ComboFix 08-07-26.1 - Owner 2008-07-26 19:34:29.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.173 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.
((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.
2008-07-26 18:40 . 2008-07-26 18:40 <DIR> d-------- C:\WINDOWS\system32\oobe
2008-07-26 14:08 . 2008-07-26 14:08 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-07-26 14:07 . 2008-07-26 14:08 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-26 14:07 . 2008-07-26 14:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-26 14:07 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-26 14:07 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-26 10:24 . 2008-07-26 19:14 <DIR> d-------- C:\sniper.exe
2008-07-26 10:22 . 2008-07-26 10:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-26 04:34 . 2008-07-26 12:04 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-26 04:32 . 2008-07-26 15:43 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-26 04:32 . 2008-07-26 17:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2008-07-26 04:32 . 2008-07-26 04:32 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-26 04:32 . 2008-07-26 04:32 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-26 04:32 . 2008-07-26 04:32 12,936 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-07-26 04:32 . 2008-07-26 04:32 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-26 04:31 . 2008-07-26 04:31 <DIR> d-------- C:\Program Files\AVG
2008-07-26 04:31 . 2008-07-26 12:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-24 16:53 . 2007-08-10 12:56 303,104 --a------ C:\WINDOWS\system32\ciplListBar.ocx
2008-07-24 16:53 . 2007-08-10 12:56 155,648 --a------ C:\WINDOWS\system32\ciplImageList.ocx
2008-07-24 16:26 . 2008-07-24 16:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Ascentive
2008-07-24 16:09 . 2008-07-24 16:09 <DIR> d-------- C:\Program Files\RegCure
2008-07-24 03:40 . 2008-07-24 03:40 <DIR> d--hs---- C:\found.000
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\WholeSecurity
2008-07-26 17:22 --------- d-----w C:\Program Files\Winzy
2008-07-26 17:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-26 17:21 --------- d-----w C:\Program Files\Java
2008-07-26 16:59 --------- d-----w C:\Program Files\McAfee
2008-07-26 16:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-07-26 08:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-26 08:27 --------- d-----w C:\Program Files\Ascentive
2008-07-24 18:31 --------- d-----w C:\Program Files\LimeWire
2008-07-24 18:29 --------- d-----w C:\Program Files\BigFix
2008-07-19 18:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\WholeSecurity
2008-07-18 00:54 4,724 -c--a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-07-16 03:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\WeatherBug
2008-07-13 00:12 --------- d--h--w C:\Documents and Settings\Owner\Application Data\Move Networks
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 02:42 --------- d-----w C:\Program Files\Battle For Troy
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-02 07:29 --------- d-----w C:\Program Files\Disney
2008-06-02 03:17 --------- d-----w C:\Program Files\AIM6
2008-05-28 01:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\QQ Games Plugin
2008-05-27 22:58 --------- d-----w C:\Program Files\Tencent
2008-05-27 22:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-29 17:14 208,896 ----a-w C:\WINDOWS\system32\ConTest.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 17:26 68856]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]
"Performance Center"="C:\Program Files\Ascentive\Performance Center\ApcMain.exe" [2008-03-13 17:35 3239936]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 06:01 32768]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-05-18 21:10 169984]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 21:44 139264]
"eBayToolbar"="C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2008-04-20 17:29 652528]
"Monitor"="C:\WINDOWS\PixArt\PAC207\Monitor.exe" [2006-11-03 11:01 319488]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-26 04:32 1235736]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 20:44 16120832 C:\WINDOWS\RTHDCPL.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OOBEDDDemise"="erase" [X]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-07-26 04:32]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-26 04:32]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-26 04:32]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-26 04:32]
R3 PAC207;PC Camera;C:\WINDOWS\system32\DRIVERS\PFC027.SYS [2007-05-29 13:30]
S2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-26 04:32]
S2 W55U01;WINBOND W55U01 USB;C:\WINDOWS\system32\Drivers\W55U01.sys [2005-08-12 09:58]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-09-27 16:12]
.
Contents of the 'Scheduled Tasks' folder
2008-07-26 C:\WINDOWS\Tasks\RegCure Program Check.job - C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]
2008-07-24 C:\WINDOWS\Tasks\RegCure.job - C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-07-26 19:40:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
OOBEDDDemise = cmd /x /c erase C:\WINDOWS\System32\oobe\msoobe.exe?
???C?w?
???e?
?i?wis?
?H?
??*&?|l?
&?|??-w?
`?
?|?&?|?
?&?|B%?|?
|?$?|?
??-wC
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-07-26 19:52:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-26 23:51:17
Pre-Run: 63,690,960,896 bytes free
Post-Run: 63,639,945,216 bytes free
160 --- E O F --- 2008-07-25 00:46:52