ComboFix 10-01-27.06 - Compaq_Administrator 01/28/2010 12:30:32.1.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.509 [GMT -5:00] Running from: c:\documents and settings\Compaq_Administrator\Desktop\george.exe AV: avast! antivirus 4.8.1368 [VPS 100128-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\tjfchb c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\tjfchb\ncgjsysguard.exe c:\documents and settings\Compaq_Administrator\Local Settings\Temp\IadHide5.dll c:\windows\kb913800.exe c:\windows\unins000.dat c:\windows\unins000.exe D:\Autorun.inf . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_TDSSSERV.SYS ((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-28 ))))))))))))))))))))))))))))))) . 2010-01-20 18:12 . 2010-01-20 18:12 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Malwarebytes 2010-01-20 18:12 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-01-20 18:12 . 2010-01-20 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-01-20 18:12 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-01-20 18:12 . 2010-01-20 18:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-01-20 18:07 . 2010-01-25 18:59 -------- d-----w- c:\program files\ERUNT 2010-01-12 22:55 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-01-25 19:20 . 2006-08-07 23:01 -------- d-----w- c:\program files\Java 2010-01-25 19:19 . 2010-01-25 19:19 152576 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll 2010-01-25 19:19 . 2009-11-11 08:26 79488 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll 2010-01-25 13:17 . 2006-08-07 23:57 -------- d-----w- c:\program files\Common Files\Symantec Shared 2009-12-21 19:14 . 2004-08-10 04:00 916480 ----a-w- c:\windows\system32\wininet.dll 2009-12-21 13:26 . 2007-12-24 19:47 -------- d-----w- c:\program files\Google 2009-12-10 01:26 . 2009-03-29 14:13 -------- d-----w- c:\program files\Norton PC Checkup 2009-12-10 01:26 . 2009-12-10 01:26 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Tific 2009-12-10 01:25 . 2009-12-10 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton 2009-12-10 01:25 . 2009-12-10 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller 2009-12-10 01:25 . 2009-12-10 01:25 -------- d-----w- c:\program files\NortonInstaller 2009-11-24 23:54 . 2009-02-12 16:51 1280480 ----a-w- c:\windows\system32\aswBoot.exe 2009-11-24 23:51 . 2009-02-12 16:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys 2009-11-24 23:50 . 2009-02-12 16:51 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys 2009-11-24 23:50 . 2009-02-12 16:51 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys 2009-11-24 23:50 . 2009-02-12 16:51 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys 2009-11-24 23:49 . 2009-02-12 16:52 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys 2009-11-24 23:48 . 2009-02-12 16:52 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys 2009-11-24 23:47 . 2009-02-12 16:52 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys 2009-11-24 23:47 . 2009-02-12 16:52 97480 ----a-w- c:\windows\system32\AvastSS.scr 2009-11-21 15:51 . 2004-08-10 04:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-06 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584] "ftutil2"="ftutil2.dll" [2004-06-07 106496] "RTHDCPL"="RTHDCPL.EXE" [2006-06-14 16239616] "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360] "nwiz"="nwiz.exe" [2006-05-09 1519616] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568] "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856] "Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552] "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840] "BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706] "YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 57344] "Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-07 180269] "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768] "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696] Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-8-7 36903] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472] SBC Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2006-10-19 217088] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\DISC\\DISCover.exe"= "c:\\Program Files\\DISC\\DiscStreamHub.exe"= "c:\\Program Files\\DISC\\myFTP.exe"= "c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2/12/2009 11:51 AM 114768] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/12/2009 11:51 AM 20560] R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe [12/9/2009 8:25 PM 103280] R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe [12/9/2009 8:25 PM 126392] S2 gupdate1c9dbad80ef9a82;Google Update Service (gupdate1c9dbad80ef9a82);c:\program files\Google\Update\GoogleUpdate.exe [5/23/2009 8:50 AM 133104] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}] 2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll . Contents of the 'Scheduled Tasks' folder 2010-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-23 13:50] 2010-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-23 13:50] . . ------- Supplementary Scan ------- . uStart Page = hxxp://att.net uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html Trusted Zone: trymedia.com DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab . - - - - ORPHANS REMOVED - - - - WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file) HKLM-Run-PCDrProfiler - (no file) Notify-WgaLogon - (no file) AddRemove-{D7DBA21A-CDE5-42EC-BB1C-AE4B3E616B9A}_is1 - c:\windows\unins000.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-01-28 12:41 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCCUJobMgr] "ImagePath"="\"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\diMaster.dll\" /prefetch:1" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(820) c:\windows\system32\WININET.dll c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Alwil Software\Avast4\aswUpdSv.exe c:\program files\Alwil Software\Avast4\ashServ.exe c:\windows\RTHDCPL.EXE c:\progra~1\Yahoo!\browser\ycommon.exe c:\program files\SBC Self Support Tool\bin\mpbtn.exe c:\windows\arservice.exe c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe c:\windows\eHome\ehRecvr.exe c:\windows\eHome\ehSched.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\HPZipm12.exe c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe c:\windows\ehome\mcrdsvc.exe c:\program files\Alwil Software\Avast4\ashMaiSv.exe c:\program files\Alwil Software\Avast4\ashWebSv.exe c:\windows\system32\dllhost.exe c:\windows\eHome\ehmsas.exe c:\program files\Symantec\LiveUpdate\AUpdate.exe c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE . ************************************************************************** . Completion time: 2010-01-28 12:48:10 - machine was rebooted ComboFix-quarantined-files.txt 2010-01-28 17:48 Pre-Run: 168,386,117,632 bytes free Post-Run: 168,502,329,344 bytes free - - End Of File - - 6A319AC813B6E01167C58F97C69B5E14