ComboFix 08-05-07.1 - Valencia 2008-05-09 14:21:19.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.244 [GMT -4:00]
Running from: C:\Documents and Settings\Valencia\Desktop\ComboFix.exe
* Resident AV is active
[color=red]WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.
((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.
2008-05-09 13:47 . 2008-05-09 13:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-09 10:39 . 2008-05-09 10:39 <DIR> d-------- C:\Documents and Settings\Valencia\Application Data\Malwarebytes
2008-05-09 10:38 . 2008-05-09 10:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-09 10:38 . 2008-05-09 10:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-09 10:38 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-09 10:38 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-09 10:32 . 2008-05-09 10:32 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-09 10:31 . 2008-05-09 10:32 <DIR> d-------- C:\Program Files\CCleaner
2008-05-09 00:03 . 2008-05-09 00:04 144 --a------ C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
2008-05-08 20:59 . 2008-05-08 20:59 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-05-08 20:56 . 2008-05-08 20:56 <DIR> d-------- C:\WINDOWS\system32\vdTMP
2008-05-08 20:56 . 2008-05-08 20:56 <DIR> d-------- C:\WINDOWS\system32\hNF
2008-05-08 20:56 . 2008-05-08 20:56 <DIR> d-------- C:\WINDOWS\system32\2033b
2008-05-08 20:55 . 2008-05-08 20:55 <DIR> d-------- C:\WINDOWS\system32\bkEur18
2008-05-08 20:55 . 2008-05-08 20:56 <DIR> d-------- C:\Temp\maxsv15
2008-05-08 20:55 . 2008-05-09 10:01 <DIR> d-------- C:\Temp
2008-05-08 20:55 . 2008-05-08 20:55 28,672 --------- C:\WINDOWS\system32\opnmJCrS.dll
2008-05-03 15:34 . 2008-05-09 14:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-03 15:34 . 2008-05-03 15:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-03 15:33 . 2008-05-03 15:33 <DIR> d-------- C:\Program Files\iTunes
2008-05-03 15:33 . 2008-05-03 15:33 <DIR> d-------- C:\Program Files\iPod
2008-05-03 15:29 . 2008-05-03 15:30 <DIR> d-------- C:\Program Files\QuickTime
2008-05-03 15:21 . 2008-05-03 15:21 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-14 20:51 . 2008-04-14 23:42 <DIR> d-------- C:\Program Files\Invoice by Click
2008-04-14 20:50 . 2008-04-14 20:50 299,008 --------- C:\WINDOWS\Setup1.exe
2008-04-14 20:50 . 2008-04-14 20:50 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-04-14 20:49 . 2008-04-14 20:49 23,048,192 --a------ C:\invoice trial.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 18:10 --------- d-----w C:\Program Files\Plaxo
2008-05-09 16:56 --------- d-----w C:\Program Files\Trend Micro
2008-05-09 01:56 --------- d-----w C:\Program Files\LimeWire
2008-05-08 15:04 15,908 ----a-w C:\Documents and Settings\Valencia\Application Data\wklnhst.dat
2008-04-16 13:55 --------- d-----w C:\Program Files\Coupons
2008-04-15 00:40 --------- d-----w C:\Program Files\Microsoft Money 2006
2008-03-25 23:36 --------- d-----w C:\Documents and Settings\Valencia\Application Data\AVS4YOU
2008-03-25 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-03-25 23:33 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-03-25 23:33 --------- d-----w C:\Program Files\AVS4YOU
2008-03-24 23:13 --------- d-----w C:\Documents and Settings\Valencia\Application Data\Apple Computer
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-03 17:43 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
.
((((((((((((((((((((((((((((( snapshot@2008-05-09_10.23.10.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-09 14:10:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-09 18:08:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7E81B89-DF38-40C8-A767-6FBECB65B862}]
2008-05-08 20:55 28672 --------- C:\WINDOWS\system32\opnmJCrS.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 19:39 176201]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [2007-12-11 18:21 227914]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 16:01 67584]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 08:13 176128]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 22:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 22:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 22:50 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 04:48 36975]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 16:59 385024]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 05:12 94208]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-09-01 19:24 684032]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-02-25 17:45 26112]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 14:46 8192]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-09-18 14:46 110592]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 12:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44 81920]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 18:36 823362]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-02-25 17:58 169472]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 13:06 106496]
"HostManager"="C:\Program Files\Common Files\AOL\1145216436\ee\AOLSoftware.exe" [2006-04-20 13:10 50792]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59 124520]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2007-08-15 16:59 374688]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"dbar_starter"="C:\Documents and Settings\Valencia\Application Data\Deskbar_{C1A09F6A-7164-488c-9F49-3EA7CB2BFE39}\starter.exe" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-02-25 17:45:30 156784]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-02-25 17:42:59 24576]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A7E81B89-DF38-40C8-A767-6FBECB65B862}"= C:\WINDOWS\system32\opnmJCrS.dll [2008-05-08 20:55 28672]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 18:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmJCrS]
opnmJCrS.dll 2008-05-08 20:55 28672 C:\WINDOWS\system32\opnmJCrS.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1145216436\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1145216436\\ee\\aim6.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-05-05 20:46]
S3 SeratoUsb;SeratoUsb driver;C:\WINDOWS\system32\Drivers\SeratoUsb.sys [2004-01-14 20:49]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8be35893-616f-11dc-83de-00038a000015}]
\Shell\AutoRun\command - F:\InstallTomTomHOME.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3daa4b6-fde4-11dc-847e-00038a000015}]
\Shell\AutoRun\command - E:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-03 19:21:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 14:32:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\opnmJCrS.dll
.
Completion time: 2008-05-09 14:35:53
ComboFix-quarantined-files.txt 2008-05-09 18:35:35
ComboFix2.txt 2008-05-09 17:13:21
ComboFix3.txt 2008-05-09 14:24:10
Pre-Run: 37,810,053,120 bytes free
Post-Run: 37,792,333,824 bytes free
192 --- E O F --- 2008-04-10 03:46:23