ComboFix 08-03-20.2 - Sharon 2008-03-20 19:16:49.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.984 [GMT -5:00]
Running from: C:\Users\Sharon\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-20 21:53 2,260 ----a-w C:\Users\Sharon\AppData\Roaming\wklnhst.dat
2008-03-20 13:00 --------- d-----w C:\ProgramData\avg7
2008-03-16 14:28 --------- d---a-w C:\ProgramData\TEMP
2008-03-16 14:28 --------- d-----w C:\Program Files\SpywareBlaster
2008-03-13 13:41 53,768 ----a-w C:\Windows\system32\drivers\avgwfp.sys
2008-03-12 12:24 --------- d-----w C:\Program Files\Windows Mail
2008-03-06 00:57 --------- d-----w C:\Program Files\Java
2008-03-06 00:03 --------- d-----w C:\Program Files\Common Files\Java
2008-03-03 21:52 --------- d-----w C:\Program Files\CleanUp!
2008-03-01 04:39 --------- d-----w C:\Users\Sharon\AppData\Roaming\WinBatch
2008-02-29 12:46 --------- d-----w C:\Program Files\Trend Micro
2008-02-23 23:03 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-02-13 16:16 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-13 16:16 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 16:16 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 16:16 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-13 16:16 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 16:16 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 15:51 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-13 15:49 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys
2008-02-13 15:49 495,160 ----a-w C:\Windows\system32\drivers\Wdf01000.sys
2008-02-13 15:49 35,384 ----a-w C:\Windows\system32\drivers\WdfLdr.sys
2008-02-13 15:49 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys
2008-02-13 15:49 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys
2008-02-13 15:49 19,968 ----a-w C:\Windows\system32\drivers\sermouse.sys
2008-02-13 15:49 15,872 ----a-w C:\Windows\system32\drivers\mouhid.sys
2008-02-13 15:49 15,872 ----a-w C:\Windows\system32\drivers\kbdhid.sys
2008-02-13 15:47 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-13 15:47 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-13 15:47 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-13 15:47 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-02-13 15:47 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-13 15:42 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-09 01:46 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-02-09 01:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-01 12:50 --------- d-----w C:\Users\Sharon\AppData\Roaming\Grisoft
2008-02-01 12:48 --------- d-----w C:\ProgramData\Grisoft
2008-01-31 17:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-31 11:42 --------- d-----w C:\Program Files\Google
2007-08-29 11:31 174 --sha-w C:\Program Files\desktop.ini
2007-04-02 22:25 22 --sha-w C:\Windows\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-30 20:34 171448]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 20:15 221184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-10 18:02 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 08:42 65536]
"KBD"="C:\HP\KBD\KbdStub.EXE" [2006-12-08 10:16 65536]
"ATICCC"="c:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-11 20:12 90112]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 06:52 4702208 C:\Windows\RtHDVCpl.exe]
"DPService"="C:\Program Files\HP\DVDPlay\DPService.exe" [2006-11-08 02:52 81920]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 02:11 49152]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 22:37 579072]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 18:52 849280]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 09:04 219136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-05-21 18:29 9216 C:\Windows\System32\avgwlntf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1925650744-2817293247-260502016-1000]
"EnableNotificationsRef"=dword:00000002
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{12BF8921-9B8D-466C-B0F1-643B65412963}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{24B9FCBD-B393-4379-B8BE-A58A16430EA2}"= Profile=Private|C:\Program Files\HP Connections\6811507\Program\HP Connections:HP Connections
"{52E05E6F-F5DE-4E4E-8392-832B1C19FB76}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{1CB6A675-5CBB-4160-944B-30E70D88D9E0}"= TCP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{9B4C4B1C-3BBE-4F28-9CA5-B464E55596A4}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{0D1ED38A-DA50-43E6-84C9-FDC60A2B9DB1}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F34996C1-9727-455D-BEA6-8BA77EE0F3D0}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A7228EED-0CCF-4702-B47D-B98B611AC286}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{1F6B5D47-348D-455F-AA1B-9AD9DED45919}"= Disabled:UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{F715E5F2-8AFE-49D4-B436-01B9D38330D9}"= Disabled:TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{A65FCD18-131C-4A43-BB86-3BDE718AEB0E}"= Disabled:UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{C9D63C3B-D14B-494C-B8A1-61FDFA4A3227}"= Disabled:TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{7E4B6C7F-850B-4B0B-9AC9-521566071239}"= Disabled:C:\Program Files\HP Connections\6811507\Program\HP Connections:HP Connections
"{FFCD0C8F-7AD1-40DA-A2FE-290ADF04CFC6}"= Disabled:UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{F68D33E1-C4DF-40C4-B135-B37517A4B8D1}"= Disabled:TCP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{A11176A8-BA04-47E7-8BFB-26C30F27B29F}"= Disabled:UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C738BFDC-A81B-49F6-9519-3E9E1E625198}"= Disabled:TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{2B97359F-79AE-40F0-8CCC-710BCA227ADD}"= UDP:C:\Program Files\Grisoft\AVG7\avgcc.exe:AVG Control Center
"{AD1FBD97-05C0-4788-9858-2FD3C20AFDCD}"= TCP:C:\Program Files\Grisoft\AVG7\avgcc.exe:AVG Control Center
"{78F86F2C-E662-437C-8C40-01BFE2B7116E}"= UDP:C:\Program Files\Grisoft\AVG7\avgw.exe:AVG Test Center
"{6EE75342-707C-4038-A91E-77DC82DCFFC8}"= TCP:C:\Program Files\Grisoft\AVG7\avgw.exe:AVG Test Center
"{B0459409-B99C-40A7-904E-D6A10580EAF9}"= UDP:C:\Program Files\Grisoft\AVG7\avgvv.exe:AVG Virus Vault
"{2F520A35-D8BC-4C37-9399-2DDD9AECFBD5}"= TCP:C:\Program Files\Grisoft\AVG7\avgvv.exe:AVG Virus Vault
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Configurable\System]
"Rip-Listener-1"= TCP:520|%SystemRoot%\System32\svchost.exe|Svc=iprip:@iprip.dll,-200|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
"SNMP-1"= TCP:%SystemRoot%\system32\snmp.exe|Svc=SNMP:@%SystemRoot%\system32\snmp.exe,-5|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
R0 AtiPcie;ATI PCI Express (3GIO) Filter;C:\Windows\system32\DRIVERS\AtiPcie.sys [2006-11-03 10:29]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 12:43]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-08-07 06:26]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-06-13 20:28]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-13 08:41]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-06-13 20:28]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
rsmsvcs REG_MULTI_SZ ntmssvc
ipripsvc REG_MULTI_SZ iprip
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48bf4476-cead-11dc-9f1f-e25ab51505b4}]
\shell\AutoRun\command - H:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-21 00:10:55 C:\Windows\Tasks\User_Feed_Synchronization-{4A322068-0DD0-40F9-A585-52DB6EEF200B}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-03-20 19:21:23
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Windows\System32\tcpsvcs.exe
C:\Windows\System32\snmp.exe
C:\Windows\system32\DRIVERS\xaudio.exe
c:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\hp\kbd\kbd.exe
.
**************************************************************************
.
Completion time: 2008-03-20 19:23:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-21 00:23:29