ComboFix log:
ComboFix 08-10-23.03 - student 2008-10-23 20:35:09.1 - NTFSx86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\drivers\TDSSpqxt.sys
C:\WINDOWS\system32\TDSSbxbx.dll
C:\WINDOWS\system32\TDSScfum.dll
C:\WINDOWS\system32\TDSSfxwp.dll
C:\WINDOWS\system32\TDSSnmxa.dll
C:\WINDOWS\system32\TDSSnrsr.dat
C:\WINDOWS\system32\TDSSoiqh.log
C:\WINDOWS\system32\TDSSosvn.dll
C:\WINDOWS\system32\TDSSpqxt.log
C:\WINDOWS\system32\TDSSrdym.log
C:\WINDOWS\system32\TDSSsihc.dll
C:\WINDOWS\system32\TDSStkdv.dll
.
((((((((((((((((((((((((( Files Created from 2008-09-24 to 2008-10-24 )))))))))))))))))))))))))))))))
.
2008-10-23 00:17 . 2008-10-23 00:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-23 00:04 . 2008-10-23 00:04 <DIR> d-------- C:\rsit
2008-10-22 21:16 . 2008-10-22 21:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-22 21:16 . 2008-10-16 20:25 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-22 21:16 . 2008-10-16 20:25 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-22 17:09 . 2008-10-22 17:09 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-22 17:05 . 2008-10-23 20:23 <DIR> d-------- C:\SDFix
2008-10-21 19:09 . 2008-10-21 19:09 <DIR> d-------- C:\Documents and Settings\student\Application Data\Malwarebytes
2008-10-21 19:09 . 2008-10-21 19:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
2008-10-21 15:30 . 2008-10-21 15:30 164 --a------ C:\WINDOWS\system32\TDSSpaxt.dat
2008-10-21 15:08 . 2008-10-22 17:09 60,416 --a------ C:\WINDOWS\system32\drivers\TDSSmhlt.sys
2008-10-08 20:54 . 2008-10-08 20:54 <DIR> d-------- C:\Program Files\Windows Live
2008-10-06 10:41 . 2008-10-06 10:41 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-09-30 01:30 . 2008-09-30 01:30 <DIR> d-------- C:\Program Files\Alwil Software
2008-09-28 22:13 . 2008-09-28 22:13 477,184 --a------ C:\WINDOWS\system32\autoprnt.exe
2008-09-28 22:13 . 2008-09-28 22:13 118,784 --a------ C:\WINDOWS\system32\snapapi.dll
2008-09-28 22:13 . 2008-09-28 22:13 77,728 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2008-09-28 22:13 . 2008-09-28 22:13 37,888 --a------ C:\WINDOWS\system32\setupnt.dll
2008-09-28 22:12 . 2008-09-28 22:12 <DIR> d-------- C:\Program Files\Common Files\Acronis
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-23 23:05 --------- d-----w C:\Program Files\Java
2008-10-22 01:52 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-10-21 19:12 --------- d-----w C:\Documents and Settings\student\Application Data\Azureus
2008-10-09 03:48 38,088 ----a-w C:\Documents and Settings\student\Application Data\GDIPFONTCACHEV1.DAT
2008-10-09 00:54 --------- d-----w C:\Program Files\MSN Messenger
2008-10-09 00:54 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-09-30 05:35 --------- d-----w C:\Program Files\ESET
2008-09-30 05:32 --------- d---a-w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-28 16:30 --------- d-----w C:\Program Files\Azureus
2008-08-27 02:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-27 02:50 --------- d-----w C:\Program Files\Symantec
2007-05-22 23:14 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-05-22 23:17 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
2003-04-10 14:20 30,208 ------w C:\Program Files\internet explorer\plugins\lfbmp13n.dll
2003-04-10 14:20 35,840 ------w C:\Program Files\internet explorer\plugins\lfcal13n.dll
2003-04-10 14:28 406,528 ------w C:\Program Files\internet explorer\plugins\LFCMP13n.DLL
2003-04-10 14:20 47,104 ------w C:\Program Files\internet explorer\plugins\lfgif13n.dll
2003-04-10 14:21 18,944 ------w C:\Program Files\internet explorer\plugins\lfmsp13n.dll
2003-04-10 14:21 26,624 ------w C:\Program Files\internet explorer\plugins\lfpcx13n.dll
2003-04-10 14:32 181,760 ------w C:\Program Files\internet explorer\plugins\Lfpng13n.dll
2003-04-10 14:21 55,808 ------w C:\Program Files\internet explorer\plugins\lfpsd13n.dll
2003-04-10 14:21 24,576 ------w C:\Program Files\internet explorer\plugins\lftga13n.dll
2002-09-27 16:04 4,033,084 ------w C:\Program Files\internet explorer\plugins\library.dll
2003-04-10 14:18 269,824 ------w C:\Program Files\internet explorer\plugins\LTDIS13n.dll
2003-04-04 20:55 206,848 ------w C:\Program Files\internet explorer\plugins\ltefx13n.dll
2003-04-10 14:18 144,384 ------w C:\Program Files\internet explorer\plugins\ltfil13n.DLL
2003-04-10 14:19 447,488 ------w C:\Program Files\internet explorer\plugins\ltimg13n.dll
2003-04-10 14:18 446,464 ------w C:\Program Files\internet explorer\plugins\ltkrn13n.dll
2003-06-11 14:59 245,839 ------w C:\Program Files\internet explorer\plugins\MWPro.dll
2003-06-11 15:23 73,728 ------w C:\Program Files\internet explorer\plugins\Paint.dll
2003-06-11 15:43 151,552 ------w C:\Program Files\internet explorer\plugins\sprites.dll
1998-07-12 05:13 53,760 ------w C:\Program Files\internet explorer\plugins\zlib.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Gestionnaire Antidote.exe"="C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe" [2007-04-16 534200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2004-08-14 36864]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 512000]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-26 151552]
"PDService.exe"="C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"LPManager"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-07-05 110592]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [2006-05-25 40960]
"iPrint Event Monitor"="C:\WINDOWS\system32\iprntlgn.exe" [2006-05-25 45056]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-09-13 237568]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-29 196696]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-26 208896]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-08-17 69632]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"TpShocks"="TpShocks.exe" [2005-11-07 C:\WINDOWS\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2005-10-17 C:\WINDOWS\system32\TP4EX.exe]
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-10 24576]
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
HotSync Manager.lnk - D:\Program Files\Palm\Hotsync.exe [2004-06-09 471040]
PASPortal.lnk - C:\WINDOWS\Installer\{BA52BCD8-C7A4-4D27-AA07-A5541F65B721}\NewShortcut1.exe [2006-11-15 40960]
TotalMedia Backup Monitor.lnk - D:\ArcSoft Total Media Backup & Record\uBBMonitor.exe [2008-03-04 270336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-17 03:07 49152 C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 03:07 262144 C:\WINDOWS\system32\QConGina.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 00:45 28672 C:\WINDOWS\system32\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 23:16 24576 C:\WINDOWS\system32\tphklock.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli csspwntfy
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PASPortal.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PASPortal.lnk
backup=C:\WINDOWS\pss\PASPortal.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
--a------ 2008-10-16 20:25 1257104 C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS"=3 (0x3)
"UCLauncherService"=2 (0x2)
"SMART Board Service"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"iPodService"=3 (0x3)
"wscsvc"=2 (0x2)
"CiSvc"=3 (0x3)
"cusrvc"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\StubInstaller.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"=
"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
- - - - ORPHANS REMOVED - - - -
Notify-NavLogon - (no file)
Notify-WgaLogon - (no file)
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\DOCUME~1\student\APPLIC~1\Mozilla\Firefox\Profiles\39hnx97q.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.ca
FF -: plugin - C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npnipp.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npRACtrl.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-10-23 20:46:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\QCONSVC.EXE
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\DataStudio\PASPortal.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2008-10-23 20:54:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-24 00:54:31
Pre-Run: 1,294,417,920 bytes free
Post-Run: 1,470,304,256 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
239 --- E O F --- 2008-09-25 12:18:59
HijackThis log is attached. Note: two TDSS-named files (C:\WINDOWS\system32\TDSSpaxt.dat and C:\WINDOWS\system32\drivers\TDSSmhlt.sys, created 2008-10-21) still appear in the "Files Created" section and are not in the "Other Deletions" list, so the rootkit remnants may not be fully removed; the firewall policy also lists TCP 3389 (Remote Desktop) as a globally open port, which is worth reviewing.
[Saving space - attachment deleted by admin]