Old 10-08-2007, 11:13 PM   #13
Nothintolose
Registered User
 
Join Date: Oct 2007
Posts: 8
OS: Win Xp SP2


Re: Possible Trojan - PLS Help!

This it? Sorry.

ComboFix 07-10-08.3 - Zach 2007-10-08 17:52:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1521 [GMT -4:00]
Running from: C:\Documents and Settings\Zach\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Zach\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\drivers\fee
C:\WINDOWS\system32\pgd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Bhmoxunj
C:\Program Files\Gwzlwfym
C:\Program Files\Isebbczd
C:\Program Files\Pfpkguqy
C:\Program Files\qnanojwt
C:\Program Files\qnanojwt\uvihgbsp.dll
C:\Program Files\Qoswziws
C:\Program Files\Tyzhnddw
C:\WINDOWS\system32\n.ini
C:\WINDOWS\system32\pgd.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.

2007-10-08 17:36 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-08 01:30 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-08 01:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-08 01:09 <DIR> d-------- C:\BackUpMSNCleaner
2007-10-06 18:43 <DIR> d-------- C:\Deckard
2007-09-30 06:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-16 01:26 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2007-09-16 01:22 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2007-09-16 00:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 11:42 --------- d-------- C:\Program Files\Warcraft III
2007-10-06 16:14 --------- d-------- C:\Program Files\Rogers
2007-10-03 23:08 --------- d-------- C:\Program Files\World of Warcraft
2007-09-30 23:47 --------- d-------- C:\Program Files\Steam
2007-09-23 21:56 --------- d-------- C:\Program Files\BitLord
2007-09-12 22:02 --------- d-------- C:\Program Files\MSN Messenger
2007-09-08 22:22 --------- d-------- C:\Program Files\WC3Banlist
2007-09-07 23:57 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-07 23:57 --------- d-------- C:\Program Files\Creative
2007-09-07 23:20 --------- d-------- C:\Documents and Settings\Zach\Application Data\Creative
2007-09-07 22:58 --------- d--h----- C:\Program Files\Creative Installation Information
2007-09-07 22:58 --------- d-------- C:\Program Files\Common Files\Creative
2007-09-06 19:19 --------- d-------- C:\Documents and Settings\Zach\Application Data\Google
2007-09-06 18:09 --------- d-------- C:\Documents and Settings\Zach\Application Data\Real
2007-09-06 18:03 --------- d-------- C:\Program Files\Google
2007-09-06 18:03 --------- d-------- C:\Program Files\Common Files\xing shared
2007-09-06 18:03 --------- d-------- C:\Program Files\Common Files\Real
2007-09-06 18:03 --------- d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-09-06 17:37 --------- d-------- C:\Program Files\Xilisoft
2007-09-06 17:37 --------- d-------- C:\Program Files\QuickTime
2007-09-06 17:22 --------- d-------- C:\Program Files\Avex
2007-09-06 06:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 06:05 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 06:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 06:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 06:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-29 14:02 --------- d-------- C:\Program Files\Alwil Software
2007-08-23 10:24 --------- d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-08-23 08:40 77312 --a------ C:\WINDOWS\ua2.dll
2007-08-15 18:03 --------- d-------- C:\Documents and Settings\Zach\Application Data\Apple Computer
2007-08-15 18:02 --------- d-------- C:\Program Files\Apple Software Update
2007-08-15 18:01 --------- d-------- C:\Program Files\Common Files\Apple
2007-08-15 18:01 --------- d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-07-15 03:21 196608 --a------ C:\BNCSutil.dll
2006-03-06 05:03 456 --a------ C:\Program Files\INSTALL.LOG
2006-02-04 01:49 251 --a------ C:\Program Files\wt3d.ini
2006-02-03 22:23:15 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2007-10-08_ 1.25.52.99 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 163,328 2007-09-28 02:03:23 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
----a-w 4,038,656 2007-10-08 21:36:17 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
----a-w 143,360 2007-10-08 21:36:18 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
----a-w 163,328 2007-09-28 02:03:23 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
----a-w 4,038,656 2007-10-08 21:36:16 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
----a-w 143,360 2007-10-08 21:36:16 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
----atw 16,384 2007-10-08 21:54:44 C:\WINDOWS\Temp\Perflib_Perfdata_604.dat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-04 19:03]
"nwiz"="nwiz.exe" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-11-04 19:03]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 06:06]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-06 18:03]
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 15:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 01:00]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-05-07 23:48]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-07 23:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
ARPWRMSG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
"C:\Program Files\DISC\DISCover.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
"C:\Program Files\DISC\DiscUpdateMgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
"c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
"C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet /keeploaded /nodetect

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNPSTD2]
C:\WINDOWS\vsnpstd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpamBlocker]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSP Notifier]
"C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IAANTMON"=2 (0x2)
"CCALib8"=2 (0x2)
"iPodService"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"Pml Driver HPZ12"=0 (0x0)
"NVSvc"=2 (0x2)
"NMSAccess"=2 (0x2)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"ELService"=2 (0x2)
"AresChatServer"=3 (0x3)
"NtmlSvc"=2 (0x2)
"aspimgr"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

R3 CXFALCON;Conexant Falcon II NTSC Video Capture;C:\WINDOWS\system32\drivers\cxfalcon.sys
S3 GENERICDRV;GENERICDRV;\??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\pftF9.tmp\amifldrv.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 snpstd2;USB PC Camera (SN9C103);C:\WINDOWS\system32\DRIVERS\snpstd2.sys
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys
S3 WN5301;LIteon Wireless PCI Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wn5301.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-05 15:04:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-09-24 04:00:28 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 17:56:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\tcpip_patcher]
"ImagePath"="\??\C:\Program Files\Ares\tcpip_patcher.sys"
.
Completion time: 2007-10-08 17:58:08 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-08 17:58
C:\ComboFix2.txt ... 2007-10-08 01:26
.
--- E O F ---