ComboFix Results:
ComboFix 10-07-24.01 - Toby Blue 07/24/2010 20:52:56.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.707 [GMT -5:00]
Running from: c:\documents and settings\Toby Blue\Desktop\zzz.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Downloaded Program Files\popcaploader.inf
.
((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.
2010-07-24 19:43 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-20 18:18 . 2002-01-16 16:51 8 ------w- C:\url.bat
2010-07-20 17:06 . 2008-02-20 19:56 86016 ----a-w- c:\windows\uninstalllucentclient.exe
2010-07-20 17:06 . 2008-02-20 19:55 320768 ----a-w- c:\windows\system32\drivers\luipsec.sys
2010-07-20 17:06 . 2007-11-05 21:13 38968 ----a-w- c:\windows\system32\luinst.dll
2010-07-20 16:28 . 2010-07-20 17:08 -------- d-----w- c:\program files\IPSec Client
2010-07-18 04:02 . 2010-07-18 04:02 -------- d-----w- C:\rsit
2010-07-18 03:53 . 2010-07-18 03:53 -------- d-----w- c:\program files\Common Files\Java
2010-07-18 03:53 . 2010-07-18 03:53 503808 ----a-w- c:\documents and settings\Toby Blue\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-428751b4-n\msvcp71.dll
2010-07-18 03:53 . 2010-07-18 03:53 499712 ----a-w- c:\documents and settings\Toby Blue\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-428751b4-n\jmc.dll
2010-07-18 03:53 . 2010-07-18 03:53 348160 ----a-w- c:\documents and settings\Toby Blue\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-428751b4-n\msvcr71.dll
2010-07-18 03:53 . 2010-07-18 03:53 61440 ----a-w- c:\documents and settings\Toby Blue\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7abb8a3b-n\decora-sse.dll
2010-07-18 03:53 . 2010-07-18 03:53 12800 ----a-w- c:\documents and settings\Toby Blue\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7abb8a3b-n\decora-d3d.dll
2010-07-18 03:53 . 2010-07-18 03:52 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-18 02:00 . 2010-07-22 07:32 -------- d-----w- c:\windows\system32\NtmsData
2010-07-18 01:57 . 2010-07-18 01:57 -------- d-----w- c:\documents and settings\Toby Blue\Application Data\Avira
2010-07-18 01:51 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-07-18 01:51 . 2010-02-16 19:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-07-18 01:51 . 2009-05-11 17:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-07-18 01:51 . 2009-05-11 17:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-07-18 01:51 . 2010-07-18 01:51 -------- d-----w- c:\program files\Avira
2010-07-18 01:51 . 2010-07-18 01:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-07-16 02:56 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-16 02:56 . 2010-07-16 02:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-16 02:56 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-16 02:24 . 2010-07-16 02:24 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-13 01:17 . 2010-07-18 04:28 -------- d-----w- c:\program files\Trend Micro
2010-07-13 01:17 . 2010-07-13 01:17 388096 ----a-r- c:\documents and settings\Toby Blue\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-12 20:02 . 2010-07-22 10:24 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-12 05:19 . 2010-07-12 05:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-08 08:12 . 2010-07-08 08:12 -------- d-----w- C:\VundoFix Backups
2010-07-06 16:11 . 2010-07-06 17:10 -------- d-----w- c:\documents and settings\Toby Blue\Local Settings\Application Data\hatvdwocx
2010-07-06 01:42 . 2010-07-06 01:42 -------- d-----w- c:\documents and settings\Toby Blue\Application Data\Malwarebytes
2010-07-06 01:42 . 2010-07-06 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-30 22:16 . 2010-07-16 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-30 08:46 . 2010-06-30 08:46 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-29 21:41 . 2010-06-29 21:41 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 01:26 . 2009-03-02 01:07 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-07-24 14:26 . 2001-08-23 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-07-20 18:36 . 2009-01-30 15:40 -------- d-----w- c:\documents and settings\Toby Blue\Application Data\VMware
2010-07-20 18:18 . 2009-01-28 17:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-20 18:17 . 2009-01-29 18:48 -------- d-----w- c:\program files\AR System
2010-07-20 17:42 . 2009-01-28 22:20 51592 ----a-w- c:\documents and settings\Toby Blue\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-20 15:35 . 2009-01-29 04:26 -------- d-----w- c:\documents and settings\Toby Blue\Application Data\Skype
2010-07-20 15:33 . 2009-01-29 04:28 -------- d-----w- c:\documents and settings\Toby Blue\Application Data\skypePM
2010-07-18 03:44 . 2009-01-29 02:28 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-18 01:39 . 2009-01-28 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-07-18 01:34 . 2009-02-03 22:03 -------- d-----w- c:\program files\Java
2010-07-12 00:05 . 2010-06-11 16:57 -------- d-----w- c:\program files\Lx_cats
2010-06-14 14:31 . 2009-01-28 05:10 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2010-06-11 17:02 . 2010-06-11 17:02 423464 ----a-w- c:\documents and settings\Toby Blue\Application Data\E-centives\BSTIEPrintCtl1.dll
2010-06-11 17:02 . 2010-06-11 17:02 -------- d-----w- c:\documents and settings\Toby Blue\Application Data\E-centives
2010-06-05 14:28 . 2009-09-30 18:49 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 00:54 . 2010-06-01 00:54 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-06-01 00:53 . 2009-07-25 10:09 -------- d-----w- c:\program files\Essentials Codec Pack
2010-06-01 00:52 . 2009-01-31 11:26 -------- d-----w- c:\program files\DivX
2010-05-06 10:41 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2001-08-23 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\System32\WLTRAY" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-01-11 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-11-10 598016]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2007-03-16 1392640]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-12-05 3900936]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
IPSecClient Icon.lnk - c:\program files\IPSec Client\trayicon.exe [2010-7-20 675840]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AR System\\HOME\\ALPrograms\\wget.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 NEOFLTR_630_13725;Juniper Networks TDI Filter Driver (NEOFLTR_630_13725);c:\windows\system32\drivers\NEOFLTR_630_13725.sys [11/21/2008 3:37 AM 64480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/17/2010 8:51 PM 135336]
R3 LuIPSec;Alcatel-Lucent VPN Miniport;c:\windows\system32\drivers\luipsec.sys [7/20/2010 12:06 PM 320768]
S2 LucentIKE;LucentIKE;c:\program files\IPSec Client\lucentikesvc.exe [7/20/2010 12:06 PM 147456]
S3 B-Service;B-Service;c:\documents and settings\Toby Blue\Application Data\Mikogo\B-Service.exe [1/14/2010 4:43 PM 185640]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Microsoft Office Communicator 2005]
2008-01-10 17:11 516608 ----a-w- c:\windows\Installer\Microsoft Office Communicator 2005\AFTER.EXE
.
Contents of the 'Scheduled Tasks' folder
2010-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: hrsaccount.com\www
TCP: {989F1E28-47E8-497E-A3A3-31F0D5FAC1B5} = 208.67.220.220,208.67.222.222
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/ ... emLite.CAB.
- - - - ORPHANS REMOVED - - - -
SafeBoot-klmdb.sys
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-07-24 20:58
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1212)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-07-24 21:00:25
ComboFix-quarantined-files.txt 2010-07-25 02:00
Pre-Run: 23,127,429,120 bytes free
Post-Run: 23,695,376,384 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - C2BD2CE7A29137EEB1B2C6C44578F2CC
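The "Files Created" block above is the part of a ComboFix log a reviewer usually reads first, because it lists everything written to disk in the last 30 days with creation time, last-modified time, size, attribute flags and path. The script below is an added triage helper, not ComboFix's own code and not part of the original post: it parses that line layout (field order and the meaning of the `d`/`h`/`s` attribute letters are inferred from the lines in this log) and applies two deliberately narrow heuristics, an executable or script sitting directly in the drive root, and a directory under a user profile's Application Data with a generated-looking all-lowercase name. The sample input is a handful of lines copied from the log above; anything the heuristics flag is a prompt for a human look, not a malware verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added triage helper for the "Files Created from ... to ..." block of a
# ComboFix log. Not ComboFix code: the column layout and attribute-letter
# meanings below are assumptions taken from the lines in the log above.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2})\s+\.\s+"
    r"(?P<modified>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-{8})\s+"          # "--------" in the size column means directory
    r"(?P<attrs>\S{8})\s+"           # e.g. "d-sh--w-", "----a-w-"
    r"(?P<path>.+?)\s*$"
)

# Extensions that should not normally sit directly in the drive root.
EXEC_EXT = {".exe", ".dll", ".sys", ".bat", ".cmd", ".com", ".scr", ".pif", ".vbs", ".js"}


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories
    attrs: str            # assumed: attrs[0] == 'd' directory, 'h' hidden, 's' system
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs[1:]

    @property
    def leaf(self) -> str:
        return self.path.rstrip("\\").rsplit("\\", 1)[-1]

    @property
    def depth(self) -> int:
        # C:\url.bat -> 1 ; c:\windows\system32\dllcache\helpsvc.exe -> 4
        return self.path.count("\\")


def parse_files_created(text: str) -> List[Entry]:
    """Parse ComboFix 'Files Created' lines; lines that do not match are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def looks_generated(name: str) -> bool:
    """Rough heuristic for machine-generated folder names: 8+ chars, all lowercase letters, few vowels."""
    if len(name) < 8 or not name.isalpha() or not name.islower():
        return False
    vowels = sum(c in "aeiou" for c in name)
    return vowels / len(name) < 0.3


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs that deserve a second look. Heuristics only, not verdicts."""
    flagged: List[Tuple[str, str]] = []
    for e in entries:
        ext = ("." + e.leaf.rsplit(".", 1)[-1].lower()) if "." in e.leaf else ""
        if not e.is_dir and e.depth == 1 and ext in EXEC_EXT:
            flagged.append((e.path, "executable/script directly in drive root"))
        if e.is_dir and "\\application data\\" in e.path.lower() and looks_generated(e.leaf):
            flagged.append((e.path, "generated-looking folder name under a user profile"))
    return flagged


# Sample input: lines copied from the ComboFix log above.
SAMPLE = r"""
2010-07-24 19:43 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-20 18:18 . 2002-01-16 16:51 8 ------w- C:\url.bat
2010-07-18 04:02 . 2010-07-18 04:02 -------- d-----w- C:\rsit
2010-07-06 16:11 . 2010-07-06 17:10 -------- d-----w- c:\documents and settings\Toby Blue\Local Settings\Application Data\hatvdwocx
2010-06-30 08:46 . 2010-06-30 08:46 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
"""

if __name__ == "__main__":
    for path, reason in triage(parse_files_created(SAMPLE)):
        print(f"{reason}: {path}")
```

Run against the sample, the script reports the 8-byte `C:\url.bat` and the `hatvdwocx` folder; the dllcache copy of helpsvc.exe and the hidden/system IETldCache folders pass through because neither heuristic targets them. Thresholds such as the 30% vowel ratio are arbitrary starting points; tune them against logs from known-clean machines before relying on them.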