ComboFix 10-11-03.04 - Owner 05/11/2010 15:06:36.2.2 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.2038.1779 [GMT -7:00]
Running from: d:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
d:\documents and settings\All Users\Documents\Adobe PDF\Desktop_.ini
d:\documents and settings\All Users\Documents\Adobe PDF\Extras\Desktop_.ini
d:\documents and settings\All Users\Documents\Adobe PDF\Settings\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\232labs\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\232labs\exmples\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\238\238\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\238\238\MattLansdowne\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\238\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\306\306\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\306\306\my fun\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\306\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\306\lab1\306disk\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\306\lab1\306disk\my fun\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\306\lab1\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\306\lab2\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\306\lab3\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\306\last\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\306\last\jeanlab\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\362\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\362\lab1\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\362\lab1\resource\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\362\Lab2\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\362\Lab3\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\362\last\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\415 policy\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\415 policy\syllabus FORESTRY 415 Fall 2002_files\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\424\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\424\mgmt plan\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\canterbury\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\carbon\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\Cutworms (Noctuidae)_files\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\davieswildfireCV2006\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\haleynomics\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\important\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\mgmt plan\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\morphology\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\morphology\morphology\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\morphology\morphology\mo'stavern\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\morphology\morphology\mo'stavern\pizzapieguy\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\morphology\morphology\mo'stavern\rootdata\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\new zealand\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\recipes\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\Student Loan\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\tab\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\TIPSY\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\treeID\dend\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\treeID\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\treeID\Forestry\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\treeID\ID\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\UBC\Desktop_.ini
d:\documents and settings\All Users\Documents\Jed Documents\wildfire\Desktop_.ini
d:\documents and settings\All Users\Documents\My Videos\Desktop_.ini
d:\documents and settings\All Users\Documents\New Documents on Dad's computer\Davies wildfire\Desktop_.ini
d:\documents and settings\All Users\Documents\New Documents on Dad's computer\Davies wildfire\temp work\Desktop_.ini
d:\documents and settings\All Users\Documents\New Documents on Dad's computer\Desktop_.ini
d:\documents and settings\All Users\Documents\New Documents on Dad's computer\Grad Paper Temp\Desktop_.ini
d:\documents and settings\All Users\Documents\New Documents on Dad's computer\Grad Paper Temp\new reference\Desktop_.ini
d:\windows\system32\dmlconf.dat
d:\windows\system32\spool\prtprocs\w32x86\CNMPP58.DLL
.
((((((((((((((((((((((((( Files Created from 2010-10-05 to 2010-11-05 )))))))))))))))))))))))))))))))
.
2010-11-04 01:32 . 2010-09-18 06:53 974848 -c----w- d:\windows\system32\dllcache\mfc42.dll
2010-11-04 01:32 . 2010-09-18 06:53 953856 -c----w- d:\windows\system32\dllcache\mfc40u.dll
2010-11-04 01:32 . 2010-08-23 16:12 617472 -c----w- d:\windows\system32\dllcache\comctl32.dll
2010-11-04 01:31 . 2010-06-14 14:31 744448 -c----w- d:\windows\system32\dllcache\helpsvc.exe
2010-11-04 01:30 . 2010-09-10 05:58 743424 -c----w- d:\windows\system32\dllcache\iedvtool.dll
2010-11-04 01:22 . 2009-08-07 02:23 274288 ----a-w- d:\windows\system32\mucltui.dll
2010-11-03 22:34 . 2010-11-04 23:24 -------- d-----w- d:\documents and settings\Owner\DoctorWeb
2010-11-03 22:15 . 2010-11-03 22:15 -------- d-----w- D:\_OTL
2010-11-03 17:07 . 2010-11-03 17:07 -------- d-----w- d:\documents and settings\LocalService\Local Settings\Application Data\ICS
2010-11-03 04:39 . 2010-11-03 21:47 -------- d-----w- d:\program files\Microsoft
2010-10-17 07:16 . 2007-11-27 10:24 14640 ------w- d:\windows\system32\spmsgXP_2k3.dll
2010-10-17 04:41 . 2010-10-17 04:41 -------- d-----w- d:\documents and settings\El Musico\Application Data\Teleca
2010-10-17 04:41 . 2010-10-17 04:41 -------- d-----w- d:\documents and settings\El Musico\Local Settings\Application Data\Apple Computer
2010-10-17 04:41 . 2010-10-17 04:41 -------- d-sh--w- d:\documents and settings\El Musico\IETldCache
2010-10-17 01:44 . 2010-10-17 07:17 -------- d-----w- d:\documents and settings\Owner\Application Data\Teleca
2010-10-17 01:44 . 2010-10-17 01:44 -------- d-----w- d:\documents and settings\Owner\Local Settings\Application Data\HTC
2010-10-17 01:44 . 2010-10-17 01:44 -------- d-----w- d:\documents and settings\All Users\Application Data\HTC
2010-10-17 01:43 . 2010-10-17 01:44 -------- d-----w- d:\program files\Common Files\Teleca Shared
2010-10-17 01:43 . 2010-10-17 01:44 -------- d-----w- d:\documents and settings\All Users\Application Data\Teleca
2010-10-17 01:43 . 2009-06-10 07:49 24576 ----a-w- d:\windows\system32\drivers\ANDROIDUSB.sys
2010-10-17 01:43 . 2009-06-09 21:41 1122664 ----a-w- d:\windows\system32\WdfCoInstaller01007.dll
2010-10-17 01:43 . 2010-10-17 01:43 -------- d-----w- d:\program files\Spirent Communications
2010-10-17 01:43 . 2010-10-17 01:43 -------- d-----w- d:\program files\HTC
2010-10-17 01:41 . 2010-10-17 01:41 -------- d-----w- d:\windows\Downloaded Installations
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 19:23 . 2004-08-04 10:00 974848 ----a-w- d:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 10:00 974848 ----a-w- d:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 10:00 954368 ----a-w- d:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 10:00 953856 ----a-w- d:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2006-03-04 03:33 916480 ----a-w- d:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 10:00 43520 ----a-w- d:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 10:00 1469440 ------w- d:\windows\system32\inetcpl.cpl
2010-09-07 15:12 . 2010-06-30 18:31 38848 ----a-w- d:\windows\avastSS.scr
2010-09-07 15:11 . 2006-10-14 19:24 167592 ----a-w- d:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2006-10-14 19:24 46672 ----a-w- d:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2008-04-02 23:41 165584 ----a-w- d:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2006-10-14 19:24 23376 ----a-w- d:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2006-10-14 19:24 100176 ----a-w- d:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2006-10-14 19:24 94544 ----a-w- d:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2008-04-02 23:41 17744 ----a-w- d:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2006-10-14 19:24 28880 ----a-w- d:\windows\system32\drivers\aavmker4.sys
2010-09-01 11:51 . 2004-08-04 10:00 285824 ----a-w- d:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2008-11-27 22:41 1852800 ----a-w- d:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 10:00 119808 ----a-w- d:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2008-11-27 22:41 99840 ----a-w- d:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2008-11-27 22:41 357248 ----a-w- d:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-26 19:22 5120 ----a-w- d:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-11-27 22:41 617472 ----a-w- d:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-04 10:00 58880 ----a-w- d:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-04 10:00 590848 ----a-w- d:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="d:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-22 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"SynTPEnh"="d:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="d:\windows\system32\WLTRAY.exe" [2006-11-02 1392640]
"igfxtray"="d:\windows\system32\igfxtray.exe" [2006-07-15 94208]
"igfxhkcmd"="d:\windows\system32\hkcmd.exe" [2006-07-15 77824]
"igfxpers"="d:\windows\system32\igfxpers.exe" [2006-07-15 118784]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-10-05 149280]
"DLA"="d:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Mobile Connectivity Suite"="d:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-11-20 598016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - d:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=d:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sonic CinePlayer Quick Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Sonic CinePlayer Quick Launch.lnk
backup=d:\windows\pss\Sonic CinePlayer Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=d:\documents and settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=d:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"gusvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\WINDOWS\\system32\\sessmgr.exe"=
"d:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"d:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"5057:TCP"= 5057:TCP:WWW

S1 aswSP;aswSP;d:\windows\system32\drivers\aswSP.sys [02/04/2008 4:41 PM 165584]
S1 oreans32;oreans32;d:\windows\system32\drivers\oreans32.sys [15/10/2006 10:15 PM 33824]
S2 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [02/04/2008 4:41 PM 17744]
S2 gupdate;Google Update Service (gupdate);d:\program files\Google\Update\GoogleUpdate.exe [13/05/2010 7:16 AM 136176]
S3 HTCAND32;HTC Device Driver;d:\windows\system32\drivers\ANDROIDUSB.sys [16/10/2010 6:43 PM 24576]
S3 ps_1394;ps_1394;d:\windows\system32\drivers\ps_1394.sys [14/10/2006 7:35 PM 97152]
S3 ps_avs;ps_avs;d:\windows\system32\drivers\ps_avs.sys [14/10/2006 7:35 PM 24576]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tuhsg
ddigw
.
Contents of the 'Scheduled Tasks' folder

2010-11-05 d:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-05-13 14:16]

2010-11-05 d:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-05-13 14:16]

2010-11-05 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-789336058-725345543-1003Core1cb668fc6642740.job
- d:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-22 21:47]

2010-11-05 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-789336058-725345543-1003UA.job
- d:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-22 21:47]

2010-11-05 d:\windows\Tasks\User_Feed_Synchronization-{60208E93-38E5-48D3-87A5-A4ABA6A99286}.job
- d:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: &ieSpell Options - d:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - d:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://d:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://d:\program files\ieSpell\wikipedia.HTM
Trusted Zone: netflix.ca\www
FF - ProfilePath - d:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\rkentt2s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: d:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: d:\documents and settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: d:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: d:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)
MSConfigStartUp-D-Link AirPlus G - d:\program files\D-Link\AirPlus G\AirGCFG.exe
MSConfigStartUp-QuickTime Task - d:\program files\QuickTime\qttask.exe
AddRemove-Adobe SVG Viewer - d:\program files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe
AddRemove-Broadcom 802.11b Network Adapter - d:\program files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe
AddRemove-CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3 - d:\program files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE
AddRemove-HP Color LaserJet CP1210 Series - d:\program files\Hewlett-Packard\HP Color LaserJet CP1210 Series\UnInstall.exe
AddRemove-InstallShield_{2B7E4354-0492-460A-BDB1-1F59EE141025} - d:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
AddRemove-IrfanView - d:\program files\IrfanView\iv_uninstall.exe
AddRemove-Lexmark Printer Software Uninstall - d:\program files\Lexmark\Install\Uninstall.exe
AddRemove-PreSonus 1394 Audio Driver V1.20.0 (FIREBox) Setup - d:\program files\PreSonus\1394AudioDriver_FIREBox\uninst.exe Software\PreSonus\1394AudioDriver_FIREBox\Setup
AddRemove-Steinberg Cubase LE - d:\program files\Steinberg\Cubase LE\Uninstall.exe
AddRemove-Windows Media Format Runtime - d:\program files\Windows Media Player\wmsetsdk.exe
AddRemove-{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31} - d:\program files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-05 15:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(244)
d:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(968)
d:\windows\system32\WININET.dll
d:\windows\system32\ieframe.dll
.
Completion time: 2010-11-05 15:15:51
ComboFix-quarantined-files.txt 2010-11-05 22:15

Pre-Run: 1,118,486,528 bytes free
Post-Run: 1,074,728,960 bytes free

- - End Of File - - 96D0BBB6137123AB2DA4DE7DDB5D59CA