Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1563 [GMT -4:00]
Running from: f:\my docs\Downloads\Music\ComboFix.exe
Command switches used :: c:\documents and settings\Matt\Desktop\CFscript.txt
AV: avast! antivirus 4.8.1335 [VPS 090418-0] *On-access scanning disabled* (Updated)
FW: Online Armor Firewall *disabled*
* Created a new restore point
FILE ::
c:\windows\system32\hujenufo.dll
c:\windows\system32\kakeyuwu.dll
c:\windows\system32\mewivadi.dll.tmp
c:\windows\system32\savubemi.dll.tmp
c:\windows\system32\vokoluwo.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Matt\LOCALS~1\Temp\catchme.dll
.
((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.
2009-04-14 02:43 . 2009-04-18 04:45 -------- d-----w c:\documents and settings\Matt\Application Data\OnlineArmor
2009-04-14 02:43 . 2009-04-14 02:43 -------- d-----w c:\documents and settings\All Users\Application Data\OnlineArmor
2009-04-14 02:42 . 2008-12-13 06:26 30920 ----a-w c:\windows\system32\drivers\OAmon.sys
2009-04-14 02:42 . 2008-12-13 06:26 28872 ----a-w c:\windows\system32\drivers\OAnet.sys
2009-04-14 02:42 . 2008-12-13 06:26 178376 ----a-w c:\windows\system32\drivers\OADriver.sys
2009-04-08 11:33 . 2009-04-08 11:33 -------- d-----w c:\documents and settings\Matt\Application Data\Blackberry Desktop
2009-04-08 04:26 . 2009-04-08 04:26 -------- d-----w c:\documents and settings\Matt\Application Data\Research In Motion
2009-03-29 15:27 . 2009-03-29 15:27 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\HPAppData
2009-03-24 21:48 . 2009-03-25 03:09 -------- d-----w c:\documents and settings\Matt\Application Data\vlc
2009-03-24 21:42 . 2009-03-24 21:42 -------- d-----w c:\documents and settings\Matt\Local Settings\Application Data\WinZip
2009-03-24 21:42 . 2009-03-24 21:42 -------- d-----w c:\documents and settings\All Users\Application Data\WinZip
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 02:38 . 2009-04-06 23:15 -------- d-----w c:\program files\Common Files\Agnitum Shared
2009-04-09 02:25 . 2008-08-16 03:04 -------- d-----w c:\documents and settings\Matt\Application Data\Move Networks
2009-04-08 04:43 . 2009-02-03 03:10 -------- d-----w c:\program files\Common Files\Research In Motion
2009-04-08 04:41 . 2009-04-08 04:41 -------- d-----w c:\program files\Research In Motion
2009-03-29 01:24 . 2007-04-22 21:36 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-23 14:16 . 2008-09-24 12:52 -------- d-----w c:\documents and settings\Matt\Application Data\MSN6
2009-03-05 02:19 . 2009-03-05 02:19 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-17 13:11 . 2007-05-23 01:09 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-01-28 02:16 . 2007-04-22 19:59 66720 ----a-w c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-28 19:35 . 2007-04-22 20:48 169248 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2008-12-08 18:59 . 2008-12-08 18:59 60744 ----a-w c:\documents and settings\Matt\g2mdlhlpx.exe
2008-12-28 19:20 . 2008-12-28 19:20 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008122820081229\index.dat
.
((((((((((((((((((((((((((((( SnapShot@2009-04-15_15.35.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-17 23:00 . 2009-04-17 23:00 16384 c:\windows\Temp\Perflib_Perfdata_d0.dat
+ 2009-04-17 23:00 . 2009-04-17 23:00 16384 c:\windows\Temp\Perflib_Perfdata_910.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="f:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-21 1207080]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="f:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-03-26 615696]
"@OnlineArmor GUI"="f:\program files\Tall Emu\Online Armor\oaui.exe" [2008-12-13 6223048]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-3-25 1545488]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet g series) - 1.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet g series) - 1.lnk
backup=c:\windows\pss\HPAiODevice(hp officejet g series) - 1.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Matt^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=c:\documents and settings\Matt\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Gigabyte\\@BIOS\\update.exe"=
"c:\\Program Files\\Gigabyte\\@BIOS\\gwflash.exe"=
"f:\\Program Files\\World of Warcraft\\Repair.exe"=
"f:\program files\Microsoft ActiveSync\rapimgr.exe"= f:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"f:\program files\Microsoft ActiveSync\wcescomm.exe"= f:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"f:\program files\Microsoft ActiveSync\WCESMgr.exe"= f:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"f:\\Program Files\\World of Warcraft\\Launcher.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R2 SvcOnlineArmor;Online Armor;f:\program files\Tall Emu\Online Armor\oasrv.exe [2008-12-13 3321032]
S1 aswSP;avast! Self Protection; [x]
S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2008-12-13 178376]
S1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2008-12-13 30920]
S1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2008-12-13 28872]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 OAcat;Online Armor Helper Service;f:\program files\Tall Emu\Online Armor\oacat.exe [2008-12-13 1402568]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\DRIVERS\A3AB.sys [2005-08-25 466880]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2009-04-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\9hszsaj5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\9hszsaj5.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: f:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: f:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: f:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: f:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: f:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: f:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: f:\program files\QuickTime\Plugins\npqtplugin7.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 23:58
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-04-19 0:00
ComboFix-quarantined-files.txt 2009-04-19 04:00
ComboFix2.txt 2009-04-15 16:31
ComboFix3.txt 2009-04-15 15:36
ComboFix4.txt 2009-04-05 02:18
Pre-Run: 107,057,315,840 bytes free
Post-Run: 107,110,850,560 bytes free