ComboFix 08-08-13.05 - GeRm 2008-08-14 12:05:48.1 - NTFSx86
Running from: C:\Documents and Settings\GeRm\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Jer.JEREME\Favorites\Privacy Protector.url
C:\Documents and Settings\Jer.JEREME\Favorites\Spyware&Malware Protection.url
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\Common Files\icroso~1.net\?icrosoft.NET\
C:\Program Files\Common Files\icroso~1.net\alg.exe
C:\Program Files\Common Files\sstem~1
C:\Program Files\ISM
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\Need2Find
C:\Program Files\Need2Find\bar\1.bin\N2FFXTBR.JAR
C:\Program Files\Need2Find\bar\1.bin\N2NTSTBR.JAR
C:\Program Files\Need2Find\bar\1.bin\PARTNER.DAT
C:\Program Files\Need2Find\bar\Cache\2DF4E441
C:\Program Files\Need2Find\bar\Cache\2DF4E904
C:\Program Files\Need2Find\bar\History\search
C:\Program Files\Need2Find\bar\Settings\prevcfg.htm
C:\Program Files\VideoAccessCodec
C:\Program Files\VideoAccessCodec\install.ico
C:\Program Files\VideoAccessCodec\Uninstall.exe
C:\Program Files\ystem3~1
C:\WINDOWS\main_uninstaller.exe
C:\WINDOWS\msmdev.dll
C:\WINDOWS\msmhost.dll
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\_000111_.tmp.dll
C:\WINDOWS\system32\_000228_.tmp.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\REGOBJ.DLL
C:\WINDOWS\system32\SOCKETX.DLL
C:\WINDOWS\system32\SOCKETX.OCX
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\uninstall.exe
C:\WINDOWS\system32\ututv.ini
C:\WINDOWS\system32\ututv.ini2
C:\WINDOWS\system32\wintsvcc.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-31 02:07 38,472 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-31 02:07 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2006-12-20 20:20 560 -c--a-w C:\Program Files\Global.sw
2006-06-17 18:05 2 --shatr C:\WINDOWS\winstart.bat
2007-07-10 20:36 81,408 --sha-r C:\WINDOWS\system32\thqcawmm\lsass.exe
.
<pre>
----a-w 256,576 2008-01-06 06:00:17 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 132,496 2008-01-06 06:00:03 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 1,694,208 2007-12-28 06:44:46 C:\Program Files\Messenger\msmsgs .exe
----a-w 1,289,000 2005-12-07 04:52:51 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,702,912 2005-12-07 04:52:27 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,702,912 2005-12-07 04:02:53 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,702,912 2005-12-03 01:08:38 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,702,912 2005-12-02 23:42:23 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,702,912 2005-12-11 19:54:34 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,702,912 2005-12-11 13:06:56 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,702,912 2005-12-11 09:36:57 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,702,912 2005-12-11 08:15:48 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,702,912 2005-12-11 06:32:26 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,702,912 2005-12-10 02:05:36 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,702,912 2005-12-08 23:12:53 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,702,912 2005-12-03 10:18:33 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,702,912 2005-12-02 08:14:48 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,702,912 2005-12-01 08:43:55 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,702,912 2005-12-01 08:14:15 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,702,912 2005-12-01 06:01:42 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,702,912 2005-12-01 06:01:31 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,702,912 2005-12-01 11:52:14 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,702,912 2005-12-01 06:44:27 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 1,702,912 2005-12-01 06:20:01 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w 568,096 2005-12-01 06:07:55 C:\Program Files\Netscape\Netscape\Netscp .exe
----a-w 2,156,368 2005-12-10 02:11:09 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 1,910,040 2005-12-07 04:53:18 C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster .exe
----a-w 5,729,136 2008-01-06 06:00:54 C:\Program Files\Windows Live\Messenger\msnmsgr .exe
----a-w 5,729,136 2005-12-07 04:53:20 C:\Program Files\Windows Live\Messenger\msnmsgr .exe
----a-w 204,288 2005-12-07 04:52:59 C:\Program Files\Windows Media Player\WMPNSCFG .exe
----a-w 15,360 2005-12-08 23:12:56 C:\WINDOWS\system32\ctfmon .exe
----a-w 1,347,584 2005-12-07 04:52:41 C:\WINDOWS\system32\WLTRAY .exe
</pre>-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [2005-12-06 23:52 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 11:33 1506544]
"smss"="" [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2005-12-06 23:59 1232152]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 20:23 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 10:35 536576]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 11:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^GeRm^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\GeRm\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^GeRm^Start Menu^Programs^Startup^lsass.lnk]
path=C:\Documents and Settings\GeRm\Start Menu\Programs\Startup\lsass.lnk
backup=C:\WINDOWS\pss\lsass.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tues]
C:\Documents and Settings\Admin\Application Data\??stem\?explore.exe [?]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2005-12-08 18:12 1702912 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-06 00:59 692224 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\vtutu.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lsass]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]
C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2007-12-28 01:43 2230784 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2005-12-06 23:53 5729136 C:\Program Files\Windows Live\Messenger\msnmsgr .exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule11]
C:\Program Files\QdrModule\QdrModule11.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack11]
C:\Program Files\QdrPack\QdrPack11.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
-rahs---- 2007-07-10 15:36 81408 C:\WINDOWS\system32\thqcawmm\lsass.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-01-06 00:58 480768 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2005-12-07 00:17 638272 C:\Program Files\Windows Media Player\WMPNSCFG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
--a------ 2004-10-06 03:26 71680 C:\WINDOWS\system32\CTASIO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2004-10-06 03:49 14848 C:\WINDOWS\CTHELPER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"PavPrSrv"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Morpheus\\Morpheus.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2005-12-06 23:59]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2005-12-06 23:59]
S2 Ca533av;Icatch(IV) Video Camera Device;C:\WINDOWS\system32\Drivers\Ca533av.sys []
S2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys []
S3 ComFiltr;Panda Anti-Dialer;C:\WINDOWS\system32\DRIVERS\COMFiltr.sys []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-23 21:12]
S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
S3 USB20L;Linksys USB 2.0 10/100 Adapter;C:\WINDOWS\system32\DRIVERS\USB200M.sys [2002-09-24 01:35]
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2007-08-03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe []
.
- - - - ORPHANS REMOVED - - - -
BHO-{BCAFFC4C-6C88-6A5D-8F58-4AE675F50AE1} - C:\WINDOWS\system32\bbzmi.dll
BHO-{E4FBAA44-638E-6B58-8B58-4AE675F40DE6} - C:\WINDOWS\system32\lduyur.dll
Notify-ljjjjgd - ljjjjgd.dll
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\GeRm\Application Data\Mozilla\Firefox\Profiles\e921gdvq.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - google.com
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2008-08-14 12:15:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-08-14 12:28:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-14 17:27:53
Pre-Run: 15,638,888,448 bytes free
Post-Run: 16,309,751,808 bytes free
244 --- E O F --- 2005-12-11 06:34:44
