ComboFix 09-09-22.02 - Ryan 09/22/2009 22:36.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1702 [GMT -5:00]
Running from: E:\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\13773904
c:\documents and settings\All Users\Application Data\13773904\13773904
c:\documents and settings\All Users\Application Data\13773904\13773904.exe
c:\documents and settings\All Users\Application Data\13773904\pc13773904ins
c:\windows\system32\11478.exe
c:\windows\system32\11942.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\32391.exe
c:\windows\system32\41.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9961.exe
c:\windows\system32\AVR09.exe
c:\windows\system32\critical_warning.html
c:\windows\system32\fujegifu.dll
c:\windows\system32\hetibesi.dll
c:\windows\system32\hoguyovu.dll.tmp
c:\windows\system32\kutozali.exe
c:\windows\system32\logon.exe
c:\windows\system32\mefibena.dll
c:\windows\system32\merilaro.dll
c:\windows\system32\puvelepu.dll
c:\windows\system32\rafesumu.dll.tmp
c:\windows\system32\rapirapi.dll
c:\windows\system32\siweviji.dll
c:\windows\system32\wavemile.dll
c:\windows\system32\wegafuhu.dll.tmp
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wuyojogi.dll
.
((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))
.
2009-09-13 12:17 . 2009-09-13 12:17 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-13 09:12 . 2009-09-13 09:12 -------- d-----w- c:\windows\system32\scripting
2009-09-13 09:12 . 2009-09-13 09:12 -------- d-----w- c:\windows\system32\en
2009-09-13 09:12 . 2009-09-13 09:12 -------- d-----w- c:\windows\l2schemas
2009-09-13 09:12 . 2009-09-13 09:12 -------- d-----w- c:\windows\system32\bits
2009-09-13 09:07 . 2009-09-13 09:07 -------- d-----w- c:\windows\EHome
2009-09-12 14:55 . 2009-09-12 14:55 -------- d-----w- c:\windows\Sun
2009-09-09 23:10 . 2009-09-09 23:10 127488 ----a-w- c:\windows\system32\T4 Quote Saver.scr
2009-09-09 23:10 . 2009-09-09 23:10 25600 ----a-w- c:\windows\system32\T4SIC.dll
2009-09-08 23:21 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-07 15:02 . 2009-09-07 15:04 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Google
2009-09-07 15:00 . 2009-09-07 15:02 -------- d-----w- c:\program files\Google
2009-09-07 14:54 . 2009-09-07 14:54 -------- d-----w- c:\documents and settings\Ryan\Application Data\Template
2009-09-07 11:20 . 2009-09-07 11:20 -------- d-sh--w- c:\documents and settings\Ryan\PrivacIE
2009-09-07 11:12 . 2009-09-07 11:12 -------- d-sh--w- c:\documents and settings\Ryan\IETldCache
2009-09-07 10:59 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-09-07 10:58 . 2009-09-07 10:58 -------- d-----w- c:\windows\ie8updates
2009-09-07 10:58 . 2009-07-19 23:48 11067392 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-09-07 10:58 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-09-07 10:58 . 2009-07-03 17:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-07 10:58 . 2009-07-03 17:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-07 10:58 . 2009-07-03 17:09 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-09-07 10:58 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-07 10:58 . 2009-09-07 10:58 -------- dc-h--w- c:\windows\ie8
2009-09-05 03:21 . 2009-09-05 03:21 -------- d-sh--w- c:\documents and settings\Ryan\UserData
2009-09-04 03:26 . 2009-09-04 03:26 -------- d-----w- c:\documents and settings\Ryan\Application Data\AdobeUM
2009-09-04 01:25 . 2009-09-04 03:25 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Adobe
2009-08-30 11:40 . 2009-09-13 09:11 -------- d-----w- c:\windows\ServicePackFiles
2009-08-30 11:39 . 2009-08-30 11:39 -------- d-----w- c:\program files\MSXML 4.0
2009-08-29 15:01 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2009-08-29 15:01 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-08-29 15:01 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-08-29 15:01 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-08-29 15:01 . 2009-02-06 10:39 35328 ------w- c:\windows\system32\dllcache\sc.exe
2009-08-29 15:01 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-08-29 15:01 . 2009-02-09 12:10 729088 ------w- c:\windows\system32\dllcache\lsasrv.dll
2009-08-29 15:01 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-08-29 15:01 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-08-29 15:01 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-08-29 15:01 . 2009-02-06 11:08 2189056 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-29 15:01 . 2009-02-06 11:06 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-29 15:01 . 2009-02-06 10:32 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-29 14:59 . 2009-08-29 14:59 127 ----a-w- c:\documents and settings\Ryan\Local Settings\Application Data\fusioncache.dat
2009-08-29 14:58 . 2009-08-29 14:58 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\CTS
2009-08-29 14:58 . 2009-08-29 14:58 -------- d-----w- c:\program files\CTS
2009-08-29 14:57 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-29 14:57 . 2009-06-10 14:19 2066432 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-08-29 14:57 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-08-29 14:57 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-08-29 14:57 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-08-29 14:57 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-08-29 14:57 . 2008-10-24 11:21 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-08-29 14:57 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2009-08-29 14:57 . 2008-12-11 10:57 333952 ------w- c:\windows\system32\dllcache\srv.sys
2009-08-29 14:57 . 2008-05-01 14:33 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2009-08-29 14:57 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-08-29 14:52 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-23 03:42 . 2009-03-07 19:23 -------- d-----w- c:\program files\Steam
2009-09-22 01:27 . 2009-06-22 01:27 49152 --sha-w- c:\windows\system32\fiwevoga.dll
2009-09-13 21:26 . 2008-06-23 18:55 37344 ----a-w- c:\documents and settings\Ryan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-07 14:54 . 2009-09-07 14:54 0 ----a-w- c:\documents and settings\Ryan\Application Data\wklnhst.dat
2009-09-07 08:01 . 2009-09-07 08:01 -------- d-----w- c:\program files\MSBuild
2009-09-07 08:01 . 2009-09-07 08:01 -------- d-----w- c:\program files\Reference Assemblies
2009-08-14 05:02 . 2009-08-14 00:57 -------- d-----w- c:\program files\Warcraft III
2009-08-14 01:04 . 2009-08-14 00:59 55618 ----a-w- c:\windows\War3Unin.dat
2009-08-14 01:04 . 2009-08-14 00:59 2829 ----a-w- c:\windows\War3Unin.pif
2009-08-14 01:04 . 2009-08-14 00:59 139264 ----a-w- c:\windows\War3Unin.exe
2009-08-05 09:01 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-10 18:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-17 19:01 . 2004-08-10 18:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-10 18:51 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-10 18:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-22 01:31 . 2009-06-22 01:31 49152 --sha-w- c:\windows\system32\sapawoma.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fde32ef9-7e44-452e-8f14-322f0cbf900b}]
2009-06-22 01:31 49152 --sha-w- c:\windows\system32\sapawoma.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"Steam"="c:\program files\Steam\Steam.exe" [2009-08-29 1217784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-07 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-08 7630848]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-07-02 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 212992]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-13 1117184]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-07-13 110592]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-08-18 999424]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-09-07 122368]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2008-2-6 921704]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
2005-12-23 02:08 450646 ----a-w- c:\windows\system32\PRISMAPI.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\Empire Interactive\\Strangelite\\Starship Troopers\\STGame.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\Warcraft III\\War3.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2/6/2008 2:09 PM 61526]
S3 jswmidin;jswmidin;\??\c:\docume~1\Ryan\LOCALS~1\Temp\jswmidin.sys --> c:\docume~1\Ryan\LOCALS~1\Temp\jswmidin.sys [?]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\progra~1\SMC\POWERL~1\PLCNDIS5.SYS [9/10/2002 6:44 PM 17018]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-09-23 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (COMP-Ryan).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2008-02-06 00:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-13773904 - c:\documents and settings\All Users\Application Data\13773904\13773904.exe
HKLM-Run-tarosejowa - fujegifu.dll
SharedTaskScheduler-{242aa567-f336-4a40-a31f-d36e11ae69c7} - c:\windows\system32\kuribuja.dll
SSODL-nagevekog-{242aa567-f336-4a40-a31f-d36e11ae69c7} - c:\windows\system32\kuribuja.dll
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-22 22:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\PRISMAPI.DLL
- - - - - - - > 'explorer.exe'(2872)
c:\windows\system32\WININET.dll
c:\progra~1\McAfee\SPAMKI~1\mskoeplg.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\progra~1\mcafee.com\vso\McVSSkt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\PRISMSVR.exe
c:\progra~1\McAfee.com\VSO\McVSEscn.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\McAfee.com\VSO\McShield.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\InstallShield\UpdateService\agent.exe
.
**************************************************************************
.
Completion time: 2009-09-23 22:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-23 03:46
Pre-Run: 173,117,886,464 bytes free
Post-Run: 173,811,388,416 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
255 --- E O F --- 2009-09-14 08:00