ComboFix 09-04-15.08 - Gamer 04/15/2009 6:59.27 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.222 [GMT -4:00]
Running from: c:\documents and settings\Gamer\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
.
2009-04-08 01:03 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-08 01:03 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-08 01:03 . 2009-04-08 01:03 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-24 05:48 . 2009-04-08 02:01 32 --s-a-w c:\windows\system32\3430773693.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-19 11:16 . 2009-02-19 11:16 129024 ----a-w c:\windows\system32\dbbfea.dll
2009-02-19 11:16 . 2009-02-19 11:16 129024 ----a-w c:\windows\system32\htpxrkix.dll
2009-02-18 23:17 . 2009-02-18 23:17 129024 ----a-w c:\windows\system32\nwpwqs.dll
2009-02-18 23:17 . 2009-02-18 23:17 129024 ----a-w c:\windows\system32\radtkonu.dll
2009-02-18 02:10 . 2009-02-18 02:10 129024 ----a-w c:\windows\system32\imicpmlf.dll
2009-02-18 02:10 . 2009-02-18 02:10 129024 ----a-w c:\windows\system32\ajwwde.dll
2005-03-12 05:54 . 2004-05-16 18:40 29304 ----a-w c:\documents and settings\Gamer\Application Data\GDIPFONTCACHEV1.DAT
2005-03-04 22:31 . 2004-05-11 15:36 29304 ----a-w c:\documents and settings\Gamer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-02-16 16:06 . 2005-12-26 01:10 218112 ----a-w c:\documents and settings\Gamer\HijackThis.exe
2005-01-13 22:32 . 2005-01-13 22:32 136 ----a-w c:\documents and settings\Gamer\Local Settings\Application Data\fusioncache.dat
2004-06-14 02:43 . 2004-06-10 23:51 449 ----a-w c:\documents and settings\Gamer\UpdateReg.reg
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 4670968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.wmv3"= d:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"vidc.tscc"= d:\progra~1\MpcStar\Codecs\tscc\tsccvid.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^office.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\office.exe
backup=c:\windows\pss\office.exeCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk
backup=c:\windows\pss\Verizon Online Support Center.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2003-04-29 02:00 323584 ----a-w c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:56 15360 ----a-w c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-08-22 21:05 81920 ------w d:\program files\D-Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
2002-08-20 18:29 40960 ----a-w c:\windows\system32\ezSP_Px.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-05-10 00:24 50760 ----a-w c:\program files\Common Files\AOL\1144897544\ee\aolsoftware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-07 07:07 114688 ----a-w c:\windows\System32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
2006-02-17 16:59 124520 ----a-w c:\program files\Common Files\AOL\IPHSend\IPHSend.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 18:20 290088 ----a-w D:\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2002-05-18 16:04 327680 ----a-w c:\progra~1\VERIZO~1\SMARTB~1\MotiveSB.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2004-11-30 16:36 1945600 ------w d:\program files\Ahead\Nero BackItUp\NBJ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-08-19 01:56 4841472 ----a-w c:\windows\System32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 20:09 413696 ----a-w d:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
2002-02-05 02:32 53248 ------w c:\program files\REGSHAVE\REGSHAVE.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung Common SM]
2005-07-03 07:20 372736 ------w c:\windows\Samsung\ComSMMgr\SSMMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 17:35 90112 ----a-w c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-12-14 01:43 136600 ----a-w c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
2003-04-20 05:08 28672 ----a-w c:\windows\Sonysys\VAIO Recovery\PartSeal.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-03-01 23:11 4670968 ----a-w c:\program files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-07-22 18:38 88361 ----a-w c:\windows\AGRSMMSG.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Gamer\\SteamApps\\philosophize\\counter-strike source\\hl2.exe"=
"c:\\WINDOWS\\system32\\ezSP_Px.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\iTunes.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16317:TCP"= 16317:TCP:BitComet 16317 TCP
"16317:UDP"= 16317:UDP:BitComet 16317 UDP
.
Contents of the 'Scheduled Tasks' folder
2009-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-04-14 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-07-31 19:05]
2009-04-11 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-07-31 19:05]
.
- - - - ORPHANS REMOVED - - - -
SSODL-CDBurn-{fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.atcomet.com/m/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.ddcd.jp/dd3e/sony/cd/faq.html
uInternet Settings,ProxyServer = gate.temple.edu:8080
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Gamer\Application Data\Mozilla\Firefox\Profiles\pw0lcpho.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: d:\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF - plugin: d:\program files\Netscape6\nppl3260.dll
FF - plugin: d:\program files\Netscape6\nprjplug.dll
FF - plugin: d:\program files\Netscape6\nprpjplug.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 07:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3148)
c:\windows\system32\msi.dll
.
Completion time: 2009-04-15 7:04
ComboFix-quarantined-files.txt 2009-04-15 11:03
ComboFix2.txt 2009-04-15 10:57
ComboFix3.txt 2009-04-10 20:08
ComboFix4.txt 2009-04-09 02:37
ComboFix5.txt 2009-04-15 10:59
Pre-Run: 2,279,714,816 bytes free
Post-Run: 2,264,342,528 bytes free
188