ComboFix 08-03-10.1 - HP_Owner 2008-03-13 19:28:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.606 [GMT 10:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\SmartVideoCodec
C:\WINDOWS\alofkmn.dll
C:\WINDOWS\bxlrvps.dll
C:\WINDOWS\dat.txt
C:\WINDOWS\ekvgsnw.dll
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://194.126.174.124
hxxp://77.91.228.184
hxxp://77.91.228.188
hxxp://onsafepro.com
.

((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.

2008-03-02 09:54 . 2008-03-02 09:54 d-------- C:\Program Files\Trend Micro
2008-02-26 19:39 . 2008-02-26 19:39 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-25 14:03 . 2008-03-13 19:03 5,842 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-25 13:37 . 2008-02-25 13:37 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-25 13:37 . 2008-02-25 13:37 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-25 12:34 . 2008-02-25 12:34 d-------- C:\Documents and Settings\HP_Owner\Application Data\SpywareStop
2008-02-18 13:13 . 2008-02-18 13:13 d-------- C:\Program Files\ANI
2008-02-15 07:50 . 2006-06-23 08:29 720,176 -ra------ C:\WINDOWS\system32\drivers\LV302AV.SYS
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-03-13 09:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-13 09:16 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Skype
2008-03-13 09:14 --------- d-----w C:\Program Files\SP2 Connection Patcher
2008-02-18 03:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-02 14:01 --------- d-----w C:\Program Files\Ventrilo
2008-02-02 14:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-22 23:24 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AdobeUM
2008-01-16 11:56 --------- d-----w C:\Program Files\Sony Ericsson
2005-11-20 07:09 18,384 ----a-w C:\Program Files\Warez P2P ClientIPGUARD.LOG
.

------- Sigcheck -------

2005-05-26 05:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-14 03:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 22:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-31 02:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 22:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-06-18 03:42 359808 14143695e27b2718dee96ea2e50428b3 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-02-17 03:09 359808 eb98d5e55321cefd803e8173dbb000db C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-06-18 03:10 359808 ba57942c0029b0878afba052a3e33689 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-01-10 03:08 360064 34a663e7f74ae8b2c992c2513343477e C:\WINDOWS\system32\drivers\tcpip.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"SP2ConnPatcher"="C:\Program Files\SP2 Connection Patcher\sp2connpatcher.exe" [2005-05-11 01:41 409600]
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2005-05-11 01:41 409600]
"Acme.PCHButton"="C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\PCHButton.exe" [2004-08-25 21:08 159744]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-05 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-05 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 05:00 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-08-25 19:10 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-04 02:21 50176 C:\WINDOWS\ALCXMNTR.EXE]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 20:44 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 20:38 659456]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 20:02 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-25 20:34 180269]
"Home Theater SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2004-07-30 10:34 155648]
"WINREMOTE"="C:\Program Files\InterVideo\Common\Bin\WinRemote.exe" [2004-07-30 10:41 192512]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 20:43 233472]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 11:47 71328]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 16:57 81920]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-24 21:10 339968]
"CnxTrApp"="C:\Program Files\NetComm\NetComm USB Network\CnxTrApp.dll" [2003-07-19 10:32 247296]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-05-10 23:52 100056]
"SoundMan"="SOUNDMAN.EXE" [2005-04-06 18:57 90112 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-06 18:53 2805248 C:\WINDOWS\ALCWZRD.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"QABclyU"="C:\WINDOWS\speksqpx.exe" [ ]
"NI.UWFX5_0001_N57M2112"="C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\4V1ZQYF9\WinFixerScannerInstall[1].exe" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14 270648]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 16:02 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 16:06 2027792]
"SMSERIAL"="sm56hlpr.exe" [2004-12-29 06:01 544768 C:\WINDOWS\sm56hlpr.exe]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-07-22 10:42 1519616]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 17:49 49152]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
StripSaver2.lnk - C:\Program Files\StripSaver2\StripSaver2.exe [2005-07-30 23:08:57 1249280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 16:05:26 29696]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2005-10-31 15:07:41 1183744]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 05:31:38 241664]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2004-08-25 21:06:15 16423]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WinRunOnce"= {4c6511a9-0210-4b9f-aed1-ad6719aed4b8} - C:\WINDOWS\Installer\{4c6511a9-0210-4b9f-aed1-ad6719aed4b8}\WinRunOnce.dll [2008-02-25 07:50 17958]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
C:\winstall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16095:TCP"= 16095:TCP:BitComet 16095 TCP
"16095:UDP"= 16095:UDP:BitComet 16095 UDP

R3 Cap7134;ASUS TV7134 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2004-06-23 20:34]
R3 PhTVTune;ASUS WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2004-05-27 18:49]
S3 WlanUIB;NETGEAR 802.11b USB Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2004-03-03 16:27]
.
Contents of the 'Scheduled Tasks' folder
"2008-02-25 03:46:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-25 14:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - HP_Owner.job" - c:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-02-29 17:00:00 C:\WINDOWS\Tasks\SpywareStop Scheduled Scan.job" - C:\Program Files\SpywareStop\SpywareStop.ex - C:\Program Files\SpywareStop
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 19:31:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-13 19:31:49
ComboFix-quarantined-files.txt 2008-03-13 09:31:47
.
2008-02-13 17:02:37 --- E O F ---