ComboFix
ComboFix 08-02-20.2 - RCS 2008-02-21 23:55:28.5 - NTFSx86
Running from: C:\Documents and Settings\RCS\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.
2008-02-21 23:22 . 2008-02-21 23:22 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-21 23:09 . 2008-02-21 23:09 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-21 21:52 . 2008-02-21 22:16 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-02-21 18:25 . 2008-02-21 18:25 <DIR> d-------- C:\Program Files\CCleaner
2008-02-21 18:23 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-21 18:21 . 2008-02-21 18:23 <DIR> d-------- C:\Program Files\Java
2008-02-21 18:21 . 2008-02-21 18:21 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-19 20:25 . 2008-02-19 20:25 <DIR> d-------- C:\_OTMoveIt
2008-02-19 17:32 . 2005-04-06 01:23 114,688 --a------ C:\WINDOWS\system32\igfxpers.exe
2008-02-19 17:32 . 2005-04-06 01:22 94,208 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-02-19 17:32 . 2005-04-06 01:19 77,824 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-02-13 11:37 . 2008-02-13 11:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-12 14:55 . 2007-12-06 20:21 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-02-12 14:55 . 2007-06-30 21:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-02-12 14:55 . 2007-06-30 21:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-02-12 14:55 . 2007-12-06 20:21 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-02-12 14:55 . 2007-12-06 20:21 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-02-12 14:55 . 2007-12-06 20:21 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-02-12 14:55 . 2007-12-06 20:21 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-02-12 14:55 . 2007-12-06 20:21 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-02-12 14:55 . 2007-12-06 05:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-12 14:49 . 2007-08-13 18:54 33,792 --a------ C:\WINDOWS\system32\dllcache\custsat.dll
2008-02-12 04:04 . 2007-07-09 07:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-02-12 03:00 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-02-11 13:50 . 2008-02-11 13:17 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-11 13:50 . 2008-02-11 13:50 3,440 --a------ C:\WINDOWS\unins000.dat
2008-02-11 09:40 . 2008-02-11 09:40 2,715,648 --a------ C:\WINDOWS\system32\OnlineScanner.ocx
2008-02-11 09:39 . 2008-02-11 09:39 253,952 --a------ C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 09:39 . 2008-02-11 09:39 237,568 --a------ C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 13:53 . 2008-02-08 13:53 110,592 --a------ C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 08:48 . 2008-02-05 08:48 77,824 --a------ C:\WINDOWS\system32\OnlineScannerUninstaller.exe
2008-01-31 08:34 . 2008-01-31 08:34 13 --a------ C:\WINDOWS\system32\di1.gif
2008-01-29 18:15 . 2008-02-11 13:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-29 18:15 . 2008-02-11 13:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-29 18:04 . 2008-01-29 18:04 <DIR> d--hs---- C:\AVSystemCare
2008-01-29 17:35 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-01-27 12:34 . 2008-01-27 12:34 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-01-27 12:29 . 2008-01-27 12:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-27 12:28 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-01-27 12:28 . 2008-01-27 12:34 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-01-27 12:27 . 2008-01-27 13:47 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-01-27 12:26 . 2008-01-27 13:47 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-01-26 20:43 . 2008-02-21 08:00 <DIR> d-------- C:\Documents and Settings\RCS\Application Data\AVG7
2008-01-26 20:41 . 2008-01-26 20:41 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-26 20:41 . 2008-01-26 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-26 20:41 . 2008-01-26 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-26 11:42 . 2008-01-26 11:42 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-26 11:42 . 2008-01-26 11:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-26 11:41 . 2008-01-26 11:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-25 03:35 . 2008-01-25 03:35 <DIR> d-------- C:\WINDOWS\system32\4B4C504C4A5254
2008-01-23 19:24 . 2008-01-23 19:24 14 --a------ C:\WINDOWS\3F2C-1623-F30A-AF21.dat
2008-01-23 17:53 . 2008-02-21 15:01 <DIR> d-------- C:\Temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 04:13 --------- d-----w C:\Program Files\Symantec
2008-02-20 04:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-20 04:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-20 00:18 --------- d-----w C:\Program Files\UltraVNC
2008-01-11 05:53 44,544 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-08 16:51 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 11:01 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:00 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 04:59 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
2004-12-21 23:34 25,214 ----a-w C:\Program Files\dplogo32.ico
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E59226D-9D00-435B-ADF3-55029A05F6FA}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{221BBF54-3327-4548-9006-84385B1A5840}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{23BFE3A9-D01E-43FB-87F6-9580A7C6732C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ef1e364-f619-4c0e-90c0-2f29bd91a404}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99DD1FD1-456E-4181-AD80-CB36153E3934}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-27 12:34 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Performance USB keyboard hotkey blocker"="C:\Program Files\Dell\USBKEYBLCK\bak\USBKeyBlock.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-26 20:41 579072]
"20d2d191"="C:\WINDOWS\system32\ngvspsqt.dll" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-26 20:41 219136]
C:\Documents and Settings\RCS\Start Menu\Programs\Startup\
Focus.lnk - C:\Focus\FOCUS.EXE [2005-07-19 15:05:19 1488896]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkifeb]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2002-02-15 09:51 24638 C:\WINDOWS\system32\PCANotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rldxyxzm]
R1 MMstub;MMstub Driver;C:\WINDOWS\system32\DRIVERS\MMstub.sys [2001-10-31 13:15]
R2 DynuBasic;Dynu Basic Dynamic DNS Client v3.24;C:\Program Files\Dynu Systems\Basic\basicsvc.exe [2004-06-25 04:43]
R2 monmouse;Monmouse Driver;C:\WINDOWS\system32\DRIVERS\monmouse.sys [2001-11-12 13:14]
R3 dpK00701;U.are.U Fingerprint Reader Upper Driver;C:\WINDOWS\system32\DRIVERS\dpK00701.sys [2004-10-12 15:51]
R3 UsbdpFP;U.are.U Fingerprint Reader Class Driver;C:\WINDOWS\system32\DRIVERS\UsbdpFP.sys [2004-10-12 15:53]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##rcs-mike1#CdRom]
\Shell\AutoRun\command - Z:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 05:55:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-21 23:57:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-21 23:57:57
ComboFix-quarantined-files.txt 2008-02-22 05:57:41
ComboFix2.txt 2008-02-22 03:19:42
ComboFix3.txt 2008-02-21 21:04:04
ComboFix4.txt 2008-02-21 01:01:00
.
2008-02-13 18:36:18 --- E O F ---
HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:04 AM, on 2/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Dynu Systems\Basic\basicsvc.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rcshouston.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E59226D-9D00-435B-ADF3-55029A05F6FA} - (no file)
O2 - BHO: (no name) - {221BBF54-3327-4548-9006-84385B1A5840} - (no file)
O2 - BHO: (no name) - {23BFE3A9-D01E-43FB-87F6-9580A7C6732C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7ef1e364-f619-4c0e-90c0-2f29bd91a404} - (no file)
O2 - BHO: (no name) - {99DD1FD1-456E-4181-AD80-CB36153E3934} - (no file)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O4 - HKLM\..\Run: [Dell Performance USB keyboard hotkey blocker] C:\Program Files\Dell\USBKEYBLCK\bak\USBKeyBlock.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [20d2d191] rundll32.exe "C:\WINDOWS\system32\ngvspsqt.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Focus.lnk = C:\Focus\FOCUS.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Basic Client.lnk = C:\Program Files\Dynu Systems\Basic\DynuBas.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBD555BF-9BDC-4DC5-A378-FEC1D3248D8E}: NameServer = 192.168.1.1,0.0.0.0
O20 - Winlogon Notify: jkkifeb - C:\WINDOWS\
O20 - Winlogon Notify: rldxyxzm - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DpHost - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Dynu Basic Dynamic DNS Client v3.24 (DynuBasic) - Unknown owner - C:\Program Files\Dynu Systems\Basic\basicsvc.exe
O23 - Service: EloTouchscreen - Elo TouchSystems, Inc. - C:\WINDOWS\system32\DRIVERS\EloTouch.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
--
End of file - 6123 bytes