CFScript ComboFix log and new HijackThis log
ComboFix 08-09-30.03 - Owner 2008-09-30 17:03:45.7 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\system32\ahoxhpds.dll
C:\WINDOWS\system32\kaojxywe.dll
C:\WINDOWS\system32\klbdhbby.dll
C:\WINDOWS\system32\mklefxvs.dll
C:\WINDOWS\system32\mqvxzi.dll
C:\WINDOWS\system32\nhrplq.dll
C:\WINDOWS\system32\nyfqdz.dll
C:\WINDOWS\system32\oebijfct.dll
C:\WINDOWS\system32\sigjfjgr.dll
C:\WINDOWS\system32\sobnosbg.dll
C:\WINDOWS\system32\uughwliy.ini
C:\WINDOWS\system32\vehwmy.dll
C:\WINDOWS\system32\xpbudtjq.dll
C:\WINDOWS\system32\xtrhmyyl.dll
C:\WINDOWS\system32\xxcqvbyi.dll
C:\WINDOWS\system32\ypbofson.dll
C:\WINDOWS\system32\yxfgve.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Owner\Application Data\LimeWire
C:\Documents and Settings\Owner\Application Data\LimeWire\414splashfree.png
C:\Documents and Settings\Owner\Application Data\LimeWire\certificate\limewire.keystore
C:\Documents and Settings\Owner\Application Data\LimeWire\createtimes.cache
C:\Documents and Settings\Owner\Application Data\LimeWire\downloads.dat
C:\Documents and Settings\Owner\Application Data\LimeWire\fileurns.bak
C:\Documents and Settings\Owner\Application Data\LimeWire\fileurns.cache
C:\Documents and Settings\Owner\Application Data\LimeWire\filters.props
C:\Documents and Settings\Owner\Application Data\LimeWire\gnutella.net
C:\Documents and Settings\Owner\Application Data\LimeWire\installation.props
C:\Documents and Settings\Owner\Application Data\LimeWire\library.dat
C:\Documents and Settings\Owner\Application Data\LimeWire\limewire.props
C:\Documents and Settings\Owner\Application Data\LimeWire\lwc57849tmp
C:\Documents and Settings\Owner\Application Data\LimeWire\mojito.props
C:\Documents and Settings\Owner\Application Data\LimeWire\promotion\promodb.backup
C:\Documents and Settings\Owner\Application Data\LimeWire\promotion\promodb.data
C:\Documents and Settings\Owner\Application Data\LimeWire\promotion\promodb.properties
C:\Documents and Settings\Owner\Application Data\LimeWire\promotion\promodb.script
C:\Documents and Settings\Owner\Application Data\LimeWire\questions.props
C:\Documents and Settings\Owner\Application Data\LimeWire\responses.cache
C:\Documents and Settings\Owner\Application Data\LimeWire\simpp.xml
C:\Documents and Settings\Owner\Application Data\LimeWire\spam.dat
C:\Documents and Settings\Owner\Application Data\LimeWire\tables.props
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme.lwtp
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\01_star.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\02_star.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\03_star.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\04_star.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\05_star.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\chat.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\forward_up.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\kill.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\kill_on.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\logo.png
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\notsearching.png
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\pause_up.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\play_dn.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\play_up.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\question.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\searching.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\splash.png
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\splashpro.png
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\stop_up.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\theme.txt
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\version.txt
C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\warning.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\ttree.cache
C:\Documents and Settings\Owner\Application Data\LimeWire\ttrees.cache
C:\Documents and Settings\Owner\Application Data\LimeWire\ttroot.cache
C:\Documents and Settings\Owner\Application Data\LimeWire\version.xml
C:\Documents and Settings\Owner\Application Data\LimeWire\versions.props
C:\Documents and Settings\Owner\Application Data\LimeWire\xml\data\audio.sxml2
C:\Documents and Settings\Owner\Application Data\LimeWire\xml\data\delete_me
C:\Documents and Settings\Owner\Application Data\LimeWire\xml\misc\application.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\xml\misc\audio.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\xml\misc\document.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\xml\misc\image.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\xml\misc\video.gif
C:\Documents and Settings\Owner\Application Data\LimeWire\xml\schemas\application.xsd
C:\Documents and Settings\Owner\Application Data\LimeWire\xml\schemas\audio.xsd
C:\Documents and Settings\Owner\Application Data\LimeWire\xml\schemas\document.xsd
C:\Documents and Settings\Owner\Application Data\LimeWire\xml\schemas\image.xsd
C:\Documents and Settings\Owner\Application Data\LimeWire\xml\schemas\video.xsd
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt
C:\WINDOWS\BMdb0de935.txt
C:\WINDOWS\BMdb0de935.xml
C:\WINDOWS\system32\ahoxhpds.dll
C:\WINDOWS\system32\kaojxywe.dll
C:\WINDOWS\system32\klbdhbby.dll
C:\WINDOWS\system32\mklefxvs.dll
C:\WINDOWS\system32\mqvxzi.dll
C:\WINDOWS\system32\nhrplq.dll
C:\WINDOWS\system32\nyfqdz.dll
C:\WINDOWS\system32\oebijfct.dll
C:\WINDOWS\system32\uughwliy.ini
C:\WINDOWS\system32\vehwmy.dll
C:\WINDOWS\system32\xpbudtjq.dll
C:\WINDOWS\system32\xtrhmyyl.dll
C:\WINDOWS\system32\xxcqvbyi.dll
C:\WINDOWS\system32\ypbofson.dll
C:\WINDOWS\system32\yxfgve.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MCHINJDRV
-------\Legacy_ZESOFT
((((((((((((((((((((((((( Files Created from 2008-09-01 to 2008-10-01 )))))))))))))))))))))))))))))))
.
2008-09-29 16:29 . 2008-09-29 16:29 121 ---hs---- C:\WINDOWS\system32\gbsonbos.ini
2008-09-29 12:38 . 2008-09-29 12:38 <DIR> d----c--- C:\f93045bc64fb16704121
2008-09-26 10:45 . 2008-09-26 10:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-26 10:07 . 2008-09-26 10:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-24 09:12 . 2008-09-25 18:51 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-22 14:10 . 2008-09-30 17:14 11,347 --a------ C:\WINDOWS\system32\Config.MPF
2008-09-22 14:06 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-09-22 13:53 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-09-22 13:53 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-09-22 13:53 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-09-22 13:53 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-09-22 13:53 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-09-22 13:52 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-09-22 13:46 . 2008-09-22 13:49 <DIR> d-------- C:\Program Files\McAfee.com
2008-09-22 13:44 . 2008-09-22 13:53 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-09-16 11:42 . 2008-09-16 11:42 <DIR> dr---c--- C:\Documents and Settings\All Users\Application Data\CleanupTool
2008-09-16 11:14 . 2008-09-22 13:39 <DIR> d-------- C:\Program Files\Common Files\CleanupTool
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-30 16:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-30 16:40 --------- d-----w C:\Program Files\LimeWire
2008-09-26 18:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-24 22:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\ComcastToolbar
2008-09-24 21:34 --------- dc----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-23 17:15 --------- d-----w C:\Program Files\Common Files\scanner
2008-09-22 21:10 --------- dc----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-09-22 21:08 --------- d-----w C:\Program Files\McAfee
2008-08-20 00:19 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-11 03:52 1,461 -c-ha-w C:\hpothb07.dat
2008-08-01 14:35 --------- d-----w C:\Program Files\MSXML 4.0
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-02-09 02:01 60,968 -c--a-w C:\Documents and Settings\Owner\GoToAssistDownloadHelper.exe
2005-08-09 02:22 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2004-09-05 02:07 1,269 -c-ha-w C:\Program Files\hpothb07.tif
2002-09-11 14:26 63,730 -c--a-w C:\Program Files\viewsonicinstruct_xp.pdf
2001-06-27 12:39 210 -c----w C:\Program Files\copye.bat
1956-09-09 16:26 3,198,976 -c--a-w C:\Program Files\ViewSonicregistration.exe
2001-08-18 12:00 94,784 -csh--w C:\WINDOWS\twain.dll
2004-08-04 07:56 50,688 -csh--w C:\WINDOWS\twain_32.dll
2007-12-04 18:38 550,912 --sha-w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe
.
((((((((((((((((((((((((((((( snapshot_2008-09-29_16.12.44.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-29 23:51:38 503,808 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\bb3c2f59a821abc54f420f3a9e051d6a\ComSvcConfig.ni.exe
+ 2008-09-29 23:51:43 1,232,896 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\e3dce636e798c53ec2b44d1d4aadb850\Microsoft.Transactions.Bridge.ni.dll
+ 2008-09-29 23:51:46 401,408 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\f3902a808549b40d648206c9303f2788\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2008-09-29 23:52:06 1,581,056 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationBuildTa#\ab2b2664932688ae7c8e0bd9d10448ef\PresentationBuildTasks.ni.dll
+ 2008-09-29 23:51:49 139,264 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\feac66e81309d67b48f7a9f4cb98f7c8\ServiceModelReg.ni.exe
+ 2008-09-29 23:51:51 299,008 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\169ba2fe1a4d87ede3ab8dd3d44d867e\SMDiagnostics.ni.dll
+ 2008-09-29 23:51:53 323,584 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\SMSvcHost\a098c66aa40d958878f3f5344e6ae1a4\SMSvcHost.ni.exe
+ 2008-09-29 23:11:08 241,664 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\492d16599426c7ab35ad2c499a9d4ae6\System.IdentityModel.Selectors.ni.dll
+ 2008-09-29 23:11:02 1,118,208 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\bdd94a4c46e4424787dfed9381196cb3\System.IdentityModel.ni.dll
+ 2008-09-29 23:11:12 417,792 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.IO.Log\e1e6aa5272543f1d9dad98be897b693e\System.IO.Log.ni.dll
+ 2008-09-29 23:11:32 2,445,312 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\e27527e67611d8acc0d8dff6d286af23\System.Runtime.Serialization.ni.dll
+ 2008-09-29 23:51:15 18,071,552 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\350903c091629396c08742c996c1caba\System.ServiceModel.ni.dll
+ 2008-09-29 23:52:34 2,039,808 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Speech\d4147c99010667b5c547fcfc56ed7bd5\System.Speech.ni.dll
+ 2008-09-29 23:52:51 3,084,288 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\9798b3ba448ba7d5f1dd70a8a1fb7562\System.Workflow.Activities.ni.dll
+ 2008-09-29 23:53:02 4,579,328 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\575dad1c0dc9d035acbab10846802ce0\System.Workflow.ComponentModel.ni.dll
+ 2008-09-29 23:53:08 2,088,960 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\9d89b57d703aefe4938b45f8b398d378\System.Workflow.Runtime.ni.dll
+ 2008-09-29 23:15:41 4,843,377 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP18C.tmp\System.ServiceModel.dll
+ 2008-09-29 23:53:14 483,328 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\c2e5aa36c753a605bdefb97ab83e8806\UIAutomationClient.ni.dll
+ 2008-09-29 23:53:17 1,118,208 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\ae395b4b568f0d71fec35e3902a46a99\UIAutomationClientsideProviders.ni.dll
+ 2008-09-29 23:53:27 270,336 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\b7c202147607f93463ead99e743c78b9\WindowsFormsIntegration.ni.dll
+ 2008-09-29 23:51:55 380,928 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\WsatConfig\13f498f606b7cb97c086eea149b8c872\WsatConfig.ni.exe
- 2008-09-29 21:44:57 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-10-01 00:01:11 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-09-29 21:44:57 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-01 00:01:11 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-09 02:19:43 298,048 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-09-29 23:21:17 298,048 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2008-09-29 20:45:51 24,038 ----a-w C:\WINDOWS\system32\InetCntrl\Data\userpolicy.bin
+ 2008-10-01 00:24:37 24,038 ----a-w C:\WINDOWS\system32\InetCntrl\Data\userpolicy.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-18 212992]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-03-20 213936]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-03-08 188416]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2002-01-26 45056]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"InetCntrl"="C:\WINDOWS\system32\InetCntrl\InetCntrl.exe" [2008-01-29 841008]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-01 185896]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-08-08 148760]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 413696]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"S3apphk"="S3apphk.exe" [2001-12-04 C:\WINDOWS\system32\S3apphk.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 C:\WINDOWS\ltmsg.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk
backup=C:\WINDOWS\pss\hp center UI.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center.lnk
backup=C:\WINDOWS\pss\hp center.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MS Office.hta]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MS Office.hta
backup=C:\WINDOWS\pss\MS Office.htaCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=C:\WINDOWS\pss\SpySubtract.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
NvQTwk [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2002-03-14 10:25 102455 C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2001-08-07 23:36 90112 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-03-08 21:30 188416 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2001-08-08 00:25 143360 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PreloadApp]
--a--c--- 2001-12-12 23:05 36864 c:\hp\drivers\printers\photosmart\HPHprld.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a--c--- 2004-03-18 10:33 892928 C:\Program Files\Logitech\iTouch\iTouch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2002-03-09 16:53 364544 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SMINST\\INSTALL_HP.EXE"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Album\\hpqaprnt.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\hp\\support\\HPSysInfo.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\Hpqdirec.exe"=
"C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\Photo Printing\\Hpi_Print.exe"=
"C:\\Program Files\\PC-Doctor for Windows XP\\PCDRW32.EXE"=
"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\InetCntrl\\InetCntrl.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 17:18:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\snmp.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-09-30 17:48:36 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-10-01 00:47:48
ComboFix2.txt 2008-09-30 02:14:51
ComboFix3.txt 2008-09-29 23:15:04
ComboFix4.txt 2008-09-29 20:45:55
Pre-Run: 14,215,196,672 bytes free
Post-Run: 14,261,432,320 bytes free
337 --- E O F --- 2008-09-29 19:39:38
*
*
*
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:00 PM, on 9/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\fxssvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\S3apphk.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\InetCntrl\InetCntrl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\wkkraus.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {E0019445-4C1F-414D-A70E-AD80F231C584} - (no file)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [InetCntrl] C:\WINDOWS\system32\InetCntrl\InetCntrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O15 - Trusted Zone: http://www6.comcast.net
O15 - Trusted Zone: http://www.listen.com
O15 - Trusted Zone: *.listen.com
O15 - Trusted Zone: *.llnwd.net
O15 - Trusted Zone: *.real.com
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1202523933312
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O19 - User stylesheet: (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
--
End of file - 8760 bytes
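Editor's note, added after the poster's logs and not part of them or of ComboFix/HijackThis: the script below parses lines in the two formats shown above and pulls out the entries a helper normally reads first: O10 Winsock LSP entries whose file HijackThis does not recognise, O15 wildcard Trusted Zone hosts, O16 ActiveX (DPF) entries with no source URL, O3/O19 registrations that point at a missing file, and the Security Center and firewall-policy values from ComboFix's "Reg Loading Points" section. The sample lines are copied from the logs above and embedded so it runs offline; the labels ("review", "orphan", "confirm") and the heuristics are the editor's own, not output of either tool.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: lines copied from the HijackThis log above.
HJT_SAMPLE = "\n".join([
    r"O3 - Toolbar: (no name) - {E0019445-4C1F-414D-A70E-AD80F231C584} - (no file)",
    r"O4 - HKLM\..\Run: [InetCntrl] C:\WINDOWS\system32\InetCntrl\InetCntrl.exe",
    r"O10 - Unknown file in Winsock LSP: inetcntrl0011.dll",
    r"O10 - Unknown file in Winsock LSP: inetcntrl0011.dll",
    r"O15 - Trusted Zone: http://www6.comcast.net",
    r"O15 - Trusted Zone: *.llnwd.net",
    r"O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -",
    r"O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab",
    r"O19 - User stylesheet: (file missing)",
])

# Constructed sample input: Security Center / firewall lines from the ComboFix log above.
COMBOFIX_SAMPLE = "\n".join([
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]",
    r'"AntiVirusDisableNotify"=dword:00000001',
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]",
    r'"DisableMonitoring"=dword:00000001',
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]",
    r'"DisableMonitoring"=dword:00000001',
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]",
    r'"EnableFirewall"= 0 (0x0)',
])

HJT_LINE = re.compile(r"^([RFNO]\d+) - (.*)$")   # "O10 - <body>"
REG_KEY = re.compile(r"^\[(.+)\]$")                # "[HKLM\...]"
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # '"Name"=data'


def parse_hjt(text):
    """Yield (section, body) for every HijackThis-format line in text."""
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage_hjt(text):
    """Return (label, section, message) findings; 'review' = verify it, 'orphan' = file is gone."""
    findings = []
    lsp_unknown = Counter()
    for section, body in parse_hjt(text):
        if section == "O10" and body.startswith("Unknown file in Winsock LSP:"):
            lsp_unknown[body.split(":", 1)[1].strip()] += 1
        elif section == "O15":
            host = body.split(":", 1)[1].strip()
            if host.startswith("*."):   # wildcard trusts every subdomain
                findings.append(("review", section, f"wildcard host in IE Trusted Zone: {host}"))
        elif section == "O16" and body.rstrip().endswith("-"):
            clsid = body.split()[1]     # "DPF: {CLSID} -" -> CLSID
            findings.append(("review", section, f"ActiveX download (DPF) entry with no source URL: {clsid}"))
        elif section in ("O2", "O3", "O9") and "(no file)" in body:
            findings.append(("orphan", section, f"registration points at a missing file: {body}"))
        elif section == "O19" and "(file missing)" in body:
            findings.append(("orphan", section, body))
    # One finding per distinct LSP DLL: HijackThis prints one O10 line per catalog entry.
    for name, count in lsp_unknown.items():
        findings.append(("review", "O10", f"Winsock LSP with unrecognised file: {name} ({count} catalog entries)"))
    return findings


def parse_reg_block(text):
    """Return {key: {value_name: raw_data}} from ComboFix's REGEDIT4-style listing."""
    result, key = defaultdict(dict), None
    for line in text.splitlines():
        line = line.strip()
        km = REG_KEY.match(line)
        if km:
            key = km.group(1)
            continue
        vm = REG_VALUE.match(line)
        if vm and key is not None:
            result[key][vm.group(1)] = vm.group(2).strip()
    return dict(result)


def reg_flag_is_set(raw):
    """True for 'dword:00000001' and for ComboFix's '1 (0x1)' rendering."""
    raw = raw.lower()
    return raw == "dword:00000001" or raw.startswith("1 ")


def triage_reg(text):
    """Return ('confirm', key, message) for Security Center and firewall-policy values.

    Labelled 'confirm', not 'malicious': a third-party suite that owns Security Center
    reporting sets these legitimately (editor's assumption; check the Monitoring\\<Product> key).
    """
    findings = []
    for key, values in parse_reg_block(text).items():
        k = key.lower()
        for name, raw in values.items():
            if k.endswith("security center") and name == "AntiVirusDisableNotify" and reg_flag_is_set(raw):
                findings.append(("confirm", key, "Security Center antivirus notifications disabled"))
            elif "security center\\monitoring\\" in k and name == "DisableMonitoring" and reg_flag_is_set(raw):
                findings.append(("confirm", key, f"Security Center monitoring disabled for {key.rsplit(chr(92), 1)[-1]}"))
            elif k.endswith(r"firewallpolicy\standardprofile") and name == "EnableFirewall" and raw.startswith("0"):
                findings.append(("confirm", key, "Windows Firewall standard profile off (EnableFirewall=0)"))
    return findings


if __name__ == "__main__":
    for label, where, msg in triage_hjt(HJT_SAMPLE) + triage_reg(COMBOFIX_SAMPLE):
        print(f"[{label:7}] {where}: {msg}")
```

Two caveats a helper would attach to the output. The three "confirm" registry values are what a suite that has taken over Security Center reporting writes (here both Monitoring keys are named for McAfee products, which also runs its own firewall service), so on their own they are not evidence of tampering. The O10 entries name a DLL that shares its prefix with the InetCntrl program listed under HKLM\..\Run and in the firewall's authorised-applications list; verify the publisher rather than deleting it, because removing a Winsock LSP DLL without repairing the catalog can leave the machine with no working networking.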