ComboFix 08-12-05.06 - mark hale 2008-12-06 9:50:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.413 [GMT -6:00]
Running from: c:\documents and settings\mark hale\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\mark hale\Desktop\CFSCRIPT.txt
* Created a new restore point
* Resident AV is active
FILE ::
c:\windows\system32\ws.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\all users\application data\1933087776\915340387.exe
c:\windows\system32\drivers\fad.sys
c:\windows\system32\ws.dll
.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.
2008-12-04 09:15 . 2008-12-04 09:15 250 --a------ c:\windows\gmer.ini
2008-12-03 10:14 . 2008-12-06 09:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\1933087776
2008-11-25 11:29 . 2008-11-25 11:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 11:26 . 2008-11-25 11:27 <DIR> d-------- c:\program files\QuickTime
2008-11-12 22:07 . 2008-09-04 11:15 1,106,944 --------- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
2008-11-12 22:07 . 2008-10-24 05:21 455,296 --------- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 23:12 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-11-25 17:29 --------- d-----w c:\program files\iTunes
2008-11-25 17:29 --------- d-----w c:\program files\iPod
2008-11-25 17:29 --------- d-----w c:\program files\Common Files\Apple
2008-11-25 15:45 --------- d-----w c:\program files\Microsoft Location Finder
2008-11-25 02:53 --------- d-----w c:\program files\Safari
2008-11-15 18:18 --------- d-----w c:\program files\McAfee
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 20:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\SYSTEM32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\SYSTEM32\muweb.dll
2008-10-15 16:34 337,408 ------w c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\SYSTEM32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\SYSTEM32\DLLCACHE\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2004-05-19 23:08 131,072 -c--a-w c:\documents and settings\tamara hale\Application Data\sysupd.exe
2008-08-14 21:28 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008081420080815\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"IncrediMail"="c:\progra~1\INCRED~1\bin\IncMail.exe" [1724-12-25 176171]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 101080]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-07-14 1961984]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-26 204800]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"EPSON Stylus CX6400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE" [2003-06-02 99840]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-02-18 26112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-25 1397760]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"VideoraiPodConverter"="c:\program files\VideoraiPodConverter\VideoraiPodConverter.exe" [2005-11-11 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]
c:\documents and settings\mark hale\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-09-27 113664]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]
Billminder.lnk - c:\quickenw\BILLMIND.EXE [2004-02-25 36864]
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2002-01-09 200704]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
Quicken Startup.lnk - c:\quickenw\QWDLLS.EXE [2004-02-25 36864]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-10-01 203280]
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-12-02 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (MARKHALE-mark hale).job
- c:\progra~1\mcafee.com\vso\mcmnhdlr.exe []
2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
2008-12-06 c:\windows\Tasks\User_Feed_Synchronization-{7444D0BC-0D3F-485B-9BB3-563AA032764A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-12-06 09:54:30
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-12-06 9:56:48
ComboFix-quarantined-files.txt 2008-12-06 15:55:53
Pre-Run: 3,578,036,224 bytes free
Post-Run: 3,724,210,176 bytes free
144 --- E O F --- 2008-12-01 23:38:37