ComboFix 10-01-26.02 - liouelletgaston 26/01/2010 23:27:54.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.1022.637 [GMT -5:00]
Running from: c:\documents and settings\liouelletgaston\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-1088421979-2555689845-2326010705-1014
c:\recycler\S-1-5-21-1088421979-2555689845-2326010705-500
c:\recycler\S-1-5-21-1384774318-2894534337-4110577765-1005
c:\recycler\S-1-5-21-1384774318-2894534337-4110577765-500
c:\recycler\S-1-5-21-1833052360-195330638-4110363572-500
c:\recycler\S-1-5-21-2418045438-1593985875-241923415-500
c:\recycler\S-1-5-21-2488082858-439565203-1885533334-500
c:\recycler\S-1-5-21-2574226421-899625278-1321991626-500
c:\recycler\S-1-5-21-3482046334-1836464788-3015233268-1005
c:\recycler\S-1-5-21-3511619756-2365060635-1710076828-500
c:\recycler\S-1-5-21-3626424941-3382791230-172334229-1019
c:\recycler\S-1-5-21-3626424941-3382791230-172334229-500
c:\recycler\S-1-5-21-482331640-420107610-754275865-500
c:\windows\Fonts\MyriadPro-Regular.otf
c:\windows\system32\twain_32.dll
.
((((((((((((((((((((((((( Files Created from 2009-12-27 to 2010-01-27 )))))))))))))))))))))))))))))))
.
2010-01-25 04:12 . 2010-01-25 04:12 -------- d-----w- C:\_OTL
2010-01-23 14:51 . 2010-01-19 11:42 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-01-23 14:51 . 2010-01-19 13:13 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-01-23 14:51 . 2010-01-19 11:43 23248 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-01-23 14:50 . 2010-01-19 11:46 46544 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-01-23 14:50 . 2010-01-19 11:43 100304 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-01-23 14:50 . 2010-01-19 11:43 94672 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-01-23 14:50 . 2010-01-19 11:42 28240 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-01-23 14:44 . 2010-01-19 11:57 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-01-23 14:44 . 2010-01-19 11:57 152672 ----a-w- c:\windows\system32\aswBoot.exe
2010-01-23 14:44 . 2010-01-23 14:44 -------- d-----w- c:\program files\Alwil Software
2010-01-23 14:44 . 2010-01-23 14:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-01-23 14:36 . 2010-01-23 14:36 -------- d-----w- c:\documents and settings\liouelletgaston\Local Settings\Application Data\Threat Expert
2010-01-23 14:24 . 2010-01-23 14:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-23 13:02 . 2010-01-23 13:02 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-23 12:54 . 2010-01-23 12:54 -------- d-----w- c:\documents and settings\liouelletgaston\Application Data\Sonic
2010-01-17 23:29 . 2010-01-17 23:29 -------- d-----w- c:\documents and settings\liouelletgaston\Application Data\Leadertech
2010-01-16 14:19 . 2010-01-23 12:54 -------- d-----w- c:\documents and settings\liouelletgaston\Application Data\BitTorrent
2010-01-16 01:42 . 2010-01-16 01:42 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-15 02:32 . 2010-01-15 02:33 -------- d-----w- c:\windows\system32\Adobe
2010-01-12 23:35 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2009-12-28 22:44 . 2009-12-28 22:44 -------- d-sh--w- c:\documents and settings\liouelletgaston\IECompatCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-23 03:44 . 2010-01-23 12:52 185504 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-01-20 02:37 . 2006-05-20 05:06 98327 ----a-w- c:\windows\system32\nvModes.dat
2010-01-16 01:42 . 2009-11-15 22:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 02:28 . 2008-01-18 21:42 -------- d-----w- c:\documents and settings\liouelletgaston\Application Data\LimeWire
2010-01-07 21:07 . 2009-11-15 22:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-11-15 22:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 01:29 . 2009-12-22 01:29 0 ----a-w- c:\windows\nsreg.dat
2009-12-21 19:14 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-29 22:00 . 2009-11-29 22:00 -------- d-----w- c:\program files\BitTorrent
2009-11-23 03:58 . 2006-06-28 13:22 81808 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 15:51 . 2004-08-11 22:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-15 19:39 . 2009-11-15 19:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-15 19:38 . 2009-11-15 19:38 152576 ----a-w- c:\documents and settings\liouelletgaston\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-15 19:37 . 2009-11-15 19:37 79488 ----a-w- c:\documents and settings\liouelletgaston\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-15 03:17 . 2004-08-11 22:14 88247 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-29 07:45 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet(3).dll
2009-10-29 07:45 . 2004-08-11 22:00 1208832 ----a-w- c:\windows\system32\urlmon(3).dll
2007-01-27 16:50 . 2007-01-27 16:50 223730 ----a-w- c:\program files\setuplog.txt
2007-01-27 16:48 . 2007-01-27 16:47 184 ----a-w- c:\program files\install.txt
2002-08-07 18:53 . 2002-08-07 18:53 2488 ----a-w- c:\program files\Readme.txt
2002-07-24 10:08 . 2002-07-24 10:08 59124 ----a-w- c:\program files\router.dxr
2002-07-15 13:27 . 2002-07-15 13:27 180616 ----a-w- c:\program files\router_translation.cst
2002-05-08 08:08 . 2002-05-08 08:08 2893958 ----a-w- c:\program files\Robolab.exe
2002-01-05 03:26 . 2002-01-05 03:26 5833 ----a-w- c:\program files\License.txt
2007-10-26 05:47 . 2009-12-22 01:28 66408 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-10-26 05:47 . 2009-12-22 01:28 54112 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-10-26 05:47 . 2009-12-22 01:28 34688 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2007-10-26 05:47 . 2009-12-22 01:28 46456 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2007-10-26 05:47 . 2009-12-22 01:28 171880 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-15 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-08 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"NVHotkey"="nvHotkey.dll" [2006-01-19 73728]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-15 149280]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-17 397312]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-01-19 2743104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\liouelletgaston\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - d:\erunt\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-6-16 49152]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-20 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-816728033-1264349987-922709458-13677\Scripts\Logoff\0\0]
"Script"=lgf-std.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-816728033-1264349987-922709458-13677\Scripts\Logon\0\0]
"Script"=pushprinterconnections.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-816728033-1264349987-922709458-13677\Scripts\Logon\1\0]
"Script"=lgn-std.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-816728033-1264349987-922709458-14498\Scripts\Logoff\0\0]
"Script"=lgf-stf.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-816728033-1264349987-922709458-14498\Scripts\Logon\0\0]
"Script"=pushprinterconnections.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-816728033-1264349987-922709458-14498\Scripts\Logon\1\0]
"Script"=lgn-stf.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-816728033-1264349987-922709458-14498\Scripts\Logon\2\0]
"Script"=pushprinterconnections.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-816728033-1264349987-922709458-17896\Scripts\Logoff\0\0]
"Script"=lgf-stf.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-816728033-1264349987-922709458-17896\Scripts\Logon\0\0]
"Script"=pushprinterconnections.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-816728033-1264349987-922709458-17896\Scripts\Logon\1\0]
"Script"=lgn-stf.bat

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SMART Board Tools.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SMART Board Tools.lnk
backup=c:\windows\pss\SMART Board Tools.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-01-11 23:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-26 18:42 267064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2007-01-19 16:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-01-19 20:14 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [23/01/2010 9:51 AM 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [23/01/2010 9:51 AM 19024]
R2 SMART Web Server;SMART Web Server;c:\program files\SMART Technologies Inc\SMART Board Software\WebServer.exe [19/04/2007 5:42 AM 759312]
S2 SynchronEyes Software 7.0 Helper Service;SynchronEyes Software 7.0 Helper Service;c:\program files\SynchronEyes Student 7.0\synchroneyessrv.exe --> c:\program files\SynchronEyes Student 7.0\synchroneyessrv.exe [?]
S3 smrtdrv;SMART Technologies Inc. Mirror Driver;c:\windows\system32\DRIVERS\smrtdrv.sys --> c:\windows\system32\DRIVERS\smrtdrv.sys [?]
S3 Synnetdrv;SynchronEyes network Service;c:\windows\system32\DRIVERS\Synnetdrv.sys --> c:\windows\system32\DRIVERS\Synnetdrv.sys [?]
S3 SynnetdrvMP;SynnetdrvMP;c:\windows\system32\DRIVERS\Synnetdrv.sys --> c:\windows\system32\DRIVERS\Synnetdrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-12-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\liouelletgaston\Application Data\Mozilla\Firefox\Profiles\n8yqeo5a.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-A00F126993C - c:\docume~1\LIOUEL~1\LOCALS~1\Temp\_A00F126993C.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-26 23:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\SEGina.dll
.
Completion time: 2010-01-26 23:35:20
ComboFix-quarantined-files.txt 2010-01-27 04:35

Pre-Run: 4,716,679,168 bytes free
Post-Run: 4,677,148,672 bytes free

- - End Of File - - 81F0684CE8783BBAE9745EC6C74C8538