second half
((((((((((((((((((((((((((((( SnapShot@2009-02-08_ 0.22.52.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-08 00:18:37 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-02-08 00:26:37 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-02-08 00:18:37 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-02-08 00:26:37 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-02-08 00:22:36 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-08 00:27:42 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-08 00:27:42 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2009-02-08 00:22:13 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-08 00:31:39 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-08 00:31:39 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2009-02-08 00:19:04 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-02-08 00:26:49 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-08 00:19:04 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-08 00:26:49 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-08 00:19:04 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-08 00:26:49 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-02-07 23:54:56 105,448 ----a-w c:\windows\System32\perfc009.dat
+ 2009-02-08 00:25:34 105,448 ----a-w c:\windows\System32\perfc009.dat
- 2009-02-07 23:54:56 599,942 ----a-w c:\windows\System32\perfh009.dat
+ 2009-02-08 00:25:34 599,942 ----a-w c:\windows\System32\perfh009.dat
- 2009-02-08 00:20:39 4,250 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2281326815-2613409842-3194628472-1000_UserData.bin
+ 2009-02-08 00:28:34 4,274 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2281326815-2613409842-3194628472-1000_UserData.bin
- 2009-02-08 00:20:39 70,452 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-02-08 00:28:34 70,532 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-02-08 00:20:37 38,548 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-02-08 00:28:33 38,858 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmpcSys"="c:\program files\PACKARD BELL\SetUpMyPC\SmpSys.exe" [2008-07-07 1038136]
"c:\program files\NetMeter\NetMeter.exe"="c:\program files\NetMeter\NetMeter.exe" [2007-08-11 331264]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-19 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2005-04-20 894464]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmpcSys"="c:\program files\Packard Bell\SetupMyPC\SmpSys.exe" [2008-07-07 1038136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-01-23 30192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13580832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 92704]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-29 1601304]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-19 136600]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-11-20 178688]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-07-11 188416]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"InkSaver"="c:\program files\InkSaver\InkSaver.exe" [2006-08-28 589824]
"RtHDVCpl"="RtHDVCpl.exe" [2008-06-26 c:\windows\RtHDVCpl.exe]
c:\users\Reg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
SpeedTester.lnk - c:\users\Reg\AppData\Roaming\Microsoft\Installer\{32729FF3-AD6A-45CC-8E55-E1916420F7F1}\_7EA94809FE219030A883C8.exe [2009-01-29 33610]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E54729E8-BB3D-4270-9D49-7389EA579090}"= "c:\windows\system32\EZUPBH~1.DLL" [2009-01-19 49152]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL avgrsstx.dll c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mjpg"= pvmjpg30.dll
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FDB8CDD3-8D5A-4259-84DF-B48EEAD94B67}"= Disabled:UDP:c:\program files\Adobe\Photoshop Elements 6.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{B2C899D1-332C-465D-9D99-2B9334545E45}"= Disabled:TCP:c:\program files\Adobe\Photoshop Elements 6.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{14DF0DC8-6864-43F5-A2AA-45D80107B642}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F90DED55-3F1D-41B2-A5D1-FB82BB7E844F}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{15AE5B2B-8FC8-4208-826B-D87FF9BC1A05}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{AA264E32-AF85-4FF1-AADF-0F1597D65916}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"TCP Query User{15F0C08A-1539-4A2A-AB00-81CF19B7B237}c:\\program files\\packard bell\\updator\\pbupdator.exe"= UDP:c:\program files\packard bell\updator\pbupdator.exe:Packard Bell Updator
"UDP Query User{5CA246E7-771C-4702-92F2-2ABA6185EC6D}c:\\program files\\packard bell\\updator\\pbupdator.exe"= TCP:c:\program files\packard bell\updator\pbupdator.exe:Packard Bell Updator
"{5EC5DDF1-95CC-4009-921B-0ED29428A0C7}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\RM.exe:Render Manager
"{C03CC9F1-0852-4324-BCC2-CF9B853499E9}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\RM.exe:Render Manager
"{C51224E4-36A0-462D-9012-EF2441104508}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\Studio.exe:Studio
"{C87D04F8-C94D-4753-829A-223E3D5D9B2C}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\Studio.exe:Studio
"{0EA94986-3389-4BBA-8DA8-E3425609E9AE}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\umi.exe:umi
"{CDED82D2-EA22-4DEA-A787-F83CD10007A1}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\umi.exe:umi
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [2009-02-07 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2009-01-19 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2009-01-29 107272]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-10 124832]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-19 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-19 298264]
R2 ETService;Empowering Technology Service;c:\program files\PACKARDBELL\Packard Bell Recovery Management\Service\ETService.exe [2008-10-30 24576]
R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [2008-01-21 21504]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [2008-07-31 44576]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-10-30 30192]
S3 Partner Service;Partner Service;c:\programdata\Partner\partner.exe [2009-01-19 110576]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{436c037e-e62b-11dd-b0fd-0021979ea0e6}]
\shell\AutoRun\command - I:\Autorun.exe
.
Contents of the 'Scheduled Tasks' folder
2009-01-26 c:\windows\Tasks\EasyShare Registration Task.job
- c:\progra~2\Kodak\EasyShareSetup\$REGIS~1\Registration_7.9.30.1.sxt _RegistrationOffer@16 []
2009-02-08 c:\windows\Tasks\Recovery DVD Creator-Reg.job
- c:\program files\Packard Bell\SetupMyPc\MCDCheck.exe [2008-07-07 15:25]
.
.
------- Supplementary Scan -------
.
uStart Page =
hxxp://www.orange.co.uk/mStart Page =
hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&s=1&o=vp32&d=1008&m=imedia_x2416IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath -
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2009-02-08 00:31:49
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-02-08 0:33:13
ComboFix-quarantined-files.txt 2009-02-08 00:33:11
ComboFix2.txt 2009-02-08 00:24:03
Pre-Run: 404,573,351,936 bytes free
Post-Run: 404,540,284,928 bytes free
328 --- E O F --- 2009-02-05 20:16:59