ComboFix 09-09-18.02 - DYS Administrator 09/20/2009 17:47.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2000.1518 [GMT -4:00]
Running from: c:\documents and settings\DYS Administrator\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\jestertb.dll

.
((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))
.

2009-09-20 21:07 . 2009-09-20 21:07 -------- d-----w- c:\program files\Trend Micro
2009-09-14 21:27 . 2009-09-14 21:27 -------- d-----w- c:\program files\StorageSync
2009-09-14 21:20 . 2009-09-14 21:20 -------- d-----w- C:\Win98 Driver
2009-09-14 19:10 . 2009-09-20 20:32 -------- d-----w- c:\windows\system32\NtmsData
2009-09-09 00:31 . 2009-09-09 00:31 -------- d-----w- c:\documents and settings\DYS Administrator\Application Data\AVG8
2009-09-02 12:41 . 2009-09-02 12:41 -------- d-----w- c:\documents and settings\DYS Administrator\Application Data\U3
2009-08-31 16:54 . 2009-03-19 20:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-31 16:54 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-08-31 16:54 . 2009-08-31 16:54 -------- d-----w- c:\program files\iPod
2009-08-31 16:54 . 2009-08-31 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-31 16:54 . 2009-08-31 16:54 -------- d-----w- c:\program files\iTunes
2009-08-31 16:54 . 2009-08-31 16:54 -------- d-----w- c:\program files\Bonjour
2009-08-31 16:54 . 2009-07-09 16:16 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-31 16:54 . 2009-07-09 16:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-31 16:54 . 2009-08-31 16:54 -------- d-----w- c:\program files\Common Files\Apple
2009-08-31 13:47 . 2009-08-31 13:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-08-31 13:30 . 2009-08-31 13:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-08-31 13:30 . 2009-08-31 13:30 -------- d-----w- c:\documents and settings\DYS Administrator\Local Settings\Application Data\Google
2009-08-31 13:29 . 2009-08-31 13:30 -------- d-----w- c:\program files\Google
2009-08-31 13:29 . 2009-08-31 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-31 13:17 . 2009-08-31 13:19 -------- d-----w- c:\windows\system32\Adobe
2009-08-28 20:58 . 2009-08-28 20:58 -------- d-----w- c:\windows\Sun
2009-08-28 12:37 . 2009-08-28 12:37 -------- d-----w- c:\program files\Photo Story 3 for Windows
2009-08-28 12:30 . 2009-08-28 12:30 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-27 13:15 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-08-26 19:26 . 2009-07-25 09:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-26 19:26 . 2009-09-03 00:45 -------- d-----w- c:\program files\Java
2009-08-24 15:37 . 2008-04-14 04:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-08-24 15:37 . 2008-04-14 04:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-08-23 23:50 . 2009-08-23 23:50 -------- d-----w- c:\program files\Common Files\Skype
2009-08-23 23:22 . 2009-08-23 23:22 -------- d-----w- c:\documents and settings\DYS Administrator\Local Settings\Application Data\WMTools Downloaded Files
2009-08-23 18:13 . 2009-08-23 18:13 -------- d-----w- c:\program files\FLV Player
2009-08-22 01:40 . 2009-08-22 01:40 -------- d-----w- c:\documents and settings\DYS Staff\Application Data\PFU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 21:37 . 2009-07-16 21:58 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-08-31 16:54 . 2009-08-17 21:25 -------- d-----w- c:\documents and settings\DYS Administrator\Application Data\Apple Computer
2009-08-29 13:26 . 2009-08-17 21:24 -------- d-----w- c:\program files\QuickTime
2009-08-28 19:06 . 2009-08-18 15:02 180057 ----a-w- c:\windows\hpwins14.dat
2009-08-26 00:48 . 2009-08-20 20:06 -------- d-----w- c:\program files\AVS4YOU
2009-08-26 00:48 . 2009-08-20 20:07 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-08-25 19:08 . 2009-07-30 19:57 -------- d-----w- c:\documents and settings\DYS Administrator\Application Data\Skype
2009-08-25 12:11 . 2009-07-30 19:58 -------- d-----w- c:\documents and settings\DYS Administrator\Application Data\skypePM
2009-08-23 23:50 . 2009-07-16 22:00 -------- d-----r- c:\program files\Skype
2009-08-23 23:50 . 2009-07-16 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-20 20:09 . 2009-08-20 20:09 -------- d-----w- c:\documents and settings\DYS Administrator\Application Data\AVS4YOU
2009-08-20 20:09 . 2009-08-20 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-08-20 17:30 . 2009-07-16 22:15 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-20 17:29 . 2009-08-20 17:29 -------- d-----w- c:\documents and settings\DYS Administrator\Application Data\Fujitsu
2009-08-20 17:24 . 2009-08-20 17:19 -------- d-----w- c:\documents and settings\DYS Administrator\Application Data\PFU
2009-08-20 17:19 . 2009-08-20 17:14 -------- d-----w- c:\program files\Common Files\PFU
2009-08-20 17:19 . 2009-07-16 21:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-20 17:13 . 2009-08-20 17:13 -------- d-----w- c:\program files\PFU
2009-08-20 17:13 . 2009-08-20 17:13 -------- d-----w- c:\documents and settings\DYS Administrator\Application Data\InstallShield
2009-08-20 17:09 . 2009-08-20 17:09 -------- d-----w- c:\documents and settings\DYS Administrator\Application Data\Leadertech
2009-08-18 15:12 . 2009-08-18 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-08-18 15:11 . 2009-08-18 15:11 -------- d-----w- c:\program files\Common Files\HP
2009-08-18 15:11 . 2009-08-18 15:11 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-08-18 15:11 . 2009-08-18 15:11 -------- d-----w- c:\program files\Hewlett-Packard
2009-08-18 15:10 . 2009-08-18 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-08-18 15:06 . 2009-08-18 15:06 -------- d-----w- c:\program files\HP
2009-08-18 14:07 . 2009-08-18 14:01 -------- d-----w- c:\program files\Common Files\eSellerate
2009-08-18 14:02 . 2009-08-18 14:02 -------- d-----w- c:\documents and settings\DYS Administrator\Application Data\Memeo
2009-08-18 14:01 . 2009-08-18 14:01 -------- d-----w- c:\program files\Western Digital
2009-08-18 14:01 . 2009-08-18 14:01 -------- d-----w- c:\program files\Western Digital Corporation
2009-08-17 21:24 . 2009-08-17 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-17 21:23 . 2009-08-17 21:23 -------- d-----w- c:\program files\Apple Software Update
2009-08-17 21:23 . 2009-08-17 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-07 12:47 . 2009-08-07 12:47 -------- d-----w- c:\documents and settings\DYS Staff\Application Data\Skype
2009-08-05 09:01 . 2008-04-14 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 16:15 . 2009-07-31 16:15 -------- d-----w- c:\documents and settings\DYS Administrator\Application Data\Talkback
2009-07-30 21:16 . 2009-07-30 21:16 -------- d-----w- c:\documents and settings\DYS Administrator\Application Data\SecondLife
2009-07-30 19:58 . 2009-07-30 19:58 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-30 18:14 . 2009-07-30 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith
2009-07-30 18:14 . 2009-07-30 18:11 -------- d-----w- c:\program files\TechSmith
2009-07-30 18:13 . 2009-07-30 18:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-30 18:11 . 2009-07-30 18:11 -------- d-----w- c:\program files\Common Files\TechSmith Shared
2009-07-30 14:29 . 2009-07-30 14:29 -------- d-----w- c:\documents and settings\DYS Administrator\Application Data\Thunderbird
2009-07-30 14:28 . 2009-07-30 14:28 46056 ----a-w- c:\documents and settings\DYS Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-27 23:04 . 2009-07-27 23:04 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-27 22:09 . 2009-07-27 22:09 -------- d-----w- c:\documents and settings\DYS Staff\Application Data\Thunderbird
2009-07-27 18:36 . 2009-07-27 18:36 46056 ----a-w- c:\documents and settings\DYS Staff\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-21 06:52 . 2009-07-21 06:52 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-07-21 06:52 . 2009-07-21 06:52 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-07-17 19:01 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 15:03 . 2009-07-16 20:27 46056 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-17 15:03 . 2009-07-16 20:13 46056 ----a-w- c:\documents and settings\DYS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-16 21:58 . 2009-07-16 21:58 0 ----a-w- c:\windows\nsreg.dat
2009-07-15 15:44 . 2009-07-15 15:44 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-07-03 17:09 . 2008-04-14 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-04-14 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-04-14 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2008-04-14 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2008-04-14 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-03-21 14:06 . 2008-04-14 12:00 162155 --sha-r- c:\windows\system32\hzsjzy.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-31 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-15 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-15 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-15 150040]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-11-19 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-08-27 471040]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-25 2220032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"StrgSync.exe"="c:\program files\StorageSync\StrgSync.exe" [2005-10-08 3032576]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Conversion to PDF with ScanSnap Organizer.lnk - c:\program files\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe [2009-8-20 24576]
FOGTray.exe.lnk - c:\windows\Installer\{51250BB7-F5E5-4A3C-B322-A9D2899C18BD}\_C25BE279FDDD602A651DDD.exe [2009-7-16 10134]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2009-8-20 1159168]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Photo Story 3 for Windows\\PhotoStory3.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3194:TCP"= 3194:TCP:xheaomi

R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [1/22/2009 1:19 PM 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [1/22/2009 1:19 PM 20840]
R2 Fog Service;FOG Service;c:\program files\FOG\FOGService.exe [9/11/2008 9:39 AM 24576]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [7/16/2009 5:45 PM 112128]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [7/16/2009 5:36 PM 32808]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [7/16/2009 4:02 PM 244368]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [7/16/2009 5:42 PM 110080]
R3 OA001Afx;Provides a software interface to control audio effects of OA001 camera.;c:\windows\system32\drivers\OA001Afx.sys [7/16/2009 5:46 PM 148056]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [7/16/2009 5:46 PM 144672]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [7/16/2009 5:46 PM 277440]
S0 cerc6;cerc6; [x]
S2 gupdate1ca2a3f39db6ece;Google Update Service (gupdate1ca2a3f39db6ece);c:\program files\Google\Update\GoogleUpdate.exe [8/31/2009 9:30 AM 133104]
S2 xvbkkkkpt;Boot Monitor;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 8:00 AM 14336]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [7/16/2009 6:10 PM 66056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xvbkkkkpt

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-31 13:29]

2009-09-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-31 13:30]

2009-09-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-31 13:30]

2009-08-31 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-08-31 13:17]

2009-09-20 c:\windows\Tasks\User_Feed_Synchronization-{EB5C220C-E74F-4BD5-B518-93817EF361CF}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {89242969-422B-46BF-B0D5-6A7B7DC4D0E0} - file:///C:/Documents%20and%20Settings/DYS%20Administrator/My%20Documents/Downloads/SimpleShare_NASFinder/NASFinder-050809/html/nafcom.cab
FF - ProfilePath - c:\documents and settings\DYS Administrator\Application Data\Mozilla\Firefox\Profiles\wo568rxg.default\
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-20 17:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\DYSADM~1\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xvbkkkkpt]
"ServiceDll"="c:\windows\system32\hzsjzy.dll"
.
Completion time: 2009-09-20 17:52
ComboFix-quarantined-files.txt 2009-09-20 21:52

Pre-Run: 63,547,052,032 bytes free
Post-Run: 63,644,405,760 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

228 --- E O F --- 2009-08-16 17:53