ComboFix 10-06-25.04 - Matthew Woodward 06/28/2010 22:09:01.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1695 [GMT -4:00]
Running from: c:\documents and settings\Matthew Woodward\Desktop\ComboFix.exe
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Matthew Woodward\pev.exe
c:\windows\system32\tmp.reg

Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-29 )))))))))))))))))))))))))))))))
.
2010-06-28 22:33 . 2010-06-28 22:33 52432 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-06-27 17:30 . 2010-06-27 17:31 -------- d-----w- c:\program files\ERUNT
2010-06-26 22:20 . 2010-06-26 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\FrontLine Registry Cleaner
2010-06-26 22:20 . 2010-06-26 22:20 -------- d-----w- c:\program files\Frontline Registry Cleaner
2010-06-26 03:36 . 2010-06-26 03:36 -------- d-----w- c:\program files\CCleaner
2010-06-23 02:10 . 2010-06-23 02:10 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb30E.tmp.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-29 01:36 . 2009-11-26 01:04 -------- d-----w- c:\program files\Spyware Doctor
2010-06-29 01:35 . 2009-11-25 20:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-28 22:20 . 2010-03-23 00:14 439816 ----a-w- c:\documents and settings\Matthew Woodward\Application Data\Real\Update\setup3.10\setup.exe
2010-06-25 15:10 . 2009-10-31 04:18 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-23 00:11 . 2009-10-25 03:51 -------- d-----w- c:\program files\World of Warcraft
2010-06-22 23:41 . 2009-10-25 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-06-09 06:05 . 2010-01-20 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-09 00:14 . 2009-10-31 04:18 -------- d-----w- c:\documents and settings\Matthew Woodward\Application Data\AdobeUM
2010-06-09 00:02 . 2010-06-09 00:02 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2010-05-25 01:53 . 2010-05-25 01:06 -------- d-----w- c:\program files\SC4PIM
2010-05-21 01:06 . 2009-11-01 22:14 1 ----a-w- c:\documents and settings\Matthew Woodward\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-19 18:00 . 2010-05-19 16:38 -------- d-----w- c:\program files\Traffic Simulator Configuration Tool
2010-05-14 23:45 . 2010-05-14 23:45 -------- d-----w- c:\program files\Ilives
2010-05-02 05:56 . 2004-08-05 04:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51 . 2004-08-05 04:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 15:36 . 2004-08-05 04:00 662016 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 15:36 . 2004-08-05 04:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-03 05:26 . 2009-12-25 03:47 64040 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-22 21:55 . 2009-11-22 03:27 43937024 ------w- c:\program files\Final Draft.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-11-06 19:14 238968 ----a-w- c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RUNFBI"="c:\windows\regedit.exe" [2004-08-05 146432]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-30 13594624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-30 86016]
"nwiz"="c:\windows\system32\nwiz.exe" [2009-01-30 1657376]
"High Definition Audio Property Page Shortcut"="c:\windows\system32\CHDAudPropShortcut.exe" [2006-04-18 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 761946]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-02 40960]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-07 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 6515784]

c:\documents and settings\Matthew Woodward\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-3-30 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/6/2009 12:00 PM 29808]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [3/23/2010 6:00 PM 1201640]
R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [5/10/2006 2:02 AM 61952]
S2 gupdate1ca8f58bb18dec6;Google Update Service (gupdate1ca8f58bb18dec6);c:\program files\Google\Update\GoogleUpdate.exe [1/7/2010 1:17 AM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-06-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-06-26 c:\windows\Tasks\FrontLine Registry Cleaner Scheduled Scan - Matthew Woodward.job
- c:\program files\Frontline Registry Cleaner\REGCLEANER.exe [2010-05-08 20:06]

2010-06-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 05:17]

2010-06-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 05:17]

2010-06-25 c:\windows\Tasks\wrSpySweeper_LDAA7929206F64476A2EB2573BA30A081.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-03-23 19:19]

2010-06-25 c:\windows\Tasks\wrSpySweeper_LDAA7929206F64476A2EB2573BA30A081.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-03-23 19:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Matthew Woodward\Application Data\Mozilla\Firefox\Profiles\wgx05n7v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
HKLM-Run-RecGuard - c:\windows\SMINST\RecGuard.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-28 22:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-06-28 22:17:55
ComboFix-quarantined-files.txt 2010-06-29 02:17

Pre-Run: 55,709,364,224 bytes free
Post-Run: 55,675,461,632 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 07033AEE7CDF15572C4EFF1AE8715A4C