ComboFix 08-08-18.01 - Jim 2008-08-18 20:51:31.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.62 [GMT -4:00]
Running from: C:\Documents and Settings\Jim\Desktop\Combo-Fix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\SYSTEM32\995937
C:\WINDOWS\SYSTEM32\995937\995937.dll
.
---- Previous Run -------
.
C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\#SharedObjects\9KEY2RBE\interclick.com
C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\#SharedObjects\9KEY2RBE\interclick.com\ud.sol
C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\#SharedObjects\9KEY2RBE\www.broadcaster.com
C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Christopher\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Christopher\Cookies\christopher@myspace[2].txt
C:\Documents and Settings\Christopher\UserData
C:\Documents and Settings\Christopher\UserData\F2WNBX4H\DraftMsgData[1].xml
C:\Documents and Settings\Christopher\UserData\index.dat
C:\Documents and Settings\Jim\Application Data\macromedia\Flash Player\#SharedObjects\8B3ZMU6W\interclick.com
C:\Documents and Settings\Jim\Application Data\macromedia\Flash Player\#SharedObjects\8B3ZMU6W\interclick.com\ud.sol
C:\Documents and Settings\Jim\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Jim\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Jim\My Documents\My Documents.url
C:\Documents and Settings\Jim\My Documents\My Music\My Music.url
C:\Documents and Settings\Jim\My Documents\My Pictures\My Pictures.url
C:\Documents and Settings\Jim\My Documents\My Videos\My Video.url
C:\Documents and Settings\Jim\UserData
C:\Documents and Settings\Jim\UserData\0HMNO1IN\oWindowsUpdate[1].xml
C:\Documents and Settings\Jim\UserData\0HMNO1IN\oWindowsUpdate[2].xml
C:\Documents and Settings\Jim\UserData\G9Q3GDMB\oWindowsUpdate[1].xml
C:\Documents and Settings\Jim\UserData\G9Q3GDMB\oWindowsUpdate[2].xml
C:\Documents and Settings\Jim\UserData\index.dat
C:\Documents and Settings\Jim\UserData\WPYVGHI3\oWindowsUpdate[1].xml
C:\Program Files\Applications\myd.ico
C:\Program Files\Applications\mym.ico
C:\Program Files\Applications\myp.ico
C:\Program Files\Applications\myv.ico
C:\Program Files\Applications\ot.ico
C:\Program Files\Applications\ts.ico
C:\Program Files\ASpyC
C:\Program Files\ASpyC\ASpyC.exe
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\companion wizard\WapCHK.dll
C:\WINDOWS\SYSTEM32\995937
C:\WINDOWS\SYSTEM32\995937\995937.dll
C:\WINDOWS\system32\AutoRun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_FOPN
-------\Legacy_VSPF
-------\Legacy_VSPF_HK
((((((((((((((((((((((((( Files Created from 2008-07-19 to 2008-08-19 )))))))))))))))))))))))))))))))
.
2008-08-18 20:55 . 2008-08-18 20:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\995937
2008-08-16 19:13 . 2008-08-16 19:13 276 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-08-16 19:07 . 2008-05-01 10:33 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-16 19:06 . 2008-04-11 15:04 691,712 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2008-08-10 17:46 . 2008-08-10 17:46 <DIR> d-------- C:\Deckard
2008-08-10 16:55 . 2008-08-10 16:55 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-08-10 16:55 . 2008-08-10 16:55 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-08-10 16:55 . 2008-08-10 16:55 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-10 16:28 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\msxml6.dll
2008-08-10 16:27 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-08-10 15:53 . 2008-08-10 15:54 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-10 15:52 . 2008-08-10 15:52 <DIR> d-------- C:\ie-spyad_zo
2008-08-10 14:11 . 2008-08-10 14:11 <DIR> d-------- C:\Program Files\Panda Security
2008-08-10 14:11 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-08-09 01:42 . 2008-08-18 20:35 <DIR> d-------- C:\Program Files\Applications
2008-08-09 01:42 . 2008-08-09 01:42 27,648 --a------ C:\WINDOWS\SYSTEM32\ubpr01.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 00:56 --------- d---a-w C:\Documents and Settings\All Users\Application Data\temp
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-20 03:04 518 ----a-w C:\Program Files\Shortcut to Internet Explorer.lnk
2005-09-22 22:37 81,216 ----a-w C:\Documents and Settings\Jim\Application Data\GDIPFONTCACHEV1.DAT
2005-03-01 17:16 81,216 ----a-w C:\Documents and Settings\Christopher\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E1465F3-56CF-4FC4-8684-1BD6245AA30D}]
2008-08-18 20:57 15360 --a------ C:\WINDOWS\system32\995937\995937.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"wblogon"="C:\WINDOWS\system32\ubpr01.exe" [2008-08-09 01:42 27648]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2003-10-06 15:16 49152]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 14:12 2061816]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 23:32 53248]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 22:34 49152]
"nwiz"="nwiz.exe" [2003-10-06 15:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 09:52 218232]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2008-04-13 20:12 78848]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{2f199d0e-f3e7-41a7-a060-816c24cceea0}"= "C:\WINDOWS\system32\zgyhw.dll" [2008-08-08 12:51 13312]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R0 PrtSeqRd;PrtSeqRd;C:\WINDOWS\system32\drivers\PrtSeqRd.sys [2001-05-15 17:48]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 14:52]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
- - - - ORPHANS REMOVED - - - -
BHO-{C7FF97C5-161B-4E80-A8B6-98A75BA9A9B1} - C:\WINDOWS\system32\ir4ess.dll
HKCU-Run-Microsoft Works Update Detection - C:\Program Files\Microsoft Works\WkDetect.exe
HKCU-Run-ASpyC - C:\Program Files\ASpyC\ASpyC.exe
HKU-Default-Run-Symantec Network Driver Update Warning - C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE
HKU-Default-Run-ALUAlert - C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
Notify-ir4ess - ir4ess.dll
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.bingpage.com/?cm=710735<=2&it=2008-08-09%2001%3A42%3A00&dt=2008-08-18%2020%3A21%3A06&q=http://home.bellsouth.net/
R0 -: HKCU-Main,SearchMigratedDefaultUrl = hxxp://internetsearchservice.com/search?q={searchTerms}
R0 -: HKCU-Main,Default_Search_URL = hxxp://internetsearchservice.com
R0 -: HKLM-Main,Search Bar = hxxp://internetsearchservice.com/ie6.html
R0 -: HKLM-Main,SearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
R1 -: HKLM-Internet Explorer,SearchURL = hxxp://internetsearchservice.com
O8 -: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 -: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 -: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 -: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 -: Translate into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-08-18 20:57:04
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-08-18 21:05:34 - machine was rebooted [Jim]
ComboFix-quarantined-files.txt 2008-08-19 01:05:28
Pre-Run: 13,794,721,792 bytes free
Post-Run: 13,773,266,944 bytes free
187 --- E O F --- 2008-08-19 00:05:07
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195659550187
O20 - AppInit_DLLs:
O22 - SharedTaskScheduler: hypoch - {2f199d0e-f3e7-41a7-a060-816c24cceea0} - C:\WINDOWS\system32\zgyhw.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 6484 bytes