ComboFix 09-05-03.6 - Wendy C. Shook 05/04/2009 13:40.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.400 [GMT -4:00]
Running from: c:\documents and settings\Wendy C. Shook\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Wendy C. Shook\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090504-0] *On-access scanning disabled* (Updated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--------------- FCopy ---------------
c:\windows\ServicePackFiles\i386\explorer.exe --> c:\windows\explorer.exe
c:\windows\ServicePackFiles\i386\ctfmon.exe --> c:\windows\system32\ctfmon.exe
c:\windows\ServicePackFiles\i386\spoolsv.exe --> c:\windows\system32\spoolsv.exe
c:\windows\ServicePackFiles\i386\userinit.exe --> c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.
2009-05-04 15:10 . 2009-05-04 15:10 -------- d-----w C:\32788R22FWJFW.0.tmp
2009-04-19 21:38 . 2009-04-19 21:38 -------- d-----w c:\documents and settings\Wendy C. Shook\DoctorWeb
2009-04-14 22:00 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-14 22:00 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-14 22:00 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 22:00 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-14 22:00 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 22:00 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 22:00 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 22:00 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 22:00 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 22:00 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 21:59 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 21:59 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-11 15:24 . 2009-04-11 15:23 410984 ----a-w c:\windows\system32\deploytk.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-23 14:31 . 2004-12-18 18:07 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-20 01:19 . 2002-08-29 11:00 433664 ----a-w c:\windows\system32\wiaacmgr.exe
2009-04-20 01:18 . 2002-08-29 11:00 77312 ----a-w c:\windows\system32\sdbinst.exe
2009-04-20 01:17 . 2002-08-29 11:00 76800 ----a-w c:\windows\system32\nslookup.exe
2009-04-20 01:17 . 2002-08-29 11:00 36864 ----a-w c:\windows\system32\netstat.exe
2009-04-20 01:17 . 2003-06-30 20:33 86016 ----a-w c:\windows\system32\netsh.exe
2009-04-20 01:17 . 2002-08-29 11:00 331776 ----a-w c:\windows\system32\netsetup.exe
2009-04-20 01:17 . 2002-08-29 11:00 124928 ----a-w c:\windows\system32\net1.exe
2009-04-20 01:17 . 2002-08-29 11:00 42496 ----a-w c:\windows\system32\net.exe
2009-04-20 01:17 . 2002-08-29 11:00 4096 ----a-w c:\windows\system32\nddeapir.exe
2009-04-20 01:17 . 2002-08-29 11:00 20480 ----a-w c:\windows\system32\NBTSTAT.EXE
2009-04-20 01:17 . 2002-11-20 16:50 53760 ----a-w c:\windows\system32\narrator.exe
2009-04-20 01:17 . 2008-06-22 00:40 176640 ----a-w c:\windows\system32\napstat.exe
2009-04-20 01:17 . 2002-08-29 11:00 677888 ----a-w c:\windows\system32\mstsc.exe
2009-04-20 01:17 . 2004-07-15 10:31 12288 ----a-w c:\windows\system32\mstinit.exe
2009-04-20 01:17 . 2002-08-29 11:00 6656 ----a-w c:\windows\system32\MSSWCHX.EXE
2009-04-20 01:15 . 2002-08-29 11:00 9728 ----a-w c:\windows\system32\LABEL.EXE
2009-04-20 01:15 . 2003-04-12 10:36 172032 ----a-w c:\windows\system32\jview.exe
2009-04-20 01:15 . 2003-04-12 10:35 14848 ----a-w c:\windows\system32\jdbgmgr.exe
2009-04-20 01:15 . 2000-04-26 19:34 39424 ----a-w c:\windows\system32\JETCOMP.exe
2009-04-20 01:15 . 2002-08-29 11:00 23552 ----a-w c:\windows\system32\ipxroute.exe
2009-04-20 01:15 . 2003-06-30 20:30 53248 ----a-w c:\windows\system32\ipv6.exe
2009-04-20 01:15 . 2002-08-29 11:00 44032 ----a-w c:\windows\system32\IPSEC6.EXE
2009-04-20 01:15 . 2002-08-29 11:00 55808 ----a-w c:\windows\system32\ipconfig.exe
2009-04-20 01:15 . 2005-10-19 12:59 114688 ----a-w c:\windows\system32\igfxzoom.exe
2009-04-20 01:15 . 1980-01-01 06:00 155648 ----a-w c:\windows\system32\igfxtray.exe
2009-04-20 01:15 . 2002-08-29 11:00 114688 ----a-w c:\windows\system32\iexpress.exe
2009-04-20 01:13 . 2003-09-01 19:46 17920 ----a-w c:\windows\system32\dpnsvr.exe
2009-04-20 01:12 . 2002-08-29 11:00 5120 ----a-w c:\windows\system32\BOOTVRFY.EXE
2009-04-20 01:12 . 2004-08-04 07:56 71680 ----a-w c:\windows\system32\blastcln.exe
2009-04-20 01:12 . 2002-08-29 11:00 4608 ----a-w c:\windows\system32\BOOTOK.EXE
2009-04-20 01:12 . 2002-09-10 23:34 98304 ----a-w c:\windows\system32\BacsTray.exe
2009-04-20 01:12 . 2004-08-04 07:56 14336 ----a-w c:\windows\system32\auditusr.exe
2009-04-20 01:12 . 2002-08-29 11:00 12288 ----a-w c:\windows\system32\attrib.exe
2009-04-20 01:12 . 2002-08-29 11:00 11264 ----a-w c:\windows\system32\atmadm.exe
2009-04-20 01:12 . 2002-08-29 11:00 25088 ----a-w c:\windows\system32\at.exe
2009-04-20 01:12 . 2002-08-29 11:00 19456 ----a-w c:\windows\system32\ARP.EXE
2009-04-20 01:12 . 2002-08-29 11:00 98304 ----a-w c:\windows\system32\ahui.exe
2009-04-20 01:12 . 2002-08-29 11:00 4096 ----a-w c:\windows\system32\actmovie.exe
2009-04-20 00:55 . 2002-08-29 11:00 744448 ----a-w c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2009-04-20 00:35 . 2002-12-14 06:50 1077248 ----a-w c:\windows\Help\SBSI\Training\orun32.exe
2009-04-19 21:41 . 2002-08-29 11:00 289792 ----a-w c:\windows\system32\vssvc.exe
2009-04-19 21:40 . 2002-08-29 11:00 224768 ----a-w c:\windows\system32\dmadmin.exe
2009-04-19 21:40 . 2002-08-29 11:00 33280 ----a-w c:\windows\system32\clipsrv.exe
2009-04-19 21:40 . 2002-08-29 11:00 25600 ----a-w c:\windows\system32\cisvc.exe
2009-04-19 21:40 . 2002-08-29 11:00 64512 ----a-w c:\windows\system32\alg.exe
2009-04-18 21:02 . 2002-12-14 06:54 -------- d-----w c:\program files\Classic PhoneTools
2009-04-18 21:02 . 2004-08-10 00:22 -------- d-----w c:\program files\Audiovox USB Drivers
2009-04-18 16:30 . 2003-09-02 13:27 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-16 23:57 . 2005-02-19 03:02 -------- d-----w c:\program files\Startup Inspector for Windows
2009-04-16 23:57 . 2002-12-14 07:00 -------- d-----w c:\program files\QuickTime
2009-04-11 15:28 . 2007-07-21 16:59 -------- d-----w c:\program files\CCleaner
2009-04-11 15:23 . 2002-12-21 20:25 -------- d-----w c:\program files\Java
2009-03-06 14:22 . 2002-08-29 11:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-02-06 22:05 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2002-08-29 11:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-04-16 20:31 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2002-08-29 11:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2002-08-29 11:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2002-08-29 11:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 1980-01-01 06:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2002-08-29 11:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 1980-01-01 06:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-03 19:59 . 2002-08-29 11:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-16 23:03 . 2009-01-16 23:03 69632 --sha-w c:\windows\SYSTEM32\yenojuje.dll.vir
.
((((((((((((((((((((((((((((( SnapShot@2009-05-04_15.41.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-08-29 11:00 . 2008-04-14 00:12 26112 c:\windows\SYSTEM32\DLLCACHE\userinit.exe
+ 2002-08-29 11:00 . 2008-04-14 00:12 57856 c:\windows\SYSTEM32\DLLCACHE\spoolsv.exe
+ 2002-08-29 11:00 . 2008-04-14 00:12 15360 c:\windows\SYSTEM32\DLLCACHE\ctfmon.exe
+ 2002-08-29 11:00 . 2008-04-14 00:12 347136 c:\windows\SYSTEM32\tourstart.exe
- 2002-08-29 11:00 . 2009-04-20 01:19 347136 c:\windows\SYSTEM32\tourstart.exe
+ 2002-08-29 11:00 . 2008-04-14 00:12 347136 c:\windows\SYSTEM32\DLLCACHE\tourstrt.exe
+ 2003-05-12 01:12 . 2008-04-14 00:12 1033728 c:\windows\SYSTEM32\DLLCACHE\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\progra~1\AWS\WEATHE~1\Weather.exe" [2009-04-19 1613824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
Contents of the 'Scheduled Tasks' folder
2009-05-04 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2004-04-01 21:40]
2002-12-21 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 21:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.espn.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uInternet Settings,ProxyOverride = 127.0.0.1;hxxp://localhost;
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Wendy C. Shook\Application Data\Mozilla\Firefox\Profiles\mv0e142o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.weather.com/outlook/health/c ... centsearch
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 13:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3992)
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
Completion time: 2009-05-04 13:45
ComboFix-quarantined-files.txt 2009-05-04 17:45
ComboFix2.txt 2009-05-04 15:44
Pre-Run: 16,893,829,120 bytes free
Post-Run: 16,876,240,896 bytes free
176 --- E O F --- 2009-04-15 00:52