ComboFix 09-01-21.04 - Gary Hamlett 2009-01-23 8:52:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.588 [GMT -5:00]
Running from: c:\documents and settings\Gary Hamlett\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-12-23 to 2009-01-23 )))))))))))))))))))))))))))))))
.
2009-01-22 09:01 . 2009-01-22 09:03 <DIR> d-------- c:\program files\Trend Micro
2009-01-21 23:38 . 2009-01-21 23:38 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-21 23:38 . 2009-01-21 23:38 <DIR> d-------- c:\documents and settings\Gary Hamlett\Application Data\Malwarebytes
2009-01-21 23:38 . 2009-01-21 23:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-21 23:38 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 23:38 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-21 17:51 . 2009-01-21 17:51 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-21 17:51 . 2009-01-21 17:51 <DIR> d-------- c:\documents and settings\Gary Hamlett\Application Data\SUPERAntiSpyware.com
2009-01-21 17:51 . 2009-01-21 17:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-21 17:50 . 2009-01-21 17:50 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-21 17:30 . 2009-01-21 17:30 <DIR> d-------- c:\program files\CCleaner
2009-01-21 16:44 . 2009-01-21 16:44 <DIR> d-------- c:\program files\Avira
2009-01-21 16:44 . 2009-01-21 16:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-19 13:01 . 2009-01-19 13:00 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-18 22:49 . 2009-01-22 10:45 <DIR> d-------- c:\documents and settings\Gary Hamlett\Application Data\HPAppData
2009-01-13 20:00 . 2009-01-13 20:00 <DIR> d-------- c:\documents and settings\Gary Hamlett\Application Data\HP
2009-01-10 21:20 . 2009-01-10 21:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-01-10 21:19 . 2009-01-10 21:19 <DIR> d-------- c:\program files\Hewlett-Packard
2009-01-10 21:19 . 2009-01-10 21:19 <DIR> d-------- c:\program files\Common Files\HP
2009-01-10 21:19 . 2009-01-10 21:19 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2009-01-10 21:19 . 2009-01-10 21:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2009-01-10 21:18 . 2009-01-10 21:18 <DIR> d-------- c:\windows\yellowtail
2009-01-10 21:18 . 2009-01-10 21:18 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-01-10 21:18 . 2007-11-06 21:04 1,373,528 -ra------ c:\windows\hpzshl01.exe
2009-01-10 21:18 . 2007-11-06 21:15 1,140,056 -ra------ c:\windows\hpzmsi01.exe
2009-01-10 21:18 . 2008-01-07 09:10 10,563 -ra------ c:\windows\hpwscr19.dat
2009-01-10 21:17 . 2009-01-10 21:20 <DIR> d-------- c:\program files\HP
2009-01-10 21:17 . 2008-04-13 14:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-01-10 21:17 . 2008-04-13 14:47 25,856 --a------ c:\windows\system32\dllcache\usbprint.sys
2009-01-10 21:14 . 2009-01-10 21:54 176,379 --a------ c:\windows\hpwins19.dat
2009-01-10 21:14 . 2008-01-07 09:08 997 -ra------ c:\windows\hpwmdl19.dat
2009-01-01 00:27 . 2007-10-17 15:35 1,299,520 --a------ c:\windows\system32\drivers\WMP110.sys
2009-01-01 00:27 . 2007-10-29 23:34 405,583 --a------ c:\windows\system32\jswscsup.dll
2009-01-01 00:27 . 2003-10-13 00:30 94,208 --a------ c:\windows\system32\GTW32N50.dll
2009-01-01 00:27 . 2007-08-28 21:46 57,344 --a------ c:\windows\system32\jswscimd.sys
2009-01-01 00:27 . 2007-08-28 21:46 57,344 --a------ c:\windows\system32\drivers\jswscimd.sys
2009-01-01 00:27 . 2003-09-25 08:28 31,930 --a------ c:\windows\system32\GTNDIS3.VXD
2009-01-01 00:27 . 2007-09-21 12:09 27,298 --a------ c:\windows\system32\jswscimdp.cat
2009-01-01 00:27 . 2007-09-21 12:09 26,869 --a------ c:\windows\system32\jswscimd.cat
2009-01-01 00:27 . 2009-01-01 00:27 21,035 --a------ c:\windows\system32\drivers\AegisP.sys
2009-01-01 00:27 . 2003-09-25 07:15 15,872 --a------ c:\windows\system32\GTNDIS5.sys
2009-01-01 00:27 . 2007-08-28 21:45 5,529 --a------ c:\windows\system32\jswscimdp.inf
2009-01-01 00:27 . 2007-08-28 21:45 2,231 --a------ c:\windows\system32\jswscimd.inf
2009-01-01 00:26 . 2009-01-01 00:26 <DIR> d-------- c:\program files\Linksys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-23 13:12 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-21 21:32 --------- d-----w c:\program files\Dell
2009-01-21 21:29 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-21 21:03 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
2009-01-21 19:41 --------- d-----w c:\documents and settings\All Users\Application Data\Kodak
2009-01-19 18:00 --------- d-----w c:\program files\Java
2009-01-19 17:30 --------- d-----w c:\program files\Yahoo!
2009-01-19 17:28 --------- d-----w c:\program files\Kodak
2009-01-19 17:25 --------- d-----w c:\program files\Common Files\Corel
2009-01-19 17:12 --------- d-----w c:\program files\AdvancedEnhancer
2009-01-01 05:26 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-01 04:30 --------- d-----w c:\program files\Common Files\Adobe
2008-12-14 08:08 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-01 15:24 4,184 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2006-11-09 20:45 251 ----a-w c:\program files\wt3d.ini
2008-08-30 11:33 88 --sh--r c:\windows\system32\F35501B0EF.sys
2008-08-31 01:16 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083020080831\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-06-07 4670968]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"NapsterShell"="c:\program files\Napster\napster.exe" [2008-05-09 323216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-06 282624]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-19 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"WMP110"="c:\program files\Linksys\WMP110\WMP110.exe" [2008-02-27 962560]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprecovr \SystemRoot\sprecovr.txt
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2009-01-01 57344]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
R3 WMP110;Linksys WMP110 RangePlus Wireless PCI Adapter Service;c:\windows\system32\drivers\WMP110.sys [2009-01-01 1299520]
R4 GTWPSService;GTWPSSRV;c:\program files\Linksys\WMP110\gtwpssrv.exe [2009-01-01 34816]
R4 WLSng Service;WLSng Service;c:\program files\Linksys\WMP110\WLSngS.exe [2009-01-01 233472]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Linksys\WMP110\jswpsapi.exe [2009-01-01 352338]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6e3929e-40ed-11dc-8707-001372233781}]
\Shell\AutoRun\command - e:\jdsecure\Windows\JDSecure20.exe
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.wildblue.net
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: partypoker.com\www
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Gary Hamlett\Application Data\Mozilla\Firefox\Profiles\yd6w8dcv.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.wildblue.net/
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\wildblue.js - pref("network.proxy.type", 2);
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-23 08:53:56
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1024)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-01-23 8:56:22
ComboFix-quarantined-files.txt 2009-01-23 13:56:10
Pre-Run: 217,746,849,792 bytes free
Post-Run: 217,732,108,288 bytes free
--- E O F --- 2009-01-18 08:02:13