ComboFix 08-05-21.2 - Leland Fecher 2008-05-23 16:39:24.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.656 [GMT -4:00]
Running from: C:\Documents and Settings\Leland Fecher\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Leland Fecher\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Leland Fecher\err.log
.
((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.
2008-05-23 13:14 . 2008-05-23 13:15 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-23 12:51 . 2008-05-23 12:51 <DIR> d-------- C:\Program Files\backups
2008-05-21 14:03 . 2008-05-21 14:03 <DIR> d-------- C:\Program Files\CleanUp!
2008-05-21 13:49 . 2008-03-01 09:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-21 13:49 . 2007-04-17 05:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-21 13:49 . 2007-03-08 01:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-21 13:49 . 2008-03-01 09:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-21 13:49 . 2008-03-01 09:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-21 13:49 . 2008-03-01 09:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-21 13:49 . 2008-03-01 09:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-21 13:49 . 2008-03-01 09:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-21 13:49 . 2008-02-22 06:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-21 13:26 . 2005-08-25 19:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-21 13:26 . 2005-08-25 19:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-05-21 13:26 . 2005-08-25 19:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-05-21 13:26 . 2008-05-21 13:26 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-21 13:21 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-21 13:21 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-21 13:21 . 2008-05-15 23:22 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-21 13:21 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-21 13:21 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-21 13:21 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-21 13:21 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-21 13:21 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-21 12:45 . 2008-05-21 12:45 <DIR> d-------- C:\Program Files\MSConfig CleanUp
2008-05-20 23:25 . 2008-05-23 13:15 <DIR> d-------- C:\Program Files\Trojan Remover
2008-05-20 23:25 . 2008-05-20 23:25 <DIR> d-------- C:\Documents and Settings\Leland Fecher\Application Data\Simply Super Software
2008-05-20 23:25 . 2008-05-20 23:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-05-20 23:25 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-05-20 23:25 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-05-20 23:25 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-05-20 23:25 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-05-20 23:25 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-05-20 22:42 . 2008-05-20 22:42 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-05-20 22:18 . 2008-05-20 22:18 <DIR> d-------- C:\Program Files\CCleaner
2008-05-20 17:27 . 2008-05-20 17:27 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-05-20 16:59 . 2008-05-20 19:16 <DIR> d-------- C:\VundoFix Backups
2008-05-20 14:32 . 2008-05-20 23:15 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-20 14:26 . 2008-05-20 14:26 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-20 14:26 . 2008-05-20 14:26 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-20 14:25 . 2008-05-20 14:53 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-20 14:25 . 2008-05-20 14:25 <DIR> d-------- C:\Program Files\AVG
2008-05-20 14:25 . 2008-05-20 14:55 <DIR> d-------- C:\Documents and Settings\Leland Fecher\Application Data\AVGTOOLBAR
2008-05-20 14:25 . 2008-05-20 14:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-05 22:36 . 2008-05-23 16:34 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-05-04 22:02 . 2008-05-04 22:02 <DIR> d-------- C:\Logs
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 17:47 --------- d-----w C:\Program Files\Sportsbook Poker
2008-07-05 17:43 --------- d-----w C:\Program Files\Steam
2008-05-23 16:48 4,971 ----a-w C:\Program Files\hijackthis.log
2008-05-22 19:21 --------- d-----w C:\Program Files\PokerStars
2008-05-21 17:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-21 04:46 401,720 ----a-w C:\Program Files\HijackThis.exe
2008-05-20 21:28 --------- d-----w C:\Program Files\PowerISO
2008-05-14 00:41 --------- d-----w C:\Program Files\Full Tilt Poker
2008-05-13 16:13 --------- d-----w C:\Program Files\World of Warcraft
2008-05-06 02:42 --------- d-----w C:\Program Files\iTunes
2008-04-16 20:41 --------- d-----w C:\Documents and Settings\Leland Fecher\Application Data\BitTorrent
2008-04-13 22:27 --------- d-----w C:\Documents and Settings\Leland Fecher\Application Data\U3
2008-04-10 21:15 --------- d-----w C:\Documents and Settings\Leland Fecher\Application Data\Wizards of the Coast
2008-04-10 18:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-10 18:38 --------- d-----w C:\Program Files\Wizards of the Coast
2008-04-01 18:53 --------- d-----w C:\Program Files\Java
2008-03-30 19:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\CCP
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-01-05 01:50 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-02-14 22:20 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.
((((((((((((((((((((((((((((( snapshot@2008-05-21_23.53.40.91 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-22 03:47:25 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 20:30:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 20:31:00 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_410.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-05-20 14:25 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-20 14:25 2050816]
[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-05-20 14:25 1177368 C:\PROGRA~1\AVG\AVG8\avgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1147121880\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1147121880\\ee\\aim6.exe"=
"C:\\Program Files\\Sierra On-Line\\sigspat.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-20 14:26]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-20 14:25]
R3 tifm;tifm;C:\WINDOWS\system32\drivers\tifm.sys [2004-05-21 20:18]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 17:10]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-07-05 16:54:26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-05-23 16:43:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-23 16:45:10
ComboFix-quarantined-files.txt 2008-05-23 20:44:23
ComboFix2.txt 2008-05-23 16:45:55
ComboFix3.txt 2008-05-22 03:53:59
Pre-Run: 4,455,710,720 bytes free
Post-Run: 4,438,085,632 bytes free
177 --- E O F --- 2008-05-21 17:53:05
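Added example (not part of ComboFix or of the log above): a small triage script for the "Reg Loading Points" section of a ComboFix log. It parses the format the log shows (a registry key in square brackets followed by "name"=value lines or bare file lines), then surfaces the entries a reviewer looks at first: AppInit_DLLs, the Security Center override values, the removable-media AutoRun command under mountpoints2, globally open firewall ports, and Browser Helper Objects. The sample input is constructed from lines copied out of the log; the severity labels and the selection of checks are this example's own, not ComboFix's.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')
SERVICE_RE = re.compile(r"^[RS]\d\s")  # ComboFix service lines: "R1 name;desc;path [date]"

# Constructed sample: lines copied from the log's Reg Loading Points section.
SAMPLE = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-05-20 14:25 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-20 14:26]
*Newly Created Service* - CATCHME
"""


def parse_loading_points(text: str) -> dict[str, list[tuple[str, str]]]:
    """Map each registry key (lowercased) to its (name, value) entries.

    Bare lines under a key (ComboFix prints plain file lines under BHO and
    winlogon\\notify keys, and the mountpoints2 AutoRun command) are kept
    with an empty name. Service lines and "*...*" notes are skipped.
    """
    points: dict[str, list[tuple[str, str]]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "." or line == "REGEDIT4" or line.startswith("*"):
            continue
        if SERVICE_RE.match(line):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            points.setdefault(current, [])
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            points[current].append((m.group(1), m.group(2).strip()))
        else:
            points[current].append(("", line))
    return points


@dataclass
class Finding:
    severity: str  # "review" = verify the file/setting; "info" = inventory
    key: str
    detail: str


def triage(points: dict[str, list[tuple[str, str]]]) -> list[Finding]:
    """Return the loading points a reviewer should identify or confirm."""
    findings: list[Finding] = []
    for key, entries in points.items():
        for name, value in entries:
            lname = name.lower()
            # AppInit_DLLs is mapped into every process that loads user32.dll,
            # so any DLL listed there must be attributable (here it is AVG's).
            if key.endswith(r"currentversion\windows") and lname == "appinit_dlls" and value:
                findings.append(Finding("review", key, f"AppInit_DLLs={value}"))
            # These overrides silence the Security Center "no AV/firewall" alerts.
            elif key.endswith("security center") and lname in ("antivirusoverride", "firewalloverride") \
                    and value.lower() == "dword:00000001":
                findings.append(Finding("review", key, f"{name} is set"))
            # AutoRun command bound to a removable drive letter.
            elif "mountpoints2" in key and "autorun" in value.lower():
                findings.append(Finding("review", key, value))
            elif key.endswith(r"globallyopenports\list"):
                findings.append(Finding("info", key, value))
            elif "browser helper objects" in key:
                findings.append(Finding("info", key, value))
    return findings


if __name__ == "__main__":
    for f in triage(parse_loading_points(SAMPLE)):
        print(f"[{f.severity}] {f.key}\n    {f.detail}")
```

Run against a full log, the script only needs `SAMPLE` replaced by the file contents; everything outside the bracketed keys (the file-creation lists, the catchme output) is ignored by the parser because it only collects lines that follow a `[key]` header and skips the service and `*...*` lines.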