ComboFix 09-09-14.02 - wArDeQ 15/09/2009 21:03.3.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526.763 [GMT 4:00]
Running from: c:\documents and settings\wArDeQ\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Admin\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
c:\documents and settings\Admin\Application Data\Microsoft\Installer\{E9757890-7EC5-46C8-99AB-B00F07B6525C}\NewShortcut2_E97578907EC546C899ABB00F07B6525C.exe
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\windows\Installer\56b775d.msp
c:\windows\Installer\58e55.msp
c:\windows\Installer\5b1202e.msp
c:\windows\Installer\6670159.msi
c:\windows\Installer\84d05.msi
c:\windows\Installer\99ef3.msi
c:\windows\Installer\99ef8.msi
c:\windows\Installer\d069e3.msp
c:\windows\Installer\d069e4.msp
c:\windows\Installer\d069e5.msp
c:\windows\Installer\d069e6.msp
c:\windows\Installer\d069e7.msp
c:\windows\Installer\d069e8.msp
c:\windows\Installer\d069e9.msp
c:\windows\Installer\d069ea.msp
c:\windows\Installer\d069eb.msp
c:\windows\kb913800.exe
c:\windows\Winhjps.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_gaopdxserv.sys
-------\Service_gaopdxserv.sys
((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
.
2009-09-10 15:47 . 2009-09-10 15:47 -------- d-----w- c:\documents and settings\wArDeQ\Application Data\Octoshape
2009-09-04 09:51 . 2009-09-04 09:51 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Apple Computer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-13 10:15 . 2008-12-02 04:36 10 ----a-w- c:\windows\popcinfo.dat
2009-07-25 01:23 . 2008-12-04 06:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-06-25 17:26 . 2006-08-17 16:48 165464 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
1999-04-30 12:00 . 2008-02-17 10:54 98304 ----a-w- c:\program files\internet explorer\plugins\UPjpeg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2008-10-08 173368]
[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2008-10-08 08:22 1172792 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-10-08 1172792]
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-10-08 1172792]
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-02-11 801904]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2009-09-09 653104]
"Octoshape Streaming Services"="c:\documents and settings\wArDeQ\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-08 70936]
"d:\software\NetMeter\NetMeter.exe"="d:\software\NetMeter\NetMeter.exe" [2004-03-05 266240]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"preload"="c:\windows\RUNXMLPL.exe" [2005-05-19 32768]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-07-25 32768]
"LManager"="c:\program files\Launch Manager\HotkeyApp.exe" [2006-04-20 69632]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2005-07-25 241664]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2006-04-20 86016]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-01-20 3080192]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-14 124656]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-06-15 49152]
"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2006-06-14 36864]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2009-02-15 111928]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-04-14 344064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2005-12-19 15797248]
c:\documents and settings\Admin\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-5-15 479232]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
c:\documents and settings\wArDeQ\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office 2002\Office10\OSA.EXE [2001-2-13 83360]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-2-14 118784]
Watch.lnk - c:\program files\DV Series\Console\Watch.exe [2008-2-17 217088]
Ulead Photo Express Calendar Checker For My Custom Edition.lnk - c:\program files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe [2008-2-17 57344]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\JustVoip.com\\JustVoip\\JustVoip.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\Groove.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\onenote.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Documents and Settings\\wArDeQ\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\pmb.exe"=
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26/02/2009 11:53 102448]
S1 mailKmd;mailKmd; [x]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [24/11/2008 22:22 27904]
S3 PAC7311;LIFE CAM 330;c:\windows\system32\drivers\PA707UCM.SYS [18/10/2005 11:48 154752]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [15/06/2006 01:40 115952]
S3 SI15CI;SI15CI;\??\c:\elements\1stboot\Blueth\SI15CI.SYS --> c:\elements\1stboot\Blueth\SI15CI.SYS [?]
.
Contents of the 'Scheduled Tasks' folder
2009-09-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 08:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.my.acer.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\wArDeQ\Application Data\Mozilla\Firefox\Profiles\urlw4fx9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\wArDeQ\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPFxViewer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
AddRemove-Adobe PageMaker 7.0 - c:\windows\ISUNINST.EXE -fc:\program files\Adobe\PageMaker 7.0\Uninst.isu
AddRemove-HP Color LaserJet CM1015_CM1017 - c:\program files\HP\Digital Imaging\{102D2FC6-F041-4D89-80BE-47CD9080850D}\setup\hpzscr01.exe -datfile hppscr06.dat
AddRemove-Ulead COOL 360 1.0 - c:\windows\IsUninst.exe -fc:\program files\Ulead Systems\Ulead COOL 360\Uninst.isu
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-15 21:12
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3236)
c:\program files\SweetIM\Messenger\mgAdaptersProxy.dll
c:\windows\system32\MSNChatHook.dll
c:\windows\system32\sysenv.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.922_x-ww_92403109\MFC80ENU.DLL
c:\progra~1\WINDOW~3\wmpband.dll
c:\acer\Empowering Technology\ePower\SysHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\INTEL\WIRELESS\BIN\EVTENG.EXE
c:\program files\INTEL\WIRELESS\BIN\S24EVMON.EXE
c:\program files\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
c:\program files\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
c:\acer\EMPOWERING TECHNOLOGY\ADMSERV.EXE
c:\program files\WIDCOMM\BLUETOOTH SOFTWARE\BIN\BTWDINS.EXE
c:\program files\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
c:\windows\EHOME\EHRECVR.EXE
c:\windows\EHOME\EHSCHED.EXE
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\program files\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
c:\program files\INTEL\WIRELESS\BIN\REGSRVC.EXE
c:\program files\SYMANTEC ANTIVIRUS\RTVSCAN.EXE
c:\windows\EHOME\MCRDSVC.EXE
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\wbem\unsecapp.exe
c:\docume~1\wArDeQ\LOCALS~1\Temp\RtkBtMnt.exe
.
**************************************************************************
.
Completion time: 2009-09-15 21:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-15 17:17
ComboFix2.txt 2008-12-03 20:45
ComboFix3.txt 2008-12-03 19:40
Pre-Run: 16,514,449,408 bytes free
Post-Run: 16,411,099,136 bytes free
227 --- E O F --- 2009-03-21 17:02