ComboFix 09-06-13.01 - Owner 06/13/2009 14:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.504.166 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall 9.1.0.38 *disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\Autorun.inf
D:\Desktop.ini
.
((((((((((((((((((((((((( Files Created from 2009-05-13 to 2009-06-13 )))))))))))))))))))))))))))))))
.
2009-06-13 17:32 . 2009-06-13 17:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-06-13 17:32 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-13 17:32 . 2009-06-13 17:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-13 17:32 . 2009-06-13 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-13 17:32 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 00:59 . 2003-04-10 10:53 -------- d-----w- c:\documents and settings\Administrator.SHAMMY\Application Data\interMute
2009-06-12 00:59 . 2003-04-10 10:49 -------- d-----w- c:\documents and settings\Administrator.SHAMMY\Application Data\Sonic
2009-06-12 00:58 . 2009-06-13 14:45 -------- d-----w- c:\documents and settings\Administrator.SHAMMY
2009-06-11 23:54 . 2008-12-10 16:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-11 23:54 . 2009-06-13 14:45 -------- d-----w- c:\program files\Spyware Doctor
2009-06-10 22:54 . 2009-06-10 22:54 -------- d-----w- C:\qrnt
2009-06-10 22:54 . 2009-06-10 22:54 -------- d-----w- C:\CA
2009-06-08 20:18 . 2009-06-08 20:18 -------- d-----w- c:\windows\Windows Update Setup Files
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-13 18:26 . 2008-03-21 00:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-13 18:22 . 2007-11-24 22:51 70380 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2009-06-13 18:22 . 2007-11-24 22:51 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2009-06-13 18:22 . 2007-11-24 22:51 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2009-06-13 18:22 . 2007-11-24 22:51 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2009-06-13 18:22 . 2007-11-24 22:51 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2009-06-13 18:22 . 2007-11-24 22:51 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2009-06-13 18:22 . 2007-11-24 22:51 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2009-06-13 18:22 . 2007-11-24 22:51 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2009-06-13 14:46 . 2009-06-13 14:46 -------- d-----w- c:\documents and settings\Administrator.SHAMMY\Application Data\Symantec
2009-06-13 14:46 . 2009-06-13 14:46 -------- d-----w- c:\documents and settings\Administrator.SHAMMY\Application Data\SampleView
2009-06-13 14:46 . 2009-06-13 14:46 -------- d-----w- c:\documents and settings\Administrator.SHAMMY\Application Data\InterTrust
2009-06-13 14:45 . 2009-06-13 14:45 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-13 14:45 . 2009-06-13 14:45 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2009-06-13 14:45 . 2009-06-13 14:45 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-09 19:27 . 2005-12-25 14:04 -------- d-----w- c:\program files\Call of Duty Game of the Year Edition
2009-05-07 15:44 . 2008-11-15 15:09 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-06-18 03:49 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2008-11-15 15:09 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-10-16 21:18 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-19 22:58 . 2009-03-14 22:57 225 ----a-w- c:\windows\PowerReg.dat
2009-03-15 22:07 . 2009-03-15 22:07 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.0.52\SetupAdmin.exe
2007-10-29 23:26 . 2007-10-29 23:27 774144 ----a-w- c:\program files\RngInterstitial.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-17 22:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2004-10-13 1694208]
"Simple Star PhotoShow Media Manager"="c:\progra~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe" [2006-01-13 233472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"mSpotAlltelRemix"="c:\program files\Alltel Jump Music\Remix\msptcmd.exe" [2008-06-05 1531904]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 172032]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960]
"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE" [2001-10-02 77887]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-01-05 180269]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-08-20 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-11 136600]
"CAVRID"="c:\program files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2007-08-20 230664]
"SSP Notifier"="c:\program files\Fisher-Price\FP3 Player\sspnotifier.exe" [2006-07-12 20480]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2009-3-14 256000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Event Planner Reminders Tray Icon.lnk - c:\sierra\Planner\PLNRnote.exe [2004-11-28 172032]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2002-9-20 53248]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 19:30 79368 ----a-w- c:\windows\system32\UmxWNP.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:TCP"= 53:TCP:websrvx
"8085:TCP"= 8085:TCP:podmena
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [7/24/2007 6:00 PM 92176]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [5/18/2007 3:30 PM 61960]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [5/18/2007 3:30 PM 45064]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [7/24/2007 6:00 PM 114704]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [7/24/2007 6:00 PM 134160]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [5/18/2007 3:30 PM 63496]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [7/24/2007 6:00 PM 1034768]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [7/24/2007 6:37 PM 813840]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [5/18/2007 3:30 PM 275976]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [5/18/2007 3:30 PM 89096]
S2 mrtRate;mrtRate; [x]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2009-06-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-_Windows - c:\windows\WinSecurity\services.exe
HKLM-Run-Reminder - c:\windows\Creator\Remind_XP.exe
HKLM-Run-eTrustPPAP - c:\program files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
HKLM-Run-cctray - c:\documents and settings\all users\_qbothome\_qbotinj.exe
Notify-dimsntfy - (no file)
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://srch-qus8.hpwis.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://srch-qus8.hpwis.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: plexonline.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-13 14:23
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(408)
c:\program files\Softex\OmniPass\opxpgina.dll
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
- - - - - - - > 'lsass.exe'(464)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
- - - - - - - > 'explorer.exe'(1924)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Softex\OmniPass\omniServ.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vetmsg.exe
c:\program files\Softex\OmniPass\OPXPApp.exe
c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
c:\windows\system32\CF11272.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-06-13 14:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-13 18:37
Pre-Run: 88,169,947,136 bytes free
Post-Run: 88,692,457,472 bytes free
221 --- E O F --- 2009-06-12 01:48