ComboFix 11-08-08.02 - HP_Administrator 08/08/2011 17:34:59.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.632 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Administrator\Application Data\Adobe\plugs
c:\documents and settings\HP_Administrator\Application Data\Adobe\shed
c:\documents and settings\HP_Administrator\WINDOWS
C:\Recycle.Bin
c:\windows\$NtUninstallKB3255$
c:\windows\$NtUninstallKB3255$\1424066960
c:\windows\$NtUninstallKB3255$\485945278\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB3255$\485945278\click.tlb
c:\windows\$NtUninstallKB3255$\485945278\L\aqaeidou
c:\windows\$NtUninstallKB3255$\485945278\loader.tlb
c:\windows\$NtUninstallKB3255$\485945278\U\@00000001
c:\windows\$NtUninstallKB3255$\485945278\U\@000000c0
c:\windows\$NtUninstallKB3255$\485945278\U\@000000cb
c:\windows\$NtUninstallKB3255$\485945278\U\@000000cf
c:\windows\$NtUninstallKB3255$\485945278\U\@80000000
c:\windows\$NtUninstallKB3255$\485945278\U\@800000c0
c:\windows\$NtUninstallKB3255$\485945278\U\@800000cb
c:\windows\$NtUninstallKB3255$\485945278\U\@800000cf
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\system32\c_47915.nls
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\ps2.bat
c:\windows\system32\rnaph.dll
c:\windows\winhelp.ini
D:\Autorun.inf
.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2011-07-09 to 2011-08-09 )))))))))))))))))))))))))))))))
.
.
2011-08-09 00:31 . 2009-11-13 22:57 62592 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-08 23:13 . 2011-08-08 23:13 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-05 19:23 . 2001-08-17 20:51 61824 ----a-w- c:\windows\system32\dllcache\speed.sys
2011-08-05 19:23 . 2001-08-18 05:36 106584 ----a-w- c:\windows\system32\dllcache\spdports.dll
2011-08-05 19:23 . 2001-08-17 21:07 19072 ----a-w- c:\windows\system32\dllcache\sparrow.sys
2011-08-05 19:23 . 2001-08-17 20:56 7552 ----a-w- c:\windows\system32\dllcache\sonypvu1.sys
2011-08-05 19:23 . 2001-08-17 19:51 37040 ----a-w- c:\windows\system32\dllcache\sonypi.sys
2011-08-05 19:23 . 2001-08-18 05:36 114688 ----a-w- c:\windows\system32\dllcache\sonypi.dll
2011-08-05 19:23 . 2001-08-17 19:51 20752 ----a-w- c:\windows\system32\dllcache\sonync.sys
2011-08-05 19:23 . 2001-08-17 20:53 9600 ----a-w- c:\windows\system32\dllcache\sonymc.sys
2011-08-05 19:23 . 2008-04-13 18:40 7552 ----a-w- c:\windows\system32\dllcache\sonyait.sys
2011-08-05 19:23 . 2004-08-09 21:00 143422 ----a-w- c:\windows\system32\dllcache\softkey.dll
2011-08-05 19:21 . 2001-08-17 19:50 68608 ----a-w- c:\windows\system32\dllcache\sis6306p.sys
2011-08-05 19:20 . 2001-08-17 21:56 245632 ----a-w- c:\windows\system32\dllcache\s3savmx.dll
2011-08-05 19:19 . 2001-08-17 20:51 19584 ----a-w- c:\windows\system32\dllcache\rasirda.sys
2011-08-05 19:18 . 2001-08-18 05:36 121344 ----a-w- c:\windows\system32\dllcache\phvfwext.dll
2011-08-05 19:17 . 2001-08-18 05:36 20480 ----a-w- c:\windows\system32\dllcache\ovcomc.dll
2011-08-05 19:16 . 2001-08-17 19:20 87040 ----a-w- c:\windows\system32\dllcache\nm6wdm.sys
2011-08-05 19:16 . 2001-08-17 19:20 126080 ----a-w- c:\windows\system32\dllcache\nm5a2wdm.sys
2011-08-05 19:16 . 2001-08-17 19:12 32840 ----a-w- c:\windows\system32\dllcache\ngrpci.sys
2011-08-05 19:16 . 2004-08-04 05:31 132695 ----a-w- c:\windows\system32\dllcache\netwlan5.sys
2011-08-05 19:16 . 2001-08-17 19:11 65278 ----a-w- c:\windows\system32\dllcache\netflx3.sys
2011-08-05 19:16 . 2001-08-17 19:50 39264 ----a-w- c:\windows\system32\dllcache\neo20xx.sys
2011-08-05 19:16 . 2001-08-18 05:36 60480 ----a-w- c:\windows\system32\dllcache\neo20xx.dll
2011-08-05 19:16 . 2001-08-17 20:49 15872 ----a-w- c:\windows\system32\dllcache\ne2000.sys
2011-08-05 19:16 . 2001-08-17 21:56 91488 ----a-w- c:\windows\system32\dllcache\n9i3disp.dll
2011-08-05 19:16 . 2001-08-17 19:50 27936 ----a-w- c:\windows\system32\dllcache\n9i3d.sys
2011-08-05 19:16 . 2001-08-17 19:50 33088 ----a-w- c:\windows\system32\dllcache\n9i128v2.sys
2011-08-05 19:16 . 2001-08-18 05:36 59104 ----a-w- c:\windows\system32\dllcache\n9i128v2.dll
2011-08-05 19:14 . 2001-08-17 20:57 16128 ----a-w- c:\windows\system32\dllcache\modemcsa.sys
2011-08-05 19:13 . 2001-08-17 20:51 15744 ----a-w- c:\windows\system32\dllcache\lit220p.sys
2011-08-05 19:12 . 2004-08-09 21:00 59904 ----a-w- c:\windows\system32\dllcache\imkrinst.exe
2011-08-05 19:11 . 2001-08-17 20:28 57471 ----a-w- c:\windows\system32\dllcache\hsf_samp.sys
2011-08-05 19:10 . 2001-08-17 20:51 82304 ----a-w- c:\windows\system32\dllcache\grclass.sys
2011-08-05 19:09 . 2001-08-17 19:19 63360 ----a-w- c:\windows\system32\dllcache\ess.sys
2011-08-05 19:08 . 2008-04-13 18:40 8320 ----a-w- c:\windows\system32\dllcache\dlttape.sys
2011-08-05 19:07 . 2001-08-18 05:36 175104 ----a-w- c:\windows\system32\dllcache\csamsp.dll
2011-08-05 19:06 . 2008-04-13 18:46 11776 ----a-w- c:\windows\system32\dllcache\bdasup.sys
2011-08-05 19:05 . 2001-08-17 21:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-08-01 05:23 . 2011-08-08 03:13 44560 --sha-w- c:\windows\system32\c_47915.nl_
2011-07-31 23:15 . 2011-08-08 23:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-31 17:31 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-31 17:31 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-07-31 17:31 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-31 17:31 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-31 17:31 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-07-31 17:31 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-07-31 17:31 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-07-31 17:31 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-07-31 17:31 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-07-31 17:31 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-07-31 17:30 . 2011-08-08 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-07-31 17:30 . 2011-07-31 17:30 -------- d-----w- c:\program files\AVAST Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-08 03:13 . 2004-08-03 14:59 115200 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-06 17:58 . 2008-11-13 22:19 912640 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-05 19:37 . 2004-08-09 21:00 325632 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-06-02 14:02 . 2004-08-09 21:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-27 04:34 . 2008-09-18 02:43 2291824 ----a-w- c:\program files\setupav.exe
2011-04-19 17:09 . 2009-04-11 17:53 2231248 ----a-w- c:\program files\autovip.exe
2011-01-07 17:10 . 2009-08-06 22:10 207912 ----a-w- c:\program files\wupdate.exe
2009-05-05 00:03 . 2009-04-11 17:53 154272 ----a-w- c:\program files\validate.exe
2009-04-30 03:08 . 2009-04-13 20:50 159440 ----a-w- c:\program files\wucheck.exe
2009-04-13 02:12 . 2009-04-11 17:53 158040 ----a-w- c:\program files\AddShortcuts.exe
2008-01-28 01:05 . 2008-01-24 17:05 154672 ----a-w- c:\program files\wcheck.exe
2007-10-13 03:50 . 2007-10-13 03:50 148936 ----a-w- c:\program files\Uninst_AutoVIP.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-23 68856]
"AutoVIP"="c:\program files\autovip.exe" [2011-04-19 2231248]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-11-11 1064960]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-11-11 61440]
"DMAScheduler"="c:\program files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2005-11-01 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-07-11 188416]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"Ashampoo FireWall"="c:\program files\Ashampoo\Ashampoo FireWall\FireWall.exe" [2007-04-05 3251800]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-3-7 36903]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-3-6 27136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Juno\\bin\\juno.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\JunoInternet\\exec.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Documents and Settings\\HP_Administrator\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/31/2011 10:31 AM 309848]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/31/2011 10:31 AM 19544]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/31/2011 10:31 AM 441176]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 9:02 PM 135664]
S3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [3/6/2006 11:27 PM 468768]
S4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [12/27/2010 3:20 PM 229376]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 04:02]
.
2011-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 04:02]
.
2011-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3916121995-2667568415-902956153-1008Core.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-27 05:20]
.
2011-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3916121995-2667568415-902956153-1008UA.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-27 05:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.juno.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://my.juno.com/s/search?r=minisearch
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Display All Images with Full Quality - "c:\program files\JunoInternet\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\JunoInternet\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com
Trusted Zone: windowsupdate.com\download
Trusted Zone: trymedia.com
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-PCDrProfiler - (no file)
SafeBoot-70339660.sys
AddRemove-Corel Remove Program - f:\corel\AppMan\Setup\remove.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-08 17:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASFWHide]
"ImagePath"="\??\c:\docume~1\HP_ADM~1\LOCALS~1\Temp\ASFWHide"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(516)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2948)
c:\windows\system32\WININET.dll
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\arservice.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ARPWRMSG.EXE
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2011-08-08 17:45:01 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-09 00:44
.
Pre-Run: 208,226,775,040 bytes free
Post-Run: 208,194,719,744 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - A951D4D62099198F3EE4118A180626D2