ComboFix 09-11-07.02 - Owner 11/07/2009 14:48.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.466 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\INSTALL.LOG
c:\program files\QUAD Utilities
c:\recycler\S-1-5-21-3439069515-923161970-3086684005-1003
c:\recycler\S-1-5-21-417589418-2803876157-246302942-1003
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\desktop
c:\windows\desktop\EZTOUCH\_INST32I.EX_
c:\windows\desktop\EZTOUCH\_ISDEL.EXE
c:\windows\desktop\EZTOUCH\_SETUP.DLL
c:\windows\desktop\EZTOUCH\_SETUP.LIB
c:\windows\desktop\EZTOUCH\DATA.1
c:\windows\desktop\EZTOUCH\DATA.2
c:\windows\desktop\EZTOUCH\DATA.3
c:\windows\desktop\EZTOUCH\DISK1.ID
c:\windows\desktop\EZTOUCH\DISK2.ID
c:\windows\desktop\EZTOUCH\DISK3.ID
c:\windows\desktop\EZTOUCH\SETUP.EXE
c:\windows\desktop\EZTOUCH\SETUP.INI
c:\windows\desktop\EZTOUCH\SETUP.INS
c:\windows\desktop\EZTOUCH\SETUP.PKG
c:\windows\desktop\EZTOUCH\SETUPCHK.EXE
c:\windows\desktop\EZTOUCH\SETUPCHK.INI
c:\windows\system32\_003361_.tmp.dll
c:\windows\system32\_003362_.tmp.dll
c:\windows\system32\_003363_.tmp.dll
c:\windows\system32\_003364_.tmp.dll
c:\windows\system32\_003368_.tmp.dll
c:\windows\system32\_003369_.tmp.dll
c:\windows\system32\_003370_.tmp.dll
c:\windows\system32\_003371_.tmp.dll
c:\windows\system32\_003372_.tmp.dll
c:\windows\system32\_003373_.tmp.dll
c:\windows\system32\_003374_.tmp.dll
c:\windows\system32\_003375_.tmp.dll
c:\windows\system32\_003376_.tmp.dll
c:\windows\system32\_003377_.tmp.dll
c:\windows\system32\_003380_.tmp.dll
c:\windows\system32\_003381_.tmp.dll
c:\windows\system32\_003383_.tmp.dll
c:\windows\system32\_003384_.tmp.dll
c:\windows\system32\_003385_.tmp.dll
c:\windows\system32\_003387_.tmp.dll
c:\windows\system32\_003388_.tmp.dll
c:\windows\system32\_003390_.tmp.dll
c:\windows\system32\_003391_.tmp.dll
c:\windows\system32\_003393_.tmp.dll
c:\windows\system32\_003394_.tmp.dll
c:\windows\system32\_003395_.tmp.dll
c:\windows\system32\_003396_.tmp.dll
c:\windows\system32\_003397_.tmp.dll
c:\windows\system32\_003398_.tmp.dll
c:\windows\system32\_003399_.tmp.dll
c:\windows\system32\_003401_.tmp.dll
c:\windows\system32\_003402_.tmp.dll
c:\windows\system32\_003403_.tmp.dll
c:\windows\system32\_003404_.tmp.dll
c:\windows\system32\_003405_.tmp.dll
c:\windows\system32\_003406_.tmp.dll
c:\windows\system32\_003407_.tmp.dll
c:\windows\system32\_003408_.tmp.dll
c:\windows\system32\_003410_.tmp.dll
c:\windows\system32\_003411_.tmp.dll
c:\windows\system32\_003412_.tmp.dll
c:\windows\system32\_003413_.tmp.dll
c:\windows\system32\_003414_.tmp.dll
c:\windows\system32\_003416_.tmp.dll
c:\windows\system32\_003417_.tmp.dll
c:\windows\system32\_003419_.tmp.dll
c:\windows\system32\_003420_.tmp.dll
c:\windows\system32\_003421_.tmp.dll
c:\windows\system32\_003422_.tmp.dll
c:\windows\system32\_003423_.tmp.dll
c:\windows\system32\_003424_.tmp.dll
c:\windows\system32\_003426_.tmp.dll
c:\windows\system32\_003429_.tmp.dll
c:\windows\system32\_003430_.tmp.dll
c:\windows\system32\_003434_.tmp.dll
c:\windows\system32\_003435_.tmp.dll
c:\windows\system32\_003437_.tmp.dll
c:\windows\system32\_003440_.tmp.dll
c:\windows\system32\_003442_.tmp.dll
c:\windows\system32\_003443_.tmp.dll
c:\windows\system32\_003444_.tmp.dll
c:\windows\system32\_003445_.tmp.dll
c:\windows\system32\_003448_.tmp.dll
c:\windows\system32\_003449_.tmp.dll
c:\windows\system32\_003450_.tmp.dll
c:\windows\system32\_003451_.tmp.dll
c:\windows\system32\_003452_.tmp.dll
c:\windows\system32\_003457_.tmp.dll
c:\windows\system32\_003459_.tmp.dll
c:\windows\system32\2287865271.dat
D:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.
2009-11-04 15:53 . 2009-11-04 15:53 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-04 15:52 . 2009-11-04 15:52 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-10-30 19:37 . 2009-10-30 19:37 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-30 19:37 . 2009-10-30 19:37 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-10-30 19:37 . 2009-10-30 19:37 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2009-10-30 19:37 . 2009-10-30 19:37 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-10-30 19:36 . 2009-10-30 19:36 212480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2009-10-30 19:36 . 2009-10-30 19:36 283944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Vipre.dll
2009-10-30 19:36 . 2009-10-30 19:36 1223976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2009-10-30 19:36 . 2009-10-30 19:36 242984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2009-10-30 19:36 . 2009-10-30 19:36 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-10-29 12:48 . 2009-10-29 12:48 -------- d-----w- c:\program files\Trend Micro
2009-10-29 12:34 . 2009-10-11 10:17 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-29 12:33 . 2009-10-29 12:33 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-29 02:55 . 2009-10-29 15:16 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-10-29 02:53 . 2009-10-29 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-29 02:53 . 2009-10-29 02:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-29 02:53 . 2009-10-29 02:53 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-10-29 02:53 . 2009-10-29 02:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-29 00:49 . 2009-10-29 00:49 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-10-29 00:49 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 00:49 . 2009-10-29 00:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 00:49 . 2009-10-29 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-29 00:49 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 18:15 . 2006-06-04 02:29 48640 ----a-w- c:\windows\system32\hpzll4pi.dll
2009-10-28 18:13 . 2006-03-04 02:03 282680 ----a-w- c:\windows\system32\HPZidr12.dll
2009-10-28 18:13 . 2006-03-04 02:03 65536 ----a-w- c:\windows\system32\HPZinw12.exe
2009-10-28 18:13 . 2006-03-04 02:03 69632 ----a-w- c:\windows\system32\HPZipm12.exe
2009-10-28 18:13 . 2006-03-04 02:02 204800 ----a-w- c:\windows\system32\HPZipr12.dll
2009-10-28 18:13 . 2006-03-04 02:02 94208 ----a-w- c:\windows\system32\HPZipt12.dll
2009-10-28 18:13 . 2006-03-04 02:02 57344 ----a-w- c:\windows\system32\HPZisn12.dll
2009-10-28 18:11 . 2009-10-28 18:20 124152 ----a-w- c:\windows\HPHins12.dat
2009-10-28 18:11 . 2006-07-07 05:42 14916 ------w- c:\windows\hphmdl12.dat
2009-10-28 18:07 . 2006-06-22 03:03 56 ----a-w- C:\ut9x.bat
2009-10-28 18:07 . 2006-06-19 21:08 54 ----a-w- C:\ut.bat
2009-10-27 21:26 . 2009-10-27 21:26 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
2009-10-27 20:35 . 2009-10-27 20:35 -------- d-----w- c:\program files\CCleaner
2009-10-27 16:15 . 2009-10-27 16:15 456680 ----a-w- c:\windows\system32\AppHardT.dll
2009-10-25 02:03 . 2009-10-25 02:03 -------- d-----w- c:\program files\Abexo
2009-10-24 02:09 . 2009-09-03 09:17 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-24 00:37 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-24 00:37 . 2009-10-24 00:37 -------- dc----w- c:\windows\system32\DRVSTORE
2009-10-24 00:36 . 2009-10-30 19:37 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-10-24 00:36 . 2009-10-30 19:37 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-10-24 00:36 . 2009-10-30 19:37 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-10-24 00:36 . 2009-10-30 19:36 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-10-24 00:36 . 2009-10-30 19:36 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-10-24 00:36 . 2009-10-30 19:36 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-10-24 00:36 . 2009-10-30 19:36 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-10-24 00:34 . 2009-10-30 19:36 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-10-24 00:34 . 2009-10-30 19:36 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-10-24 00:34 . 2009-10-30 19:36 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-10-24 00:34 . 2009-10-30 19:36 640608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-10-24 00:34 . 2009-10-30 19:35 815760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-10-24 00:34 . 2009-10-30 19:35 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-10-24 00:34 . 2009-10-30 19:34 1638104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-10-24 00:34 . 2009-10-30 19:34 788368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-10-24 00:34 . 2009-10-30 19:34 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-10-24 00:30 . 2009-10-24 00:31 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-24 00:30 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-10-24 00:30 . 2009-10-24 00:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-23 23:46 . 2009-10-23 23:46 -------- d-----w- c:\documents and settings\Owner\Downloads
2009-10-10 16:13 . 2009-11-07 20:14 -------- d-----w- c:\documents and settings\Owner\Application Data\#ISW.FS#
2009-10-10 15:33 . 2009-03-17 19:57 38200 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-09 18:16 . 2009-10-09 18:16 -------- d-----w- c:\program files\SonicWallES
2009-10-09 18:10 . 2009-10-09 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky SDK
2009-10-09 18:05 . 2009-10-09 18:16 -------- d-----w- c:\documents and settings\Owner\Application Data\MailFrontier
2009-10-09 18:05 . 2009-10-23 23:48 -------- d-----w- c:\documents and settings\Owner\Application Data\CheckPoint
2009-10-09 17:58 . 2009-11-07 22:38 144 ----a-w- c:\windows\system32\pdfl.dat
2009-10-09 17:58 . 2009-10-09 17:58 80 ----a-w- c:\windows\system32\ibfl.dat
2009-10-09 17:58 . 2009-10-09 17:58 144 ----a-w- c:\windows\system32\lkfl.dat
2009-10-09 17:58 . 2009-10-09 17:58 -------- d-----w- c:\program files\CheckPoint
2009-10-09 17:58 . 2009-11-07 14:43 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-10-09 17:58 . 2009-08-27 02:09 72584 ----a-w- c:\windows\zllsputility.exe
2009-10-09 17:57 . 2009-08-27 02:08 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-10-09 17:57 . 2009-08-27 02:08 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-10-09 17:57 . 2009-10-10 12:22 -------- d-----w- c:\windows\system32\ZoneLabs
2009-10-09 17:57 . 2009-08-27 02:08 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-10-09 17:57 . 2009-10-09 17:57 -------- d-----w- c:\program files\Zone Labs
2009-10-09 17:56 . 2009-11-07 22:39 -------- d-----w- c:\windows\Internet Logs
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-07 14:25 . 2009-11-07 14:26 101376 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2009-11-05 16:06 . 2009-11-05 16:10 315904 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2009-11-05 11:50 . 2009-10-26 15:50 6701711 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-11-04 15:54 . 2005-12-04 15:01 -------- d-----w- c:\program files\Java
2009-11-02 20:09 . 2006-02-20 16:46 -------- d-----w- c:\documents and settings\Owner\Application Data\WeatherBug
2009-11-02 19:16 . 2007-03-27 19:53 -------- d-----w- c:\documents and settings\Owner\Application Data\Wal-Mart Digital Photo Manager
2009-11-02 19:15 . 2009-01-14 21:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Image Zone Express
2009-11-02 13:37 . 2009-11-02 13:38 4753408 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2009-10-29 11:02 . 2009-10-29 11:03 2197504 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2009-10-29 01:12 . 2009-10-29 01:13 2193920 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2009-10-28 18:20 . 2007-03-27 00:01 -------- d-----w- c:\program files\HP
2009-10-28 18:18 . 2007-03-27 00:01 -------- d-----w- c:\program files\Common Files\HP
2009-10-28 18:17 . 2005-12-18 22:24 -------- d-----w- c:\program files\Hewlett-Packard
2009-10-27 20:22 . 2009-10-27 20:23 3618304 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2009-10-27 19:39 . 2009-06-25 18:46 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-10-27 19:26 . 2009-10-27 19:27 2139136 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2009-10-27 19:26 . 2009-10-27 19:27 4103680 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2009-10-27 18:26 . 2009-10-27 18:27 2137088 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-10-24 00:40 . 2009-10-24 00:41 1919488 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-10-24 00:40 . 2009-10-24 00:41 1005568 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-10-24 00:30 . 2007-05-22 14:00 -------- d-----w- c:\program files\Lavasoft
2009-10-15 08:32 . 2009-10-15 08:33 382976 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-10-10 15:27 . 2007-10-19 21:33 -------- d-----w- c:\program files\Norman
2009-10-10 15:27 . 2007-10-20 21:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Norman
2009-10-09 20:59 . 2008-04-20 13:48 -------- d-----w- c:\documents and settings\Owner\Application Data\Webroot
2009-10-09 20:59 . 2008-04-20 13:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-09-11 14:18 . 2009-02-04 18:27 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 08:14 . 2009-05-20 20:59 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 21:03 . 2005-03-23 16:52 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2005-03-23 16:53 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2005-03-23 16:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2005-03-23 16:52 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2005-03-23 16:53 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 20:09 . 2009-08-20 20:09 1193832 ----a-w- c:\windows\system32\FM20.DLL
2004-08-04 19:00 . 2005-03-23 16:52 94784 --sh--w- c:\windows\twain.dll
2005-10-16 22:49 . 2005-10-16 22:49 0 --sha-w- c:\windows\SMINST\HPCD.sys
2008-04-14 00:12 . 2009-02-04 18:27 551936 --sh--w- c:\windows\system32\oleaut32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-02-09 20:06 764296 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-01-06 1343488]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-17 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-08-27 1011080]
"Ulead AutoDetector"="c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-02-27 45056]
"FlashIcon"="c:\program files\Generic\USB Card Reader Driver v2.3\FlashIcon.exe" [2004-11-26 40960]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-18 339968]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-12-01 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^CacheSentry.lnk]
backup=c:\windows\pss\CacheSentry.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDSwitchAgent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/23/2009 6:37 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 8:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 8:24 PM 74480]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [8/26/2009 10:20 AM 25208]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [8/26/2009 10:20 AM 435568]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [4/20/2008 9:19 AM 598856]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [8/26/2009 10:20 AM 35448]
S2 gupdate1c9eee484c01aca;Google Update Service (gupdate1c9eee484c01aca);c:\program files\Google\Update\GoogleUpdate.exe [6/16/2009 6:39 PM 133104]
S3 filter;filter;c:\windows\system32\drivers\filter.sys [11/26/2004 12:32 AM 8832]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 5:17 AM 1179232]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 8:24 PM 7408]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 6:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 1:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 6:28 PM 369688]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 19:35]

2009-11-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 20:42]

2009-11-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-17 00:33]

2009-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-17 00:38]

2009-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-17 00:38]

2009-11-07 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-02-09 20:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
Trusted Zone: turbotax.com
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-IPC Configuration Utility - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 16:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'lsass.exe'(692)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'explorer.exe'(2536)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'csrss.exe'(608)
c:\program files\CheckPoint\ZAForceField\AK\akconsole.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\mnmsrvc.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-07 16:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-07 22:54

Pre-Run: 62,994,071,552 bytes free
Post-Run: 62,924,554,240 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - D315201FD6B195437F1CAA617E3C6BEE
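Added triage example (not part of the posted log, and not ComboFix's own code): a small Python script that walks a ComboFix log in the format above and pulls out the entries a helper would react to first: the AV/FW product lines flagged as disabled in the header, the "Infected copy of ... was found and disinfected" line for the system driver, and the registry loading points that silence Security Center or switch the firewall off. The sample input is constructed from lines of this log; which registry values count as "weakened" is my own rule set, not a classification ComboFix makes.

```python
"""Pull the security-relevant findings out of a ComboFix log."""
import re

# Constructed sample input: lines copied from the ComboFix log above,
# in ComboFix's own output format.
SAMPLE_LOG = r"""
AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-08-27 1011080]
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                       # [HKEY_...\key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')         # "Name"= value
INFECTED_RE = re.compile(r'^Infected copy of (.+?) was found and disinfected$')


def parse_value(raw):
    """Turn ComboFix's value rendering into an int where it is numeric.

    ComboFix prints REG_DWORD values either as 'dword:00000001' or as
    '0 (0x0)'; anything else (paths, strings) is returned unchanged.
    """
    raw = raw.strip()
    m = re.match(r'dword:([0-9a-fA-F]{8})$', raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'(\d+)\s*\(0x[0-9a-fA-F]+\)$', raw)
    if m:
        return int(m.group(1))
    return raw


def triage(log_text):
    """Return a list of human-readable findings, in log order."""
    findings = []
    current_key = ''
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        # Header: ComboFix marks the product state between asterisks.
        if line[:3] in ('AV:', 'FW:') and 'disabled' in line.lower():
            findings.append(f'{line[:2]} protection disabled: {line}')
            continue
        m = INFECTED_RE.match(line)
        if m:
            note = f'system file was infected: {m.group(1)}'
            nxt = lines[i + 1].strip() if i + 1 < len(lines) else ''
            # ComboFix's wording when it could not restore the file from a
            # known-good copy and patched it in place instead.
            if nxt.startswith('Restored copy from - Kitty ate it'):
                note += ' (patched in place, no clean backup copy was available)'
            findings.append(note)
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), parse_value(m.group(2))
        # Rule set (my choice): values that blind Security Center or open the host.
        if 'security center' in current_key and name in ('DisableMonitoring', 'FirewallOverride') and value == 1:
            findings.append(f'Security Center silenced: [{current_key}] {name}=1')
        elif 'firewallpolicy' in current_key and name == 'EnableFirewall' and value == 0:
            findings.append(f'Windows Firewall off: [{current_key}] {name}=0')
        elif name == 'ConsentPromptBehaviorAdmin' and value == 0:
            # UAC value; no effect on XP, but ComboFix lists it because it is non-default.
            findings.append(f'Elevation prompt disabled for admins: [{current_key}] {name}=0')
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print('-', f)
```

Run against the full log above, the same rules fire on four Security Center keys, the firewall policy, both product lines in the header and the atapi.sys line; everything else in the loading points (the Ask toolbar BHO, the Run entries, the startup folder backups) is left for manual review, which is the point: the script narrows the log, it does not judge it.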