ComboFix 09-07-23.02 - Dad 07/23/2009 22:06.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1515 [GMT -7:00]
Running from: c:\documents and settings\Dad\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\AWDFLASH.EXE
c:\windows\hosts
c:\windows\msa.exe
c:\windows\system32\drivers\ESQULklyavhxwbwulksrrvimpqmfoepbrmpxt.sys
c:\windows\system32\ESQULfmcpxevjnsfvmejwqxwymvyrodvcbqef.dll
c:\windows\system32\ESQULxufpuhfmlwqkishxjsojwevdnbxlirfx.dll
c:\windows\system32\msxml71.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-24 to 2009-07-24 )))))))))))))))))))))))))))))))
.

2009-07-24 04:04 . 2009-07-24 04:04 -------- d-----w- c:\program files\STOPzilla!
2009-07-24 03:59 . 2009-07-24 03:58 390656 ----a-w- C:\STOPzilla_Setup.exe
2009-07-24 03:46 . 2009-07-24 03:46 0 ----a-w- c:\documents and settings\Dad\settings.dat
2009-07-24 03:46 . 2009-07-24 03:26 462508 ----a-w- C:\RootRepeal.zip
2009-07-24 03:41 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-24 03:41 . 2009-07-24 03:41 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-24 03:41 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-24 03:31 . 2009-07-24 03:26 3775200 ----a-w- C:\mbam-setup.exe
2009-07-22 00:05 . 2008-08-18 13:56 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-07-21 23:59 . 2009-07-21 05:26 134656 ----a-w- c:\windows\msb.exe
2009-07-21 05:44 . 2009-07-21 05:45 -------- d-----w- c:\program files\The KMPlayer
2009-07-21 05:26 . 2009-07-21 05:26 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-07-21 05:26 . 2009-07-21 05:26 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-20 21:57 . 2009-07-20 21:57 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-07-20 21:56 . 2009-07-20 21:56 311296 ----a-r- c:\windows\system32\SZBase5.dll
2009-07-20 21:56 . 2009-07-20 21:56 540672 ----a-r- c:\windows\system32\SZComp5.dll
2009-07-12 21:33 . 2001-08-18 05:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2009-07-12 21:33 . 2001-08-18 05:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2009-07-12 21:33 . 2001-08-18 05:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2009-07-12 21:33 . 2001-08-18 05:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2009-07-12 21:33 . 2001-08-17 21:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2009-07-12 21:33 . 2001-08-17 21:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2009-07-12 21:33 . 2001-08-17 21:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2009-07-12 21:33 . 2001-08-17 21:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2009-07-12 21:33 . 2001-08-17 21:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2009-07-12 21:33 . 2001-08-17 21:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2009-07-12 21:33 . 2008-04-14 00:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2009-07-12 21:33 . 2008-04-14 00:09 6144 ----a-w- c:\windows\system32\kbd106.dll
2009-07-10 18:44 . 2009-07-10 18:44 -------- d-sh--w- c:\documents and settings\Trevor\IECompatCache
2009-07-09 22:52 . 2009-07-09 22:52 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-07-09 22:52 . 2009-07-09 22:52 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-07-09 22:51 . 2009-07-09 22:51 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-07-09 22:51 . 2009-07-09 22:51 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-07-09 22:51 . 2009-07-09 22:51 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-07-09 22:50 . 2009-07-09 22:50 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-07-09 22:50 . 2009-07-09 22:50 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-07-09 22:50 . 2009-07-09 22:50 90112 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-07-09 22:47 . 2009-07-09 22:47 724992 ----a-r- c:\windows\system32\IS3Base5.dll
2009-07-06 00:03 . 2009-07-06 00:03 -------- d--h--r- c:\documents and settings\Dad\Application Data\SecuROM
2009-07-05 16:55 . 2009-07-24 03:34 1197216 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-05 16:54 . 2009-07-06 00:03 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\Rockstar Games
2009-07-05 05:16 . 2009-02-07 01:08 55152 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-07-05 05:16 . 2009-07-05 05:16 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-07-05 05:16 . 2009-07-05 05:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-05 04:32 . 2009-07-05 04:32 -------- d-----w- c:\windows\system32\xlive
2009-07-05 04:32 . 2009-07-05 04:32 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-07-05 04:30 . 2009-07-24 03:38 -------- d-----w- c:\documents and settings\Dad\Tracing
2009-07-05 04:29 . 2009-07-05 04:29 -------- d-----w- c:\program files\Microsoft
2009-07-05 04:29 . 2009-07-05 04:29 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-07-05 04:28 . 2009-07-05 05:16 -------- d-----w- c:\program files\Windows Live
2009-07-05 04:26 . 2009-07-05 04:26 -------- d-----w- c:\program files\Common Files\Windows Live
2009-07-01 04:24 . 2009-07-01 04:24 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ATI
2009-07-01 04:21 . 2009-02-25 22:15 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-06-30 14:20 . 2009-03-09 22:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-06-30 14:20 . 2009-03-09 22:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-06-30 14:20 . 2009-03-09 22:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-06-30 14:20 . 2009-03-16 21:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-06-30 14:20 . 2009-03-16 21:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-06-30 14:20 . 2009-03-16 21:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-06-30 14:20 . 2009-03-16 21:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-06-30 03:53 . 2009-06-10 16:28 524288 ----a-w- c:\windows\1403.BIN
2009-06-30 03:49 . 2009-06-30 03:49 -------- d-----w- c:\program files\ASUS
2009-06-30 03:30 . 2008-10-16 20:53 524288 ----a-w- c:\windows\1301.BIN
2009-06-30 03:05 . 2009-06-30 03:05 -------- d-----w- C:\AsusUpdt_V71401
2009-06-28 03:22 . 2009-06-28 03:22 -------- d-----w- c:\documents and settings\Dad\Application Data\InstallShield Installation Information
2009-06-28 03:22 . 2009-06-28 03:06 331776 ----a-w- c:\documents and settings\Dad\Application Data\InstallShield Installation Information\{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}\SetupUT3.exe
2009-06-28 03:22 . 2007-10-24 11:47 4147031 ----a-w- c:\documents and settings\Dad\Application Data\InstallShield Installation Information\{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}\ISSetup.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2009-07-24 05:10 . 2009-07-24 05:10 216 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-07-24 05:04 . 2009-01-14 04:21 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\STOPzilla!
2009-07-24 02:49 . 2008-08-03 18:29 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Google Updater
2009-07-23 05:46 . 2008-07-21 13:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Lavasoft
2009-07-22 04:52 . 2008-07-21 13:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-19 14:48 . 2008-07-29 00:52 68328 ----a-w- c:\documents and settings\Trevor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-14 02:48 . 2008-07-21 01:41 68328 ----a-w- c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-05 16:53 . 2008-07-24 02:20 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-07-05 16:17 . 2008-07-21 03:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-01 04:22 . 2008-07-21 03:33 -------- d-----w- c:\program files\ATI Technologies
2009-06-28 03:07 . 2009-06-14 23:39 -------- d-----w- c:\program files\AGEIA Technologies
2009-06-16 14:36 . 2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-13 16:31 . 2009-06-13 16:30 -------- d-----w- c:\program files\iTunes
2009-06-13 16:30 . 2009-06-13 16:30 -------- d-----w- c:\program files\iPod
2009-06-13 16:30 . 2008-08-28 00:18 -------- d-----w- c:\program files\Common Files\Apple
2009-06-13 16:29 . 2008-12-25 17:19 -------- d-----w- c:\program files\QuickTime
2009-06-10 13:46 . 2008-07-21 13:40 -------- d-----w- c:\program files\Java
2009-06-10 13:45 . 2009-06-10 13:45 152576 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-05 18:42 . 2009-03-23 04:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 18:42 . 2008-08-28 00:19 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-04 02:52 . 2009-04-08 01:41 -------- d-----w- c:\documents and settings\Dad\Application Data\Move Networks
2009-06-03 19:09 . 2001-08-23 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 22:26 . 2009-06-02 22:26 726008 ----a-w- c:\documents and settings\Dad\gotomypc_438.exe
2009-05-30 20:53 . 2009-05-30 20:53 127877 ----a-w- c:\documents and settings\Dad\Application Data\Move Networks\uninstall.exe
2009-05-30 20:53 . 2009-05-01 06:30 4183416 ----a-w- c:\documents and settings\Dad\Application Data\Move Networks\plugins\npqmp071500000347.dll
2009-05-30 20:53 . 2009-05-30 20:53 1685856 ----a-w- c:\documents and settings\Dad\Application Data\Move Networks\MoveMediaPlayerWin_071500000347.exe
2009-05-21 18:33 . 2008-11-27 18:04 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-13 05:15 . 2001-08-23 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 21:13 . 2009-05-12 21:13 61328 ----a-r- c:\windows\system32\drivers\SZKG.sys
2009-05-07 15:32 . 2001-08-23 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 06:30 . 2009-05-01 06:30 97144 ----a-w- c:\documents and settings\Dad\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-06-12 05:26 . 2008-07-21 03:51 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Steam"="e:\l4d\Steam.exe" [2009-07-01 1217784]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-03 68856]
"RGSC"="e:\grand theft 4\Rockstar Games Social Club\RGSCLauncher.exe" [2009-07-05 306088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-08-15 352256]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-09-22 14854144]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\rainbow vegas\\Binaries\\R6Vegas_Game.exe"=
"f:\\rainbow vegas\\Binaries\\R6Vegas_Launcher.exe"=
"e:\\Ubisoft\\Binaries\\R6Vegas2_Game.exe"=
"e:\\Ubisoft\\Binaries\\R6Vegas2_Launcher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\TwoWorlds\\TwoWorlds.exe"=
"e:\\TwoWorlds\\TwoWorlds_RADEON.exe"=
"f:\\UT3\\Binaries\\UT3.exe"=
"f:\\cohof\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"e:\\Grand theft 4\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"e:\\Grand theft 4\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"e:\\L4D\\steamapps\\common\\left 4 dead\\left4dead.exe"=

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [7/4/2009 10:16 PM 55152]
R2 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [5/12/2009 2:13 PM 61328]
S3 Alpham;Ideazon Fang Composite Keyboard Driver;c:\windows\system32\drivers\Alpham.sys [12/4/2005 1:55 PM 34944]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SZSERVER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Verizon_McciTrayApp - c:\program files\Verizon\McciTrayApp.exe

.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
FF - ProfilePath - c:\docume~1\Dad\APPLIC~1\Mozilla\Firefox\Profiles\gg5nvc8x.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - plugin: c:\documents and settings\Dad\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-23 22:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1935655697-1844237615-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:72,34,49,15,85,88,19,e0,30,38,58,2f,69,55,39,d7,0c,80,e8,f7,81,
   78,ae,6d,0e,57,b5,56,27,30,42,dd,c1,7d,9c,1c,3c,4b,4b,84,de,b8,31,94,42,b0,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(764)
c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
.
Completion time: 2009-07-24 22:11
ComboFix-quarantined-files.txt 2009-07-24 05:11

Pre-Run: 117,600,718,848 bytes free
Post-Run: 117,632,471,040 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

232 --- E O F --- 2009-07-15 01:21