ComboFix 09-02-17.02 - Tom 2009-02-18 23:15:54.2 - NTFSx86
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
.
((((((((((((((((((((((((( Files Created from 2009-01-19 to 2009-02-19 )))))))))))))))))))))))))))))))
.
2009-02-17 17:55 . 2009-02-17 17:55 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-02-17 17:51 . 2009-02-17 17:51 <DIR> d-------- c:\windows\ERUNT
2009-02-17 17:37 . 2009-02-17 18:14 <DIR> d-------- C:\SDFix
2009-02-10 22:19 . 2009-02-10 22:19 <DIR> d-------- c:\windows\system32\XPSViewer
2009-02-10 22:19 . 2009-02-10 22:19 <DIR> d-------- c:\program files\Reference Assemblies
2009-02-10 22:19 . 2009-02-10 22:19 <DIR> d-------- c:\program files\MSBuild
2009-02-10 22:17 . 2009-02-10 22:18 <DIR> d-------- C:\26a8e7806c33be24ec29c267b31477
2009-02-10 22:17 . 2008-07-06 04:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-02-10 22:17 . 2008-07-06 04:06 1,676,288 --------- c:\windows\system32\dllcache\xpssvcs.dll
2009-02-10 22:17 . 2008-07-06 02:50 597,504 --------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-10 22:17 . 2008-07-06 04:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-02-10 22:17 . 2008-07-06 04:06 575,488 --------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-10 22:17 . 2008-07-06 04:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-02-10 22:17 . 2008-07-06 04:06 89,088 --------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-10 22:16 . 2009-02-10 22:58 <DIR> d-------- c:\windows\SxsCaPendDel
2009-02-10 19:19 . 2009-02-10 19:19 <DIR> d-------- c:\program files\ERUNT
2009-02-10 18:55 . 2009-02-10 18:56 <DIR> d-------- c:\program files\HijackthisNEW
2009-02-10 18:53 . 2009-02-10 18:53 488,144 --a------ c:\program files\HJTsetupNEW.exe
2009-02-08 10:22 . 2009-02-08 10:22 <DIR> d-------- c:\documents and settings\Tom\Application Data\cogad
2009-02-07 12:07 . 2009-02-07 12:07 85,637 --a------ c:\windows\system32\adf3902d-e01a-f7c2-5c4d-4be2b5b96324.exe
2009-02-07 12:07 . 2009-02-09 20:29 48,266 --a------ c:\windows\system32\cdxetbrdgoypuvcm.exe
2009-02-05 13:38 . 2009-02-05 13:38 675,328 --a------ c:\windows\system32\nsc1B.dll
2009-01-28 21:34 . 2009-01-28 21:34 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-28 21:34 . 2009-01-28 21:34 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-28 21:34 . 2009-01-28 21:34 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-28 21:34 . 2009-01-28 21:34 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-28 21:02 . 2009-02-08 10:34 <DIR> d-------- c:\documents and settings\Tom\Application Data\Twain
2009-01-28 20:57 . 2009-02-10 19:38 <DIR> d-------- c:\program files\WebShow
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-19 03:56 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-18 04:34 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-16 02:38 --------- d-----w c:\program files\Introduction to Accounting
2009-02-11 06:09 --------- d-----w c:\program files\Google
2009-02-08 17:48 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-08 17:00 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-07 19:58 --------- d-----w c:\program files\Microsoft Works
2009-02-07 19:58 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-07 19:26 --------- d-----w c:\documents and settings\Tom\Application Data\Move Networks
2009-01-29 07:24 --------- d-----w c:\program files\ewido anti-spyware 4.0
2009-01-29 07:15 --------- d-----w c:\documents and settings\Tom\Application Data\Ludia
2009-01-29 05:25 --------- d-----w c:\program files\Bonjour
2009-01-18 21:56 --------- d-----w c:\documents and settings\Tom\Application Data\CiscoCAA
2009-01-17 05:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-01-16 02:28 --------- d-----w c:\program files\Microsoft Picture It! PhotoPub
2009-01-08 05:35 --------- d-----w c:\program files\QBrew
2009-01-06 03:48 --------- d-----w c:\documents and settings\Tom\Application Data\BeerTools Pro
2009-01-06 01:48 --------- d-----w c:\program files\Common Files\CourseStream Player
2009-01-03 23:31 --------- d-----w c:\documents and settings\All Users\Application Data\RetroExp
2008-12-22 06:10 --------- d-----w c:\program files\iTunes
2008-12-22 06:10 --------- d-----w c:\program files\iPod
2008-12-22 06:10 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-22 06:08 --------- d-----w c:\program files\QuickTime
2008-12-22 06:07 --------- d-----w c:\program files\Common Files\Apple
2008-12-21 21:38 --------- d-----w c:\program files\BeerTools Pro 1.5
2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2006-09-19 06:48 488,144 ----a-w c:\program files\HJTsetup.exe
2008-10-15 02:51 56 --sh--r c:\windows\system32\B7FC035303.sys
2008-10-15 02:51 4,704 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-08-24 01:39 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082320080824\index.dat
.
((((((((((((((((((((((((((((( SnapShot@2009-02-16_ 0.39.37.63 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 23:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-02-18 01:52:21 1,306,624 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2009-02-18 01:52:21 8,192 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 23:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-02-18 01:51:50 1,306,624 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2009-02-18 01:51:50 8,192 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2009-02-16 08:33:16 226,649 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-02-18 03:00:10 226,644 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5d6abd6b-a780-1039-3bcb-c89497cef5fa}]
2009-02-05 13:38 675328 --a------ c:\windows\system32\nsc1B.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-09 188416]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 58984]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 c:\windows\stsystra.exe]
"WD Button Manager"="WDBtnMgr.exe" [2008-08-10 c:\windows\system32\WDBtnMgr.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-05-24 24576]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Planner Reminders Tray Icon.lnk
backup=c:\windows\pss\Event Planner Reminders Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Tom^Start Menu^Programs^Startup^Imation_Flash_Detect.lnk]
path=c:\documents and settings\Tom\Start Menu\Programs\Startup\Imation_Flash_Detect.lnk
backup=c:\windows\pss\Imation_Flash_Detect.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AirPort Base Station Agent]
--a------ 2008-05-20 14:17 737280 c:\program files\AirPort\APAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellHelp]
--a------ 2004-04-01 05:51 1589248 c:\dell\DellHelp\DellHelp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 22:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-10-25 15:37 2178832 c:\program files\Logitech\QuickCam\Quickcam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2000-08-08 12:00 311350 c:\program files\Microsoft Works\wkssb.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2000-08-08 12:00 28739 c:\program files\Microsoft Works\WkDetect.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-09 23:24 20480 c:\program files\NetWaiting\netwaiting.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-07-15 01:07 32768 c:\program files\CyberLink\PowerDVD SE\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RetroExpress]
--a------ 2006-09-11 16:32 9371648 c:\progra~1\RETROS~1\RETROS~1.0\RetroExpress.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 03:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-28 17:01 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2006-09-11 22:14 100056 c:\progra~1\SYMNET~1\SNDMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
--a------ 2003-12-11 18:35 70800 c:\program files\Norton Internet Security\URLLSTCK.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 18:20 866584 c:\program files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
--a------ 2000-08-08 12:00 24576 c:\program files\Microsoft Works\wkfud.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Retrospect\\Retrospect Express HD 2.0\\Retrospect.exe"=
"c:\\Program Files\\Retrospect\\Retrospect Express HD 2.0\\retrorun.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour
R2 gupdate1c985cc255f982;Google Update Service (gupdate1c985cc255f982);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-02 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
--- Other Services/Drivers In Memory ---
*Deregistered* - AegisP
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - APPDRV
*Deregistered* - Apple Mobile Device
*Deregistered* - Arp1394
*Deregistered* - Ati HotKey Poller
*Deregistered* - AudioSrv
*Deregistered* - Automatic LiveUpdate Scheduler
*Deregistered* - Beep
*Deregistered* - BITS
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - ccEvtMgr
*Deregistered* - ccProxy
*Deregistered* - ccSetMgr
*Deregistered* - Cdfs
*Deregistered* - Compbatt
*Deregistered* - COMSysApp
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - Dnscache
*Deregistered* - drvnddm
*Deregistered* - dsunidrv
*Deregistered* - ehRecvr
*Deregistered* - ehSched
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - EvtEng
*Deregistered* - ewido anti-spyware 4.0 driver
*Deregistered* - ewido anti-spyware 4.0 guard
*Deregistered* - Fax
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - gupdate1c985cc255f982
*Deregistered* - gusvc
*Deregistered* - helpsvc
*Deregistered* - HTTP
*Deregistered* - HTTPFilter
*Deregistered* - i2omgmt
*Deregistered* - IISADMIN
*Deregistered* - ImapiService
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LiveUpdate
*Deregistered* - LmHosts
*Deregistered* - LVCOMSer
*Deregistered* - LVPr2Mon
*Deregistered* - LVPrcSrv
*Deregistered* - LVSrvLauncher
*Deregistered* - LVUSBSta
*Deregistered* - McrdSvc
*Deregistered* - MDM
*Deregistered* - mdmxsdk
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - MSFtpsvc
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - navapsvc
*Deregistered* - NAVENG
*Deregistered* - NAVEX15
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - NICCONFIGSVC
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - omci
*Deregistered* - PartMgr
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RegSrvc
*Deregistered* - RemoteRegistry
*Deregistered* - RetroExpLauncher
*Deregistered* - RpcSs
*Deregistered* - S24EventMonitor
*Deregistered* - s24trans
*Deregistered* - SamSs
*Deregistered* - SAVRT
*Deregistered* - SAVRTPEL
*Deregistered* - SAVScan
*Deregistered* - SBService
*Deregistered* - Schedule
*Deregistered* - Secdrv
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SMTPSVC
*Deregistered* - SNDSrvc
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - ssrtln
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - Symantec Core LC
*Deregistered* - SYMDNS
*Deregistered* - SymEvent
*Deregistered* - SYMFW
*Deregistered* - SYMIDS
*Deregistered* - SYMIDSCO
*Deregistered* - symlcbrd
*Deregistered* - SYMNDIS
*Deregistered* - SYMREDRV
*Deregistered* - SYMTDI
*Deregistered* - SymWSC
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - tfsnboio
*Deregistered* - tfsncofs
*Deregistered* - tfsndrct
*Deregistered* - tfsndres
*Deregistered* - tfsnifs
*Deregistered* - tfsnopio
*Deregistered* - tfsnpool
*Deregistered* - tfsnudf
*Deregistered* - tfsnudfa
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - upnphost
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - w32time
*Deregistered* - W3SVC
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - WinDefend
*Deregistered* - winmgmt
*Deregistered* - WLANKEEPER
*Deregistered* - WMPNetworkSvc
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WudfPf
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{694c0e66-31ac-11dc-8725-0015c500c6c2}]
\Shell\AutoRun\command - g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe
\Shell\open\command - g:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{acc6157b-ba75-11dc-8775-0015c500c6c2}]
\Shell\AutoRun\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe
\Shell\open\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b83e1a00-df91-11dd-8819-0015c500c6c2}]
\Shell\AutoRun\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe
\Shell\open\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe
.
Contents of the 'Scheduled Tasks' folder
2008-10-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-02-19 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-02 22:52]
2008-12-27 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (SARAH-Bill).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []
2009-02-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
2009-02-14 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~2\NORTON~1\Navw32.exe [2003-12-04 17:22]
2009-02-19 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} - hxxp://www.skylinesoft.com/interactive/TerraExplorer/Install/TEInstallPlugIn.cab
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-18 23:21:18
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(924)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-18 23:24:34
ComboFix-quarantined-files.txt 2009-02-19 07:23:17
ComboFix2.txt 2009-02-16 08:44:28
Pre-Run: 30,840,664,064 bytes free
Post-Run: 30,892,666,880 bytes free
448 --- E O F --- 2009-02-16 20:30:57
