ComboFix 09-05-31.06 - Janet Duross 06/01/2009 23:14.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.565 [GMT -4:00]
Running from: c:\documents and settings\Janet Duross\My Documents\Combo-Fix.exe
Command switches used :: c:\documents and settings\Janet Duross\Desktop\CFScript.txt
AV: Defender Pro Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Defender Pro Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Janet Duross\Application Data\tgbqnoae
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\profiles.ini
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\cert8.db
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\compatibility.ini
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\compreg.dat
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\cookies.sqlite
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\formhistory.sqlite
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\key3.db
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\localstore.rdf
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\parent.lock
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\permissions.sqlite
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\places.sqlite-journal
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\places.sqlite-stmtjrnl
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\places.sqlite
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\pluginreg.dat
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\prefs.js
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\secmod.db
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\webappsstore.sqlite
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\xpti.dat
c:\documents and settings\Janet Duross\Local Settings\Application Data\tgbqnoae
c:\documents and settings\Janet Duross\Local Settings\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\urlclassifier3.sqlite
c:\documents and settings\Janet Duross\Local Settings\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\XPC.mfl
c:\documents and settings\NetworkService\Application Data\tgbqnoae
c:\documents and settings\NetworkService\Application Data\tgbqnoae\profiles.ini
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\cert8.db
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\compatibility.ini
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\compreg.dat
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\cookies.sqlite
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\formhistory.sqlite
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\key3.db
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\localstore.rdf
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\permissions.sqlite
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\places.sqlite
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\pluginreg.dat
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\prefs.js
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\secmod.db
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\webappsstore.sqlite
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\xpti.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\tgbqnoae
c:\documents and settings\NetworkService\Local Settings\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\urlclassifier3.sqlite
c:\documents and settings\NetworkService\Local Settings\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\XPC.mfl
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MWFMFIBC
((((((((((((((((((((((((( Files Created from 2009-05-02 to 2009-06-02 )))))))))))))))))))))))))))))))
.
2009-06-01 21:00 . 2009-06-01 21:47 81984 ----a-w- c:\windows\system32\bdod.bin
2009-06-01 20:12 . 2009-06-01 20:12 -------- d-----w- c:\windows\system32\LogFiles
2009-06-01 16:48 . 2009-06-01 16:48 -------- d-----w- c:\program files\Trend Micro
2009-06-01 04:11 . 2009-06-01 21:48 -------- d-----w- c:\program files\Common Files\BitDefender
2009-05-31 23:59 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-05-31 23:59 . 2008-10-16 18:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-05-31 21:11 . 2009-05-31 21:11 -------- d-----w- c:\documents and settings\Janet Duross\Application Data\Template
2009-05-31 20:59 . 2009-05-31 20:59 -------- d-----w- c:\documents and settings\Janet Duross\Local Settings\Application Data\Mozilla
2009-05-31 20:56 . 2009-05-31 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-05-31 19:21 . 2009-05-31 19:21 -------- d-----w- c:\program files\Common Files\PC Tools
2009-05-31 01:37 . 2004-12-07 14:11 258352 ----a-w- c:\windows\system32\unicows.dll
2009-05-31 01:37 . 2006-09-11 15:56 526184 ----a-w- c:\windows\system32\XceedCry.dll
2009-05-31 01:37 . 2006-12-21 19:18 497496 ----a-w- c:\windows\system32\XceedZip.dll
2009-05-31 01:37 . 2006-09-11 15:53 276352 ----a-w- c:\windows\system32\XceedSco.dll
2009-05-30 18:41 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-30 18:41 . 2009-05-30 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-30 18:41 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-30 17:35 . 2009-05-30 17:35 -------- d-----w- c:\documents and settings\Janet Duross\Option
2009-05-30 03:07 . 2009-05-30 03:07 193 ----a-w- c:\documents and settings\Janet Duross\Application Data\asd.bat
2009-05-23 04:13 . 2009-05-23 04:13 -------- d-----w- c:\documents and settings\Janet Duross\Local Settings\Application Data\Identities
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 20:22 . 2008-10-29 01:22 -------- d-----w- c:\program files\Java
2009-06-01 20:06 . 2009-03-29 04:21 -------- d-----w- c:\documents and settings\Janet Duross\Application Data\Symantec
2009-06-01 20:06 . 2008-10-29 01:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-01 20:04 . 2008-10-29 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-01 19:47 . 2008-10-29 01:30 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-01 07:01 . 2008-10-29 01:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-31 21:11 . 2009-05-31 21:11 0 ----a-w- c:\documents and settings\Janet Duross\Application Data\wklnhst.dat
2009-05-31 21:05 . 2008-10-29 01:17 -------- d-----w- c:\program files\Microsoft.NET
2009-05-31 20:20 . 2008-10-29 01:09 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2009-03-30 23:35 . 2008-10-29 00:51 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-29 05:20 . 2009-03-29 05:20 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-29 04:47 . 2009-03-29 04:46 57261736 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4337.29.1\setup.exe
2009-03-29 04:46 . 2009-03-29 04:46 335 ----a-w- c:\windows\nsreg.dat
2009-03-29 04:22 . 2009-03-29 04:22 60664 ----a-w- c:\documents and settings\Janet Duross\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:22 . 2008-04-14 22:00 284160 ----a-w- c:\windows\system32\pdh.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-06-01_22.03.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-02 03:17 . 2009-06-02 03:17 16384 c:\windows\temp\Perflib_Perfdata_70.dat
+ 2008-10-29 01:34 . 2009-06-01 22:07 63016 c:\windows\system32\perfc009.dat
- 2008-10-29 01:34 . 2009-06-01 21:14 63016 c:\windows\system32\perfc009.dat
+ 2008-10-29 01:34 . 2009-06-01 22:07 402406 c:\windows\system32\perfh009.dat
- 2008-10-29 01:34 . 2009-06-01 21:14 402406 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-25 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-25 81920]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-09-25 210216]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-07-10 421888]
"HostManager"="c:\program files\Common Files\AOL\1238302172\ee\AOLSoftware.exe" [2008-11-06 41264]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-02-25 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-16 16862720]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\Client\\Agentsvc.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\BackupSvc.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\SchedulerSvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1238302172\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [3/3/2008 5:11 PM 16384]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [4/7/2008 2:42 AM 50424]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [4/4/2008 7:03 AM 131072]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - UBHELPER
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.yahoo.com/
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=0&o=xph&d=0309&m=el1200-06w
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-01 23:17
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SAVRT]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SNDSrvc]
"ImagePath"="-"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\aol\acs\AOLacsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-02 23:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-02 03:19
ComboFix2.txt 2009-06-01 22:05
Pre-Run: 64,958,488,576 bytes free
Post-Run: 64,997,990,400 bytes free
192 --- E O F --- 2009-06-01 07:01