ComboFix 11-02-20.01 - DRyder 02/20/2011 17:26:36.1.2 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.601 [GMT -5:00] Running from: c:\documents and settings\DRyder\Desktop\ComboFix.exe AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk c:\documents and settings\DRyder\Application Data\Sun\mxd1.txt C:\Microsoft . ((((((((((((((((((((((((( Files Created from 2011-01-20 to 2011-02-20 ))))))))))))))))))))))))))))))) . 2011-02-20 22:23 . 2011-02-20 22:23 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FF1F25EE-096B-46C3-BB22-C4560F064925}\MpKslb62469cb.sys 2011-02-20 22:22 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FF1F25EE-096B-46C3-BB22-C4560F064925}\mpengine.dll 2011-02-19 22:55 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-02-19 21:30 . 2010-12-09 15:15 718336 ----a-w- c:\windows\system32\ntdll.dll 2011-02-19 21:30 . 2010-12-09 15:15 718336 ------w- c:\windows\system32\dllcache\ntdll.dll 2011-02-19 21:30 . 2010-12-09 13:42 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe 2011-02-19 21:30 . 2010-12-09 13:42 2148864 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe 2011-02-19 21:30 . 2010-12-09 13:38 2192768 ------w- c:\windows\system32\dllcache\ntoskrnl.exe 2011-02-19 21:30 . 2010-12-09 13:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe 2011-02-19 21:30 . 2010-12-09 13:07 2027008 ------w- c:\windows\system32\dllcache\ntkrpamp.exe 2011-02-19 21:30 . 2010-12-09 13:07 2069376 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe 2011-02-07 22:11 . 2009-08-06 02:55 123904 ----a-w- C:\MbrFix.exe 2011-02-04 02:04 . 2011-02-06 18:26 -------- d-----w- C:\_OTL 2011-01-24 11:32 . 2011-01-24 11:32 -------- d-----w- c:\documents and settings\CRyder\Local Settings\Application Data\Mozilla . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-01-21 14:44 . 2011-01-21 14:44 439296 ----a-w- c:\windows\system32\shimgvw.dll 2011-01-13 09:41 . 2010-07-20 12:23 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2011-01-07 14:09 . 2011-01-07 14:09 290048 ----a-w- c:\windows\system32\atmfd.dll 2010-12-31 13:10 . 2010-12-31 13:10 1854976 ----a-w- c:\windows\system32\win32k.sys 2010-12-22 12:34 . 2010-12-22 12:34 301568 ----a-w- c:\windows\system32\kerberos.dll 2010-12-20 23:08 . 2010-07-13 21:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-12-20 17:26 . 2010-12-20 17:26 730112 ----a-w- c:\windows\system32\lsasrv.dll 2010-12-09 14:30 . 2010-12-09 14:30 33280 ----a-w- c:\windows\system32\csrsrv.dll 2010-11-28 06:58 . 2010-11-28 06:58 37248 ----a-w- c:\windows\system32\drivers\ISAPNP.SYS . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744] "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072] "HP BTW Detect Program"="c:\program files\HP\HPBTWD.exe" [2009-03-30 319488] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-01-16 1418536] "AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-07-06 737280] "WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2009-10-03 09:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP] 2009-07-14 10:54 589104 ----a-w- c:\program files\Hewlett-Packard\HP QuickSync\QuickSync.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] 2005-05-12 04:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE] 2010-09-15 09:34 1094224 ----a-w- c:\program files\Microsoft Security Essentials\msseces.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\Hewlett-Packard\\HP QuickSync\\jre\\bin\\javaw.exe"= "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [8/25/2009 7:31 PM 21488] R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [8/25/2009 7:31 PM 15856] R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [7/2/2009 1:10 AM 103792] R1 MpKslb62469cb;MpKslb62469cb;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FF1F25EE-096B-46C3-BB22-C4560F064925}\MpKslb62469cb.sys [2/20/2011 5:23 PM 28752] R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [8/25/2009 7:31 PM 25584] R2 BOTService;BOTService;c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [7/9/2009 6:08 AM 199152] R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [8/25/2009 7:18 PM 113664] R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [3/31/2009 3:11 PM 39424] S3 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [6/2/2009 9:05 PM 457200] S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys --> c:\windows\system32\Drivers\RTS5121.sys [?] S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?] --- Other Services/Drivers In Memory --- *NewlyCreated* - MPKSLB62469CB . Contents of the 'Scheduled Tasks' folder 2011-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34] 2011-02-20 c:\windows\Tasks\BackOnTrack Instant Restore Idle.job - c:\program files\Roxio\BackOnTrack\Instant Restore\RstIdle.exe [2009-07-09 11:09] 2011-02-20 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.ca/ mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cnnb uInternet Settings,ProxyOverride = Trusted Zone: servicecanada.gc.ca\www FF - ProfilePath - c:\documents and settings\DRyder\Application Data\Mozilla\Firefox\Profiles\agz1quun.default\ FF - prefs.js: network.proxy.http - 127.0.0.1 FF - prefs.js: network.proxy.http_port - 50370 FF - prefs.js: network.proxy.type - 1 FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} . - - - - ORPHANS REMOVED - - - - Toolbar-Locked - (no file) WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file) HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe HKLM-Run-snp2uvc - c:\windows\vsnp2uvc.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-02-20 17:47 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2011-02-20 17:50:13 ComboFix-quarantined-files.txt 2011-02-20 22:50 Pre-Run: 109,871,185,920 bytes free Post-Run: 126,968,766,464 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect - - End Of File - - 302610B0F3CBB30FEEF2E790BB85D919