ComboFix 09-10-01.05 - drose 03/10/2009 9:11.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2302.1763 [GMT -5:00]
Running from: c:\documents and settings\drose\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\drose\Application Data\inst.exe
c:\documents and settings\drose\Local Settings\Temporary Internet Files\anti_sql_injection.txt
c:\recycler\S-1-5-21-2128966716-3756490472-2679125259-2000
c:\windows\Install.txt
c:\windows\Installer\1a6744bd.msi
c:\windows\Installer\276c4720.msi
c:\windows\Installer\d9f62.msi
c:\windows\Installer\d9f63.msi
c:\windows\Installer\WinRMSrv.msi
c:\windows\system32\Cache
c:\windows\system32\Data
c:\windows\system32\drmgs.sys
c:\windows\system32\Indt2.sys
c:\windows\system32\uninstall.exe

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-09-03 to 2009-10-03 )))))))))))))))))))))))))))))))
.
2009-10-02 02:14 . 2009-10-02 02:14 -------- d-----w- c:\documents and settings\drose\Application Data\Malwarebytes
2009-10-02 02:14 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-02 02:14 . 2009-10-02 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-02 02:14 . 2009-10-02 02:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-02 02:14 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-01 01:25 . 2009-10-02 02:56 -------- d-----w- C:\bin
2009-09-30 03:24 . 2009-09-30 03:24 -------- d-----w- c:\program files\Trend Micro
2009-09-30 03:11 . 2009-09-30 03:11 -------- d-----w- c:\program files\ERUNT
2009-09-30 02:49 . 2009-09-30 02:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-30 02:46 . 2009-10-01 01:20 -------- d-----w- C:\UBCD4Win
2009-09-30 02:02 . 2009-09-30 02:02 -------- d-----w- c:\program files\Photocopier
2009-09-30 02:02 . 2002-01-22 03:10 122880 ----a-w- c:\windows\system32\TWNLIB3.DLL
2009-09-30 02:02 . 2001-11-28 00:27 210200 ----a-w- c:\windows\system32\TWNPRO3.DLL
2009-09-30 01:58 . 2009-10-03 12:53 0 ----a-r- c:\windows\win32k.sys
2009-09-30 01:53 . 2009-09-30 01:55 -------- d-----w- c:\program files\CopyNook
2009-09-27 13:54 . 2009-09-27 13:54 -------- d-----w- c:\program files\Cisco
2009-09-27 13:52 . 2009-09-27 13:52 -------- d-----w- c:\documents and settings\drose\Local Settings\Application Data\Cisco
2009-09-12 01:40 . 2009-09-12 02:07 -------- d-----w- C:\UBCD4Win_old
2009-09-09 17:34 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-01 01:51 . 2007-12-23 18:20 -------- d-----w- c:\program files\Registry Clean Expert
2009-10-01 01:31 . 2004-12-07 03:51 159472 ----a-w- c:\documents and settings\drose\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-01 01:21 . 2004-12-07 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-30 01:38 . 2006-05-24 00:59 -------- d-----w- c:\documents and settings\drose\Application Data\uTorrent
2009-09-27 13:55 . 2007-06-11 00:02 -------- d-----w- c:\program files\Cisco Systems
2009-09-27 13:52 . 2009-04-10 01:56 -------- d-----w- c:\documents and settings\drose\Application Data\Cisco
2009-09-26 02:05 . 2007-12-05 18:52 -------- d-----w- c:\documents and settings\drose\Application Data\MySQL
2009-09-24 01:09 . 2005-12-23 01:49 2644 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-10 08:01 . 2004-12-29 15:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-10 01:45 . 2009-06-28 18:47 -------- d-----w- c:\program files\PKR
2009-09-04 22:32 . 2004-12-07 04:47 -------- d-----w- c:\program files\Google
2009-09-04 11:33 . 2008-03-31 11:36 -------- d-----w- c:\program files\MythTv Player
2009-08-28 14:56 . 2009-04-25 20:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 14:56 . 2009-04-25 20:34 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 14:56 . 2009-04-25 20:34 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-18 02:42 . 2005-03-04 02:50 -------- d-----w- c:\program files\Java
2009-08-12 01:40 . 2009-08-12 01:40 -------- d-----w- c:\program files\CPUID
2009-08-11 04:16 . 2005-04-24 01:52 -------- d-----w- c:\program files\mIRC
2009-08-07 00:24 . 2004-08-03 20:02 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-03 19:59 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-03 19:59 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2004-12-07 02:38 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2002-08-29 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-03 20:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2004-12-07 02:38 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2002-08-29 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 10:23 . 2009-04-25 19:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 08:00 . 2009-07-15 08:00 229208 ----a-w- c:\windows\system32\drivers\VMM.sys
2009-07-14 04:43 . 2004-08-04 07:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2007-11-08 20:40 . 2007-11-08 20:40 851968 ----a-w- c:\program files\internet explorer\plugins\libeay32.dll
2007-11-08 20:40 . 2007-11-08 20:40 348160 ----a-w- c:\program files\internet explorer\plugins\msvcr71.dll
2007-11-08 20:40 . 2007-11-08 20:40 950272 ----a-w- c:\program files\internet explorer\plugins\quickMksAx.dll
2007-11-08 20:40 . 2007-11-08 20:40 159744 ----a-w- c:\program files\internet explorer\plugins\ssleay32.dll
2007-11-08 20:39 . 2008-01-12 23:13 827392 ----a-w- c:\program files\mozilla firefox\plugins\libeay32.dll
2007-11-08 20:39 . 2008-01-12 23:13 159744 ----a-w- c:\program files\mozilla firefox\plugins\ssleay32.dll
2008-04-23 01:35 . 2008-04-23 01:35 24 --sh--w- c:\windows\SD6ADDA38.tmp
2008-06-03 04:46 . 2008-06-03 04:46 2 --shatr- c:\windows\winstart.bat
2006-01-30 01:27 . 2005-12-12 01:04 56 --sh--r- c:\windows\system32\06CE8E7C8B.sys
2004-12-29 20:09 . 2004-12-29 20:09 56 --sh--r- c:\windows\system32\B32A7E584E.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-05 68856]
"COMMUNICATOR"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-07-23 5803368]
"Google Update"="c:\documents and settings\drose\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-22 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"CTSysVol"="c:\program files\Creative\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-28 2007832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-12-26 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{F3C1DE9E-5E16-4BA9-B854-7B53A45E3579}\Icon3E5562ED7.ico [2009-4-9 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 14:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^drose^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\drose\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)
"usnjsvc"=3 (0x3)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"PDSched"=2 (0x2)
"PDEngine"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\in\\utorrent-1.8.exe"=
"c:\\Documents and Settings\\drose\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\drose\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [25/04/2009 3:34 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [25/04/2009 3:34 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [25/04/2009 3:33 PM 297752]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [08/10/2007 5:33 PM 2368]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [17/06/2009 3:17 PM 434864]
R3 QCAbsee;Logitech QuickCam Web(PID_0801);c:\windows\system32\drivers\lvca.sys [10/03/2005 9:40 PM 31232]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S2 gupdate1c9c8cfbf3b8d0a;Google Update Service (gupdate1c9c8cfbf3b8d0a);c:\program files\Google\Update\GoogleUpdate.exe [29/04/2009 8:38 AM 133104]
S2 WF23880;WinFast TV2000/DV2000 WDM Video Capture.;c:\windows\system32\drivers\wf88vcap.sys --> c:\windows\system32\drivers\wf88vcap.sys [?]
S2 WF88XBAR;WinFast TV2000/DV2000 WDM Crossbar.;c:\windows\system32\drivers\WF88XBAR.sys --> c:\windows\system32\drivers\WF88XBAR.sys [?]
S2 WFTUNE;WinFast TV2000/DV2000 WDM Tuner.;c:\windows\system32\drivers\WF88TUNE.sys --> c:\windows\system32\drivers\WF88TUNE.sys [?]
S3 ACCSKMD;Canon Camera Storage Device;c:\windows\system32\drivers\accskmd.sys [13/05/2003 9:50 PM 32640]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [11/08/2009 8:40 PM 12672]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\DRIVERS\CSVirtA.sys --> c:\windows\system32\DRIVERS\CSVirtA.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [06/11/2007 3:22 PM 34064]
S3 PinnacleMarvinAVS;Pinnacle AVStream Service for MovieBox Deluxe, 500-USB and 700-USB;c:\windows\system32\drivers\MarvinAVS.sys [07/01/2009 9:42 PM 434176]
S3 RemoteControl-USBLAN;RemoteControl-USBLAN;c:\windows\system32\DRIVERS\rcblan.sys --> c:\windows\system32\DRIVERS\rcblan.sys [?]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [01/10/2006 7:37 AM 26624]
S3 WFIOCTL;WFIOCTL;\??\c:\program files\WinFast\WFTVFM\WFIOCTL.SYS --> c:\program files\WinFast\WFTVFM\WFIOCTL.SYS [?]
S4 PDSched;PDScheduler;c:\program files\Raxco\PerfectDisk\PDSched.exe [21/07/2004 9:21 AM 200771]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-29 13:38]

2009-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-29 13:38]

2009-09-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-688789844-839522115-1003Core.job
- c:\documents and settings\drose\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-22 01:00]

2009-10-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-688789844-839522115-1003UA.job
- c:\documents and settings\drose\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-22 01:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://weatheroffice.ec.gc.ca/city/pages/mb-38_metric_e.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: vantagemedia.com\vpn
Trusted Zone: vm.local
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0DA69429-A757-4D6F-A827-DB1AF052DDAF} - hxxps://mytbb.primus.ca/webportal/plugins/VA.cab
DPF: {2D0CBE69-DAFC-11D3-96D2-0020182E2E27} - hxxp://itanium2.dialcom.com/videoskype/spontania4skype083.cab
DPF: {338095E4-1806-4BA3-AB51-38A3179200E9} - hxxps://vsh11.vm.local/ui/plugin/vmware-vmrc-win32-x86.cab
DPF: {43E4476A-6C11-4274-AFA4-DF665B26EAE0} - hxxps://webprd21-drac.vmc.local/plugins/vkvm/ActiveXVideoViewer.cab
DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} - hxxp://sametime.ceridian.ca/sametime/stmeetingroomclient/STJNILoader.cab
DPF: {B2FC031D-8C74-46AE-8042-BCF4FC03C1EF} - hxxp://hpqc.vm.local/sabin/Spider91.cab
DPF: {CC49479E-93A8-455E-959A-C49BE895D87C} - hxxps://mytbb.primus.ca/webportal/plugins/VMPlayer.cab
DPF: {CCA1618B-7D6E-4432-8FA4-3E01A1AD78A8} - hxxps://dw01-drac.vm.local/plugins/vm/rac5vm.cab
DPF: {DC120706-9372-4B2E-AD15-F2135F51F30A} - hxxps://bb01-drac.vm.local/plugins/vkvm/ActiveXVideoViewer.cab
FF - ProfilePath - c:\documents and settings\drose\Application Data\Mozilla\Firefox\Profiles\g9woyp9f.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.drcs.ca/mythweb/|https://www.google.com/hosted/drcs.ca/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fhosted%2Fdrcs.ca%2F&ltmpl=yj_blanco&ltmplcache=2|http://weatheroffice.ec.gc.ca/city/pages/mb-38_metric_e.html
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\documents and settings\drose\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\drose\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPFxViewer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmks.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Notify-ckpNotify - (no file)
AddRemove-{3CB05291-F546-458E-A796-B5BCF5A3CDC4} - c:\program files\InstallShield Installation Information\{3CB05291-F546-458E-A796-B5BCF5A3CDC4}\Setup2.exeiles\InstallShield Installation Information\{3CB05291-F546-458E-A796-B5BCF5A3CDC4}\Setup.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-03 09:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1957994488-688789844-839522115-1003\Software\SecuROM\License information*]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"MaximumPlugins"=dword:0000001d
"MtuAdjustment"=dword:00000000
"PacketPoolSize"=dword:00000300
"FragmentPoolSize"=dword:00000600
"FilterAttachLimit"=dword:00004e20
"VerifyBindings"=dword:00000001
"LockBinding"=dword:00000000
"MtuAdjustmentWan"=dword:00000000
"ForcePluginDetach"=dword:00000000
"DisableTaskOffload"=dword:00000000
"IndicatePacket"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1380)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3436)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP\smarthook.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\searchindexer.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\documents and settings\drose\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
.
**************************************************************************
.
Completion time: 2009-10-03 9:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-03 14:25

Pre-Run: 31,278,014,464 bytes free
Post-Run: 31,143,260,160 bytes free

363 --- E O F --- 2009-09-10 08:05