ComboFix 08-02-23 - Owner 2008-02-26 15:17:49.8 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.
The following files were disabled during the run:
C:\WINDOWS\system32\sockspy.dll
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.
2008-02-26 13:58 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-24 17:52 . 2008-02-24 17:54 <DIR> d-------- C:\Program Files\Panda Security
2008-02-24 01:43 . 2008-02-24 01:43 <DIR> d-------- C:\_OTMoveIt
2008-02-24 00:45 . 2008-02-24 00:45 218 --a------ C:\UnInstall.dat
2008-02-23 15:02 . 2008-02-23 15:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-23 15:02 . 2008-02-23 15:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-21 17:29 . 2008-02-21 17:29 <DIR> d-------- C:\Program Files\Winamp Remote
2008-02-21 17:29 . 2008-02-21 17:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OrbNetworks
2008-02-18 08:55 . 2008-02-18 08:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-15 23:26 . 2008-02-19 10:20 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-02-15 23:25 . 2008-02-15 23:25 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-15 23:24 . 2008-02-15 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-15 23:24 . 2008-02-19 10:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-15 23:19 . 2008-02-17 16:47 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-15 19:20 . 2008-02-25 14:53 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-15 19:20 . 2008-02-15 19:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-14 20:59 . 2008-02-17 01:01 <DIR> d-------- C:\VundoFix Backups
2008-02-13 06:59 . 2008-02-13 06:59 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SlipStream
2008-02-08 23:25 . 2008-02-08 23:26 <DIR> d-------- C:\Program Files\FreeMPC
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-30 22:02 . 2008-01-30 22:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-26 21:20 . 2008-01-26 21:20 <DIR> d-------- C:\WINDOWS\system32\7173777A7E777E8
2008-01-26 15:49 . 2007-07-11 09:42 <DIR> dr--s---- C:\WINDOWS\assembly
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 21:49 --------- d-----w C:\Program Files\Greetings Workshop
2008-02-26 20:58 --------- d-----w C:\Program Files\Java
2008-02-26 20:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-25 07:21 --------- d-----w C:\Program Files\AudioStreamer
2008-02-25 07:21 --------- d-----r C:\Program Files\Programs
2008-02-25 06:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-25 06:43 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-25 05:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\POP Peeper
2008-02-25 04:59 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-25 04:11 --------- d-----w C:\Program Files\AoA DVD Creator
2008-02-25 04:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-24 09:30 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-24 08:34 --------- d-----w C:\Program Files\YVD
2008-02-24 08:33 --------- d-----w C:\Program Files\Yahoo!
2008-02-24 08:29 --------- d-----w C:\Program Files\NCH Swift Sound
2008-02-24 08:28 --------- d-----w C:\Program Files\stellarium
2008-02-24 08:21 --------- d-----w C:\Program Files\Psychedelix
2008-02-24 08:19 --------- d-----w C:\Program Files\Phota
2008-02-24 08:18 --------- d-----w C:\Program Files\Raxco
2008-02-24 07:59 --------- d-----w C:\Program Files\Nimiq
2008-02-24 07:46 --------- d-----w C:\Program Files\LimeWire
2008-02-24 07:31 --------- d-----w C:\Program Files\Gradient
2008-02-24 07:30 --------- d-----w C:\Program Files\GrabIt
2008-02-24 07:28 --------- d-----w C:\Program Files\Free Xmas Screensaver
2008-02-24 07:27 --------- d-----w C:\Program Files\Eye of the Storm Screen Saver
2008-02-24 07:20 --------- d-----w C:\Program Files\CloneDVD
2008-02-24 07:19 --------- d-----w C:\Program Files\ABF software
2008-02-24 07:15 --------- d-----w C:\Program Files\Azureus
2008-02-24 07:14 --------- d-----w C:\Program Files\Assorted
2008-02-24 07:09 --------- d-----w C:\Program Files\3D Spooky Halloween Screensaver
2008-02-23 01:12 --------- d-----w C:\Program Files\IZArc
2008-02-22 13:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-02-22 00:37 --------- d-----w C:\Program Files\Winamp
2008-02-18 15:40 --------- d-----w C:\Program Files\themexp
2008-02-18 15:40 --------- d-----w C:\Program Files\Safe-Share
2008-02-14 23:47 --------- d-----w C:\Documents and Settings\Michael\Application Data\StumbleUpon
2008-02-14 21:35 --------- d-----w C:\Program Files\Common Files\wiuq
2008-02-12 18:31 --------- d-----w C:\Program Files\GetRight
2008-02-10 03:29 --------- d-----w C:\Program Files\QuickTime
2008-01-31 05:02 --------- d-----w C:\Program Files\Lavasoft
2008-01-31 05:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-30 05:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\Winamp
2008-01-26 22:57 10 ----a-w C:\Program Files\.autoreg
2008-01-25 17:58 1,101,353 --sha-w C:\WINDOWS\system32\bncfconm.tmp
2008-01-21 06:05 --------- d-----w C:\Program Files\easetech
2008-01-21 05:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\foobar2000
2008-01-16 02:21 --------- d-----w C:\Program Files\iTunes
2008-01-16 02:21 --------- d-----w C:\Program Files\iPod
2008-01-15 20:58 --------- d-----w C:\Program Files\Album Player Locator
2008-01-05 20:32 --------- d-----w C:\Program Files\Burrrn
2008-01-03 20:09 --------- d-----w C:\Program Files\Monkey's Audio
2007-12-28 20:27 --------- d-----w C:\Program Files\Common Files\SWF Studio
2007-12-28 20:26 --------- d-----w C:\Program Files\Free Audio Pack
2007-12-28 20:03 --------- d-----w C:\Program Files\Medieval Software
2007-12-14 18:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-09-23 02:25 31 ----a-w C:\Documents and Settings\Michael\getfile.dat
2007-09-22 18:21 31 ----a-w C:\Documents and Settings\Owner\getfile.dat
2007-08-07 14:54 31 ----a-w C:\Documents and Settings\Maggie\getfile.dat
2007-07-16 20:14 94,208 ----a-w C:\Program Files\markup.ovl
2007-07-16 20:14 86,016 ----a-w C:\Program Files\topic.top
2007-07-16 20:14 1,351,680 ----a-w C:\Program Files\study.not
2007-07-06 05:26 81,920 ----a-w C:\Program Files\Bookmarks.lst
2007-04-03 10:12 16,240,640 ------w C:\Program Files\tsk.cmt
2007-03-24 07:55 6,639 ----a-w C:\Documents and Settings\Owner\Application Data\unins000.dat
2007-03-24 07:54 682,266 ----a-w C:\Documents and Settings\Owner\Application Data\unins000.exe
2007-01-01 15:09 4,956,160 ----a-w C:\Program Files\e-Sword.exe
2006-12-30 20:59 204,800 ----a-w C:\Program Files\robertson.har
2006-12-27 03:09 65,863 ----a-w C:\Program Files\Readme.pdf
2006-12-21 20:01 19,096 ----a-w C:\Program Files\License.pdf
2006-11-14 15:49 14,680,064 ----a-w C:\Program Files\kjv+.bbl
2006-08-13 08:56 88 ----a-w C:\Program Files\Twilight Zone.theme
2006-08-10 06:31 8,067 ----a-w C:\Documents and Settings\Owner\newpics.zip
2005-09-20 20:27 84 ----a-w C:\Documents and Settings\Owner\config.dat
2005-08-18 14:58 6,334,464 ------w C:\Program Files\asv.bbl
2005-05-12 06:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2005-02-08 17:19 237,568 ----a-w C:\Program Files\RichEdit.ocx
2004-12-20 15:25 14,602,240 ------w C:\Program Files\History of the Christian Church.top
2004-08-11 03:16 3,016,704 ------w C:\Program Files\abs.map
2004-07-07 21:57 8,591 ----a-w C:\Program Files\e-Sword.tip
2003-10-16 22:29 6,830,080 ------w C:\Program Files\mediterranean.map
2003-10-01 03:30 823,296 ------w C:\Program Files\classic.map
2003-05-13 16:09 6,787,072 ------w C:\Program Files\kjv.bbl
2003-04-14 19:31 279,241 ----a-w C:\Program Files\e-Sword.hlp
2002-07-17 13:45 42,459,136 ------w C:\Program Files\henry.cmt
2002-05-24 21:41 6,893,568 ------w C:\Program Files\wesley.cmt
2002-05-15 17:03 5,859,328 ------w C:\Program Files\mhcc.cmt
2002-03-27 18:53 5,163,008 ----a-w C:\Program Files\strong.dct
2002-03-27 17:55 301,056 ------w C:\Program Files\hitchcock.dct
2001-12-07 18:48 24,309 ----a-w C:\Program Files\custom.dic
2001-10-22 17:48 2,752,512 ------w C:\Program Files\isv.bbl
2001-06-07 17:32 6,629,376 ------w C:\Program Files\bbe.bbl
2001-05-17 12:43 2,156,544 ------w C:\Program Files\isv.map
2001-02-09 20:12 524,339 ----a-w C:\Program Files\riched20.dll
2000-02-17 00:49 73,728 ----a-w C:\Program Files\Does Our Shepherd Lose His Sheep.lst
1999-09-17 12:44 1,344,475 ----a-w C:\Program Files\vssp_ae.dic
1999-08-30 17:44 342,910 ----a-w C:\Program Files\vsth_ae.the
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"POP Peeper"="C:\Program Files\POP Peeper\POPPeeper.exe" [2008-02-08 00:18 1429504]
"BackgroundSwitcher"="C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe" [2008-01-22 05:11 907152]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-16 11:34 579072]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 15:54 37376]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-15 23:25 219136]
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
HP Organize.lnk - C:\Program Files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-04-01 14:15:28 36864]
C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
HP Organize.lnk - C:\Program Files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-04-01 14:15:28 36864]
C:\Program Files\Programs\Startup\
DeskSweeper.lnk - C:\Program Files\DeskSweeper\DeskSweeper.exe [1999-03-09 236032]
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1996-06-25 40448]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="logonui.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll 2001-12-20 22:34 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDMCon]
--a------ 2005-07-02 13:36 421888 C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDNewsAgent]
--a------ 2005-07-01 20:58 8192 C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDSwitchAgent]
--a------ 2005-07-02 13:35 33280 C:\Program Files\Softwin\BitDefender8\\bdswitch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 20:02 61440 C:\HP\KBD\KBD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2004-12-10 19:44 11776 C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunasDTServ]
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunasServ]
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USSShReg]
--a------ 1997-11-23 20:16 20992 C:\PROGRA~1\ULEADS~1\ULEADP~1\SSaver\Ussshreg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2004-01-16 04:33 49152 C:\WINDOWS\system32\VTTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"XCOMM"=2 (0x2)
"VSSERV"=2 (0x2)
"iPod Service"=3 (0x3)
"bdss"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Winamp\\winamp.exe"=
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\Abacast\\Abaclient.exe"=
"C:\\Program Files\\FlashGet\\FlashGet.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Documents and Settings\\Michael\\My Documents\\My Documents\\michael's stuff\\games\\Video games\\BZflag\\BZFlag2.0.8\\bzflag.exe"=
"C:\\Documents and Settings\\Michael\\My Documents\\My Documents\\michael's stuff\\games\\Video games\\BZflag\\BZFlag2.0.8\\bzfs.exe"=
"C:\\Documents and Settings\\Michael\\My Documents\\Michael's folders\\BZFlag2.0.8\\bzflag.exe"=
"C:\\Documents and Settings\\Michael\\My Documents\\Michael's folders\\games\\Video games\\BZflag\\BZFlag2.0.8\\bzflag.exe"=
"C:\WINDOWS\system32\bsvruujl.exe"= C:\WINDOWS\system32\bsv
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"C:\\Documents and Settings\\Michael\\My Documents\\Michael's folders\\BZflag\\BZFlag2.0.10\\bzflag.exe"=
"F:\\BZFlag2.0.8\\bzflag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\Michael\\My Documents\\Michael's folders\\BZflag\\BZFlag2.0.8\\bzflag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57225:TCP"= 57225:TCP:Pando P2P TCP Listening Port
"57225:UDP"= 57225:UDP:Pando P2P UDP Listening Port
"9020:TCP"= 9020:TCP:BZFLAG
R2 FILESpy;FILESpy;C:\Program Files\Softwin\BitDefender8\filespy.sys [2005-08-09 19:31]
R3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2006-08-11 16:56]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{daf6ba03-6a1b-11db-a929-00112f057540}]
\Shell\AutoRun\command - F:\SYS\PortableApps\PortableAppsMenu\PortableAppsMenu.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-02-13 02:01:26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-24 16:59:00 C:\WINDOWS\Tasks\iRadio task 7.job"
- C:\PROGRA~1\3aLab\iRadio\iRadio.exe
"2008-02-26 16:00:00 C:\WINDOWS\Tasks\Kitchen.job"
- C:\WINDOWS\Kitchen.scr
"2008-02-26 22:29:05 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 15:29:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\sockspy.dll
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\sockspy.dll
.
Completion time: 2008-02-26 15:37:47
ComboFix-quarantined-files.txt 2008-02-26 22:37:43
ComboFix2.txt 2008-02-26 20:22:10
ComboFix3.txt 2008-02-25 23:28:24
ComboFix4.txt 2008-02-25 20:30:17
ComboFix5.txt 2008-02-24 23:04:35
.
2008-02-14 22:06:28 --- E O F ---
The Red X is gone and everything is running smoothly, with no error messages.