
PLEASE HELP I have added my hijackthis and combofix logs



mccabesw
2008-08-26, 17:31
hijackthis report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:54 AM, on 8/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219597155162
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 4085 bytes


combofix report

ComboFix 08-08-25.01 - Admin 2008-08-26 11:13:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.63 [GMT -4:00]
Running from: C:\Documents and Settings\Admin\My Documents\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM93f8b883.txt
C:\WINDOWS\BM93f8b883.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\akfgjenv.exe
C:\WINDOWS\system32\ccelnhwt.dll
C:\WINDOWS\system32\coghkf.dll
C:\WINDOWS\system32\EhRuDcdd.ini
C:\WINDOWS\system32\EhRuDcdd.ini2
C:\WINDOWS\system32\fsmjarsm.ini
C:\WINDOWS\system32\hvuqxo.dll
C:\WINDOWS\system32\iifdabCV.dll
C:\WINDOWS\system32\lkrhrxrh.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msrajmsf.dll
C:\WINDOWS\system32\ohtxkcjs.dll
C:\WINDOWS\system32\rimcobhw.ini
C:\WINDOWS\system32\rqRHywxw.dll
C:\WINDOWS\system32\uxIjmUvw.ini
C:\WINDOWS\system32\uxIjmUvw.ini2
C:\WINDOWS\system32\VCbadfii.ini
C:\WINDOWS\system32\VCbadfii.ini2
C:\WINDOWS\system32\vtUnnnkL.dll
C:\WINDOWS\system32\whbocmir.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
.

2008-08-25 11:54 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-08-25 11:54 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-08-25 11:54 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-08-25 11:54 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-08-25 11:53 . 2008-08-25 12:31 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-25 11:53 . 2008-08-25 11:53 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\PC Tools
2008-08-25 10:25 . 2008-08-25 10:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-25 10:15 . 2008-08-25 13:24 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-24 22:12 . 2008-08-25 13:10 211 --a------ C:\WINDOWS\wininit.ini
2008-08-24 19:49 . 2008-08-24 19:55 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-08-24 19:08 . 2008-08-24 20:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-24 19:08 . 2008-08-25 13:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-24 18:07 . 2008-08-24 18:07 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\dvdcss
2008-08-24 17:22 . 2008-08-24 17:22 <DIR> d-------- C:\Program Files\Palm
2008-08-24 17:17 . 2008-08-24 17:17 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-08-24 17:05 . 2008-08-24 17:05 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-08-24 17:04 . 2008-08-24 17:19 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-08-24 17:00 . 2005-11-21 01:48 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-08-24 17:00 . 2005-11-21 01:48 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-08-24 16:58 . 2008-08-24 16:59 <DIR> d-------- C:\Program Files\Xilisoft
2008-08-24 16:49 . 2008-08-24 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-08-24 16:27 . 2008-08-24 16:27 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\HP
2008-08-24 16:22 . 2008-08-24 16:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-08-24 16:21 . 2008-08-24 16:21 <DIR> d-------- C:\Program Files\Common Files\HP
2008-08-24 16:18 . 2008-08-24 16:18 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-08-24 16:17 . 2008-08-24 16:17 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-08-24 16:16 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-08-24 16:16 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-08-24 16:16 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-08-24 16:16 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-08-24 16:16 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-08-24 16:16 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-08-24 16:16 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-08-24 16:12 . 2008-08-24 16:22 <DIR> d-------- C:\Program Files\HP
2008-08-24 16:09 . 2008-08-24 16:25 113,168 --a------ C:\WINDOWS\hpoins07.dat
2008-08-24 16:09 . 2005-05-24 02:52 21,124 --------- C:\WINDOWS\hpomdl07.dat
2008-08-24 16:08 . 2005-03-08 00:43 51,120 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-08-24 16:08 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-08-24 16:08 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-08-24 16:08 . 2005-03-08 00:43 21,744 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-08-24 16:08 . 2005-03-08 00:43 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-08-24 16:07 . 2005-04-07 21:51 606,208 -ra------ C:\WINDOWS\system32\hpotscl.dll
2008-08-24 16:07 . 2005-04-07 21:51 278,528 -ra------ C:\WINDOWS\system32\hpgwiamd.dll
2008-08-24 16:07 . 2005-03-08 00:39 274,432 -ra------ C:\WINDOWS\system32\HPZc3212.dll
2008-08-24 16:07 . 2005-04-07 21:51 258,122 -ra------ C:\WINDOWS\system32\hpovst08.dll
2008-08-24 16:07 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-24 16:07 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-08-24 16:02 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-08-24 16:02 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-08-24 16:01 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-08-24 16:01 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-08-24 16:01 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-08-24 15:48 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-08-24 15:48 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-08-24 15:48 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-08-24 14:49 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-08-24 14:41 . 2008-08-24 14:41 <DIR> d-------- C:\Program Files\Microsoft Works
2008-08-24 14:40 . 2008-08-24 14:40 <DIR> d-------- C:\Program Files\MSBuild
2008-08-24 14:25 . 2008-08-24 14:39 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-08-24 14:24 . 2008-08-24 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-24 14:22 . 2008-08-24 14:22 <DIR> dr-h----- C:\MSOCache
2008-08-24 13:32 . 2008-08-24 13:32 <DIR> d-------- C:\WINDOWS\provisioning
2008-08-24 13:30 . 2008-08-24 13:30 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-24 13:28 . 2008-08-24 19:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-24 13:28 . 2008-08-24 13:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\acccore
2008-08-24 13:28 . 2008-08-24 13:28 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\acccore
2008-08-24 13:28 . 2004-08-04 00:56 2,897,920 --a------ C:\WINDOWS\system32\xpsp2res.dll
2008-08-24 13:27 . 2008-08-24 13:27 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-08-24 13:27 . 2008-08-24 13:28 <DIR> d-------- C:\Program Files\AIM6
2008-08-24 13:27 . 2008-08-24 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-08-24 13:27 . 2008-08-24 13:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-08-24 13:27 . 2008-08-24 13:28 404 --ah----- C:\IPH.PH
2008-08-24 13:26 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002135_.tmp
2008-08-24 13:23 . 2008-08-24 13:23 <DIR> d-------- C:\WINDOWS\EHome
2008-08-24 13:02 . 2008-08-24 13:02 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-24 13:02 . 2008-08-24 14:32 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-08-24 13:02 . 2005-06-28 09:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-08-24 13:01 . 2004-08-04 00:56 438,784 --a------ C:\WINDOWS\system32\xpob2res.dll
2008-08-24 13:01 . 2004-08-04 00:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-08-24 13:01 . 2004-08-04 00:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-08-24 13:01 . 2004-08-04 00:56 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2008-08-24 13:01 . 2004-08-04 00:56 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 16:49 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-08-06 11:21 50472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 22:36 1207080]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-07-16 09:16 1166216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

.
Contents of the 'Scheduled Tasks' folder

2008-08-26 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-30 14:45]
.
- - - - ORPHANS REMOVED - - - -

BHO-{152A5718-96A7-47D0-A5F2-2A14EECD8E3C} - C:\WINDOWS\system32\wvUmjIxu.dll
BHO-{4035B8B6-9500-44D3-AD96-14B968EAC000} - (no file)
BHO-{6177A088-0E0A-44C0-AD5C-1809E14E7A39} - (no file)
BHO-{86953B13-BCF3-4881-A3ED-9E7A7E58C9FD} - (no file)
BHO-{B85E5E92-A40E-48B0-922E-84867A826470} - C:\WINDOWS\system32\ddcDuRhE.dll
BHO-{E243A8E7-6244-49E0-A361-22DBF30FD46C} - (no file)
HKLM-Run-BM93f8b883 - C:\WINDOWS\system32\evenofww.dll
HKLM-Run-90cb8b1f - C:\WINDOWS\system32\msrajmsf.dll
Notify-vtUnnnkL - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 11:20:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\wpabaln.exe
.
**************************************************************************
.
Completion time: 2008-08-26 11:23:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-26 15:23:16

Pre-Run: 131,282,853,888 bytes free
Post-Run: 131,209,392,128 bytes free

214 --- E O F --- 2008-08-24 18:46:10

tashi
2008-08-26, 18:47
Hello mccabesw,

This is the topic you started yesterday.
http://forums.spybot.info/showthread.php?t=33192

FYI:
"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Do NOT run 'FIXES' before helpers have analyzed HJT log (http://forums.spybot.info/showthread.php?t=16806)

Regards.