ComboFix 09-01-08.02 - Tom 2009-01-08 23:45:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1041 [GMT -6:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\windows media player\mplayer2.exe
.
---- Previous Run -------
.
c:\program files\windows media player\mplayer2.exe
c:\windows\Downloaded Program Files\rave
c:\windows\Downloaded Program Files\rave\avirexe.vdm
c:\windows\Downloaded Program Files\rave\avirscr.vdm
c:\windows\Downloaded Program Files\rave\base.vdm
c:\windows\Downloaded Program Files\rave\daily.vdm
c:\windows\Downloaded Program Files\rave\daily.vdt
c:\windows\Downloaded Program Files\rave\filters.vdm
c:\windows\Downloaded Program Files\rave\kernel.vdk
c:\windows\Downloaded Program Files\rave\keyring.vdk
c:\windows\Downloaded Program Files\rave\mapi_vdm.vdm
c:\windows\Downloaded Program Files\rave\modules.vdk
c:\windows\Downloaded Program Files\rave\rav8def.vdm
c:\windows\Downloaded Program Files\rave\rufs.vdm
c:\windows\Downloaded Program Files\rave\rufsplg.vdm
c:\windows\Downloaded Program Files\rave\unarch.vdm
c:\windows\Downloaded Program Files\rave\unmail.vdm
c:\windows\Downloaded Program Files\rave\unpack.vdm
c:\windows\Downloaded Program Files\setup.inf
c:\windows\Downloaded Program Files\Temp
c:\windows\IE4 Error Log.txt
c:\windows\system32\open.ico
c:\windows\system32\system
c:\windows\system32\system\msxml4.dll
c:\windows\system32\system\msxml4r.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Legacy_R_SERVER
-------\Service_seneka
-------\Legacy_NPF
-------\Legacy_R_SERVER
((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.
2009-01-07 21:13 . 2009-01-07 21:16 <DIR> d-------- C:\regsearch
2009-01-07 12:35 . 2009-01-07 12:35 <DIR> d-------- c:\program files\ERUNT
2009-01-07 12:32 . 2009-01-07 18:24 <DIR> d-------- C:\Reg Finder
2009-01-05 17:25 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-01-05 17:24 . 2009-01-05 17:24 <DIR> d-------- c:\program files\Panda Security
2009-01-01 16:37 . 2009-01-01 16:37 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-01 12:27 . 2009-01-01 12:27 <DIR> d-------- c:\documents and settings\Georgia\Application Data\Malwarebytes
2008-12-31 21:22 . 2008-12-31 21:22 <DIR> d-------- c:\program files\Opera
2008-12-31 21:17 . 2008-12-31 21:17 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-26 19:33 . 2009-01-07 21:08 <DIR> d-------- C:\1avgtemp1
2008-12-24 15:09 . 2009-01-07 21:32 250 --a------ c:\windows\gmer.ini
2008-12-24 12:59 . 2009-01-07 21:59 <DIR> d-------- C:\1avgtemp
2008-12-24 12:44 . 2008-12-24 12:47 11,164,087 --------- c:\windows\system32\TAQAUEZOZJR
2008-12-23 03:24 . 2008-12-23 03:24 665,088 --------- c:\windows\system32\spsplib1.dll
2008-12-17 17:16 . 2008-12-17 17:32 <DIR> d-------- c:\windows\NV36961336.TMP
2008-12-17 17:16 . 2008-09-17 23:55 453,152 --------- c:\windows\system32\nvuninst.exe
2008-12-17 17:16 . 2008-09-17 23:55 201,050 --------- c:\windows\system32\nvapps.nvb
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 05:36 --------- d-----w c:\documents and settings\Tom\Application Data\Spamihilator
2009-01-08 22:44 --------- d-----w c:\documents and settings\Tom\Application Data\AVG7
2009-01-07 18:34 --------- d-----w c:\documents and settings\Tom\Application Data\uTorrent
2009-01-07 18:33 --------- d-----w c:\program files\Java
2009-01-07 18:31 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-05 00:38 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-05 00:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-04 23:12 --------- d-----w c:\program files\QuoteTracker
2009-01-01 18:47 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-01 18:46 --------- d-----w c:\program files\SpywareBlaster
2009-01-01 18:13 --------- d-----w c:\program files\Spamihilator
2009-01-01 03:46 --------- d-----w c:\program files\YPOPs
2008-12-27 01:04 --------- d-----w c:\documents and settings\Tom\Application Data\Move Networks
2008-12-18 23:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-06 21:29 --------- d-----w c:\documents and settings\Tom\Application Data\Thinstall
2008-12-06 21:23 --------- d-----w c:\documents and settings\All Users\Application Data\LogMeIn
2008-12-06 16:58 --------- d-----w c:\documents and settings\Tom\Application Data\DivX
2008-12-06 16:56 --------- d-----w c:\program files\DivX
2008-12-05 03:06 --------- d-----w c:\program files\Windows Live Safety Center
2008-11-25 21:11 0 ---h--w c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-11-25 21:08 --------- d-----w c:\program files\Motorola Phone Tools
2008-11-25 21:04 --------- d-----w c:\program files\Common Files\Motorola Shared
2008-11-25 21:02 92,064 ------w c:\documents and settings\Tom\mqdmmdm.sys
2008-11-25 21:02 9,232 ------w c:\documents and settings\Tom\mqdmmdfl.sys
2008-11-25 21:02 79,328 ------w c:\documents and settings\Tom\mqdmserd.sys
2008-11-25 21:02 66,656 ------w c:\documents and settings\Tom\mqdmbus.sys
2008-11-25 21:02 6,208 ------w c:\documents and settings\Tom\mqdmcmnt.sys
2008-11-25 21:02 5,936 ------w c:\documents and settings\Tom\mqdmwhnt.sys
2008-11-25 21:02 4,048 ------w c:\documents and settings\Tom\mqdmcr.sys
2008-11-25 21:02 25,600 ------w c:\documents and settings\Tom\usbsermptxp.sys
2008-11-25 21:02 22,768 ------w c:\documents and settings\Tom\usbsermpt.sys
2004-02-12 00:25 560 ------w c:\documents and settings\Tom\PCDOC.BAT
2004-02-07 02:00 26,296 ------w c:\documents and settings\Tom\Application Data\GDIPFONTCACHEV1.DAT
2008-05-07 02:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050620080507\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"Spamihilator"="c:\program files\Spamihilator\spamihilator.exe" [2008-12-23 1321984]
"MXO Auto Loader"="c:\windows\MXOaldr.exe" [2002-08-09 118784]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-31 136600]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-03-02 219136]
c:\documents and settings\Tom\Start Menu\Programs\Startup\
No-IP DUC.lnk - c:\program files\No-IP\DUC20.exe [2006-11-16 1172992]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp officejet g series) - 3.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2008-03-02 16:20 9216 c:\windows\system32\avgwlntf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\
0lsdelete\
0pgdfgsvc C 1
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet g series) - 1.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet g series) - 1.lnk
backup=c:\windows\pss\HPAiODevice(hp officejet g series) - 1.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet g series) - 2.lnk]
backup=c:\windows\pss\HPAiODevice(hp officejet g series) - 2.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk.disabled]
backup=c:\windows\pss\Microsoft Office.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk.disabled]
backup=c:\windows\pss\WinZip Quick Pick.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Tom^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2002-08-29 06:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 23:31 208952 c:\windows\ime\imjp8_1\imjpmig.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---h----- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2002-08-29 06:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--------- 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--------- 2008-09-17 23:55 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDRealtime]
--------- 2003-03-15 22:46 168448 c:\windows\realtime.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2002-08-29 06:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2002-08-29 06:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2003-09-20 19:12 77824 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-09-16 11:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--------- 2008-10-30 08:40 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--------- 2008-09-17 23:55 1657376 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"winvnc"=2 (0x2)
"TapiSrv"=2 (0x2)
"SCardSvr"=3 (0x3)
"RDSessMgr"=2 (0x2)
"RasMan"=3 (0x3)
"mnmsrvc"=3 (0x3)
"ERSvc"=2 (0x2)
"Browser"=3 (0x3)
"TermService"=2 (0x2)
"Backup Server"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SoundMan"=SOUNDMAN.EXE
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"TPP Auto Loader"=c:\windows\tppaldr.exe
"ATIPTA"=c:\mea\WINDOWS\SYSTEM32\atiptaxx.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Spamihilator\\cdcc.exe"=
"c:\\Program Files\\Spamihilator\\dccproc.exe"=
"c:\\Program Files\\Spamihilator\\spamihilator.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-05 28544]
R0 pkwwjrdy;pkwwjrdy;c:\windows\system32\drivers\pkwwjrdy.sys [2002-08-29 23424]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-12-06 47640]
R4 Yahoo! Zimbra Desktop Service;Yahoo! Zimbra Desktop Service;c:\zimbra\zdesktop\zdesktop.exe [2008-12-05 139264]
S3 ATICDSDr;ATICDSDr; [x]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys --> c:\windows\system32\DRIVERS\radpms.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X; [x]
S3 TPP300;USB Storage Adapter V3 (TPP);c:\windows\system32\drivers\TPP300.SYS [2003-09-29 33669]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\windows\system32\drivers\RTL8150.SYS [2005-10-07 24447]
S4 Backup Server;Backup Server;c:\progra~1\NOVANE~1\BACKUP~2.EXE [2004-01-05 576512]
S4 gupdate1c9202de24f0e3e;Google Update Service (gupdate1c9202de24f0e3e);c:\program files\Google\Update\GoogleUpdate.exe [2008-09-26 133104]
S4 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 RLOOCCUE;RLOOCCUE;c:\docume~1\Tom\LOCALS~1\Temp\RLOOCCUE.exe --> c:\docume~1\Tom\LOCALS~1\Temp\RLOOCCUE.exe [?]
.
Contents of the 'Scheduled Tasks' folder
2009-01-08 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2008-04-13 18:12]
2009-01-09 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-26 17:54]
2009-01-09 c:\windows\Tasks\mnyzdial.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -
BHO-{0536321F-23FA-464F-8B53-12F03CFF164E} - c:\windows\system32\kfrls.dll
HKU-Default-Run-msiexec.exe - msiconf.exe
ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - (no file)
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_05\bin\jusched.exe
.
------- Supplementary Scan -------
.
uStart Page =
hxxp://www.google.com/advanced_search?hl=enuLocal Page = c:\windows\PCHealth\HelpCtr\System\panels\blank.htm
mLocal Page = c:\windows\PCHealth\HelpCtr\System\panels\blank.htm
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) =
hxxp://www.google.com/keyword/%s
IE: Add To CheckIt &86 Trust List - c:\progra~1\CheckIt\86\AddToTrustList.js
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone:
www.msi.com.twO16 -: DirectAnimation Java Classes -
file://c:\i386\DAJAVA.CAB
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java -
file://c:\i386\XMLDSO.CAB
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
O16 -: {8167C273-DF59-4416-B647-C8BB2C7EE83E} -
hxxp://tw.msi.com.tw/autobios/LOnline/install.cabc:\windows\Downloaded Program Files\MSIWDev.inf
FF - ProfilePath - c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\default.vt9\
FF - prefs.js: browser.startup.homepage -
hxxp://www.okhistory.orgFF - plugin: c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\default.vt9\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000004.dll
FF - plugin: c:\program files\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2009-01-08 23:53:08
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\5.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(512)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\avgwlntf.dll
c:\windows\system32\LMIinit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\program files\Grisoft\AVG7\avgamsvr.exe
c:\program files\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\windows\system32\hpoipm07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
.
**************************************************************************
.
Completion time: 2009-01-08 23:58:49 - machine was rebooted [Tom]
ComboFix-quarantined-files.txt 2009-01-09 05:58:27
Pre-Run: 50,560,655,360 bytes free
Post-Run: 50,480,070,656 bytes free
302 --- E O F --- 2008-12-12 09:03:41
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:14 AM, on 1/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\zimbra\zdesktop\zdesktop.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\WINDOWS\MXOaldr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\No-IP\DUC20.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\highjackthis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {0536321F-23FA-464F-8B53-12F03CFF164E} - C:\WINDOWS\system32\kfrls.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: CheckIt 86 Extension Class - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 3.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone:
http://www.msi.com.twO16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
http://housecall60.trendmicro.com/housecall/xscan60.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) -
http://housecall65.trendmicro.com/house ... hcImpl.cabO16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
http://security.symantec.com/sscv6/Shar ... vSniff.cabO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) -
http://acs.pandasoftware.com/activescan ... stubie.cabO16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} -
http://moneycentral.msn.com/cabs/pmupd806.exeO16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) -
http://photos.walmart.com/WalmartActivia.cabO16 - DPF: {49232000-16E4-426C-A231-62846947304B} -
http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cabO16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -
http://download.bitdefender.com/resourc ... oscan8.cabO16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -
http://cdn.scan.onecare.live.com/resour ... se6662.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.com/v ... 3661854406O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) -
http://www.youbet.net/wr_5_8/controls/ybrequest.cabO16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2004 ... scan53.cabO16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) -
http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cabO16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) -
http://tw.msi.com.tw/autobios/LOnline/install.cabO16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) -
http://www.ravantivirus.com/scan/ravonline.cabO16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
http://us.dl1.yimg.com/download.yahoo.c ... mplete.cabO16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) -
http://support.f-secure.com/ols/fscax.cabO16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} -
http://www.seagate.com/support/disc/asp ... atools.cabO20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Google Update Service (gupdate1c9202de24f0e3e) (gupdate1c9202de24f0e3e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Yahoo! Zimbra Desktop Service - Unknown owner - C:\zimbra\zdesktop\zdesktop.exe
--
End of file - 8981 bytes