letters4jeff
New member
ComboFix log
ComboFix 08-09-05.09 - Brooke 2008-09-08 20:20:25.1 - NTFSx86
Running from: C:\Documents and Settings\Brooke\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\url(3).dll
.
((((((((((((((((((((((((( Files Created from 2008-08-09 to 2008-09-09 )))))))))))))))))))))))))))))))
.
2008-09-06 11:14 . 2008-09-06 11:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-06 11:14 . 2008-09-06 11:14 <DIR> d-------- C:\Documents and Settings\Brooke\Application Data\Malwarebytes
2008-09-06 11:14 . 2008-09-06 11:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-06 11:14 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-06 11:14 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-05 15:31 . 2008-09-02 23:58 88,576 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-09-05 15:31 . 2008-08-28 22:36 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-09-05 15:31 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-09-04 13:08 . 2008-09-06 00:17 676 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-30 14:28 . 2008-08-30 14:41 <DIR> d-------- C:\Program Files\Security Task Manager
2008-08-30 14:28 . 2008-08-30 14:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-08-30 13:57 . 2008-08-30 15:33 <DIR> d-------- C:\Program Files\BHODemon 2
2008-08-29 20:41 . 2008-08-29 20:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-29 18:00 . 2008-08-29 18:00 <DIR> d-------- C:\Program Files\ToniArts
2008-08-29 15:34 . 2008-08-29 15:34 <DIR> d--h----- C:\Documents and Settings\Brooke\Application Data\yahoo!
2008-08-29 01:07 . 2008-08-29 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-08-29 00:58 . 2008-08-29 11:29 <DIR> d-------- C:\Program Files\Yahoo!
2008-08-27 14:21 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-27 13:59 . 2008-08-27 13:59 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-27 13:59 . 2008-08-27 13:59 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-27 13:59 . 2008-08-27 13:59 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-27 13:59 . 2008-08-27 13:59 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-26 18:54 . 2008-08-26 18:56 <DIR> d-------- C:\Program Files\Musicmatch
2008-08-26 18:54 . 2008-08-26 18:54 <DIR> d-------- C:\Documents and Settings\Brooke\Application Data\Musicmatch
2008-08-26 18:48 . 2008-08-26 18:48 <DIR> d-------- C:\Program Files\Thomson
2008-08-26 15:53 . 2008-08-30 15:44 <DIR> d-------- C:\Documents and Settings\Brooke\Application Data\LimeWire
2008-08-26 12:57 . 2008-04-13 20:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2008-08-26 12:56 . 2008-04-13 20:12 50,688 --------- C:\WINDOWS\system32\tspkg.dll
2008-08-26 12:56 . 2008-04-13 20:12 32,768 --------- C:\WINDOWS\system32\setupn.exe
2008-08-26 12:56 . 2008-04-13 14:40 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-08-26 12:55 . 2008-04-13 20:12 291,328 --------- C:\WINDOWS\system32\qagentrt.dll
2008-08-26 12:55 . 2008-04-13 20:12 150,528 --------- C:\WINDOWS\system32\qagent.dll
2008-08-26 12:55 . 2008-04-13 20:12 144,384 --------- C:\WINDOWS\system32\onex.dll
2008-08-26 12:55 . 2008-04-13 20:12 76,800 --------- C:\WINDOWS\system32\qutil.dll
2008-08-26 12:55 . 2008-04-13 20:12 62,464 --------- C:\WINDOWS\system32\qcliprov.dll
2008-08-26 12:55 . 2008-04-13 20:12 61,952 --------- C:\WINDOWS\system32\rasqec.dll
2008-08-26 12:54 . 2008-04-13 20:12 1,306,624 -----c--- C:\WINDOWS\system32\dllcache\msxml6.dll
2008-08-26 12:54 . 2008-04-13 20:12 193,024 --------- C:\WINDOWS\system32\napmontr.dll
2008-08-26 12:54 . 2008-04-13 20:12 176,640 --------- C:\WINDOWS\system32\napstat.exe
2008-08-26 12:54 . 2008-04-13 20:12 155,136 --------- C:\WINDOWS\system32\mssha.dll
2008-08-26 12:54 . 2008-04-13 13:27 79,872 -----c--- C:\WINDOWS\system32\dllcache\msxml6r.dll
2008-08-26 12:54 . 2008-04-13 14:14 76,800 --------- C:\WINDOWS\system32\msshavmsg.dll
2008-08-26 12:54 . 2008-04-13 20:12 30,208 --------- C:\WINDOWS\system32\napipsec.dll
2008-08-26 12:53 . 2008-04-13 20:11 397,312 --------- C:\WINDOWS\system32\mmcex.dll
2008-08-26 12:53 . 2008-04-13 20:11 184,320 --------- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-08-26 12:53 . 2008-04-13 20:11 106,496 --------- C:\WINDOWS\system32\mmcfxcommon.dll
2008-08-26 12:53 . 2008-04-13 20:11 37,376 --------- C:\WINDOWS\system32\l2gpstore.dll
2008-08-26 12:53 . 2008-04-13 20:12 33,792 --------- C:\WINDOWS\system32\mmcperf.exe
2008-08-26 12:52 . 2008-04-13 20:11 61,440 --------- C:\WINDOWS\system32\kmsvc.dll
2008-08-26 12:52 . 2008-04-13 20:12 10,752 --------- C:\WINDOWS\system32\smtpapi.dll
2008-08-26 12:52 . 2008-04-13 20:12 9,728 --------- C:\WINDOWS\system32\rwnh.dll
2008-08-26 12:52 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\system32\kbdpash.dll
2008-08-26 12:52 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\system32\kbdnepr.dll
2008-08-26 12:52 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\system32\kbdiultn.dll
2008-08-26 12:52 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\system32\kbdbhc.dll
2008-08-26 12:52 . 2007-06-21 01:52 974 --------- C:\WINDOWS\system32\pid.inf
2008-08-26 12:51 . 2008-04-13 20:11 184,832 --------- C:\WINDOWS\system32\eapp3hst.dll
2008-08-26 12:51 . 2008-04-13 20:11 180,224 --------- C:\WINDOWS\system32\eapphost.dll
2008-08-26 12:51 . 2008-04-13 12:36 144,384 --------- C:\WINDOWS\system32\drivers\hdaudbus.sys
2008-08-26 12:51 . 2008-04-13 20:11 126,976 --------- C:\WINDOWS\system32\eappcfg.dll
2008-08-26 12:51 . 2008-04-13 20:11 94,208 --------- C:\WINDOWS\system32\eappgnui.dll
2008-08-26 12:51 . 2008-04-13 20:11 59,392 --------- C:\WINDOWS\system32\eapqec.dll
2008-08-26 12:51 . 2008-04-13 20:11 40,960 --------- C:\WINDOWS\system32\eappprxy.dll
2008-08-26 12:51 . 2008-04-13 20:11 33,792 --------- C:\WINDOWS\system32\eapsvc.dll
2008-08-26 12:51 . 2008-04-13 20:11 30,720 --------- C:\WINDOWS\system32\eapolqec.dll
2008-08-25 12:55 . 2008-08-25 12:55 <DIR> d-------- C:\Documents and Settings\Brooke\dwhelper
2008-08-24 20:27 . 2008-08-24 20:27 <DIR> d-------- C:\Program Files\FDRLab
2008-08-24 20:27 . 2008-08-24 20:27 <DIR> d-------- C:\Documents and Settings\Brooke\Application Data\FDRLab
2008-08-19 16:34 . 2008-08-19 16:34 <DIR> d-------- C:\WINDOWS\Sun
2008-08-19 12:55 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-19 12:53 . 2008-08-19 12:55 <DIR> d-------- C:\Program Files\Java
2008-08-19 12:52 . 2008-08-19 12:52 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-13 15:25 . 2005-08-16 12:23 38,422 --a------ C:\WINDOWS\system32\drivers\StMp3Rec.sys
2008-08-13 15:24 . 2008-08-13 15:25 <DIR> d-------- C:\Program Files\Creative
2008-08-12 19:08 . 2008-05-01 10:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-12 19:07 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-10 23:19 . 2008-09-05 22:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-10 23:19 . 2008-08-10 23:19 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-07 18:44 --------- d-----w C:\Program Files\Picasa2
2008-08-29 22:19 --------- d-----w C:\Program Files\TomTom HOME
2008-08-29 22:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-27 16:31 --------- d-----w C:\Documents and Settings\Brooke\Application Data\U3
2008-08-27 14:04 164,976 ----a-w C:\WINDOWS\system32\drivers\HookSys.sys
2008-08-25 00:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-23 16:01 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-07 15:31 --------- d-----w C:\Documents and Settings\Brooke\Application Data\Corel
2008-08-07 15:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-08-06 17:03 10,736 ----a-w C:\WINDOWS\system32\drivers\RsNTGdi.sys
2008-08-06 17:02 62,576 ----a-w C:\WINDOWS\system32\drivers\HookNtos.sys
2008-08-06 17:02 38,256 ----a-w C:\WINDOWS\system32\drivers\HOOKREG.sys
2008-08-06 17:02 30,704 ----a-w C:\WINDOWS\system32\drivers\HookHelp.sys
2008-08-06 17:02 13,808 ----a-w C:\WINDOWS\system32\drivers\HookCont.sys
2008-08-05 15:48 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-08-05 15:48 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-05 15:48 --------- d-----w C:\Program Files\Belkin
2008-08-01 22:00 --------- d-----w C:\Program Files\Pure Networks
2008-08-01 22:00 --------- d-----w C:\Program Files\Common Files\AOL
2008-08-01 21:58 --------- d-----w C:\Documents and Settings\Brooke\Application Data\AOL
2008-08-01 21:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-08-01 21:19 --------- d-----w C:\Program Files\Common Files\aolback
2008-08-01 21:17 --------- d-----w C:\Program Files\Common Files\Nullsoft
2008-08-01 21:17 --------- d-----w C:\Documents and Settings\Brooke\Application Data\You've Got Pictures Screensaver
2008-08-01 21:16 --------- d-----w C:\Program Files\QuickTime
2008-08-01 21:15 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
2008-08-01 21:15 --------- d-----w C:\Program Files\Common Files\Real
2008-08-01 21:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-08-01 21:14 --------- d-----w C:\Program Files\Real
2008-08-01 21:13 --------- d-----w C:\Program Files\Viewpoint
2008-08-01 21:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-01 21:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-07-26 16:37 --------- d-----w C:\Documents and Settings\Brooke\Application Data\HP
2008-07-26 16:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-07-26 16:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-07-26 16:29 --------- d-----w C:\Program Files\HP
2008-07-20 06:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2008-07-20 06:38 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-07-20 06:36 --------- d-----w C:\Program Files\Logitech
2008-07-20 06:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-07-20 06:35 --------- d-----w C:\Program Files\Labtec
2008-07-19 21:37 88 --sh--r C:\Documents and Settings\All Users\Application Data\FA785541EB.sys
2008-07-19 21:37 2,516 --sha-w C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2003-06-25 20:05 266,360 ----a-r C:\Program Files\TweakUI.exe
2007-08-16 16:26 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RavTask"="C:\Program Files\Rising\Rav\RavTask.exe" [2008-08-06 211568]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2008-08-01 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-08-01 98304]
C:\Documents and Settings\Brooke\Start Menu\Programs\Startup\
BHODemon 2.0.lnk - C:\Program Files\BHODemon 2\BHODemon.exe [2005-02-12 778240]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{32CD708B-60A7-4C00-9377-D73EAA495F0F}"= "C:\WINDOWS\system32\RavExt.dll" [2008-08-06 113264]
[HKLM\~\startupfolder\C:^Documents and Settings^Brooke^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Brooke\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2007-10-25 16:33 563984 C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-10-25 16:37 2178832 C:\Program Files\Logitech\QuickCam\Quickcam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2005-06-15 08:56 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2005-06-15 08:56 135168 C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
--a------ 2007-05-15 17:34 3975848 C:\Program Files\TomTom HOME\TomTomHOME.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Rhapsody\\rhapsody.exe"=
R0 RsNTGDI;RsNTGDI;C:\WINDOWS\system32\Drivers\RsNTGdi.sys [2008-08-06 10736]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 HookCont;HookCont;C:\WINDOWS\system32\drivers\HookCont.sys [2008-08-06 13808]
R1 HookNtos;HookNtos;C:\WINDOWS\system32\drivers\HookNtos.sys [2008-08-06 62576]
R1 HookReg;HookReg;C:\WINDOWS\system32\drivers\HookReg.sys [2008-08-06 38256]
R1 HookSys;HookSys;C:\WINDOWS\system32\drivers\HookSys.sys [2008-08-27 164976]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2006-02-09 578784]
R2 RsCCenter;Rising Process Communication Center;C:\Program Files\Rising\Rav\CCenter.exe [2008-08-06 162416]
S2 RsRavMon;Rising RealTime Monitor;C:\PROGRAM FILES\RISING\RAV\Ravmond.exe [2008-08-06 395888]
S3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2006-02-09 20704]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae15fa43-4bd7-11dc-8a83-806d6172696f}]
\Shell\AutoRun\command - D:\OSDRUN.EXE /w2kPlus /ShowError OSDICW.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c683a04e-b32d-11dc-a1a0-0008021b644e}]
\Shell\AutoRun\command - F:\InstallTomTomHOME.exe
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Brooke\Application Data\Mozilla\Firefox\Profiles\b6n8fd6y.default\
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-08 20:26:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-09-08 20:30:33
ComboFix-quarantined-files.txt 2008-09-09 00:30:21
Pre-Run: 7,074,246,656 bytes free
Post-Run: 7,065,399,296 bytes free
219 --- E O F --- 2008-08-29 05:51:52