ComboFix 10-11-18.05 - sales 11/19/2010 13:55:20.1.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.259 [GMT -5:00] Running from: c:\documents and settings\sales\Desktop\ComboFix.exe AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\sales\Application Data\Microsoft\stor.cfg c:\documents and settings\sales\Application Data\Microsoft\svchost.exe c:\documents and settings\sales\Application Data\Microsoft\Windows\shell.exe c:\documents and settings\sales\Local Settings\Application Data\opRSK c:\documents and settings\sales\Local Settings\Application Data\pw.exe c:\documents and settings\sales\Local Settings\Temporary Internet Files\AaBbaA7.jpg c:\documents and settings\sales\Local Settings\Temporary Internet Files\pYn66bka.jpg c:\documents and settings\sales\Local Settings\Temporary Internet Files\webex.ini c:\documents and settings\sales\Local Settings\Temporary Internet Files\xLLM2bAm.jpg c:\documents and settings\sales\Local Settings\Temporary Internet Files\XMjMBAJ.jpg c:\documents and settings\tcjones\Application Data\Microsoft\stor.cfg c:\documents and settings\tcjones\Application Data\Microsoft\svchost.exe c:\documents and settings\tcjones\Application Data\Microsoft\Windows\shell.exe . ((((((((((((((((((((((((( Files Created from 2010-10-19 to 2010-11-19 ))))))))))))))))))))))))))))))) . 2010-11-19 16:54 . 2010-11-19 18:27 -------- d-----w- c:\documents and settings\tcjones 2010-11-17 17:24 . 2010-11-17 17:24 -------- d-----w- c:\program files\Windows Media Connect 2 2010-11-17 17:20 . 2010-11-17 17:22 -------- d-----w- c:\windows\system32\drivers\UMDF . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-09-18 16:23 . 2004-08-04 05:00 974848 ----a-w- c:\windows\system32\mfc42u.dll 2010-09-18 06:53 . 2004-08-04 05:00 974848 ----a-w- c:\windows\system32\mfc42.dll 2010-09-18 06:53 . 2004-08-04 05:00 954368 ----a-w- c:\windows\system32\mfc40.dll 2010-09-18 06:53 . 2004-08-04 05:00 953856 ----a-w- c:\windows\system32\mfc40u.dll 2010-09-10 05:58 . 2006-03-03 22:33 916480 ----a-w- c:\windows\system32\wininet.dll 2010-09-10 05:58 . 2004-08-04 05:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-09-10 05:58 . 2004-08-04 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-09-01 11:51 . 2004-08-04 05:00 285824 ----a-w- c:\windows\system32\atmfd.dll 2010-08-31 13:42 . 2004-08-04 05:00 1852800 ----a-w- c:\windows\system32\win32k.sys 2010-08-27 08:02 . 2004-08-04 05:00 119808 ----a-w- c:\windows\system32\t2embed.dll 2010-08-27 05:57 . 2004-08-04 05:00 99840 ----a-w- c:\windows\system32\srvsvc.dll 2010-08-26 13:39 . 2004-08-04 05:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys 2010-08-26 12:52 . 2009-05-06 19:52 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2010-08-23 16:12 . 2004-08-04 05:00 617472 ----a-w- c:\windows\system32\comctl32.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-15 39408] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-07-13 136600] "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray] 2008-03-06 21:19 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\WINDOWS\\system32\\mmc.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"= R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/6/2009 1:18 PM 164048] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/6/2009 1:18 PM 19024] S2 gupdate1c9d569540b0ce4;Google Update Service (gupdate1c9d569540b0ce4);c:\program files\Google\Update\GoogleUpdate.exe [5/15/2009 9:27 AM 133104] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] getPlusHelper REG_MULTI_SZ getPlusHelper . Contents of the 'Scheduled Tasks' folder 2010-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-15 14:27] 2010-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-15 14:27] 2010-11-19 c:\windows\Tasks\User_Feed_Synchronization-{42CAAEC9-B836-43B6-B9D9-3F217AC4EB60}.job - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ig?referrer=ign uInternet Settings,ProxyServer = http=127.0.0.1:50370 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings/include/business/vzTCPConfig.CAB . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-11-19 14:05 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . Completion time: 2010-11-19 14:08:23 ComboFix-quarantined-files.txt 2010-11-19 19:08 Pre-Run: 17,999,310,848 bytes free Post-Run: 20,141,342,720 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect - - End Of File - - 71694EAD636F4DBC1817691957EEF6FA