bsj00
2008-07-12, 20:22
Help
I used ComboFix based on the following thread:
http://forums.spybot.info/showthread.php?t=30679
I am still infected.
--------------------------------------------------------------------------
ComboFix 08-07-11.1 - Robert W. Baker 2008-07-12 12:39:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1512 [GMT -4:00]
Running from: C:\Documents and Settings\Robert W. Baker\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\BMc7563c0f.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\acbeg.bak1
C:\WINDOWS\system32\acbeg.ini
C:\WINDOWS\system32\alifnvjo.dll
C:\WINDOWS\system32\apsamaik.dll
C:\WINDOWS\system32\bewrzv.dll
C:\WINDOWS\system32\bfsimfbl.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\egflvhwu.dll
C:\WINDOWS\system32\eyiadjql.dll
C:\WINDOWS\system32\fccdbYrq.dll
C:\WINDOWS\system32\gnbjzs.dll
C:\WINDOWS\system32\gosuryhd.ini
C:\WINDOWS\system32\hgGyvvVm.dll
C:\WINDOWS\system32\hkUBIkkj.ini
C:\WINDOWS\system32\hkUBIkkj.ini2
C:\WINDOWS\system32\iebnar.dll
C:\WINDOWS\system32\jkkJcCuR.dll
C:\WINDOWS\system32\kiamaspa.ini
C:\WINDOWS\system32\klkkj.bak1
C:\WINDOWS\system32\klkkj.bak2
C:\WINDOWS\system32\klkkj.ini
C:\WINDOWS\system32\lqjdaiye.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfwlumpt.dll
C:\WINDOWS\system32\mlJBSjiJ.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\oeminfo.ini
C:\WINDOWS\system32\ojvnfila.ini
C:\WINDOWS\system32\opnlJbya.dll
C:\WINDOWS\system32\opnooLcA.dll
C:\WINDOWS\system32\oWFOVvut.ini
C:\WINDOWS\system32\oWFOVvut.ini2
C:\WINDOWS\system32\plkkcskl.ini
C:\WINDOWS\system32\PsYHRqss.ini
C:\WINDOWS\system32\PsYHRqss.ini2
C:\WINDOWS\system32\setup.exe.tmp
C:\WINDOWS\system32\ssqRHYsP.dll
C:\WINDOWS\system32\trcowyrn.dll
----- BITS: Possible infected sites -----
hxxp://updates.swarmcast.net
.
((((((((((((((((((((((((( Files Created from 2008-06-12 to 2008-07-12 )))))))))))))))))))))))))))))))
.
2008-07-12 12:59 . 2008-07-12 12:59 33,792 --a------ C:\Documents and Settings\Robert W. Baker\services.exe
2008-07-11 16:35 . 2008-07-11 16:35 <DIR> d-------- C:\Temp\stmpv4
2008-07-11 16:35 . 2008-07-11 16:35 <DIR> d-------- C:\Temp
2008-07-11 15:45 . 2008-07-11 15:45 3,639 --a------ C:\WINDOWS\system32\xxyaawwu.dll
2008-07-11 14:46 . 2008-07-11 14:46 3,639 --a------ C:\WINDOWS\system32\urqPfFus.dll
2008-07-11 13:45 . 2008-07-11 13:45 3,639 --a------ C:\WINDOWS\system32\rqRjiFYo.dll
2008-07-11 12:45 . 2008-07-11 12:45 3,639 --a------ C:\WINDOWS\system32\geBsRJaX.dll
2008-07-11 11:45 . 2008-07-11 11:45 3,639 --a------ C:\WINDOWS\system32\iifgFxyy.dll
2008-07-11 10:45 . 2008-07-11 10:45 3,639 --a------ C:\WINDOWS\system32\cbXNDVmj.dll
2008-07-11 10:28 . 2008-07-11 10:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-11 10:28 . 2008-07-11 10:28 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-11 09:28 . 2008-07-11 09:28 3,639 --a------ C:\WINDOWS\system32\jkkICTkk.dll
2008-07-10 18:33 . 2008-07-10 18:33 <DIR> d-------- C:\Documents and Settings\Robert W. Baker\.autobahn
2008-07-10 16:34 . 2008-07-11 21:56 110,419 --a------ C:\WINDOWS\BMc7563c0f.xml
2008-07-10 16:24 . 2008-07-12 01:06 <DIR> d-------- C:\WINDOWS\system32\olixds18
2008-07-10 12:16 . 2008-07-10 12:16 <DIR> d-------- C:\Program Files\Vista Buttons Trial
2008-07-10 10:46 . 2008-07-11 09:44 <DIR> d-------- C:\Program Files\eFile Express 2007
2008-07-10 09:43 . 2008-07-10 09:43 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-07-10 09:31 . 2008-07-10 09:31 <DIR> d-------- C:\Program Files\Driver-Soft
2008-07-10 09:31 . 2007-09-02 20:56 1,686,016 --a------ C:\WINDOWS\system32\clinetsuitex6.ocx
2008-07-10 09:31 . 2004-06-14 14:56 427,864 --a------ C:\WINDOWS\system32\XceedZip.dll
2008-07-07 14:19 . 2008-07-07 14:19 <DIR> d-------- C:\Documents and Settings\Robert W. Baker\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-07-07 14:12 . 2008-07-07 14:12 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-07-07 13:58 . 2008-07-07 15:23 <DIR> d-------- C:\Program Files\NOS
2008-07-07 13:58 . 2008-07-07 15:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-07-06 13:04 . 2008-03-04 09:29 327,680 --a------ C:\WINDOWS\system32\TwcToolbarIe7.dll
2008-07-06 13:04 . 2008-03-04 09:25 98,304 --a------ C:\WINDOWS\system32\TwcToolbarBho.dll
2008-07-06 13:04 . 2007-12-03 12:36 25,600 --a------ C:\WINDOWS\system32\TwcToolInstDll.dll
2008-07-06 13:03 . 2008-07-06 13:04 <DIR> d-------- C:\Program Files\The Weather Channel Toolbar
2008-07-04 17:23 . 2008-07-04 17:23 <DIR> d-------- C:\WINDOWS\ie8updates
2008-07-04 17:18 . 2008-07-04 17:20 <DIR> d--h-c--- C:\WINDOWS\ie8
2008-06-27 18:38 . 2008-06-27 18:38 53,248 ---hs---- C:\Documents and Settings\Robert W. Baker\winlogon.exe
2008-06-17 09:59 . 2008-06-17 09:59 99,648 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 13:01 --------- d-----w C:\Program Files\SpywareBlaster
2008-07-12 12:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-11 14:40 --------- d-----w C:\Program Files\Replay AV 8
2008-07-10 21:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-10 21:42 --------- d-----w C:\Program Files\Lavasoft
2008-07-10 20:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-10 20:24 --------- d-----w C:\Documents and Settings\Robert W. Baker\Application Data\AVG7
2008-07-10 20:14 --------- d-----w C:\Documents and Settings\Robert W. Baker\Application Data\LimeWire
2008-07-10 14:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-10 00:16 --------- d-----w C:\Documents and Settings\Robert W. Baker\Application Data\Move Networks
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-02 15:17 --------- d-----w C:\Program Files\iTunes
2008-06-02 15:17 --------- d-----w C:\Program Files\iPod
2008-06-02 15:16 --------- d-----w C:\Program Files\QuickTime
2008-06-02 15:13 --------- d-----w C:\Program Files\Apple Software Update
2005-07-14 18:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 18:46 1460560]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Logon Applicationedc"="C:\Documents and Settings\Robert W. Baker\winlogon.exe" [2008-06-27 18:38 53248]
"eTrustPPAP"="C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe" [2007-10-08 20:30 131072]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 23:05 579584]
"PDF Printer Pilot agent"="C:\Program Files\PDF Printer Pilot\pdfpragent.exe" [2007-06-08 00:40 90112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FLuninst"="C:\WINDOWS\system32\FLKill.exe" [2007-02-07 21:50 77824]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-04 16:35 219136]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"NoLogOff"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-01-30 09:57 101888 C:\WINDOWS\system32\ackpbsc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-01-30 15:57 260096 C:\Program Files\ActivIdentity\ActivClient\acunlock.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ActivClient Agent.lnk]
backup=C:\WINDOWS\pss\ActivClient Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MLB.TV NexDef Plug-in.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MLB.TV NexDef Plug-in.lnk
backup=C:\WINDOWS\pss\MLB.TV NexDef Plug-in.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PDF Suite POPUP.lnk]
backup=C:\WINDOWS\pss\PDF Suite POPUP.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sonic CinePlayer Quick Launch.lnk]
backup=C:\WINDOWS\pss\Sonic CinePlayer Quick Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Robert W. Baker^Start Menu^Programs^Startup^Hewlett-Packard Recorder.lnk]
backup=C:\WINDOWS\pss\Hewlett-Packard Recorder.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Robert W. Baker^Start Menu^Programs^Startup^KillSync.exe]
path=C:\Documents and Settings\Robert W. Baker\Start Menu\Programs\Startup\KillSync.exe
backup=C:\WINDOWS\pss\KillSync.exeStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Robert W. Baker^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Infuzer
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\accrdsub]
--a------ 2006-11-10 13:28 275968 C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2005-02-08 17:38 159744 C:\Program Files\Apoint2K\Apoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a------ 2004-09-07 17:28 213054 C:\Program Files\HPQ\Default Settings\Cpqset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 08:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2006-10-30 12:01 392832 C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 09:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-01-13 10:47 163840 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 00:11 49152 C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
--a------ 2005-04-11 16:21 794624 C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-01-13 10:47 131072 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 08:00 208952 C:\WINDOWS\ime\IMJP8_1\imjpmig.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2007-08-31 12:01 1037736 c:\Program Files\Microsoft IntelliPoint\ipoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2006-09-11 05:40 218032 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-09-11 05:40 86960 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\masqform.exe]
--a------ 2005-07-04 11:50 643072 C:\Program Files\PureEdge\Viewer 6.5\masqform.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 08:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\IMSCINST.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-01-13 10:46 135168 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 08:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 08:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMCRemote]
--------- 2007-02-12 22:12 253000 C:\Program Files\Pinnacle\Shared Files\Programs\Remote\remoterm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-08-16 09:56 236016 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2004-09-23 13:41 860160 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 10:11 1388544 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 18:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 03:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-11-13 16:23 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VBTUCopy]
-ra------ 2007-01-19 05:57 356352 C:\Program Files\VBTUCopy\VBTUCopy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 18:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-04-13 10:12 88209 C:\WINDOWS\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 08:00 110592 C:\WINDOWS\system32\bthprops.cpl
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\MLB TV Mosaic\\Swarmcast\\mlb-nexdef-autobahn.exe"=
"C:\\Program Files\\Autobahn\\mlb-nexdef-autobahn.exe"=
"C:\\Program Files\\MLB TV Mosaic\\mlbplayer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R2 acachsrv;ActivClient Authentication Service;C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe [2006-11-10 13:29]
R2 acautoup;ActivClient Auto-Update Service;C:\Program Files\ActivIdentity\ActivClient\acautoup.exe [2006-11-10 13:29]
R2 accoca;ActivClient Middleware Service;C:\Program Files\ActivIdentity\ActivClient\accoca.exe [2006-11-10 13:29]
R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2007-05-04 10:27]
R3 WmaCDriverV32;WmaCDriverV32;C:\WINDOWS\system32\drivers\WmaCDriverV32.sys [2006-12-18 13:55]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 03:06]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc2.sys [2003-05-07 16:54]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\rt2870.sys []
S3 SCR3xx USB Smart Card Reader;SCR3xx USB Smart Card Reader;C:\WINDOWS\system32\DRIVERS\SCR3XX2K.sys [2006-11-07 05:35]
S3 SEM43XX;Sony Ericsson 802.11 Wireless LAN Adapter Driver SEM43XX;C:\WINDOWS\system32\DRIVERS\semwl5.sys [2005-01-03 00:49]
S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);C:\WINDOWS\system32\DRIVERS\swnc8u12.sys [2007-03-26 15:21]
S3 swumx12;Sierra Wireless USB MUX Driver (UMTS12);C:\WINDOWS\system32\DRIVERS\swumx12.sys [2007-03-26 15:21]
S3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys []
S3 USB28xxBGA;PCTV 330e/800e Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2007-01-29 22:20]
S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2007-01-29 22:19]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{142b48fb-c778-11dc-baab-0012f09d124d}]
\Shell\AutoRun\command - E:\PortableVault.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{256d246d-cf9b-11dc-babe-0012f09d124d}]
\Shell\AutoRun\command - E:\Help!.exe
\Shell\open\command - E:\Help!.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33414343-9484-11dc-ba55-0012f09d124d}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5200d036-d73f-11dc-badf-0012f09d124d}]
\Shell\AutoRun\command - F:\Help!.exe
\Shell\open\command - F:\Help!.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62eccff3-d19c-11dc-bac5-0012f09d124d}]
\Shell\AutoRun\command - E:\DTE_Privacy_launcher.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6aa0a9ec-6c37-11dc-bff7-0012f09d124d}]
\Shell\AutoRun\command - E:\Help!.exe
\Shell\open\command - E:\Help!.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-07-06 01:11:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -
BHO-{7768234D-E494-424D-96E6-4819A1E16325} - (no file)
BHO-{DA50AC2E-F4C5-412F-B78B-BA5B96E97F98} - C:\WINDOWS\system32\tuvVOFWo.dll
BHO-{E331980B-1117-45A9-8646-79DC4B53D18D} - (no file)
Notify-fccdbYrq - (no file)
Notify-NavLogon - (no file)
MSConfigStartUp-AprvRemoveLegacyExcelKeys - C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe
MSConfigStartUp-AprvRemoveLegacyWordKeys - C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe
MSConfigStartUp-AT&T Communication Manager - C:\Program Files\AT&T\Communication Manager\ATTCM.exe
MSConfigStartUp-BMc7563c0f - C:\WINDOWS\system32\lsbwiybu.dll
MSConfigStartUp-PC Connection Agent - C:\Program Files\Microsoft ActiveSync\wcescomm.exe
MSConfigStartUp-Host Process - C:\WINDOWS\Fonts\svchost.exe
MSConfigStartUp-IntelWireless - C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
MSConfigStartUp-IntelZeroConfig - C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
MSConfigStartUp-PMCLoader - C:\Documents and Settings\Robert W. Baker\Application Data\Pinnacle\TVCenter Pro\PMCLoader.exe
MSConfigStartUp-rfagent - C:\Program Files\RFA\rfagent.exe
MSConfigStartUp-runner1 - C:\WINDOWS\mrofinu1188.exe
MSConfigStartUp-UltraMon - C:\Program Files\UltraMon\UltraMon.exe
MSConfigStartUp-vptray - C:\PROGRA~1\SYMANT~1\VPTray.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-12 12:58:30
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\wshom.ocx 98304 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Documents and Settings\Robert W. Baker\winlogon.exe
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Photodex\ProShowGold\scsiaccess.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
.
**************************************************************************
.
Completion time: 2008-07-12 13:06:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-12 17:06:15
Pre-Run: 95,057,543,168 bytes free
Post-Run: 94,965,780,480 bytes free
329 --- E O F --- 2008-07-10 10:38:37
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 09:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-01-13 10:47 163840 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 00:11 49152 C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
--a------ 2005-04-11 16:21 794624 C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-01-13 10:47 131072 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 08:00 208952 C:\WINDOWS\ime\IMJP8_1\imjpmig.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2007-08-31 12:01 1037736 c:\Program Files\Microsoft IntelliPoint\ipoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2006-09-11 05:40 218032 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-09-11 05:40 86960 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\masqform.exe]
--a------ 2005-07-04 11:50 643072 C:\Program Files\PureEdge\Viewer 6.5\masqform.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 08:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\IMSCINST.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-01-13 10:46 135168 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 08:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 08:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMCRemote]
--------- 2007-02-12 22:12 253000 C:\Program Files\Pinnacle\Shared Files\Programs\Remote\remoterm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-08-16 09:56 236016 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2004-09-23 13:41 860160 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 10:11 1388544 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 18:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 03:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-11-13 16:23 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VBTUCopy]
-ra------ 2007-01-19 05:57 356352 C:\Program Files\VBTUCopy\VBTUCopy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 18:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-04-13 10:12 88209 C:\WINDOWS\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 08:00 110592 C:\WINDOWS\system32\bthprops.cpl
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\MLB TV Mosaic\\Swarmcast\\mlb-nexdef-autobahn.exe"=
"C:\\Program Files\\Autobahn\\mlb-nexdef-autobahn.exe"=
"C:\\Program Files\\MLB TV Mosaic\\mlbplayer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R2 acachsrv;ActivClient Authentication Service;C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe [2006-11-10 13:29]
R2 acautoup;ActivClient Auto-Update Service;C:\Program Files\ActivIdentity\ActivClient\acautoup.exe [2006-11-10 13:29]
R2 accoca;ActivClient Middleware Service;C:\Program Files\ActivIdentity\ActivClient\accoca.exe [2006-11-10 13:29]
R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2007-05-04 10:27]
R3 WmaCDriverV32;WmaCDriverV32;C:\WINDOWS\system32\drivers\WmaCDriverV32.sys [2006-12-18 13:55]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 03:06]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc2.sys [2003-05-07 16:54]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\rt2870.sys []
S3 SCR3xx USB Smart Card Reader;SCR3xx USB Smart Card Reader;C:\WINDOWS\system32\DRIVERS\SCR3XX2K.sys [2006-11-07 05:35]
S3 SEM43XX;Sony Ericsson 802.11 Wireless LAN Adapter Driver SEM43XX;C:\WINDOWS\system32\DRIVERS\semwl5.sys [2005-01-03 00:49]
S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);C:\WINDOWS\system32\DRIVERS\swnc8u12.sys [2007-03-26 15:21]
S3 swumx12;Sierra Wireless USB MUX Driver (UMTS12);C:\WINDOWS\system32\DRIVERS\swumx12.sys [2007-03-26 15:21]
S3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys []
S3 USB28xxBGA;PCTV 330e/800e Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2007-01-29 22:20]
S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2007-01-29 22:19]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{142b48fb-c778-11dc-baab-0012f09d124d}]
\Shell\AutoRun\command - E:\PortableVault.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{256d246d-cf9b-11dc-babe-0012f09d124d}]
\Shell\AutoRun\command - E:\Help!.exe
\Shell\open\command - E:\Help!.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33414343-9484-11dc-ba55-0012f09d124d}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5200d036-d73f-11dc-badf-0012f09d124d}]
\Shell\AutoRun\command - F:\Help!.exe
\Shell\open\command - F:\Help!.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62eccff3-d19c-11dc-bac5-0012f09d124d}]
\Shell\AutoRun\command - E:\DTE_Privacy_launcher.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6aa0a9ec-6c37-11dc-bff7-0012f09d124d}]
\Shell\AutoRun\command - E:\Help!.exe
\Shell\open\command - E:\Help!.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-07-06 01:11:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -
BHO-{7768234D-E494-424D-96E6-4819A1E16325} - (no file)
BHO-{DA50AC2E-F4C5-412F-B78B-BA5B96E97F98} - C:\WINDOWS\system32\tuvVOFWo.dll
BHO-{E331980B-1117-45A9-8646-79DC4B53D18D} - (no file)
Notify-fccdbYrq - (no file)
Notify-NavLogon - (no file)
MSConfigStartUp-AprvRemoveLegacyExcelKeys - C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe
MSConfigStartUp-AprvRemoveLegacyWordKeys - C:\Program Files\ApproveIt\Support\Tools\AprvClean.exe
MSConfigStartUp-AT&T Communication Manager - C:\Program Files\AT&T\Communication Manager\ATTCM.exe
MSConfigStartUp-BMc7563c0f - C:\WINDOWS\system32\lsbwiybu.dll
MSConfigStartUp-PC Connection Agent - C:\Program Files\Microsoft ActiveSync\wcescomm.exe
MSConfigStartUp-Host Process - C:\WINDOWS\Fonts\svchost.exe
MSConfigStartUp-IntelWireless - C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
MSConfigStartUp-IntelZeroConfig - C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
MSConfigStartUp-PMCLoader - C:\Documents and Settings\Robert W. Baker\Application Data\Pinnacle\TVCenter Pro\PMCLoader.exe
MSConfigStartUp-rfagent - C:\Program Files\RFA\rfagent.exe
MSConfigStartUp-runner1 - C:\WINDOWS\mrofinu1188.exe
MSConfigStartUp-UltraMon - C:\Program Files\UltraMon\UltraMon.exe
MSConfigStartUp-vptray - C:\PROGRA~1\SYMANT~1\VPTray.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-12 12:58:30
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\wshom.ocx 98304 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Documents and Settings\Robert W. Baker\winlogon.exe
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Photodex\ProShowGold\scsiaccess.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
.
**************************************************************************
.
Completion time: 2008-07-12 13:06:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-12 17:06:15
Pre-Run: 95,057,543,168 bytes free
Post-Run: 94,965,780,480 bytes free
329 --- E O F --- 2008-07-10 10:38:37
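The log above carries several indicators a responder would pull out by hand: `winlogon.exe` loading a module from the user's profile directory, a `svchost.exe` under `C:\WINDOWS\Fonts`, per-device AutoRun handlers (`Help!.exe`) on removable drives, a file catchme reports as hidden, and a firewall exception for 3389/TCP. The script below is an added example written for this page, not part of the original post and not ComboFix's or catchme's own logic. It parses ComboFix-style log lines with a small line-by-line state machine and applies those heuristics. The sample lines are constructed excerpts in the format of the posted log, and the allow-list of where well-known XP system binaries are expected to live is this example's own assumption.

```python
"""Triage a ComboFix log for a few indicators a responder would flag.

Added example for this page; not the poster's code and not ComboFix's logic.
SAMPLE_LOG is constructed to mirror the posted log's format, and EXPECTED_DIR
is an assumed allow-list for Windows XP.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: excerpts in the same line format ComboFix emits.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 23:05 579584]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{256d246d-cf9b-11dc-babe-0012f09d124d}]
\Shell\AutoRun\command - E:\Help!.exe
\Shell\open\command - E:\Help!.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33414343-9484-11dc-ba55-0012f09d124d}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
MSConfigStartUp-Host Process - C:\WINDOWS\Fonts\svchost.exe
MSConfigStartUp-UltraMon - C:\Program Files\UltraMon\UltraMon.exe
scanning hidden files ...
C:\WINDOWS\system32\wshom.ocx 98304 bytes executable
hidden files: 1
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Documents and Settings\Robert W. Baker\winlogon.exe
"""


@dataclass
class Finding:
    rule: str       # short name of the heuristic that fired
    evidence: str   # the log line that triggered it


# Assumed allow-list: where these binaries live on a stock XP install. A file
# with the same name anywhere else deserves a look (this is a heuristic only).
EXPECTED_DIR = {
    "winlogon.exe": "c:\\windows\\system32\\",
    "svchost.exe": "c:\\windows\\system32\\",
    "lsass.exe": "c:\\windows\\system32\\",
    "csrss.exe": "c:\\windows\\system32\\",
    "services.exe": "c:\\windows\\system32\\",
    "explorer.exe": "c:\\windows\\",
}
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|sys|ocx|scr)\b', re.I)
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')


def triage(log_text: str) -> List[Finding]:
    """Walk the log once, tracking the current registry key, process and
    catchme section, and emit a Finding for each heuristic that matches."""
    findings: List[Finding] = []
    current_key = ""        # last "[...]" registry header seen
    current_process = ""    # last "PROCESS: ..." header seen
    in_hidden_files = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line.lower()
            continue
        if line.startswith("PROCESS: "):
            current_process = line[len("PROCESS: "):]
            continue
        if line.startswith("scanning hidden files"):
            in_hidden_files = True
            continue
        if line.startswith("scan completed") or line.startswith("hidden files:"):
            in_hidden_files = False
            continue

        # Rule 1: catchme lists paths it found hidden from the Win32 API.
        if in_hidden_files and PATH_RE.search(line):
            findings.append(Finding("hidden file reported by catchme", line))
        # Rule 2: per-device AutoRun / open handlers under MountPoints2.
        if "mountpoints2" in current_key and line.lower().startswith("\\shell\\"):
            findings.append(Finding("removable-media autorun handler", line))
        # Rule 3: inbound ports opened in the XP firewall policy.
        if "globallyopenports" in current_key:
            m = PORT_RE.match(line)
            if m:
                findings.append(Finding(f"firewall exception for {m.group(1)}/{m.group(2)}", line))

        for path in PATH_RE.findall(line):
            lowered = path.lower()
            name = lowered.rsplit("\\", 1)[-1]
            folder = lowered[: len(lowered) - len(name)]
            # Rule 4: a well-known system binary name outside its expected folder.
            if name in EXPECTED_DIR and folder != EXPECTED_DIR[name]:
                findings.append(Finding(f"{name} outside {EXPECTED_DIR[name]}", line))
            # Rule 5: a module loaded into a system process from a user profile.
            if current_process and line.startswith("->") and any(
                marker in lowered for marker in USER_PROFILE_MARKERS
            ):
                findings.append(Finding(f"{current_process} loads module from user profile", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.evidence}")
```

Run against the constructed sample it flags eight lines and leaves the AVG and UltraMon entries alone. Two caveats: a hidden `wshom.ocx` is an anomaly, not proof of tampering (the file is a normal Windows Script Host component, so the next step is comparing its hash or signature with a known-good copy), and the U3 launcher fires the same autorun rule as `Help!.exe`, which is deliberate: the rule surfaces every removable-media handler so the analyst decides, rather than guessing which vendor launchers are benign.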