ComboFix 10-11-05.05 - Owner 05/11/2010 18:57:30.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.2038.1630 [GMT -7:00]
Running from: d:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_DDIGW
-------\Legacy_TUHSG

((((((((((((((((((((((((( Files Created from 2010-10-06 to 2010-11-06 )))))))))))))))))))))))))))))))
.
2010-11-04 01:32 . 2010-09-18 06:53 974848 -c----w- d:\windows\system32\dllcache\mfc42.dll
2010-11-04 01:32 . 2010-09-18 06:53 953856 -c----w- d:\windows\system32\dllcache\mfc40u.dll
2010-11-04 01:32 . 2010-08-23 16:12 617472 -c----w- d:\windows\system32\dllcache\comctl32.dll
2010-11-04 01:31 . 2010-06-14 14:31 744448 -c----w- d:\windows\system32\dllcache\helpsvc.exe
2010-11-04 01:30 . 2010-09-10 05:58 743424 -c----w- d:\windows\system32\dllcache\iedvtool.dll
2010-11-04 01:22 . 2009-08-07 02:23 274288 ----a-w- d:\windows\system32\mucltui.dll
2010-11-03 22:34 . 2010-11-04 23:24 -------- d-----w- d:\documents and settings\Owner\DoctorWeb
2010-11-03 22:15 . 2010-11-03 22:15 -------- d-----w- D:\_OTL
2010-11-03 17:07 . 2010-11-03 17:07 -------- d-----w- d:\documents and settings\LocalService\Local Settings\Application Data\ICS
2010-11-03 04:39 . 2010-11-03 21:47 -------- d-----w- d:\program files\Microsoft
2010-10-17 07:16 . 2007-11-27 10:24 14640 ------w- d:\windows\system32\spmsgXP_2k3.dll
2010-10-17 04:41 . 2010-10-17 04:41 -------- d-----w- d:\documents and settings\El Musico\Application Data\Teleca
2010-10-17 04:41 . 2010-10-17 04:41 -------- d-----w- d:\documents and settings\El Musico\Local Settings\Application Data\Apple Computer
2010-10-17 04:41 . 2010-10-17 04:41 -------- d-sh--w- d:\documents and settings\El Musico\IETldCache
2010-10-17 01:44 . 2010-10-17 07:17 -------- d-----w- d:\documents and settings\Owner\Application Data\Teleca
2010-10-17 01:44 . 2010-10-17 01:44 -------- d-----w- d:\documents and settings\Owner\Local Settings\Application Data\HTC
2010-10-17 01:44 . 2010-10-17 01:44 -------- d-----w- d:\documents and settings\All Users\Application Data\HTC
2010-10-17 01:43 . 2010-10-17 01:44 -------- d-----w- d:\program files\Common Files\Teleca Shared
2010-10-17 01:43 . 2010-10-17 01:44 -------- d-----w- d:\documents and settings\All Users\Application Data\Teleca
2010-10-17 01:43 . 2009-06-10 07:49 24576 ----a-w- d:\windows\system32\drivers\ANDROIDUSB.sys
2010-10-17 01:43 . 2009-06-09 21:41 1122664 ----a-w- d:\windows\system32\WdfCoInstaller01007.dll
2010-10-17 01:43 . 2010-10-17 01:43 -------- d-----w- d:\program files\Spirent Communications
2010-10-17 01:43 . 2010-10-17 01:43 -------- d-----w- d:\program files\HTC
2010-10-17 01:41 . 2010-10-17 01:41 -------- d-----w- d:\windows\Downloaded Installations
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 19:23 . 2004-08-04 10:00 974848 ----a-w- d:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 10:00 974848 ----a-w- d:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 10:00 954368 ----a-w- d:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 10:00 953856 ----a-w- d:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2006-03-04 03:33 916480 ----a-w- d:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 10:00 43520 ----a-w- d:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 10:00 1469440 ------w- d:\windows\system32\inetcpl.cpl
2010-09-07 15:12 . 2010-06-30 18:31 38848 ----a-w- d:\windows\avastSS.scr
2010-09-07 15:11 . 2006-10-14 19:24 167592 ----a-w- d:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2006-10-14 19:24 46672 ----a-w- d:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2008-04-02 23:41 165584 ----a-w- d:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2006-10-14 19:24 23376 ----a-w- d:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2006-10-14 19:24 100176 ----a-w- d:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2006-10-14 19:24 94544 ----a-w- d:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2008-04-02 23:41 17744 ----a-w- d:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2006-10-14 19:24 28880 ----a-w- d:\windows\system32\drivers\aavmker4.sys
2010-09-01 11:51 . 2004-08-04 10:00 285824 ----a-w- d:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2008-11-27 22:41 1852800 ----a-w- d:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 10:00 119808 ----a-w- d:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2008-11-27 22:41 99840 ----a-w- d:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2008-11-27 22:41 357248 ----a-w- d:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-26 19:22 5120 ----a-w- d:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-11-27 22:41 617472 ----a-w- d:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-04 10:00 58880 ----a-w- d:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-04 10:00 590848 ----a-w- d:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-11-05_22.13.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-06 02:02 . 2010-11-06 02:02 16384 d:\windows\temp\Perflib_Perfdata_620.dat
+ 2004-08-04 10:00 . 2010-11-06 01:51 69008 d:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2010-11-06 01:51 436470 d:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="d:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-22 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"SynTPEnh"="d:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="d:\windows\system32\WLTRAY.exe" [2006-11-02 1392640]
"igfxtray"="d:\windows\system32\igfxtray.exe" [2006-07-15 94208]
"igfxhkcmd"="d:\windows\system32\hkcmd.exe" [2006-07-15 77824]
"igfxpers"="d:\windows\system32\igfxpers.exe" [2006-07-15 118784]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-10-05 149280]
"DLA"="d:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Mobile Connectivity Suite"="d:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-11-20 598016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - d:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=d:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sonic CinePlayer Quick Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Sonic CinePlayer Quick Launch.lnk
backup=d:\windows\pss\Sonic CinePlayer Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=d:\documents and settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=d:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"gusvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\WINDOWS\\system32\\sessmgr.exe"=
"d:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"d:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 aswSP;aswSP;d:\windows\system32\drivers\aswSP.sys [02/04/2008 4:41 PM 165584]
R1 oreans32;oreans32;d:\windows\system32\drivers\oreans32.sys [15/10/2006 10:15 PM 33824]
R2 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [02/04/2008 4:41 PM 17744]
S2 gupdate;Google Update Service (gupdate);d:\program files\Google\Update\GoogleUpdate.exe [13/05/2010 7:16 AM 136176]
S3 HTCAND32;HTC Device Driver;d:\windows\system32\drivers\ANDROIDUSB.sys [16/10/2010 6:43 PM 24576]
S3 ps_1394;ps_1394;d:\windows\system32\drivers\ps_1394.sys [14/10/2006 7:35 PM 97152]
S3 ps_avs;ps_avs;d:\windows\system32\drivers\ps_avs.sys [14/10/2006 7:35 PM 24576]
.
Contents of the 'Scheduled Tasks' folder

2010-11-06 d:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-05-13 14:16]

2010-11-06 d:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-05-13 14:16]

2010-11-05 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-789336058-725345543-1003Core1cb668fc6642740.job
- d:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-22 21:47]

2010-11-06 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-789336058-725345543-1003UA.job
- d:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-22 21:47]

2010-11-06 d:\windows\Tasks\User_Feed_Synchronization-{60208E93-38E5-48D3-87A5-A4ABA6A99286}.job
- d:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: &ieSpell Options - d:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - d:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://d:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://d:\program files\ieSpell\wikipedia.HTM
Trusted Zone: netflix.ca\www
FF - ProfilePath - d:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\rkentt2s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-05 19:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
d:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3716)
d:\windows\system32\WININET.dll
d:\windows\system32\ieframe.dll
d:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\System32\WLTRYSVC.EXE
d:\windows\System32\bcmwltry.exe
d:\program files\Alwil Software\Avast5\AvastSvc.exe
d:\windows\system32\LEXBCES.EXE
d:\windows\system32\LEXPPS.EXE
d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\windows\system32\wdfmgr.exe
d:\windows\stsystra.exe
d:\windows\system32\rundll32.exe
d:\program files\Common Files\Teleca Shared\CapabilityManager.exe
d:\program files\Common Files\Teleca Shared\logger.exe
d:\windows\system32\wscntfy.exe
d:\program files\Common Files\Teleca Shared\Generic.exe
d:\program files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
d:\program files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
d:\program files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
d:\program files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
.
**************************************************************************
.
Completion time: 2010-11-05 19:06:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-06 02:06
ComboFix2.txt 2010-11-05 22:15

Pre-Run: 1,036,230,656 bytes free
Post-Run: 1,073,082,368 bytes free

- - End Of File - - FF26F23A8299E06B6275F0F86E386F2F