ComboFix 08-01-16.1 - Heather 2008-01-15 17:33:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.382 [GMT -6:00]
Running from: C:\Documents and Settings\Heather\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Heather\Application Data\ASEMBL~1
C:\Program Files\Common Files\stem~1
C:\Program Files\fnts~1
C:\Program Files\Temporary
C:\WINDOWS\racle~1
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\wtssu32.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.
2008-01-15 17:31 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 00:20 . 2008-01-14 00:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-11 20:40 . 2008-01-11 20:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-10 01:06 . 2007-10-10 17:55 6,065,664 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2008-01-10 01:06 . 2007-06-30 21:31 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2008-01-10 01:06 . 2007-06-30 21:36 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2008-01-10 01:06 . 2007-10-10 17:55 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2008-01-10 01:06 . 2007-10-10 17:55 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2008-01-10 01:06 . 2007-10-10 17:55 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2008-01-10 01:06 . 2007-10-10 17:55 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2008-01-10 01:06 . 2007-10-10 17:55 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2008-01-10 01:06 . 2007-10-10 04:59 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-01-10 00:25 . 2008-01-10 00:25 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-10 00:24 . 2008-01-10 00:24 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-09 23:57 . 2008-01-10 01:19 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-01-09 23:56 . 2006-08-21 03:14 128,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmgr.sys
2008-01-09 23:56 . 2006-08-21 03:14 23,040 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmc.exe
2008-01-09 23:56 . 2006-08-21 06:21 16,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltlib.dll
2008-01-09 17:46 . 2007-07-09 07:09 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2008-01-09 06:56 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll.mui
2008-01-09 06:56 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-01-09 06:56 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl.mui
2008-01-09 06:56 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2008-01-09 06:56 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll.mui
2008-01-07 20:12 . 2008-01-07 23:44 <DIR> d-------- C:\VundoFix Backups
2008-01-06 17:01 . 2008-01-06 17:01 <DIR> d-------- C:\Documents and Settings\Heather\Application Data\U3
2007-12-26 17:50 . 2007-12-26 17:50 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-26 17:23 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-12-26 17:19 . 2008-01-13 19:15 <DIR> d-------- C:\Documents and Settings\Heather\Application Data\HouseCall 6.6
2007-12-25 20:17 . 2008-01-09 17:33 <DIR> d-------- C:\Documents and Settings\Heather\Application Data\AVG7
2007-12-25 20:16 . 2007-12-26 17:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-25 20:16 . 2008-01-13 11:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-25 07:57 . 2008-01-08 23:22 <DIR> d--hs---- C:\WINDOWS\SGVhdGhlcg
2007-12-23 06:57 . 2007-12-26 17:42 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon .exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 12:30 --------- d-----w C:\Program Files\MyWay
2008-01-13 05:17 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-12 15:05 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-08 01:17 --------- d-----w C:\Documents and Settings\Heather\Application Data\GameHouse
2008-01-07 00:01 --------- d-----w C:\Program Files\McAfee.com
2008-01-07 00:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-06 23:58 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2008-01-06 23:58 --------- d-----w C:\Program Files\Yahoo!
2008-01-06 23:55 --------- d-----w C:\Program Files\Common Files\Real
2008-01-06 23:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-06 23:45 --------- d-----w C:\Program Files\BroadJump
2008-01-06 16:29 --------- d-----w C:\Program Files\QuickTime
2008-01-06 05:04 --------- d-----w C:\Program Files\Zune
2007-12-23 15:06 --------- d-----w C:\Program Files\Oberon Media
2007-12-11 04:24 49,840 -c--a-w C:\Documents and Settings\Heather\Application Data\GDIPFONTCACHEV1.DAT
2006-01-06 02:28 4,267,744 -c--a-w C:\Program Files\mw9791enu.exe
2003-01-28 09:24 207,758 -c--a-w C:\Program Files\INSTALL.LOG
.
----a-w 180,269 2007-12-26 05:15:54 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 579,072 2007-12-26 05:16:01 C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w 24,104 2007-12-26 05:15:54 C:\Program Files\Zune\ZuneLauncher .exe
----a-w 15,360 2007-12-26 23:42:51 C:\WINDOWS\SYSTEM32\ctfmon .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 01:56 158208]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-25 20:16 219136]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-04-10 16:44 679936 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A940]
--a--c--- 2003-02-08 16:42 86102 C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2004-07-19 07:51 306688 C:\Program Files\Dell Support\DSAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Goz]
C:\Program Files\Common Files\??stem\svchost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-10-19 07:59 126976 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-10-19 07:59 155648 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jfid]
C:\WINDOWS\?racle\ntvdm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\geeba.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
C:\Program Files\McAfee.com\Agent\mcagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2003-12-10 03:52 380928 C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 13:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-04-03 17:12 777424 C:\Program Files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2003-12-09 13:02 57344 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YCentral]
c:\progra~1\yahoo!\YCentral\YahooCentral.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 17:48:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-16 17:52:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-16 23:52:50
.
2008-01-12 18:09:16 --- E O F ---