ComboFix 08-06-01.3 - HP_Owner 2008-06-01 16:23:55.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.623 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\My Stuff\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\302.exe
C:\deskbar_e34.exe
C:\Documents and Settings\HP_Owner\Application Data\apphash.dat
C:\WINDOWS\Duce6.exe
C:\WINDOWS\keyboard41.dat
C:\WINDOWS\system32\__c008070E.exe
C:\WINDOWS\system32\__c00D96D9.exe
C:\WINDOWS\system32\__c00DA288.exe
C:\WINDOWS\system32\__c00E52F7.dat
.
((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.
2008-05-31 16:48 . 2008-05-31 16:48 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-31 16:40 . 2008-05-31 17:13 <DIR> d-------- C:\SDFix
2008-05-30 22:15 . 2008-05-30 22:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-27 22:44 . 2008-05-31 16:40 5,120 --a------ C:\Documents and Settings\HP_Owner\ftp34.dll
2008-05-27 22:40 . 2008-05-31 16:40 5,120 --a------ C:\WINDOWS\system32\ftp34.dll
2008-05-27 22:40 . 2008-05-31 16:24 5,120 --a------ C:\Documents and Settings\LocalService\ftp34.dll
2008-05-27 21:42 . 2008-05-29 11:54 34,329 --ahs---- C:\WINDOWS\system32\iewmainx.ini
2008-05-23 20:47 . 2008-05-25 16:17 <DIR> d-------- C:\Program Files\LiveAntispy
2008-05-17 20:50 . 2008-05-17 20:50 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-11 21:29 . 2001-06-20 10:04 21 --a------ C:\WINDOWS\VI_setup.ini
2008-05-11 21:28 . 2001-10-16 10:23 163,840 --a------ C:\WINDOWS\system32\PhotoImpression Screen Saver.scr
2008-05-11 21:27 . 2008-05-11 21:29 <DIR> d-------- C:\Program Files\ArcSoft
2008-05-11 21:27 . 1999-05-26 09:46 212,480 --a------ C:\WINDOWS\pcdlib32.dll
2008-05-11 21:27 . 2002-03-25 10:12 21 --a------ C:\WINDOWS\PI4_setup.ini
2008-05-11 21:05 . 2005-07-13 11:08 33,890 --a------ C:\WINDOWS\system32\drivers\Capt905c.sys
2008-05-11 21:05 . 2005-04-13 15:21 24,605 --a------ C:\WINDOWS\system32\drivers\Camd905c.sys
2008-05-03 16:16 . 2008-01-14 16:58 19,840 --a------ C:\WINDOWS\system32\drivers\StMp3Rec.sys
2008-05-03 16:15 . 2008-05-03 16:16 <DIR> d-------- C:\Program Files\Philips
2008-05-03 16:14 . 2008-05-03 16:14 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\InstallShield
2008-05-02 18:26 . 2008-06-01 16:29 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\mjusbsp
2008-05-02 18:18 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-05-02 18:18 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-05-02 18:18 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-05-02 18:18 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 11:05 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Azureus
2008-05-28 04:32 --------- d-----w C:\Program Files\SpeedFan
2008-05-28 04:15 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-05-28 00:19 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AVG7
2008-05-24 19:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-23 12:47 --------- d-----w C:\Program Files\IEPro
2008-05-23 12:46 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\IEPro
2008-05-23 00:38 --------- d-----w C:\Program Files\Diablo II
2008-05-15 10:54 --------- d-----w C:\Program Files\Microsoft Games
2008-05-12 01:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-08 07:51 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\LimeWire
2008-04-28 16:55 --------- d-----w C:\Program Files\Microsoft Works
2008-04-27 04:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
2008-04-21 04:18 --------- d-----w C:\Program Files\Azureus
2008-04-09 02:29 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\InterVideo
2008-04-02 02:43 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\DivX
2008-04-02 00:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-01 23:12 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-04-01 02:23 --------- d-----w C:\Program Files\DivX
2008-04-01 02:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\DFX
2008-04-01 02:22 --------- d-----w C:\Program Files\DFX
2008-04-01 02:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-01 01:21 --------- d-----w C:\Program Files\LimeWire
2006-07-27 12:43 22 ----a-w C:\Program Files\AOL Compressed (zipped) Folder.zip
2005-09-13 18:02 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((( snapshot@2008-06-01_16.13.19.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 20:06:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 20:26:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2004-08-04 12:00:00 294,400 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll
+ 2008-02-26 11:59:50 294,912 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll
- 2004-08-04 12:00:00 294,400 ----a-w C:\WINDOWS\system32\MSCTF.dll
+ 2008-02-26 11:59:50 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"cdloader"="C:\Documents and Settings\HP_Owner\Application Data\mjusbsp\cdloader2.exe" [2007-12-21 10:39 50520]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 16:45 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 08:31:38 241664]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2004-08-12 00:20:09 16423]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlliji]
pmnlliji.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00E52F7]
C:\WINDOWS\system32\__c00E52F7.dat
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\mIRC(2)\\mirc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Wesnoth 1.3.19\\wesnothd.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=
"C:\\Documents and Settings\\HP_Owner\\Application Data\\mjusbsp\\magicJack.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autorun.exe
\Shell\directx\command - E:\DirectX9\dxsetup.exe
\Shell\setup\command - E:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\autorun.exe
\Shell\phone\command - J:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-06-01 20:00:00 C:\WINDOWS\Tasks\AC2BF16091846440.job"
- c:\docume~1\hp_owner\applic~1\helpth~1\holdcreativedrv.exe
"2008-05-19 01:23:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-01 20:14:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2004-08-12 06:16:38 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-06-01 16:27:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Documents and Settings\HP_Owner\Application Data\mjusbsp\ar00000\mjsetup.exe
C:\Documents and Settings\HP_Owner\Application Data\mjusbsp\magicJack.exe
.
**************************************************************************
.
Completion time: 2008-06-01 16:33:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-01 20:33:03
ComboFix2.txt 2008-06-01 20:13:41
Pre-Run: 3,143,061,504 bytes free
Post-Run: 3,115,077,632 bytes free
166 --- E O F --- 2008-06-01 20:23:21
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:39:08 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Documents and Settings\HP_Owner\Application Data\mjusbsp\magicJack.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\yt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\HP_Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -
http://cdn.scan.onec...lscbase9563.cab
O20 - Winlogon Notify: pmnlliji - pmnlliji.dll (file missing)
O20 - Winlogon Notify: __c00E52F7 - C:\WINDOWS\system32\__c00E52F7.dat (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 5568 bytes