Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.576 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFixnew.exe
AV: PC Tools AntiVirus 5.0.1.1 *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Application Data\SpamBlocker
c:\documents and settings\Owner\Application Data\SpamBlockerUtility_Icons
c:\documents and settings\Owner\Application Data\SpamBlockerUtility_Icons\RegistryDefender_2.ico
c:\documents and settings\Owner\Application Data\SpamBlockerUtility_Icons\Software_Online_8.ico
c:\documents and settings\Owner\Application Data\SpamBlockerUtility_Icons\wallpapere1.ico
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\index.dat
c:\windows\lsass32.exe
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\FTPx.dll
c:\windows\system32\MabryObj.dll
c:\windows\system32\SOCKETX.DLL
c:\windows\system32\SOCKETX.OCX
c:\windows\winlogin.exe
C:\x.exe
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
.
2009-02-06 15:05 . 2009-02-06 16:29 <DIR> d-------- c:\program files\PC Tools AntiVirus
2009-02-06 15:05 . 2009-02-06 15:05 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-02-06 15:05 . 2009-02-06 15:05 <DIR> d-------- c:\documents and settings\Owner\Application Data\PC Tools
2009-02-06 15:05 . 2009-02-06 15:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-02-06 15:05 . 2007-12-06 16:51 28,568 --a------ c:\windows\system32\drivers\AVHook.sys
2009-02-06 15:05 . 2007-12-06 16:51 21,912 --a------ c:\windows\system32\drivers\AVRec.sys
2009-02-06 15:05 . 2008-02-12 11:44 21,904 --a------ c:\windows\system32\drivers\AVFilter.sys
2009-02-06 14:50 . 2009-02-06 14:50 <DIR> d-------- c:\program files\RegCure
2009-02-06 09:23 . 2009-02-06 09:23 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-02-04 18:53 . 2009-02-06 16:43 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-04 18:49 . 2009-02-04 18:49 214,082 --a------ C:\isimer.exe
2009-02-04 18:43 . 2009-02-04 18:43 106,496 -r-hs---- c:\windows\windbg32.exe
2009-02-04 18:43 . 2009-02-04 18:43 106,496 --a------ C:\mrsmsn.exe
2009-02-04 18:25 . 2009-02-04 18:25 2,367,545 --a------ C:\ez.exe
2009-02-04 18:20 . 2009-02-04 18:20 94,208 --a------ C:\atjkhwe32.exe
2009-01-31 19:04 . 2009-01-31 19:56 94,208 --a------ C:\winsys.exe
2009-01-31 19:04 . 2009-01-31 19:04 94,208 -r-hs---- c:\windows\winbsvc.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-06 12:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-06 12:19 --------- d-----w c:\documents and settings\Owner\Application Data\Symantec
2009-02-06 12:19 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-05 01:20 --------- d-----w c:\program files\Symantec
2009-01-29 23:46 --------- d-----w c:\program files\Lx_cats
2009-01-22 17:47 1,690 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2008-12-24 21:39 --------- d-----w c:\program files\Google
2008-12-24 21:20 135,168 --sh--r c:\windows\winmsvc.exe
2008-12-20 12:51 131,072 --sh--r c:\windows\winhsvc.exe
2008-12-15 01:41 131,072 --sh--r c:\windows\winsvc32.exe
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-09 06:49 --------- d-----w c:\program files\LimeWire
2008-12-08 15:37 --------- d-----w c:\program files\Azureus
2008-12-08 15:36 --------- d-----w c:\documents and settings\Owner\Application Data\Azureus
2008-11-18 20:34 64,562 --sh--r c:\windows\sqlhostt32.exe
2006-04-04 18:48 5,285,707 ----a-w c:\program files\win2k_xp1420.exe
2008-04-14 00:12 214,082 --sh--r c:\windows\system32\svcghosts.exe
2008-09-12 09:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091220080913\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2008-07-06 173368]
[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2008-07-06 11:44 1164600 --a------ c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-07-06 1164600]
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-07-06 1164600]
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-06 68856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"Mixersel"="d:\i386\Apps\App31030\config\mixersel.exe" [2003-11-10 369664]
"LXCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]
"lxccmon.exe"="c:\program files\Lexmark 3300 Series\lxccmon.exe" [2005-02-21 192512]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-01-19 299008]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2008-07-06 111928]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2008-12-04 1370000]
"CHotkey"="zHotkey.exe" [2004-05-17 c:\windows\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 c:\windows\ShowWnd.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-07-25 c:\windows\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2005-07-25 c:\windows\ALCWZRD.EXE]
"sqlhostt32bit"="sqlhostt32.exe" [2008-11-18 c:\windows\sqlhostt32.exe]
"winsvc32"="winsvc32.exe" [2008-12-14 c:\windows\winsvc32.exe]
"winhsvc"="winhsvc.exe" [2008-12-20 c:\windows\winhsvc.exe]
"winmsvc"="winmsvc.exe" [2008-12-24 c:\windows\winmsvc.exe]
"winbsvc"="winbsvc.exe" [2009-01-31 c:\windows\winbsvc.exe]
"windbgservice"="windbg32.exe" [2009-02-04 c:\windows\windbg32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"<NO NAME>"="svcghosts.exe" [2008-04-13 c:\windows\system32\svcghosts.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Personal Coach.lnk - c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [2006-10-28 2392064]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\msagent\\i386\\svchost.exe"=
"c:\\WINDOWS\\system32\\IME\\MSINTLGNT\\msall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6667:TCP"= 6667:TCP:msiexec
R2 General-Systems;General-Systems;c:\windows\msagent\i386\Systems.exe [2009-02-04 167962]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-10 24652]
S2 msall.exe;msall.exe;c:\windows\system32\IME\MSINTLGNT\Service.exe [2009-02-04 557056]
--- Other Services/Drivers In Memory ---
*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder
2009-02-06 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 12:58]
2009-02-06 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 12:58]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Yahoo! Pager - ~c:\program files\Yahoo!\Messenger\YahooMessenger.exe
HKLM-Run-sqlhosts32bit - sqlhosts32.exe
HKLM-Run-winlogin - winlogin.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?.home=msgr
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/?.home=msgr
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxps://actsvr.comcastonline.com/techto ... ntrols.cab
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-06 16:51:01
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(824)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2009-02-06 16:52:54
ComboFix-quarantined-files.txt 2009-02-06 21:52:34
Pre-Run: 154,006,134,784 bytes free
Post-Run: 154,934,431,744 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
218 --- E O F --- 2009-01-15 12:47:45