Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:34 PM, on 09/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17091)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Documents and Settings\All Users\Application Data\OfficeGuardianV2\reminder\SacReminder.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.mywinnipeg.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:43902
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (filesize 1372472 bytes, MD5 C080735EC3D2D15CF13D44E5A1846BA9)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (filesize 62080 bytes, MD5 C11F6A1F61481E24BE3FDC06EA6F7D2A)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (filesize 41760 bytes, MD5 3F59EDE1444C14CFBAA15C7EBBFE6196)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (filesize 79648 bytes, MD5 BEE32BCE0D0A5BF5692D9020BD0C0636)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (filesize 163128 bytes, MD5 65E9CBDFE35A33EF264E3C8BF38F9791)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (filesize 1372472 bytes, MD5 C080735EC3D2D15CF13D44E5A1846BA9)
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (filesize 48752 bytes, MD5 696F43558EA1C4BFF475A4B8ECC5CAC4)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exeC:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (filesize 39792 bytes, MD5 392845E8D49B5F0E81AAC4D795000A8C)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" (filesize 248552 bytes, MD5 93DB1FF92B03D24738A71E6E4992DFD3)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (filesize 421888 bytes, MD5 49385AFEE6EDFA0A0177BE6651AADD77)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (filesize 421160 bytes, MD5 DDACBCA1D0E66BBA5C984842F372A6D4)
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s (filesize 2676696 bytes, MD5 FFC7CF5E4DAEDC38A818E9890EF337D2)
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (filesize 206112 bytes, MD5 6DA7C93AB37B4A204BFCAE9FA07FF48D)
O4 - HKCU\..\Run: [SacReminderHDDV2] C:\Documents and Settings\All Users\Application Data\OfficeGuardianV2\reminder\SacReminder.exeC:\Documents and Settings\All Users\Application Data\OfficeGuardianV2\reminder\SacReminder.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet (filesize 5252408 bytes, MD5 C0D12E6C85FC6DD7FF1DBB04F2DC933B)
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (filesize 118784 bytes, MD5 67B2E7B6AE3B400D832F0456068EA83D)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL (filesize 63840 bytes, MD5 22BDC1E6E606C9BAE68141D7099309AB)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 AAC1D4EE39DF138C5D30AC5883E3B59F)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 3E930C641079443D4DE036167A69CAA2)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200973999578O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200976591625O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cabO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exeC:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exeC:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exeC:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeC:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exeC:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exeC:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeC:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeC:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exeC:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exeC:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 10433 bytes
Results of screen317's Security Check version 0.99.6
Windows XP Service Pack 3
Internet Explorer 7
Out of date! ``````````````````````````````
Antivirus/Firewall Check: Windows Firewall Disabled!
Symantec AntiVirus
PC Tools Firewall Plus 7.0
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check: Malwarebytes' Anti-Malware
HijackThis 2.0.2
CCleaner
Java(TM) 6 Update 22
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Out of date Java installed! Adobe Flash Player 10.0.32.18
Adobe Reader 8.1.3
Out of date Adobe Reader installed! Mozilla Firefox (3.5.15)
Firefox Out of Date! ````````````````````````````````
Process Check:
objlist.exe by Laurent Symantec AntiVirus DefWatch.exe
Symantec AntiVirus Rtvscan.exe
PC Tools Firewall Plus FirewallGUI.exe
PC Tools Firewall Plus FWService.exe
````````````````````````````````
DNS Vulnerability Check: GREAT! (Not vulnerable to DNS cache poisoning)
``````````End of Log```````````` ComboFix 10-12-08.04 - my name 09/12/2010 22:03:58.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.247 [GMT -6:00]
Running from: c:\documents and settings\my name\Desktop\commy.exe.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Install.exe
----- BITS: Possible infected sites -----
hxxp://au.download.windowj+|Cv+@J:NGD_DQ{zcxLJS@b^OueWU Client DownloadS-1-5-18`HT4?? 6VwoQZCDHM6VwoQZCDHMXuEIy<cxLJS@GD_DQ{zGD_DQ{zGD_DQ{z+@J:Nj+|Cvte.com
.
((((((((((((((((((((((((( Files Created from 2010-11-10 to 2010-12-10 )))))))))))))))))))))))))))))))
.
2010-12-09 23:01 . 2010-12-09 23:01 -------- d-----w- c:\program files\Trend Micro
2010-12-07 23:19 . 2010-12-07 23:19 -------- d-----w- c:\documents and settings\my name\Application Data\PCToolsFirewallPlus
2010-12-07 23:18 . 2010-11-25 16:53 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-12-07 23:18 . 2010-03-29 17:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-12-07 23:18 . 2010-11-17 16:19 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-12-07 23:17 . 2010-12-09 23:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-12-07 23:17 . 2010-12-07 23:18 -------- d-----w- c:\program files\Common Files\PC Tools
2010-12-07 23:17 . 2010-11-24 15:18 89192 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2010-12-07 23:17 . 2010-07-08 15:49 57536 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2010-12-07 23:17 . 2010-02-05 15:26 32808 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2010-12-07 23:17 . 2010-11-25 16:42 124992 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2010-12-07 23:17 . 2010-12-07 23:19 -------- d-----w- c:\program files\PC Tools Firewall Plus
2010-12-07 21:52 . 2010-12-07 21:52 -------- d-----w- c:\documents and settings\my name\Application Data\Malwarebytes
2010-12-07 21:52 . 2010-11-29 23:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-07 21:52 . 2010-12-07 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-07 21:52 . 2010-12-07 21:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-07 21:52 . 2010-11-29 23:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-07 20:02 . 2010-12-07 20:02 -------- d-----w- c:\documents and settings\my name\Application Data\SUPERAntiSpyware.com
2010-12-07 20:02 . 2010-12-07 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-12-07 20:00 . 2010-12-07 20:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-07 19:38 . 2010-12-07 19:38 -------- d-----w- c:\program files\CCleaner
2010-12-06 22:06 . 2010-12-06 22:06 -------- d-----w- c:\documents and settings\my name\Local Settings\Application Data\Yahoo
2010-12-06 21:59 . 2010-12-07 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-12-06 21:59 . 2010-12-06 22:00 -------- d-----w- c:\documents and settings\my name\Application Data\Yahoo!
2010-12-06 21:58 . 2010-12-06 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-12-06 21:55 . 2010-12-06 21:59 -------- d-----w- c:\program files\Yahoo!
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 17:23 . 2002-10-01 13:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2002-10-01 13:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2002-10-01 13:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2002-10-01 13:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 09:50 . 2010-08-15 17:27 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 07:29 . 2008-03-25 13:28 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-13 17:22 . 2010-09-13 17:22 69632 ----a-r- c:\documents and settings\my name\Application Data\Microsoft\Installer\{D25F26E6-7F37-4580-9E83-2BDD9BE9E0CE}\NewShortcut4_838BDC75346D4F49BD1D5328F986CD86.exe
2010-09-13 17:22 . 2010-09-13 17:22 413696 ----a-r- c:\documents and settings\my name\Application Data\Microsoft\Installer\{D25F26E6-7F37-4580-9E83-2BDD9BE9E0CE}\NewShortcut2_5B2EDCAA303A43629DACC3FFFABD0901.exe
2010-09-13 17:22 . 2010-09-13 17:22 413696 ----a-r- c:\documents and settings\my name\Application Data\Microsoft\Installer\{D25F26E6-7F37-4580-9E83-2BDD9BE9E0CE}\NewShortcut1_9F9ABBA94B874F449DBFBD7EB1332F16.exe
2010-09-13 17:22 . 2010-09-13 17:22 413696 ----a-r- c:\documents and settings\my name\Application Data\Microsoft\Installer\{D25F26E6-7F37-4580-9E83-2BDD9BE9E0CE}\ARPPRODUCTICON.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"SacReminderHDDV2"="c:\documents and settings\All Users\Application Data\OfficeGuardianV2\reminder\SacReminder.exe" [2010-05-05 501640]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TCASUTIEXE"="TCAUDIAG -off" [X]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-11-29 2676696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-1-23 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
R1 cmosa;cmosa;c:\windows\system32\drivers\cmosa.sys [21/01/2008 9:00 PM 29344]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [07/12/2010 5:18 PM 249616]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 12:41 PM 67656]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [07/12/2010 5:18 PM 160448]
R2 tcaicchg;tcaicchg;c:\windows\system32\TCAICCHG.SYS [21/01/2008 9:40 PM 21233]
R2 TCAITDI;TCAITDI Protocol;c:\windows\system32\drivers\TCAITDI.SYS [21/01/2008 9:40 PM 19534]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [07/12/2010 5:17 PM 89192]
R3 pctNdisMP;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [07/12/2010 5:17 PM 57536]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [07/12/2010 5:17 PM 124992]
S3 pctNdis;PC Tools Firewall Intermediate Filter Service;c:\windows\system32\drivers\pctNdis.sys [07/12/2010 5:17 PM 57536]
--- Other Services/Drivers In Memory ---
*Deregistered* - EraserUtilDrvI10
.
Contents of the 'Scheduled Tasks' folder
2010-06-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mywinnipeg.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:43902
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\my name\Application Data\Mozilla\Firefox\Profiles\fx49hfxn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.mywinnipeg.com/
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter:
[email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\my name\Application Data\Mozilla\Firefox\Profiles\fx49hfxn.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\documents and settings\my name\Application Data\Mozilla\Firefox\Profiles\fx49hfxn.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Extension: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - c:\documents and settings\my name\Application Data\Mozilla\Firefox\Profiles\fx49hfxn.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2010-12-09 22:16
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-12-09 22:25:03
ComboFix-quarantined-files.txt 2010-12-10 04:24
Pre-Run: 14,485,835,776 bytes free
Post-Run: 14,476,328,960 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - 663BEDAB0DF9028BF984AC269FCC36E3