\AskBarDis
2009-01-13 15:35 . 2009-01-13 15:35 <DIR> d-------- c:\documents and settings\Luke\Application Data\Foxit
2009-01-13 08:09 . 2009-01-13 08:09 <DIR> d-------- c:\documents and settings\Luke\Application Data\OpenOffice.org
2009-01-13 07:59 . 2009-01-13 07:59 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-01-13 07:59 . 2009-01-13 07:59 <DIR> d-------- c:\program files\JRE
2009-01-13 07:58 . 2009-01-13 07:58 <DIR> d-------- c:\program files\Common Files\Java
2009-01-12 18:40 . 2009-01-12 18:40 <DIR> d-------- c:\program files\CCleaner
2009-01-12 18:27 . 2009-01-12 18:28 <DIR> d-------- c:\program files\Symantec
2009-01-12 18:27 . 2007-03-21 20:33 503,808 --a------ c:\windows\system32\MSVCP71.DLL
2009-01-12 18:27 . 2007-03-21 20:33 348,160 --a------ c:\windows\system32\MSVCR71.DLL
2009-01-12 18:27 . 2009-01-12 18:28 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-12 18:27 . 2009-01-12 18:28 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2009-01-12 18:27 . 2009-01-12 18:28 10,563 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-12 18:27 . 2009-01-12 18:28 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-01-12 18:26 . 2009-01-12 18:32 <DIR> d-------- c:\program files\Symantec Endpoint Protection
2009-01-12 15:35 . 2009-01-12 16:40 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-12 15:35 . 2009-01-12 16:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-12 15:13 . 2009-01-12 15:13 <DIR> d-------- c:\program files\Trend Micro
2009-01-12 13:42 . 2009-01-12 14:45 <DIR> d-------- c:\program files\Foxit Software
2009-01-12 12:53 . 2009-01-12 14:47 <DIR> d-------- c:\documents and settings\Luke\Application Data\.purple
2009-01-12 12:52 . 2009-01-24 15:47 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-01-12 12:52 . 2009-01-12 14:47 <DIR> d-------- c:\program files\Pidgin
2009-01-12 12:51 . 2009-01-12 12:51 <DIR> d-------- c:\program files\Common Files\GTK
2009-01-12 12:48 . 2009-01-12 12:50 <DIR> d-------- c:\program files\Common Files\Real
2009-01-12 12:47 . 2008-10-15 20:00 666,112 -----c--- c:\windows\system32\dllcache\wininet.dll
2009-01-12 12:47 . 2008-12-11 05:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-01-12 12:47 . 2008-06-13 06:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-01-12 12:47 . 2008-08-14 05:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2009-01-12 12:46 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-12 12:46 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-12 12:46 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-01-12 12:46 . 2008-10-15 20:00 1,499,136 -----c--- c:\windows\system32\dllcache\shdocvw.dll
2009-01-12 12:46 . 2008-10-15 20:00 619,520 -----c--- c:\windows\system32\dllcache\urlmon.dll
2009-01-12 12:45 . 2008-12-12 12:01 3,067,904 -----c--- c:\windows\system32\dllcache\mshtml.dll
2009-01-12 12:45 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-12 12:45 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-12 12:45 . 2008-04-11 14:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-01-12 12:45 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-12 12:45 . 2008-05-01 09:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-01-12 12:45 . 2008-05-08 09:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-01-12 12:44 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-01-12 12:44 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-01-12 12:42 . 2008-04-13 19:12 221,184 --a------ c:\windows\system32\wmpns.dll
2009-01-12 12:38 . 2009-01-12 13:18 <DIR> d-------- c:\program files\Rhapsody
2009-01-12 12:34 . 2009-01-12 12:34 <DIR> d-------- c:\documents and settings\Luke\Application Data\Scientific Software
2009-01-12 12:33 . 2009-01-12 12:33 <DIR> d-------- c:\program files\Scientific Software
2009-01-12 12:33 . 2009-01-12 12:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Scientific Software
2009-01-12 12:29 . 2009-01-12 12:29 <DIR> d-------- c:\windows\system32\scripting
2009-01-12 12:29 . 2009-01-12 12:29 <DIR> d-------- c:\windows\system32\en
2009-01-12 12:29 . 2009-01-12 12:29 <DIR> d-------- c:\windows\l2schemas
2009-01-12 11:56 . 2008-09-09 20:14 1,307,648 --------- c:\windows\system32\msxml6.dll
2009-01-12 11:55 . 2006-10-18 21:47 991,744 -----c--- c:\windows\system32\dllcache\drmv2clt.dll
2009-01-12 11:20 . 2009-01-21 10:59 <DIR> d-------- c:\documents and settings\Luke\.freemind
2009-01-12 11:18 . 2009-01-12 11:18 <DIR> d-------- c:\program files\FreeMind
2009-01-12 11:10 . 2009-01-13 07:59 <DIR> d-------- c:\program files\Java
2009-01-12 11:10 . 2009-01-12 11:10 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-12 11:10 . 2009-01-12 11:10 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-12 10:53 . 2009-01-27 07:33 <DIR> d-------- c:\program files\Mozilla Thunderbird
2009-01-12 10:53 . 2009-01-12 10:53 <DIR> d-------- c:\documents and settings\Luke\Application Data\Thunderbird
2009-01-12 10:53 . 2009-01-12 10:53 <DIR> d-------- c:\documents and settings\Luke\Application Data\Talkback
2009-01-12 10:47 . 2009-01-12 10:47 0 --a------ c:\windows\nsreg.dat
2009-01-12 10:25 . 2009-01-24 15:47 316,640 --a------ c:\windows\WMSysPr9.prx
2009-01-12 10:24 . 2009-01-12 10:24 <DIR> d-------- c:\windows\provisioning
2009-01-12 10:24 . 2009-01-12 12:29 <DIR> d-------- c:\windows\peernet
2009-01-12 10:21 . 2009-01-12 12:31 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-12 10:13 . 2009-01-12 12:10 <DIR> d-------- c:\windows\EHome
2009-01-12 10:01 . 2002-04-15 21:11 67,866 --------- c:\windows\system32\drivers\netwlan5.img
2009-01-12 10:01 . 2008-04-14 05:42 11,264 --------- c:\windows\system32\spnpinst.exe
2009-01-12 10:01 . 2004-08-02 14:20 7,208 --------- c:\windows\system32\secupd.sig
2009-01-12 10:01 . 2004-08-02 14:20 4,569 --------- c:\windows\system32\secupd.dat
2009-01-12 09:43 . 2009-01-12 18:30 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-01-12 09:43 . 2009-01-12 18:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-01-12 09:43 . 2007-03-21 20:39 1,060,864 --a------ c:\windows\system32\MFC71.DLL
2009-01-12 09:38 . 2009-01-23 00:39 <DIR> d-------- c:\windows\Internet Logs
2009-01-12 09:38 . 2009-01-12 09:38 <DIR> d-------- c:\program files\Common Files\Deterministic Networks
2009-01-12 09:38 . 2009-01-12 09:38 <DIR> d-------- c:\program files\Cisco Systems
2009-01-12 09:38 . 2007-01-31 13:45 127,376 --a------ c:\windows\system32\drivers\dne2000.sys
2009-01-12 09:38 . 2007-01-31 13:45 101,904 --a------ c:\windows\system32\dneinobj.dll
2009-01-12 09:38 . 2009-01-12 09:38 1,593 --a------ c:\windows\VPNInstall.MIF
2009-01-12 09:34 . 2009-01-12 09:34 <DIR> d-ah----- c:\program files\Penn Netapps 2008
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 12:15 30,630 ----a-w c:\windows\system32\drivers\Mmc_2k.sys
2009-01-27 12:15 25,898 ----a-w c:\windows\system32\drivers\Dvd_2k.sys
2009-01-27 12:15 206,464 ----a-w c:\windows\system32\drivers\udfreadr_xp.sys
2009-01-27 12:15 143,834 ----a-w c:\windows\system32\drivers\pwd_2K.sys
2009-01-23 14:44 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-12 17:28 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-12 14:09 --------- d-----w c:\program files\SigmaTel
2009-01-12 14:00 --------- d-----w c:\program files\Intel
2009-01-12 13:59 --------- d-----w c:\program files\Broadcom
2009-01-12 13:58 --------- d-----w c:\program files\CONEXANT
2009-01-12 13:44 --------- d-----w c:\program files\microsoft frontpage
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"TwoFingerScroll"="c:\documents and settings\Luke\My Documents\Unzipped\TwoFingerScroll_1_0_5\TwoFingerScroll.exe" [2008-10-23 305664]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmaTel StacMon"="c:\program files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2004-04-29 90169]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 86016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-12-18 115560]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-10-16 1347584]
"MP10_EnsureFileVer"="c:\windows\inf\unregmp2.exe" [2008-04-13 208896]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-12 06:55 110592 c:\windows\system32\LgNotify.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-02-25 16:38 118784 c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-03-11 21:34 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-02-25 16:42 155648 c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
--a------ 2002-12-16 16:51 36864 c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-01-12 11:10 136600 c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
--a------ 2003-03-31 19:28 155648 c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-12 99376]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-12-18 23888]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-Symantec Antvirus
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\Luke\Application Data\Mozilla\Firefox\Profiles\lqsz8882.default\
FF - plugin: c:\documents and settings\Luke\Application Data\Mozilla\Firefox\Profiles\lqsz8882.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000005.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 07:54:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1332)
c:\windows\System32\LgNotify.dll
.
Completion time: 2009-01-27 7:56:25
ComboFix-quarantined-files.txt 2009-01-27 12:56:09
Pre-Run: 24,459,042,816 bytes free
Post-Run: 24,844,783,616 bytes free
274 --- E O F --- 2009-01-27 12:39:10
Thanks,
Luke