malefactor40
New Zyzoom member
- Joined
- Dec 5, 2007
- Posts
- 3
- Reaction score
- 0
- Points
- 0
Offline
ComboFix 08-10-14.07 - mirage 10/15/2008 19:07:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1256.1.1033.18.762 [GMT 3:00]
Running from: C:\Documents and Settings\mirage\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Start Menu\Programs\ADSTechnology
C:\Documents and Settings\All Users\Start Menu\Programs\ADSTechnology\ADSTechnology.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\ADSTechnology\Uninstall.lnk
C:\Documents and Settings\mirage\Desktop\LABS\mohe\antenna\Desktop_.ini
C:\Documents and Settings\mirage\My Documents\My Documents.url
C:\Documents and Settings\mirage\My Documents\My Music\My Music.url
C:\Documents and Settings\mirage\My Documents\My Pictures\My Pictures.url
C:\Documents and Settings\mirage\My Documents\My Videos\My Video.url
C:\Program Files\ActivationManager
C:\Program Files\ActivationManager\Uninstall.exe
C:\Program Files\ADSTechnology
C:\Program Files\ADSTechnology\Uninstall.exe
C:\Program Files\Applications\iebt.dll
C:\Program Files\Applications\myd.ico
C:\Program Files\Applications\mym.ico
C:\Program Files\Applications\myp.ico
C:\Program Files\Applications\myv.ico
C:\Program Files\Applications\ot.ico
C:\Program Files\Applications\ts.ico
C:\Program Files\Applications\wcm.exe
C:\Program Files\internet explorer\iekey.dll
C:\WINDOWS\system32\wav.cpl
.
((((((((((((((((((((((((( Files Created from 2008-09-15 to 2008-10-15 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-15 16:17 --------- d-----w C:\Documents and Settings\mirage\Application Data\DMCache
2008-10-15 16:15 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-15 16:12 --------- d-----w C:\Program Files\FlashGet
2008-10-15 16:07 --------- d-----w C:\Program Files\Applications
2008-10-15 15:47 --------- d-----w C:\Program Files\Internet Download Manager
2008-10-15 15:30 --------- d-----w C:\Documents and Settings\mirage\Application Data\IDM
2008-10-15 15:12 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-15 06:49 --------- d-----w C:\Program Files\Norton AntiVirus
2008-10-15 06:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-10-15 06:03 --------- d-----w C:\Program Files\Kaspersky Lab
2008-10-14 21:11 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-10-14 21:11 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-10-14 21:11 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-10-14 21:11 --------- d-----w C:\Program Files\Symantec
2008-10-14 21:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-10-13 10:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Babylon
2008-10-12 17:45 96,976 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-10-12 17:17 87,855 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-10-12 14:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-10-11 15:32 --------- d-----w C:\Program Files\Your Uninstaller 2008
2008-10-11 13:11 --------- d-----w C:\Documents and Settings\mirage\Application Data\URSoft
2008-10-10 15:14 --------- d-----w C:\Documents and Settings\mirage\Application Data\AvaFind Data
2008-10-10 14:11 --------- d-----w C:\Program Files\iTunes
2008-10-03 11:14 39,984 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-10-03 11:14 37,936 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-10-03 11:14 35,120 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-10-03 11:14 27,696 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-10-03 11:14 187,952 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-10-03 11:14 146,096 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-10-03 11:14 12,848 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-10-03 11:14 10,804 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-10-03 11:14 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-09-18 00:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-17 23:50 --------- d-----w C:\Program Files\JetAudio
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:00 PM 15360]
"TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2007\MemOptimizer.exe" [12/19/2006 04:53 PM 310792]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [07/16/2007 03:17 PM 4670704]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [09/12/2008 01:44 PM 2606512]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [02/08/2005 01:36 PM 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [02/08/2005 01:32 PM 126976]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [03/29/2005 02:45 PM 233534]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [12/03/2004 01:24 PM 290816]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [05/04/2005 10:59 AM 794624]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 07:00 AM 33648]
"BigDogPath"="C:\WINDOWS\VM_STI.EXE" [01/22/2003 01:04 PM 40960]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [03/16/2007 07:11 PM 84640]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [03/16/2007 07:11 PM 26248]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 05:38 PM 583048]
"AGRSMMSG"="AGRSMMSG.exe" [04/13/2005 01:12 PM 88209 C:\WINDOWS\AGRSMMSG.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/04/2004 03:00 PM 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [06/19/2007 10:17 AM 1241088]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-05-31 577597]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.ac3filter"= ac3filter.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^mirage^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\mirage\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 01/11/2008 10:16 PM 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AvaFind]
--a------ 01/06/2004 05:57 AM 660992 C:\Program Files\AvaFind\AvaFind.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
--a------ 11/19/2007 12:51 AM 3032800 C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
--a------ 04/29/2007 11:26 AM 1974354 C:\Program Files\FlashGet\flashget.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 01/02/2007 12:22 AM 3739648 C:\Program Files\Google\Google Talk\googletalk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 02/16/2005 11:11 PM 49152 C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 08/04/2004 03:00 PM 208952 C:\WINDOWS\ime\IMJP8_1\imjpmig.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 10/13/2004 04:04 PM 278528 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 08/04/2004 03:00 PM 59392 C:\WINDOWS\system32\IME\PINTLGNT\IMSCINST.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 03/01/2007 03:57 PM 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 10/11/2006 12:45 PM 75304 C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 08/04/2004 03:00 PM 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 08/04/2004 03:00 PM 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 08/07/2007 03:05 AM 200704 C:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 06/18/2007 03:21 PM 98304 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 08/06/2004 08:27 AM 860160 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 10/14/2004 09:11 AM 1388544 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 09/28/2006 01:16 PM 185896 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 03/14/2007 03:43 AM 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 07/16/2007 03:17 PM 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\FlashGet\\FlashGet.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [08/04/2004 03:00 PM 14336]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [04/30/2008 06:06 PM 24592]
S3 mirrorv3;mirrorv3;C:\WINDOWS\system32\DRIVERS\rminiv3.sys [11/01/2006 06:01 AM 3328]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2116595f-2a67-11dd-92d2-0015004d93ee}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48aca912-1a0c-11dd-92b2-0015004d93ee}]
\Shell\Auto\command - sunny.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sunny.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bb1c7c6-97bf-11dd-8401-806d6172696f}]
\Shell\Auto\command - sunny.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sunny.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9544e3d7-fd9c-11dc-927c-0015004d93ee}]
\Shell\AutoRun\command - E:\kinza.exe
\Shell\explore\Command - E:\kinza.exe
\Shell\open\Command - E:\kinza.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9544e4f4-fd9c-11dc-927c-0015004d93ee}]
\Shell\Auto\command - sunny.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sunny.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7511976-69c7-11dc-b501-0015004d93ee}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe
.
Contents of the 'Scheduled Tasks' folder
2008-10-10 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe [06/20/2007 08:45 PM]
2008-10-15 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - mirage.job
- C:\PROGRA~1\NORTON~1\Navw32.exe [03/16/2007 07:11 PM]
.
- - - - ORPHANS REMOVED - - - -
BHO-{0DCD4F35-9FD5-420b-A9AA-FED0E2AECEE0} - (no file)
BHO-{BE1A344F-9FF5-4024-949B-52205E6DB2D0} - C:\Program Files\Applications\iebt.dll
MSConfigStartUp-Acrobat Assistant 8 - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
MSConfigStartUp-Device Detector - DevDetect.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\mirage\Application Data\Mozilla\Firefox\Profiles\0nr0hodp.default\
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-15 19:16:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????0?2?2?6??????? ???B?????????????hLC? ??????
scanning hidden files ...
C:\Program Files\Common Files\Symantec Shared\SymcData\ids-diskless\lulock.dat
C:\Program Files\Common Files\Symantec Shared\SymcData\ids-diskless\tmp4e37.tmp
C:\Program Files\Common Files\Symantec Shared\VirusDefs\lulock.dat 0 bytes
C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp2945.tmp
C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp4ea0.tmp
scan completed successfully
hidden files: 5
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\HPQ\shared\hpqwmi.exe
.
**************************************************************************
.
Completion time: 10/15/2008 19:27:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-15 16:26:52
Pre-Run: 27,023,966,208 bytes free
Post-Run: 27,105,099,776 bytes free
249 --- E O F --- 2008-09-18 00:15:57
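The parts of this log a responder looks at first are the MountPoints2 keys (six drive GUIDs whose \Shell\AutoRun, \Shell\Auto, \Shell\open and \Shell\explore verbs launch sunny.exe, Sys.exe and E:\kinza.exe, the classic removable-media autorun pattern), the Security Center values that silence antivirus and firewall monitoring, and "EnableFirewall"= 0 on the standard profile. The script below is an added example, not part of the original post and not ComboFix's own code: it parses the "Reg Loading Points" format shown above and flags those three indicator classes. The sample input is a constructed excerpt modelled on this log; the function and constant names are the example's own.

```python
import re

# Constructed sample input: an excerpt modelled on the 'Reg Loading Points'
# section of the ComboFix log above (not the full log, not ComboFix's own code).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:00 PM 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48aca912-1a0c-11dd-92b2-0015004d93ee}]
\Shell\Auto\command - sunny.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sunny.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9544e3d7-fd9c-11dc-927c-0015004d93ee}]
\Shell\AutoRun\command - E:\kinza.exe
\Shell\open\Command - E:\kinza.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# MountPoints2 shell verbs as ComboFix prints them: \Shell\<verb>\command - <cmd>
SHELL_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s*-\s*(?P<cmd>.+)$", re.IGNORECASE)

# XP Security Center values that silence or disable its monitoring when set to 1
SECURITY_CENTER_FLAGS = {"antivirusdisablenotify", "firewalldisablenotify",
                         "updatesdisablenotify", "disablemonitoring"}
# Shell verbs an autorun.inf on removable media can hijack to launch a binary
AUTORUN_VERBS = {"auto", "autorun", "open", "explore"}


def parse_reg_points(text):
    """Yield (key, name, data) triples; for MountPoints2 shell verbs, name is the verb."""
    key = None
    for line in text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        m = SHELL_RE.match(line)
        if m:
            yield key, m.group("verb").lower(), m.group("cmd").strip()
            continue
        m = VALUE_RE.match(line)
        if m:
            yield key, m.group("name"), m.group("data").strip()


def find_indicators(text):
    """Return (kind, where, detail) findings for the three indicator classes."""
    findings = []
    for key, name, data in parse_reg_points(text):
        lkey, lname = key.lower(), name.lower()
        if "mountpoints2" in lkey and lname in AUTORUN_VERBS:
            guid = key.rsplit("\\", 1)[-1]
            findings.append(("mountpoints2_autorun", guid, f"{name}: {data}"))
        elif ("security center" in lkey and lname in SECURITY_CENTER_FLAGS
              and data.lower().startswith("dword:00000001")):
            findings.append(("security_center_disabled", key, name))
        elif ("firewallpolicy" in lkey and lname == "enablefirewall"
              and data.startswith("0")):
            findings.append(("firewall_disabled", key, name))
    return findings


def autorun_binaries(findings):
    """Basenames of the executables the MountPoints2 entries would launch."""
    names = set()
    for kind, _guid, detail in findings:
        if kind == "mountpoints2_autorun":
            cmd = detail.split(": ", 1)[1]
            # last token handles the RunDLL32 ShellExec_RunDLL <file> form as well
            names.add(cmd.split()[-1].rsplit("\\", 1)[-1].lower())
    return names


if __name__ == "__main__":
    hits = find_indicators(SAMPLE_LOG)
    for kind, where, detail in hits:
        print(f"{kind:26} {where}  {detail}")
    print("autorun payloads:", sorted(autorun_binaries(hits)))
```

Run against the full log above, the MountPoints2 check yields sunny.exe, Sys.exe and kinza.exe as the payloads to hunt for on every removable drive that has been plugged into this machine (the GUIDs are per-volume, so each one is a separate USB stick or card). The Security Center and firewall values are weaker evidence on their own: third-party suites such as the Symantec products present here set DisableMonitoring for their own entries, so treat those as context for the autorun findings rather than proof of tampering.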