ComboFix 09-04-23.A3 - ahn 04/24/2009 4:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1256.966.1033.18.1919.1298 [GMT 3:00]
Running from: c:\documents and settings\ahn\My Documents\Downloads\Programs\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090423-0] *On-access scanning disabled* (Updated)
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\ahn\Application Data\ShoppingReport
c:\documents and settings\ahn\Application Data\ShoppingReport\cs\Config.xml
c:\documents and settings\ahn\Application Data\ShoppingReport\cs\db\Aliases.dbs
c:\documents and settings\ahn\Application Data\ShoppingReport\cs\db\Sites.dbs
c:\documents and settings\ahn\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
c:\documents and settings\ahn\Application Data\ShoppingReport\cs\report\aggr_storage.xml
c:\documents and settings\ahn\Application Data\ShoppingReport\cs\report\send_storage.xml
c:\documents and settings\ahn\Application Data\ShoppingReport\cs\res2\WhiteList.dbs
c:\program files\FunWebProducts
c:\program files\ShoppingReport
c:\program files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
c:\program files\ShoppingReport\Uninst.exe
c:\windows\system32\AutoRun.inf
.
((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-4-24 )))))))))))))))))))))))))))))))
.
2009-04-23 23:31 . 2003-08-15 11:55 348160 ----a-w c:\windows\system32\eSellerateEngine.dll
2009-04-23 23:31 . 2009-04-23 23:31 -------- d-----w c:\program files\Acoustica MP3 Audio Mixer
2009-04-23 22:11 . 2009-04-23 22:11 -------- d-----w c:\program files\Microsoft
2009-04-23 20:08 . 2009-04-23 20:08 -------- d-----w c:\documents and settings\ahn\Local Settings\Application Data\Hotspot_Shield
2009-04-23 20:02 . 2009-04-23 20:02 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Hotspot_Shield
2009-04-23 19:59 . 2009-04-23 19:59 -------- d-----w c:\documents and settings\ahn\Local Settings\Application Data\WMTools Downloaded Files
2009-04-23 19:59 . 2009-04-23 19:59 -------- d-----w c:\program files\Common Files\xing shared
2009-04-23 19:59 . 2009-04-23 19:59 -------- d-----w c:\program files\Hotspot_Shield
2009-04-23 19:59 . 2009-04-23 19:59 -------- d-----w c:\program files\Conduit
2009-04-23 19:58 . 2009-04-23 19:58 -------- d-----w c:\program files\Windows Live SkyDrive
2009-04-23 19:58 . 2009-04-23 19:58 -------- d-----w c:\program files\Opera Software
2009-04-16 11:45 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 23:17 . 2009-04-15 23:17 -------- d-----w c:\documents and settings\ahn\Application Data\Ectaco
2009-03-29 01:42 . 2009-03-29 01:42 1968736 ----a-w C:\12377665455474790032281.rm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-24 01:18 . 2008-09-28 17:20 -------- d-----w c:\documents and settings\ahn\Application Data\DMCache
2009-04-24 00:29 . 2008-12-09 15:40 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-23 20:02 . 2008-06-20 20:21 -------- d-----w c:\program files\Java
2009-04-23 19:59 . 2008-06-20 20:16 -------- d-----w c:\program files\Common Files\Real
2009-04-23 19:58 . 2008-06-20 20:53 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-23 19:56 . 2008-09-01 18:11 -------- d-----w c:\program files\Messenger Plus! Live
2009-04-23 15:01 . 2008-06-25 00:13 -------- d-----w c:\program files\Windows Live
2009-04-19 01:34 . 2008-06-20 04:50 99496 ----a-w c:\documents and settings\ahn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-15 23:17 . 2008-11-09 00:18 -------- d-----w c:\documents and settings\ahn\Application Data\Thinstall
2009-04-09 17:17 . 2008-10-15 18:50 -------- d-----w c:\program files\Recuva
2009-03-23 00:54 . 2009-02-04 15:00 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-12 01:02 . 2009-03-12 01:02 -------- d-----w c:\program files\Reference Assemblies
2009-03-11 20:53 . 2009-03-11 20:53 -------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-03-06 14:22 . 2008-04-14 11:42 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:25 . 2009-01-07 21:25 -------- d-----w c:\program files\Internet Download Manager
2009-03-03 00:18 . 2008-04-14 11:42 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-21 05:25 . 2008-12-31 14:04 691592 ----a-w c:\windows\system32\OGACheckControl.DLL
2009-02-20 18:09 . 2008-04-14 11:41 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2008-04-14 11:41 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-04-14 11:42 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2008-04-14 11:41 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2008-04-14 11:41 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 11:13 . 2008-04-14 07:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 16:43 . 2009-02-06 16:43 307576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 15:52 . 2007-08-16 13:17 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 11:11 . 2008-04-14 11:42 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2008-04-14 06:54 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 11:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-04-14 00:01 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2008-04-14 11:42 56832 ----a-w c:\windows\system32\secur32.dll
2008-10-17 18:59 . 2008-10-17 18:59 99496 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-09-27 03:39 . 2008-09-27 03:39 0 ----a-w c:\program files\Common Files\dht342126
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2008-03-27 21:12 1164600 ----a-w c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-03-27 1164600]
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-03-27 1164600]
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-01-07 2610608]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-31 68856]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]
"Google Update"="c:\documents and settings\ahn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-11 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-26 786521]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-20 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-23 148888]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-23 630784]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"ASUS Screen Saver Protector"="c:\windows\ASScrPro.exe" [2008-06-20 33136]
"ASUS Camera ScreenSaver"="c:\windows\ASScrProlog.exe" [2008-06-20 37232]
"Alta Sticker Light"="c:\program files\Alta Softworks\Alta Sticker Light\aslight.exe" [2008-04-18 342016]
"ACU"="c:\program files\Atheros\ACU.exe" [2007-10-16 405593]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-17 2879488]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-10-31 16269312]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\ahn\Start Menu\Programs\Startup\
Adobe Media Player.lnk - c:\program files\Adobe Media Player\Adobe Media Player.exe [2008-12-9 261120]
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-6-20 113664]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-5-23 2756608]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave4"= serwvdrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9039:TCP"= 9039:TCP:BitComet 9039 TCP
"9039:UDP"= 9039:UDP:BitComet 9039 UDP
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 gearsec;gearsec;c:\windows\system32\gearsec.exe [2003-12-01 53248]
S3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\DRIVERS\l251x86.sys [2007-08-21 30208]
S3 SynMini;USB2.0 1.3M WebCam;c:\windows\system32\Drivers\SynMini.sys [2008-06-20 1116544]
S3 SynScan;USB2.0 1.3M WebCam Still Image;c:\windows\system32\Drivers\SynScan.sys [2008-06-20 7808]
S3 WSIMD;wsimd Service;c:\windows\system32\DRIVERS\wsimd.sys [2007-07-04 57344]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28ce4514-3f0a-11dd-acf6-000ea6f33393}]
\Shell\AutoRun\command - G:\u.bat
\Shell\explore\Command - G:\u.bat
\Shell\open\Command - G:\u.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a698f7e4-ba3b-11dd-b8cc-000ea6f33393}]
\shEll\auToPlaY\comMaNd - xuma.exe
\shEll\AutoRun\command - xuma.exe
\shEll\exPLORe\COmMANd - xuma.exe
\shEll\OpEN\CoMmAnd - xuma.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {857D4360-762B-978B-76AD-491AA719E47A} /qb
.
Contents of the 'Scheduled Tasks' folder
2009-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 09:34]
2009-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-1708537768-1417001333-1003.job
- c:\documents and settings\ahn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-10 00:18]
2009-04-23 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 14:04]
2009-04-24 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 14:04]
.
- - - - ORPHANS REMOVED - - - -
BHO-{c95a4e8e-816d-4655-8c79-d736da1adb6d} - (no file)
HKCU-Run-Hide IP NG - c:\program files\Hide IP NG\hideipng.exe
HKCU-Run-BitComet - c:\program files\BitComet\BitComet.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.sa/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = socks=
uInternet Settings,ProxyOverride = plimus.com,
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
IE: ت&صدير إلى Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: تحميل الكل بـ إنترنت داونلود مانيجر - c:\program files\Internet Download Manager\IEGetAll.htm
IE: تحميل بـ إنترنت داونلود مانيجر - c:\program files\Internet Download Manager\IEExt.htm
IE: تحميل محتوى فيديو (إف.إل.في) بـ إنترنت داونلود مانيجر - c:\program files\Internet Download Manager\IEGetVL.htm
IE: {{C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842} -
DPF: Microsoft XML Parser for Java -
FF - ProfilePath - c:\documents and settings\ahn\Application Data\Mozilla\Firefox\Profiles\cxyz18s3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1561552&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://mystart.hiyo.com/
FF - prefs.js: keyword.URL - hxxp://mystart.hiyo.com/?loc=ff_address&search=
FF - component: c:\documents and settings\ahn\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - component: c:\documents and settings\ahn\Application Data\Mozilla\Firefox\Profiles\cxyz18s3.default\extensions\{c95a4e8e-816d-4655-8c79-d736da1adb6d}\components\FFAlert.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\ahn\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2009-04-24 04:18
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1d6ad953-a367-4ae3-a567-c6a467bcfa42}]
@Denied: (Full) (Everyone)
"Model"=dword:00000047
"Therad"=dword:00000009
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,b6,5d,bc,0e,8b,a8,30,9f,63,83,49,d0,7b,27,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):6b,b0,d6,12,45,65,85,7d,c2,13,df,c3,51,fb,44,0e,02,9c,9f,ec,3c,
de,e0,d3,22,6d,8d,22,9c,4a,5e,b0,7e,23,2c,f0,2e,43,90,ee,00,00,00,00,00,00,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):4a,f0,5b,95,d1,a5,8a,be,0a,4a,ec,8f,e4,92,6c,76,9d,a4,af,59,1a,
55,fc,7b,50,65,43,41,d7,d4,f3,5b,fc,15,28,8a,a1,e0,e5,bc,00,00,00,00,00,00,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ec128013-c740-4c60-8244-8b1380c0d3c1}]
@Denied: (Full) (Everyone)
"Model"=dword:0000012d
"Therad"=dword:0000001f
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(872)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-24 4:20
ComboFix-quarantined-files.txt 2009-04-24 01:19
Pre-Run: 57,035,923,456 bytes free
Post-Run: 58,187,792,384 bytes free
252 --- E O F --- 2009-04-18 08:44