Hi Bio-Hazard.
I noticed that Combofix deleted a lot of "Limewire" files. I was wondering if the following might be of some assistance to you.
When all this crap started, the first thing I noticed was that I couldn't download any attachments from Email messages. Also, about 2 months ago the free version of Limewire we were using wouldn't connect. A friend of mine (might not be a friend after all this) suggested that I install a program called Bearshare. I did this and, as I now recall, that was when things went haywire. I dumped Bearshare and paid for and installed the full version of Limewire. This connected once and then fell over as per the first. I now read on your site that "Peer to Peer" programs are dangerous. However, I note that Limewire is listed as "safe" and Bearshare is not. What is your opinion on the use of Limewire?
Here are the files you requested.
ComboFix 09-01-21.02 - Owner 2009-01-23 10:53:50.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.665 [GMT 11:00]
Running from: c:\documents and settings\Owner\Desktop\JUNK\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\JUNK\CFScript.txt
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point
FILE ::
c:\windows\system32\drivers\msqpdxedfldnbm.dll
c:\windows\system32\drivers\msqpdxwwowxns1.sys
c:\windows\system32\drivers\tmp.reg
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\1A1F4
c:\documents and settings\All Users\Application Data\1A1F4\{C8CA95FF-CFFD-4D0B-8749-39BF42DDA06B}.swf
c:\documents and settings\All Users\Application Data\1B280
c:\documents and settings\All Users\Application Data\1B280\{CA264AEC-ED92-4DB2-893A-509B4F35BE5D}.swf
c:\documents and settings\All Users\Application Data\2177
c:\documents and settings\All Users\Application Data\2177\{1C886207-FDE0-42AF-B9F3-B0063758C48C}.swf
c:\documents and settings\All Users\Application Data\236D
c:\documents and settings\All Users\Application Data\236D\{2B365F2E-D1AB-4103-AE43-DC9095164217}.swf
c:\documents and settings\All Users\Application Data\28AB
c:\documents and settings\All Users\Application Data\28AB\{A061B6BA-F2E1-41AF-94DC-4CF0BA601A62}.swf
c:\documents and settings\All Users\Application Data\4186
c:\documents and settings\All Users\Application Data\4186\{0A37C198-47CA-42CE-9B1B-CD2CE9306382}.swf
c:\documents and settings\Owner\Application Data\LimeWire
c:\documents and settings\Owner\Application Data\LimeWire\412splashfree.png
c:\documents and settings\Owner\Application Data\LimeWire\414splashfree.png
c:\documents and settings\Owner\Application Data\LimeWire\active.mojito
c:\documents and settings\Owner\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\Owner\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Owner\Application Data\LimeWire\data.ser
c:\documents and settings\Owner\Application Data\LimeWire\downloads.dat
c:\documents and settings\Owner\Application Data\LimeWire\fileurns.bak
c:\documents and settings\Owner\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Owner\Application Data\LimeWire\filters.props
c:\documents and settings\Owner\Application Data\LimeWire\gnutella.net
c:\documents and settings\Owner\Application Data\LimeWire\installation.props
c:\documents and settings\Owner\Application Data\LimeWire\library.dat
c:\documents and settings\Owner\Application Data\LimeWire\limewire.props
c:\documents and settings\Owner\Application Data\LimeWire\mojito.props
c:\documents and settings\Owner\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\Owner\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\Owner\Application Data\LimeWire\promotion\promodb.lck
c:\documents and settings\Owner\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\Owner\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\Owner\Application Data\LimeWire\pub1.key
c:\documents and settings\Owner\Application Data\LimeWire\public.key
c:\documents and settings\Owner\Application Data\LimeWire\questions.props
c:\documents and settings\Owner\Application Data\LimeWire\responses.cache
c:\documents and settings\Owner\Application Data\LimeWire\secureMessage.key
c:\documents and settings\Owner\Application Data\LimeWire\simpp.xml
c:\documents and settings\Owner\Application Data\LimeWire\spam.dat
c:\documents and settings\Owner\Application Data\LimeWire\tables.props
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme.lwtp
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\01_star.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\02_star.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\03_star.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\04_star.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\05_star.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\chat.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\dir_closed.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\dir_open.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\forward_dn.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\forward_up.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\kill.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\kill_on.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\lime.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\lw_logo.png
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\pause_dn.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\pause_up.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\play_dn.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\play_up.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\question.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\rewind_dn.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\rewind_up.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\stop_dn.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\stop_up.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\theme.txt
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\version.txt
c:\documents and settings\Owner\Application Data\LimeWire\themes\limewirePro_theme\warning.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\Owner\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\Owner\Application Data\LimeWire\ttree.cache
c:\documents and settings\Owner\Application Data\LimeWire\ttrees.cache
c:\documents and settings\Owner\Application Data\LimeWire\ttroot.cache
c:\documents and settings\Owner\Application Data\LimeWire\update.xml
c:\documents and settings\Owner\Application Data\LimeWire\version.key
c:\documents and settings\Owner\Application Data\LimeWire\version.xml
c:\documents and settings\Owner\Application Data\LimeWire\version.xml48598tmp
c:\documents and settings\Owner\Application Data\LimeWire\versions.props
c:\documents and settings\Owner\Application Data\LimeWire\xml\data\audio.sxml2
c:\documents and settings\Owner\Application Data\LimeWire\xml\data\delete_me
c:\documents and settings\Owner\Application Data\LimeWire\xml\data\video.sxml2
c:\documents and settings\Owner\Application Data\LimeWire\xml\misc\application.gif
c:\documents and settings\Owner\Application Data\LimeWire\xml\misc\audio.gif
c:\documents and settings\Owner\Application Data\LimeWire\xml\misc\document.gif
c:\documents and settings\Owner\Application Data\LimeWire\xml\misc\image.gif
c:\documents and settings\Owner\Application Data\LimeWire\xml\misc\video.gif
c:\documents and settings\Owner\Application Data\LimeWire\xml\schemas\application.xsd
c:\documents and settings\Owner\Application Data\LimeWire\xml\schemas\audio.xsd
c:\documents and settings\Owner\Application Data\LimeWire\xml\schemas\document.xsd
c:\documents and settings\Owner\Application Data\LimeWire\xml\schemas\image.xsd
c:\documents and settings\Owner\Application Data\LimeWire\xml\schemas\video.xsd
c:\program files\LimeWire
c:\program files\LimeWire\COPYING
c:\program files\LimeWire\data.ser
c:\program files\LimeWire\GenericWindowsUtils.dll
c:\program files\LimeWire\i18n.jar
c:\program files\LimeWire\inspection.props
c:\program files\LimeWire\jl011.jar
c:\program files\LimeWire\language.prop
c:\program files\LimeWire\lib(2)\aopalliance.jar
c:\program files\LimeWire\lib(2)\clink.jar
c:\program files\LimeWire\lib(2)\commons-codec-1.3.jar
c:\program files\LimeWire\lib(2)\commons-logging.jar
c:\program files\LimeWire\lib(2)\commons-net.jar
c:\program files\LimeWire\lib(2)\daap.jar
c:\program files\LimeWire\lib(2)\dnsjava.jar
c:\program files\LimeWire\lib(2)\forms.jar
c:\program files\LimeWire\lib(2)\foxtrot.jar
c:\program files\LimeWire\lib(2)\gettext-commons.jar
c:\program files\LimeWire\lib(2)\guice-1.0.jar
c:\program files\LimeWire\lib(2)\hashes
c:\program files\LimeWire\lib(2)\httpclient-4.0-alpha5-20080522.192134-5.jar
c:\program files\LimeWire\lib(2)\httpcore-4.0-beta2-20080510.140437-10.jar
c:\program files\LimeWire\lib(2)\httpcore-nio-4.0-beta2-20080510.140437-10.jar
c:\program files\LimeWire\lib(2)\icu4j.jar
c:\program files\LimeWire\lib(2)\jaudiotagger.jar
c:\program files\LimeWire\lib(2)\jcraft.jar
c:\program files\LimeWire\lib(2)\jdic.jar
c:\program files\LimeWire\lib(2)\jdic_stub.jar
c:\program files\LimeWire\lib(2)\jflac.jar
c:\program files\LimeWire\lib(2)\jl.jar
c:\program files\LimeWire\lib(2)\jmdns.jar
c:\program files\LimeWire\lib(2)\jogg.jar
c:\program files\LimeWire\lib(2)\jorbis.jar
c:\program files\LimeWire\lib(2)\log4j.jar
c:\program files\LimeWire\lib(2)\looks.jar
c:\program files\LimeWire\lib(2)\messages.jar
c:\program files\LimeWire\lib(2)\mp3spi.jar
c:\program files\LimeWire\lib(2)\onion-common.jar
c:\program files\LimeWire\lib(2)\onion-fec.jar
c:\program files\LimeWire\lib(2)\ProgressTabs.jar
c:\program files\LimeWire\lib(2)\swt.jar
c:\program files\LimeWire\lib(2)\themes.jar
c:\program files\LimeWire\lib(2)\tritonus.jar
c:\program files\LimeWire\lib(2)\vorbisspi.jar
c:\program files\LimeWire\lib\aopalliance.jar
c:\program files\LimeWire\lib\clink.jar
c:\program files\LimeWire\lib\commons-codec-1.3.jar
c:\program files\LimeWire\lib\commons-logging.jar
c:\program files\LimeWire\lib\commons-net.jar
c:\program files\LimeWire\lib\daap.jar
c:\program files\LimeWire\lib\dnsjava.jar
c:\program files\LimeWire\lib\forms.jar
c:\program files\LimeWire\lib\foxtrot.jar
c:\program files\LimeWire\lib\gettext-commons.jar
c:\program files\LimeWire\lib\guice-1.0.jar
c:\program files\LimeWire\lib\hashes
c:\program files\LimeWire\lib\httpclient-4.0-alpha5-20080522.192134-5.jar
c:\program files\LimeWire\lib\httpcore-4.0-beta2-20080510.140437-10.jar
c:\program files\LimeWire\lib\httpcore-nio-4.0-beta2-20080510.140437-10.jar
c:\program files\LimeWire\lib\icu4j.jar
c:\program files\LimeWire\lib\jaudiotagger.jar
c:\program files\LimeWire\lib\jcraft.jar
c:\program files\LimeWire\lib\jdic.dll
c:\program files\LimeWire\lib\jdic.jar
c:\program files\LimeWire\lib\jdic_stub.jar
c:\program files\LimeWire\lib\jflac.jar
c:\program files\LimeWire\lib\jl.jar
c:\program files\LimeWire\lib\jmdns.jar
c:\program files\LimeWire\lib\jogg.jar
c:\program files\LimeWire\lib\jorbis.jar
c:\program files\LimeWire\lib\LimeWire.ico
c:\program files\LimeWire\lib\log4j.jar
c:\program files\LimeWire\lib\log4j.properties
c:\program files\LimeWire\lib\looks.jar
c:\program files\LimeWire\lib\messages.jar
c:\program files\LimeWire\lib\mp3spi.jar
c:\program files\LimeWire\lib\onion-common.jar
c:\program files\LimeWire\lib\onion-fec.jar
c:\program files\LimeWire\lib\ProgressTabs.jar
c:\program files\LimeWire\lib\swt.jar
c:\program files\LimeWire\lib\SystemUtilities.dll
c:\program files\LimeWire\lib\SystemUtilitiesA.dll
c:\program files\LimeWire\lib\themes.jar
c:\program files\LimeWire\lib\tray.dll
c:\program files\LimeWire\lib\tritonus.jar
c:\program files\LimeWire\lib\vorbisspi.jar
c:\program files\LimeWire\LimeWire On Startup.lnk
c:\program files\LimeWire\LimeWire.exe
c:\program files\LimeWire\LimeWire.ico
c:\program files\LimeWire\LimeWire20.dll
c:\program files\LimeWire\MessagesBundles.jar
c:\program files\LimeWire\mp3sp14.jar
c:\program files\LimeWire\pmf.ico
c:\program files\LimeWire\root(2)\magnet10(2)\badge.img
c:\program files\LimeWire\root(2)\magnet10(2)\canHandle.img
c:\program files\LimeWire\root(2)\magnet10(2)\limewire.gif
c:\program files\LimeWire\root(2)\magnet10(2)\options.js
c:\program files\LimeWire\root(2)\magnet10(2)\silentdetect.js
c:\program files\LimeWire\root\magnet10\badge.img
c:\program files\LimeWire\root\magnet10\canHandle.img
c:\program files\LimeWire\root\magnet10\limewire.gif
c:\program files\LimeWire\root\magnet10\options.js
c:\program files\LimeWire\root\magnet10\silentdetect.js
c:\program files\LimeWire\SOURCE
c:\program files\LimeWire\spacer.gif
c:\program files\LimeWire\uninstall.exe
c:\program files\LimeWire\vorbis.jar
c:\program files\LimeWire\WindowsFirewall.dll
c:\program files\LimeWire\WindowsV5PlusUtils.dll
c:\program files\LimeWire\xerces.jar
c:\program files\LimeWire\xml-apis.jar
.
((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))
.
2009-01-21 10:10 . 2009-01-21 10:10 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-21 09:21 . 2009-01-21 09:21 <DIR> d-------- C:\rsit
2009-01-21 09:14 . 2009-01-21 09:14 <DIR> d-------- c:\documents and settings\Owner\.SunDownloadManager
2009-01-15 13:24 . 2005-08-27 02:38 1,435,272 --a------ c:\windows\system32\Flash.ocx
2009-01-15 13:24 . 2003-11-19 13:59 512,688 --a------ c:\windows\system32\XceedCry.dll
2009-01-15 13:24 . 2004-05-11 09:56 423,784 --a------ c:\windows\system32\XceedBkp.dll
2009-01-15 13:24 . 2004-02-05 20:53 389,120 --a------ c:\windows\system32\ACTSKN43.OCX
2009-01-15 13:24 . 2004-01-09 10:54 188,416 --a------ c:\windows\system32\actsplash.ocx
2009-01-15 13:24 . 2004-03-08 23:00 131,856 --a------ c:\windows\system32\MSADODC.ocx
2009-01-15 13:24 . 2001-03-28 22:02 89,088 --a------ c:\windows\system32\ProgressBar4.ocx
2009-01-15 13:24 . 1999-01-26 19:36 11,012 --a------ c:\windows\system32\threadapi.tlb
2009-01-15 09:32 . 2009-01-15 09:32 <DIR> d-------- c:\program files\IObit
2009-01-15 09:32 . 2009-01-15 09:50 <DIR> d-------- c:\documents and settings\Owner\Application Data\IObit
2009-01-13 16:27 . 2009-01-13 16:27 <DIR> d-------- c:\program files\Participatory Culture Foundation
2009-01-13 16:27 . 2009-01-13 16:27 <DIR> d-------- c:\documents and settings\Owner\Application Data\Participatory Culture Foundation
2009-01-10 09:32 . 2009-01-23 10:34 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-10 09:32 . 2009-01-10 09:32 1,409 --a------ c:\windows\QTFont.for
2009-01-08 15:05 . 2009-01-08 15:07 <DIR> d-------- c:\program files\JPEG to PDF
2009-01-02 09:53 . 2009-01-02 09:53 <DIR> d-------- c:\program files\LexarMedia
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 21:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-20 23:10 --------- d-----w c:\program files\Java
2009-01-20 22:21 --------- d-----w c:\program files\Trend Micro
2009-01-14 22:48 --------- d-----w c:\program files\Recuva
2009-01-14 22:48 --------- d-----w c:\program files\Paint Shop Pro
2009-01-14 22:48 --------- d-----w c:\program files\PageBreeze
2009-01-14 22:48 --------- d-----w c:\program files\FreeUndelete
2009-01-14 22:48 --------- d-----w c:\program files\Free Hide Folder
2009-01-14 22:48 --------- d-----w c:\program files\Desktop Taipei
2009-01-14 22:48 --------- d-----w c:\program files\DAP
2009-01-08 04:17 --------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2008-12-26 02:23 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-23 21:16 --------- d-----w c:\program files\CCleaner
2008-12-18 02:19 --------- d-----w c:\program files\IrfanView
2008-12-17 23:14 80,400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2008-12-17 23:14 50,192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2008-12-17 23:14 49,680 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2008-12-17 23:14 334,352 ----a-w c:\windows\system32\drivers\TM_CFW.sys
2008-12-17 23:14 144,912 ----a-w c:\windows\system32\drivers\tmcomm.sys
2008-12-12 01:46 --------- d-----w c:\program files\Google
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-08 02:52 --------- d-----w c:\documents and settings\Owner\Application Data\Imesh MP3 Downloader
2008-11-27 01:42 36,368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2008-11-27 01:42 205,328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2008-11-27 01:39 1,195,384 ----a-w c:\windows\system32\drivers\vsapint.sys
2008-11-24 00:44 --------- d-----w c:\program files\Windows Media Connect 2
2008-11-17 20:04 2,306,113 ----a-w c:\windows\system32\GPhotos.scr
2008-11-08 01:46 68,560 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-09-23 06:37 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-09-23 06:37 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-09-23 06:37 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092320080924\index.dat
2008-09-23 06:37 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((( snapshot@2009-01-22_ 9.25.25.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-08 10:41:42 333,824 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 -c----w c:\windows\system32\dllcache\srv.sys
- 2008-12-09 23:24:37 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-22 23:34:04 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1fc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WireLessMouse "="c:\program files\Multimedia Combo Set\MouseDrv.exe" [2004-06-27 503808]
"WireLessKeyboard "="c:\program files\Multimedia Combo Set\PS2USBKbdDrv.exe" [2005-08-02 245760]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-21 136600]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 c:\windows\system32\nvmctray.dll]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\tahlias stuff\NOKIA phone\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-12-18 497008]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LG SyncManager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LG SyncManager.lnk
backup=c:\windows\pss\LG SyncManager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-07 00:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 03:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
--a------ 2008-12-20 05:28 1434864 c:\program files\CCleaner\ccleaner.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comodo Launch Pad App]
--a------ 2008-09-06 09:54 225864 c:\program files\Comodo\LaunchPad\CLPGuiApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comodo Launch Pad Tray]
--a------ 2008-09-06 09:54 229448 c:\program files\Comodo\LaunchPad\CLPTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComodoBackup]
--a------ 2006-03-02 17:33 3177984 c:\program files\Comodo\Backup\CmdBackUp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE]
--a------ 2008-12-18 10:14 497008 c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2007-06-18 16:10 271360 c:\tahlias stuff\NOKIA phone\Nokia PC Suite 6\LaunchApplication.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
--a------ 2008-12-18 10:14 970808 c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-06-01 20:22 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56544:TCP"= 56544:TCP:Pando P2P TCP Listening Port
"56544:UDP"= 56544:UDP:Pando P2P UDP Listening Port
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-12-18 334352]
R4 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-12-18 181584]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-12-18 36368]
S4 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-12-18 49680]
S4 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2008-12-18 492888]
S4 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-12-18 677128]
.
Contents of the 'Scheduled Tasks' folder
2009-01-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2009-01-22 c:\windows\Tasks\SyncBack Corvon.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\dzur9zzm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFTMUFEHelper.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFToolbarComm.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-23 10:55:13
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-01-23 10:56:26
ComboFix-quarantined-files.txt 2009-01-22 23:56:24
ComboFix2.txt 2009-01-21 22:45:49
ComboFix3.txt 2009-01-21 22:33:30
ComboFix4.txt 2009-01-21 22:26:46
Pre-Run: 193,206,706,176 bytes free
Post-Run: 193,218,281,472 bytes free
411 --- E O F --- 2009-01-22 05:52:16
THIS IS COMBOFIX2.TXT
ComboFix 09-01-21.02 - Owner 2009-01-22 9:43:51.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.670 [GMT 11:00]
Running from: c:\documents and settings\Owner\Desktop\JUNK\ComboFix.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
.
((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))
.
2009-01-21 10:10 . 2009-01-21 10:10 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-21 09:21 . 2009-01-21 09:21 <DIR> d-------- C:\rsit
2009-01-21 09:14 . 2009-01-21 09:14 <DIR> d-------- c:\documents and settings\Owner\.SunDownloadManager
2009-01-15 13:24 . 2005-08-27 02:38 1,435,272 --a------ c:\windows\system32\Flash.ocx
2009-01-15 13:24 . 2003-11-19 13:59 512,688 --a------ c:\windows\system32\XceedCry.dll
2009-01-15 13:24 . 2004-05-11 09:56 423,784 --a------ c:\windows\system32\XceedBkp.dll
2009-01-15 13:24 . 2004-02-05 20:53 389,120 --a------ c:\windows\system32\ACTSKN43.OCX
2009-01-15 13:24 . 2004-01-09 10:54 188,416 --a------ c:\windows\system32\actsplash.ocx
2009-01-15 13:24 . 2004-03-08 23:00 131,856 --a------ c:\windows\system32\MSADODC.ocx
2009-01-15 13:24 . 2001-03-28 22:02 89,088 --a------ c:\windows\system32\ProgressBar4.ocx
2009-01-15 13:24 . 1999-01-26 19:36 11,012 --a------ c:\windows\system32\threadapi.tlb
2009-01-15 09:32 . 2009-01-15 09:32 <DIR> d-------- c:\program files\IObit
2009-01-15 09:32 . 2009-01-15 09:50 <DIR> d-------- c:\documents and settings\Owner\Application Data\IObit
2009-01-13 16:27 . 2009-01-13 16:27 <DIR> d-------- c:\program files\Participatory Culture Foundation
2009-01-13 16:27 . 2009-01-13 16:27 <DIR> d-------- c:\documents and settings\Owner\Application Data\Participatory Culture Foundation
2009-01-10 09:32 . 2009-01-22 09:29 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-10 09:32 . 2009-01-10 09:32 1,409 --a------ c:\windows\QTFont.for
2009-01-08 15:05 . 2009-01-08 15:07 <DIR> d-------- c:\program files\JPEG to PDF
2009-01-02 09:53 . 2009-01-02 09:53 <DIR> d-------- c:\program files\LexarMedia
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 21:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-20 23:10 --------- d-----w c:\program files\Java
2009-01-20 22:21 --------- d-----w c:\program files\Trend Micro
2009-01-14 22:48 --------- d-----w c:\program files\Recuva
2009-01-14 22:48 --------- d-----w c:\program files\Paint Shop Pro
2009-01-14 22:48 --------- d-----w c:\program files\PageBreeze
2009-01-14 22:48 --------- d-----w c:\program files\LimeWire
2009-01-14 22:48 --------- d-----w c:\program files\FreeUndelete
2009-01-14 22:48 --------- d-----w c:\program files\Free Hide Folder
2009-01-14 22:48 --------- d-----w c:\program files\Desktop Taipei
2009-01-14 22:48 --------- d-----w c:\program files\DAP
2009-01-08 04:17 --------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2008-12-31 23:34 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
2008-12-26 02:23 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-23 21:16 --------- d-----w c:\program files\CCleaner
2008-12-18 02:19 --------- d-----w c:\program files\IrfanView
2008-12-17 23:14 80,400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2008-12-17 23:14 50,192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2008-12-17 23:14 49,680 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2008-12-17 23:14 334,352 ----a-w c:\windows\system32\drivers\TM_CFW.sys
2008-12-17 23:14 144,912 ----a-w c:\windows\system32\drivers\tmcomm.sys
2008-12-16 10:08 --------- d-----w c:\documents and settings\All Users\Application Data\1A1F4
2008-12-12 01:46 --------- d-----w c:\program files\Google
2008-12-08 02:52 --------- d-----w c:\documents and settings\Owner\Application Data\Imesh MP3 Downloader
2008-12-02 06:32 --------- d-----w c:\documents and settings\All Users\Application Data\4186
2008-12-01 09:45 --------- d-----w c:\documents and settings\All Users\Application Data\1B280
2008-11-27 05:01 --------- d-----w c:\documents and settings\All Users\Application Data\236D
2008-11-27 01:42 36,368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2008-11-27 01:42 205,328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2008-11-27 01:39 1,195,384 ----a-w c:\windows\system32\drivers\vsapint.sys
2008-11-26 10:28 --------- d-----w c:\documents and settings\All Users\Application Data\2177
2008-11-24 00:44 --------- d-----w c:\program files\Windows Media Connect 2
2008-11-21 23:41 --------- d-----w c:\documents and settings\All Users\Application Data\28AB
2008-11-21 22:34 --------- d-----w c:\program files\FastStone Capture
2008-11-17 20:04 2,306,113 ----a-w c:\windows\system32\GPhotos.scr
2008-11-08 01:46 68,560 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-09-23 06:37 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-09-23 06:37 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-09-23 06:37 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092320080924\index.dat
2008-09-23 06:37 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((( snapshot@2009-01-22_ 9.25.25.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-21 22:29:33 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_208.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WireLessMouse "="c:\program files\Multimedia Combo Set\MouseDrv.exe" [2004-06-27 503808]
"WireLessKeyboard "="c:\program files\Multimedia Combo Set\PS2USBKbdDrv.exe" [2005-08-02 245760]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-21 136600]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 c:\windows\system32\nvmctray.dll]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\tahlias stuff\NOKIA phone\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-12-18 497008]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LG SyncManager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LG SyncManager.lnk
backup=c:\windows\pss\LG SyncManager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-07 00:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 03:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
--a------ 2008-12-20 05:28 1434864 c:\program files\CCleaner\ccleaner.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comodo Launch Pad App]
--a------ 2008-09-06 09:54 225864 c:\program files\Comodo\LaunchPad\CLPGuiApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comodo Launch Pad Tray]
--a------ 2008-09-06 09:54 229448 c:\program files\Comodo\LaunchPad\CLPTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComodoBackup]
--a------ 2006-03-02 17:33 3177984 c:\program files\Comodo\Backup\CmdBackUp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE]
--a------ 2008-12-18 10:14 497008 c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2007-06-18 16:10 271360 c:\tahlias stuff\NOKIA phone\Nokia PC Suite 6\LaunchApplication.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
--a------ 2008-12-18 10:14 970808 c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-06-01 20:22 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56544:TCP"= 56544:TCP:Pando P2P TCP Listening Port
"56544:UDP"= 56544:UDP:Pando P2P UDP Listening Port
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-12-18 334352]
R4 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-12-18 181584]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-12-18 36368]
S4 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-12-18 49680]
S4 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2008-12-18 492888]
S4 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-12-18 677128]
.
Contents of the 'Scheduled Tasks' folder
2009-01-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2009-01-21 c:\windows\Tasks\SyncBack Corvon.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\dzur9zzm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFTMUFEHelper.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFToolbarComm.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 09:44:39
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-01-22 9:45:48
ComboFix-quarantined-files.txt 2009-01-21 22:45:45
ComboFix2.txt 2009-01-21 22:33:30
ComboFix3.txt 2009-01-21 22:26:46
Pre-Run: 193,319,002,112 bytes free
Post-Run: 193,307,828,224 bytes free
183 --- E O F --- 2008-12-18 03:27:53
THIS IS COMBOFIX3.TXT
ComboFix 09-01-21.02 - Owner 2009-01-22 9:31:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.681 [GMT 11:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
.
((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))
.
2009-01-21 10:10 . 2009-01-21 10:10 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-21 09:21 . 2009-01-21 09:21 <DIR> d-------- C:\rsit
2009-01-21 09:14 . 2009-01-21 09:14 <DIR> d-------- c:\documents and settings\Owner\.SunDownloadManager
2009-01-15 13:24 . 2005-08-27 02:38 1,435,272 --a------ c:\windows\system32\Flash.ocx
2009-01-15 13:24 . 2003-11-19 13:59 512,688 --a------ c:\windows\system32\XceedCry.dll
2009-01-15 13:24 . 2004-05-11 09:56 423,784 --a------ c:\windows\system32\XceedBkp.dll
2009-01-15 13:24 . 2004-02-05 20:53 389,120 --a------ c:\windows\system32\ACTSKN43.OCX
2009-01-15 13:24 . 2004-01-09 10:54 188,416 --a------ c:\windows\system32\actsplash.ocx
2009-01-15 13:24 . 2004-03-08 23:00 131,856 --a------ c:\windows\system32\MSADODC.ocx
2009-01-15 13:24 . 2001-03-28 22:02 89,088 --a------ c:\windows\system32\ProgressBar4.ocx
2009-01-15 13:24 . 1999-01-26 19:36 11,012 --a------ c:\windows\system32\threadapi.tlb
2009-01-15 09:32 . 2009-01-15 09:32 <DIR> d-------- c:\program files\IObit
2009-01-15 09:32 . 2009-01-15 09:50 <DIR> d-------- c:\documents and settings\Owner\Application Data\IObit
2009-01-13 16:27 . 2009-01-13 16:27 <DIR> d-------- c:\program files\Participatory Culture Foundation
2009-01-13 16:27 . 2009-01-13 16:27 <DIR> d-------- c:\documents and settings\Owner\Application Data\Participatory Culture Foundation
2009-01-10 09:32 . 2009-01-22 09:29 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-10 09:32 . 2009-01-10 09:32 1,409 --a------ c:\windows\QTFont.for
2009-01-08 15:05 . 2009-01-08 15:07 <DIR> d-------- c:\program files\JPEG to PDF
2009-01-02 09:53 . 2009-01-02 09:53 <DIR> d-------- c:\program files\LexarMedia
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 21:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-20 23:10 --------- d-----w c:\program files\Java
2009-01-20 22:21 --------- d-----w c:\program files\Trend Micro
2009-01-14 22:48 --------- d-----w c:\program files\Recuva
2009-01-14 22:48 --------- d-----w c:\program files\Paint Shop Pro
2009-01-14 22:48 --------- d-----w c:\program files\PageBreeze
2009-01-14 22:48 --------- d-----w c:\program files\LimeWire
2009-01-14 22:48 --------- d-----w c:\program files\FreeUndelete
2009-01-14 22:48 --------- d-----w c:\program files\Free Hide Folder
2009-01-14 22:48 --------- d-----w c:\program files\Desktop Taipei
2009-01-14 22:48 --------- d-----w c:\program files\DAP
2009-01-08 04:17 --------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2008-12-31 23:34 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
2008-12-26 02:23 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-23 21:16 --------- d-----w c:\program files\CCleaner
2008-12-18 02:19 --------- d-----w c:\program files\IrfanView
2008-12-17 23:14 80,400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2008-12-17 23:14 50,192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2008-12-17 23:14 49,680 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2008-12-17 23:14 334,352 ----a-w c:\windows\system32\drivers\TM_CFW.sys
2008-12-17 23:14 144,912 ----a-w c:\windows\system32\drivers\tmcomm.sys
2008-12-16 10:08 --------- d-----w c:\documents and settings\All Users\Application Data\1A1F4
2008-12-12 01:46 --------- d-----w c:\program files\Google
2008-12-08 02:52 --------- d-----w c:\documents and settings\Owner\Application Data\Imesh MP3 Downloader
2008-12-02 06:32 --------- d-----w c:\documents and settings\All Users\Application Data\4186
2008-12-01 09:45 --------- d-----w c:\documents and settings\All Users\Application Data\1B280
2008-11-27 05:01 --------- d-----w c:\documents and settings\All Users\Application Data\236D
2008-11-27 01:42 36,368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2008-11-27 01:42 205,328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2008-11-27 01:39 1,195,384 ----a-w c:\windows\system32\drivers\vsapint.sys
2008-11-26 10:28 --------- d-----w c:\documents and settings\All Users\Application Data\2177
2008-11-24 00:44 --------- d-----w c:\program files\Windows Media Connect 2
2008-11-21 23:41 --------- d-----w c:\documents and settings\All Users\Application Data\28AB
2008-11-21 22:34 --------- d-----w c:\program files\FastStone Capture
2008-11-17 20:04 2,306,113 ----a-w c:\windows\system32\GPhotos.scr
2008-11-08 01:46 68,560 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-09-23 06:37 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-09-23 06:37 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-09-23 06:37 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092320080924\index.dat
2008-09-23 06:37 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((( snapshot@2009-01-22_ 9.25.25.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-21 22:29:33 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_208.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WireLessMouse "="c:\program files\Multimedia Combo Set\MouseDrv.exe" [2004-06-27 503808]
"WireLessKeyboard "="c:\program files\Multimedia Combo Set\PS2USBKbdDrv.exe" [2005-08-02 245760]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-21 136600]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 c:\windows\system32\nvmctray.dll]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\tahlias stuff\NOKIA phone\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-12-18 497008]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LG SyncManager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LG SyncManager.lnk
backup=c:\windows\pss\LG SyncManager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-07 00:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 03:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
--a------ 2008-12-20 05:28 1434864 c:\program files\CCleaner\ccleaner.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comodo Launch Pad App]
--a------ 2008-09-06 09:54 225864 c:\program files\Comodo\LaunchPad\CLPGuiApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comodo Launch Pad Tray]
--a------ 2008-09-06 09:54 229448 c:\program files\Comodo\LaunchPad\CLPTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComodoBackup]
--a------ 2006-03-02 17:33 3177984 c:\program files\Comodo\Backup\CmdBackUp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE]
--a------ 2008-12-18 10:14 497008 c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2007-06-18 16:10 271360 c:\tahlias stuff\NOKIA phone\Nokia PC Suite 6\LaunchApplication.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
--a------ 2008-12-18 10:14 970808 c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-06-01 20:22 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56544:TCP"= 56544:TCP:Pando P2P TCP Listening Port
"56544:UDP"= 56544:UDP:Pando P2P UDP Listening Port
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-12-18 334352]
R4 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-12-18 181584]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-12-18 36368]
S4 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-12-18 49680]
S4 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2008-12-18 492888]
S4 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-12-18 677128]
.
Contents of the 'Scheduled Tasks' folder
2009-01-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2009-01-21 c:\windows\Tasks\SyncBack Corvon.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\dzur9zzm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFTMUFEHelper.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFToolbarComm.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 09:32:17
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-01-22 9:33:29
ComboFix-quarantined-files.txt 2009-01-21 22:33:26
ComboFix2.txt 2009-01-21 22:26:46
Pre-Run: 193,323,249,664 bytes free
Post-Run: 193,310,306,304 bytes free
182 --- E O F --- 2008-12-18 03:27:53
I noticed that there is now Combofix4.txt as well, so here it is in case you need it.
ComboFix 09-01-21.02 - Owner 2009-01-22 9:18:55.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.591 [GMT 11:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Antivirus 2009
c:\windows\system32\drivers\msqpdxwwowxnsi.sys
c:\windows\system32\msqpdxedfldnbm.dll
c:\windows\system32\tmp.reg
D:\resycled
d:\resycled\boot.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_MSQPDXSERV.SYS
.
((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))
.
2009-01-21 10:10 . 2009-01-21 10:10 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-21 09:21 . 2009-01-21 09:21 <DIR> d-------- C:\rsit
2009-01-21 09:14 . 2009-01-21 09:14 <DIR> d-------- c:\documents and settings\Owner\.SunDownloadManager
2009-01-15 13:24 . 2005-08-27 02:38 1,435,272 --a------ c:\windows\system32\Flash.ocx
2009-01-15 13:24 . 2003-11-19 13:59 512,688 --a------ c:\windows\system32\XceedCry.dll
2009-01-15 13:24 . 2004-05-11 09:56 423,784 --a------ c:\windows\system32\XceedBkp.dll
2009-01-15 13:24 . 2004-02-05 20:53 389,120 --a------ c:\windows\system32\ACTSKN43.OCX
2009-01-15 13:24 . 2004-01-09 10:54 188,416 --a------ c:\windows\system32\actsplash.ocx
2009-01-15 13:24 . 2004-03-08 23:00 131,856 --a------ c:\windows\system32\MSADODC.ocx
2009-01-15 13:24 . 2001-03-28 22:02 89,088 --a------ c:\windows\system32\ProgressBar4.ocx
2009-01-15 13:24 . 1999-01-26 19:36 11,012 --a------ c:\windows\system32\threadapi.tlb
2009-01-15 09:32 . 2009-01-15 09:32 <DIR> d-------- c:\program files\IObit
2009-01-15 09:32 . 2009-01-15 09:50 <DIR> d-------- c:\documents and settings\Owner\Application Data\IObit
2009-01-13 16:27 . 2009-01-13 16:27 <DIR> d-------- c:\program files\Participatory Culture Foundation
2009-01-13 16:27 . 2009-01-13 16:27 <DIR> d-------- c:\documents and settings\Owner\Application Data\Participatory Culture Foundation
2009-01-10 09:32 . 2009-01-22 09:08 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-10 09:32 . 2009-01-10 09:32 1,409 --a------ c:\windows\QTFont.for
2009-01-08 15:05 . 2009-01-08 15:07 <DIR> d-------- c:\program files\JPEG to PDF
2009-01-02 09:53 . 2009-01-02 09:53 <DIR> d-------- c:\program files\LexarMedia
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 21:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-20 23:10 --------- d-----w c:\program files\Java
2009-01-20 22:21 --------- d-----w c:\program files\Trend Micro
2009-01-14 22:48 --------- d-----w c:\program files\Recuva
2009-01-14 22:48 --------- d-----w c:\program files\Paint Shop Pro
2009-01-14 22:48 --------- d-----w c:\program files\PageBreeze
2009-01-14 22:48 --------- d-----w c:\program files\LimeWire
2009-01-14 22:48 --------- d-----w c:\program files\FreeUndelete
2009-01-14 22:48 --------- d-----w c:\program files\Free Hide Folder
2009-01-14 22:48 --------- d-----w c:\program files\Desktop Taipei
2009-01-14 22:48 --------- d-----w c:\program files\DAP
2009-01-08 04:17 --------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2008-12-31 23:34 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
2008-12-26 02:23 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-23 21:16 --------- d-----w c:\program files\CCleaner
2008-12-18 02:19 --------- d-----w c:\program files\IrfanView
2008-12-17 23:14 80,400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2008-12-17 23:14 50,192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2008-12-17 23:14 49,680 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2008-12-17 23:14 334,352 ----a-w c:\windows\system32\drivers\TM_CFW.sys
2008-12-17 23:14 144,912 ----a-w c:\windows\system32\drivers\tmcomm.sys
2008-12-16 10:08 --------- d-----w c:\documents and settings\All Users\Application Data\1A1F4
2008-12-12 01:46 --------- d-----w c:\program files\Google
2008-12-08 02:52 --------- d-----w c:\documents and settings\Owner\Application Data\Imesh MP3 Downloader
2008-12-02 06:32 --------- d-----w c:\documents and settings\All Users\Application Data\4186
2008-12-01 09:45 --------- d-----w c:\documents and settings\All Users\Application Data\1B280
2008-11-27 05:01 --------- d-----w c:\documents and settings\All Users\Application Data\236D
2008-11-27 01:42 36,368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2008-11-27 01:42 205,328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2008-11-27 01:39 1,195,384 ----a-w c:\windows\system32\drivers\vsapint.sys
2008-11-26 10:28 --------- d-----w c:\documents and settings\All Users\Application Data\2177
2008-11-24 00:44 --------- d-----w c:\program files\Windows Media Connect 2
2008-11-21 23:41 --------- d-----w c:\documents and settings\All Users\Application Data\28AB
2008-11-21 22:34 --------- d-----w c:\program files\FastStone Capture
2008-11-17 20:04 2,306,113 ----a-w c:\windows\system32\GPhotos.scr
2008-11-08 01:46 68,560 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-09-23 06:37 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-09-23 06:37 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-09-23 06:37 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092320080924\index.dat
2008-09-23 06:37 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2008-12-20 1434864]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-12-18 497008]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WireLessMouse "="c:\program files\Multimedia Combo Set\MouseDrv.exe" [2004-06-27 503808]
"WireLessKeyboard "="c:\program files\Multimedia Combo Set\PS2USBKbdDrv.exe" [2005-08-02 245760]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-12-18 970808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-21 136600]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 c:\windows\system32\nvmctray.dll]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\tahlias stuff\NOKIA phone\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-12-18 497008]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LG SyncManager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LG SyncManager.lnk
backup=c:\windows\pss\LG SyncManager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-07 00:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 03:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comodo Launch Pad App]
--a------ 2008-09-06 09:54 225864 c:\program files\Comodo\LaunchPad\CLPGuiApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comodo Launch Pad Tray]
--a------ 2008-09-06 09:54 229448 c:\program files\Comodo\LaunchPad\CLPTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComodoBackup]
--a------ 2006-03-02 17:33 3177984 c:\program files\Comodo\Backup\CmdBackUp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2007-06-18 16:10 271360 c:\tahlias stuff\NOKIA phone\Nokia PC Suite 6\LaunchApplication.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-06-01 20:22 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56544:TCP"= 56544:TCP:Pando P2P TCP Listening Port
"56544:UDP"= 56544:UDP:Pando P2P UDP Listening Port
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-12-18 334352]
R4 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-12-18 181584]
R4 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-12-18 49680]
R4 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2008-12-18 492888]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-12-18 36368]
R4 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-12-18 677128]
.
Contents of the 'Scheduled Tasks' folder
2009-01-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2009-01-21 c:\windows\Tasks\SyncBack Corvon.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe []
.
- - - - ORPHANS REMOVED - - - -
BHO-{5E06398E-3017-467B-A399-18425A20F655} - (no file)
MSConfigStartUp-MSFox - c:\docume~1\Owner\LOCALS~1\Temp\yyy571.exe
MSConfigStartUp-RAM Idle Professional - c:\program files\RAM Idle LE\RAM_XP.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\dzur9zzm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFTMUFEHelper.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFToolbarComm.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 09:25:01
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-01-22 9:26:44
ComboFix-quarantined-files.txt 2009-01-21 22:26:39
Pre-Run: 193,320,099,840 bytes free
Post-Run: 193,305,370,624 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
197 --- E O F --- 2008-12-18 03:27:53
Logfile of HijackThis v1.99.1
Scan saved at 11:06:21, on 1/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Multimedia Combo Set\MouseDrv.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [WireLessMouse ] C:\Program Files\Multimedia Combo Set\MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard ] C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/service_comp ... mHcmsX.CAB
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/Fac ... oader2.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se9602.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 2351632781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2351482781
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Fac ... der4_5.cab
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOt ... agerwt.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by105fd.bay105.hotmail.msn.com/a ... Atchmt.ocx
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - C:\Program Files\Trend Micro\BM\TMBMSRV.exe" /service (file missing)
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
Many thanks
Aub