Combofix logComboFix 09-02-05.01 - dag 2009-02-06 9:41:11.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.583 [GMT -5:00]
Running from: c:\documents and settings\dag\Desktop\dag\ComboFix.exe
Command switches used :: c:\documents and settings\dag\Desktop\dag\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
.
2009-02-05 18:51 . 2009-02-05 18:51 <DIR> d-------- c:\documents and settings\dag\Application Data\Malwarebytes
2009-02-05 18:51 . 2009-02-05 18:51 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-02-05 18:51 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-05 18:51 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-04 16:24 . 2009-02-04 16:24 4,212 --ah----- c:\windows\system32\zllictbl.dat
2009-02-04 16:22 . 2009-02-05 17:39 <DIR> d-------- c:\windows\Internet Logs
2009-02-03 16:48 . 2009-02-03 16:48 <DIR> d-------- C:\Binaries
2009-02-03 01:45 . 2009-02-04 15:30 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\_comodo_
2009-02-02 22:18 . 2009-02-02 22:24 <DIR> d-------- c:\documents and settings\dag\.housecall6.6
2009-02-02 22:18 . 2009-02-02 22:18 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-19 22:07 . 2009-01-19 22:07 <DIR> d-------- c:\windows\Sun
2009-01-07 20:15 . 2009-01-07 20:15 <DIR> d-------- c:\documents and settings\dag\Application Data\Red Kawa
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 01:44 --------- d-----w c:\program files\Bonjour
2009-01-22 00:35 --------- d-----w c:\documents and settings\dag\Application Data\mIRC
2009-01-14 02:00 --------- d-----w c:\documents and settings\dag\Application Data\ZoomBrowser EX
2009-01-14 02:00 --------- d-----w c:\documents and settings\dag\Application Data\CameraWindowDC
2009-01-07 02:17 --------- d-----w c:\program files\Crimson Editor
2009-01-06 01:27 --------- d-----w c:\documents and settings\dag\Application Data\OpenOffice.org
2009-01-06 01:25 --------- d-----w c:\program files\OpenOffice.org 3
2009-01-06 01:25 --------- d-----w c:\program files\JRE
2009-01-06 01:24 --------- d-----w c:\program files\Java
2009-01-06 01:24 --------- d-----w c:\program files\Common Files\Java
2008-12-27 04:59 --------- d-----w c:\program files\Red Kawa
2008-12-27 04:58 --------- d-----w c:\program files\AviSynth 2.5
2008-12-26 02:44 --------- d-----w c:\documents and settings\dag\Application Data\Apple Computer
2008-12-25 19:04 --------- d-----w c:\program files\iTunes
2008-12-25 19:04 --------- d-----w c:\program files\iPod
2008-12-25 19:04 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2008-12-25 19:04 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-25 19:03 --------- d-----w c:\program files\Common Files\Apple
2008-12-12 01:30 --------- d-----w c:\program files\twhirl
2008-12-12 01:30 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-12-12 01:30 --------- d-----w c:\documents and settings\dag\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1
2008-12-11 01:43 --------- d-----w c:\program files\Weiran Zhang
2008-12-09 04:34 --------- d-----w c:\documents and settings\dag\Application Data\CoreFTP
2008-12-09 04:17 --------- d-----w c:\program files\CoreFTP
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} ----
2008-07-04 13:35 54632 --a------ c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DifXInstall32.exe
2008-04-24 08:25 11168 --a------ c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\gearaspiwdmx86.cat
2008-04-17 13:12 319456 --a------ c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DIFxAPI.dll
2008-04-17 13:12 2761 --a------ c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\GEARAspiWDM.inf
2008-04-17 13:12 15464 --a------ c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspiWDM.sys
2008-04-17 13:12 107368 --a------ c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspi.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SansaDispatch"="c:\documents and settings\dag\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2008-11-29 79872]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2007-08-14 48904]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 512000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"openvpn-gui"="d:\work\openVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-05 242976]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-09-25 331776]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-09-25 208896]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-08-15 143360]
"TpShocks"="c:\windows\system32\TpShocks.exe" [2008-06-06 181536]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-06-09 165208]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-06-09 124248]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]
c:\documents and settings\dag\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-14 14:54 89600 c:\windows\system32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 15:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 15:02 34080 c:\program files\Lenovo\HOTKEY\tphklock.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2008-08-15 20:37 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd ACGina
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\apps\\mIRC\\mirc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Active WebCam\\FTPUploader.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2008-05-14 114728]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-05-14 19496]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2008-10-22 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2008-10-22 4224]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2008-10-22 4442]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [2008-10-22 94208]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-08-14 10896]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-01 26624]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-09-14 33752]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-11-15 27904]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c29bd1b2-74a1-11dd-97fc-00130251f484}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com d:
\Shell\Open\command - f:\resycled\boot.com d:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb658c29-7461-11dd-97ec-cf96f8e50136}]
\Shell\AutoRun\command - F:\start.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f89eef88-7630-11dd-97ff-00130251f484}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com d:
\Shell\Open\command - f:\resycled\boot.com d:
.
Contents of the 'Scheduled Tasks' folder
2009-02-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-02-06 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-09-25 00:47]
.
.
------- Supplementary Scan -------
.
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} -
hxxp://www-307.ibm.com/pc/support/acpir.cabFF - ProfilePath - c:\documents and settings\dag\Application Data\Mozilla\Firefox\Profiles\spclz22x.default\
FF - prefs.js: browser.startup.homepage -
hxxp://www.google.ca/FF - component: c:\documents and settings\dag\Application Data\Mozilla\Firefox\Profiles\spclz22x.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: d:\apps\firefox\plugins\np_gp.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2009-02-06 09:51:32
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1128)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll
- - - - - - - > 'lsass.exe'(1184)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\searchindexer.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\windows\system32\notepad.exe
c:\program files\Logitech\QuickCam\LU\LULnchr.exe
c:\program files\Logitech\QuickCam\LU\LogitechUpdate.exe
.
**************************************************************************
.
Completion time: 2009-02-06 9:54:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-06 14:54:06
ComboFix2.txt 2009-02-05 23:44:59
ComboFix3.txt 2009-02-05 22:32:15
ComboFix4.txt 2009-02-04 20:55:50
Pre-Run: 6,929,256,448 bytes free
Post-Run: 6,978,457,600 bytes free
238 --- E O F --- 2008-12-19 01:01:22
Malwarebytes' Anti-Malware 1.33Database version: 1732
Windows 5.1.2600 Service Pack 3
2/5/2009 10:51:56 PM
mbam-log-2009-02-05 (22-51-56).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 186549
Time elapsed: 1 hour(s), 50 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Kasper:Friday, February 6, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, February 06, 2009 02:22:27
Records in database: 1757486
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
Scan statistics
Files scanned 135833
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 04:17:24
No malware has been detected. The scan area is clean.
The selected area was scanned.