ComboFix 09-10-11.01 - HP_Owner 10/11/2009 15:44.15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.353 [GMT -7:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FILE ::
"c:\documents and settings\All Users\Application Data\Weemi\weemi121.exe"
"c:\program files\Weemi\weemi.dll"
.
((((((((((((((((((((((((( Files Created from 2009-09-11 to 2009-10-11 )))))))))))))))))))))))))))))))
.
2009-10-10 06:45 . 2009-10-10 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-10-09 16:20 . 2009-10-09 16:20 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\WeatherBug
2009-10-09 16:20 . 2009-10-09 16:20 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\WeatherBug
2009-10-09 16:18 . 2009-10-10 12:55 -------- d-----w- c:\program files\Weemi
2009-10-09 16:18 . 2009-10-10 22:53 -------- d-----w- c:\program files\Free Offers from Freeze.com
2009-10-09 05:26 . 2009-10-09 05:26 -------- d-----w- c:\program files\Games
2009-09-22 08:07 . 2009-09-22 08:07 691420 ----a-w- c:\windows\system32\Client.exe
2009-09-21 02:11 . 2009-09-21 02:11 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\V-Games
2009-09-18 21:19 . 2009-09-18 21:22 -------- d-----w- c:\program files\Nancy Drew Dossier - Resorting to Danger
2009-09-18 03:36 . 2009-10-03 04:01 45 ----a-w- c:\documents and settings\HP_Owner\jagex_runescape_preferences2.dat
2009-09-18 03:36 . 2009-10-03 04:06 38 ----a-w- c:\documents and settings\HP_Owner\jagex_runescape_preferences.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-11 04:24 . 2009-03-01 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-10 22:18 . 2009-03-01 00:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-10 09:46 . 2008-12-09 01:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-09 22:58 . 2008-12-09 10:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek
2009-10-09 05:29 . 2008-10-05 22:01 -------- d-----w- c:\program files\Diablo II
2009-10-09 02:23 . 2008-12-09 01:19 -------- d-----w- c:\program files\bfgclient
2009-10-09 02:22 . 2008-12-09 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-10-09 00:43 . 2009-04-06 06:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 10:47 . 2009-04-02 09:55 -------- d-----w- c:\program files\support.com
2009-09-20 02:51 . 2009-07-01 00:35 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\ERS G-Studio
2009-09-18 07:26 . 2009-01-06 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2009-09-17 23:32 . 2009-08-29 22:39 -------- d-----w- c:\program files\Princess Isabella A Witch's Curse
2009-09-10 21:54 . 2009-04-06 06:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-04-06 06:05 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 00:47 . 2009-03-03 01:22 -------- d-----w- c:\program files\Google
2009-09-07 02:00 . 2009-01-07 02:06 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Big Fish Games
2009-09-05 00:44 . 2009-09-17 23:38 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-05 00:44 . 2009-09-17 23:38 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-05 00:44 . 2009-09-17 23:38 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-05 00:29 . 2009-09-17 23:38 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-08-26 11:13 . 2005-02-22 00:34 33968 -c--a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 04:27 . 2004-12-29 22:03 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Apple Computer
2009-08-26 04:26 . 2008-08-29 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-26 04:24 . 2009-08-26 04:23 -------- d-----w- c:\program files\iTunes
2009-08-26 04:24 . 2009-08-26 04:24 -------- d-----w- c:\program files\iPod
2009-08-26 04:24 . 2008-08-29 22:01 -------- d-----w- c:\program files\Common Files\Apple
2009-08-26 04:21 . 2009-08-26 04:20 -------- d-----w- c:\program files\QuickTime
2009-08-25 03:08 . 2009-08-25 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Princess Isabella
2009-08-22 03:20 . 2009-08-22 03:20 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Batovi
2009-08-14 22:35 . 2009-08-14 22:35 -------- d-----w- c:\program files\MSBuild
2009-08-14 22:35 . 2009-08-14 22:35 -------- d-----w- c:\program files\Reference Assemblies
2009-08-14 03:45 . 2009-08-14 03:45 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\she_is_a_shadow
2009-08-13 01:12 . 2009-08-13 01:12 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\SulusGames
2009-08-13 01:12 . 2009-08-13 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SulusGames
2009-08-07 02:24 . 2004-09-20 02:21 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2004-09-20 02:21 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2005-05-26 11:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2004-12-30 03:09 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2004-09-20 02:21 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2004-09-20 03:11 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2004-09-20 02:21 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2008-06-10 02:37 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23 . 2008-06-10 02:37 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 02:23 . 2004-09-20 02:21 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 20:12 . 2009-04-14 18:57 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2004-09-20 02:19 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 12:23 . 2008-12-22 15:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-09-20 03:11 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-09-20 02:21 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2005-12-16 16:11 . 2005-12-16 16:11 996968 ----a-w- c:\program files\aolsetup.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2005-05-28 02:15 . 2005-05-28 02:15 0 -csha-w- c:\windows\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-10-11_12.04.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-11 22:54 . 2009-10-11 22:54 16384 c:\windows\temp\Perflib_Perfdata_7d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/14/2009 12:10 PM 108289]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [5/12/2006 11:33 PM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [5/12/2006 11:33 PM 3904]
S2 gupdate1c99b9e8f903320;Google Update Service (gupdate1c99b9e8f903320);c:\program files\Google\Update\GoogleUpdate.exe [3/2/2009 6:22 PM 133104]
S2 Weemi Service;Weemi Service;"c:\documents and settings\All Users\Application Data\Weemi\weemi121.exe" "c:\program files\Weemi\weemi.dll" Service --> c:\documents and settings\All Users\Application Data\Weemi\weemi121.exe [?]
S3 BCM42U;USB HPNA 10 Mbps Network Adapter Driver;c:\windows\system32\drivers\bcm42u.sys [4/4/2008 1:04 AM 66557]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\RTL8180.sys [3/18/2004 1:26 PM 185216]
.
Contents of the 'Scheduled Tasks' folder
2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2009-10-11 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-03 01:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\6rwwrgi5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-11 15:54
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2528)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\nexon\Mabinogi\npkcmsvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\wanmpsvc.exe
.
**************************************************************************
.
Completion time: 2009-10-11 16:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-11 23:03
ComboFix2.txt 2009-10-11 12:12
ComboFix3.txt 2009-04-13 23:03
Pre-Run: 8,782,032,896 bytes free
Post-Run: 8,743,329,792 bytes free
209 --- E O F --- 2009-09-10 05:02