ComboFix 11-08-30.02 - John 08/30/2011 22:50:47.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3071.1860 [GMT -4:00]
Running from: c:\users\John\Desktop\ComboFix.exe
AV: avast! Internet Security *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
FW: avast! Internet Security *Disabled* {131692B0-0864-D491-4E21-3A3A1D8BBB47}
SP: avast! Internet Security *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Carol\AppData\Roaming\Mozilla\Firefox\Profiles\hkwjvbbx.default\extensions\{875623a4-14f4-4c6f-b91d-a11a658815bb}
c:\users\Carol\AppData\Roaming\Mozilla\Firefox\Profiles\hkwjvbbx.default\extensions\{875623a4-14f4-4c6f-b91d-a11a658815bb}\chrome.manifest
c:\users\Carol\AppData\Roaming\Mozilla\Firefox\Profiles\hkwjvbbx.default\extensions\{875623a4-14f4-4c6f-b91d-a11a658815bb}\chrome\xulcache.jar
c:\users\Carol\AppData\Roaming\Mozilla\Firefox\Profiles\hkwjvbbx.default\extensions\{875623a4-14f4-4c6f-b91d-a11a658815bb}\defaults\preferences\xulcache.js
c:\users\Carol\AppData\Roaming\Mozilla\Firefox\Profiles\hkwjvbbx.default\extensions\{875623a4-14f4-4c6f-b91d-a11a658815bb}\install.rdf
c:\users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\0ob41n0u.default\extensions\{875623a4-14f4-4c6f-b91d-a11a658815bb}
c:\users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\0ob41n0u.default\extensions\{875623a4-14f4-4c6f-b91d-a11a658815bb}\chrome.manifest
c:\users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\0ob41n0u.default\extensions\{875623a4-14f4-4c6f-b91d-a11a658815bb}\chrome\xulcache.jar
c:\users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\0ob41n0u.default\extensions\{875623a4-14f4-4c6f-b91d-a11a658815bb}\defaults\preferences\xulcache.js
c:\users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\0ob41n0u.default\extensions\{875623a4-14f4-4c6f-b91d-a11a658815bb}\install.rdf
c:\users\John-Carl\AppData\Roaming\Mozilla\Firefox\Profiles\vcgmi03q.default\extensions\{875623a4-14f4-4c6f-b91d-a11a658815bb}
c:\users\John-Carl\AppData\Roaming\Mozilla\Firefox\Profiles\vcgmi03q.default\extensions\{875623a4-14f4-4c6f-b91d-a11a658815bb}\chrome.manifest
c:\users\John-Carl\AppData\Roaming\Mozilla\Firefox\Profiles\vcgmi03q.default\extensions\{875623a4-14f4-4c6f-b91d-a11a658815bb}\chrome\xulcache.jar
c:\users\John-Carl\AppData\Roaming\Mozilla\Firefox\Profiles\vcgmi03q.default\extensions\{875623a4-14f4-4c6f-b91d-a11a658815bb}\defaults\preferences\xulcache.js
c:\users\John-Carl\AppData\Roaming\Mozilla\Firefox\Profiles\vcgmi03q.default\extensions\{875623a4-14f4-4c6f-b91d-a11a658815bb}\install.rdf
c:\users\John\AppData\Roaming\Microsoft\Windows\Recent\Curse Client.appref-ms
c:\users\Lauren\AppData\Roaming\Mozilla\Firefox\Profiles\0kmnda57.default\extensions\{875623a4-14f4-4c6f-b91d-a11a658815bb}
c:\users\Lauren\AppData\Roaming\Mozilla\Firefox\Profiles\0kmnda57.default\extensions\{875623a4-14f4-4c6f-b91d-a11a658815bb}\chrome.manifest
c:\users\Lauren\AppData\Roaming\Mozilla\Firefox\Profiles\0kmnda57.default\extensions\{875623a4-14f4-4c6f-b91d-a11a658815bb}\chrome\xulcache.jar
c:\users\Lauren\AppData\Roaming\Mozilla\Firefox\Profiles\0kmnda57.default\extensions\{875623a4-14f4-4c6f-b91d-a11a658815bb}\defaults\preferences\xulcache.js
c:\users\Lauren\AppData\Roaming\Mozilla\Firefox\Profiles\0kmnda57.default\extensions\{875623a4-14f4-4c6f-b91d-a11a658815bb}\install.rdf
c:\windows\security\Database\tmp.edb
E:\install.exe
e:\program files\Steam\steam.exe
.
.
(((((((((((((((((((((((((   Files Created from 2011-07-28 to 2011-08-31   )))))))))))))))))))))))))))))))
.
.
2011-08-31 02:57 . 2011-08-31 02:58  --------  d-----w-  c:\users\John\AppData\Local\temp
2011-08-31 02:57 . 2011-08-31 02:57  --------  d-----w-  c:\users\Lauren\AppData\Local\temp
2011-08-31 02:57 . 2011-08-31 02:57  --------  d-----w-  c:\users\John-Carl\AppData\Local\temp
2011-08-31 02:57 . 2011-08-31 02:57  --------  d-----w-  c:\users\Jennifer\AppData\Local\temp
2011-08-31 02:57 . 2011-08-31 02:57  --------  d-----w-  c:\users\IUSR_NMPR\AppData\Local\temp
2011-08-31 02:57 . 2011-08-31 02:57  --------  d-----w-  c:\users\Default\AppData\Local\temp
2011-08-31 02:57 . 2011-08-31 02:57  --------  d-----w-  c:\users\Carol\AppData\Local\temp
2011-08-31 02:57 . 2011-08-31 02:57  --------  d-----w-  c:\users\Administrator\AppData\Local\temp
2011-08-30 23:19 . 2011-08-12 02:44  7152464   ----a-w-  c:\programdata\Microsoft\Windows Defender\Definition Updates\{68755A99-1F11-4544-8630-2FEEA2BEE5A8}\mpengine.dll
2011-08-30 23:18 . 2011-08-30 23:18  --------  d-----w-  C:\_OTL
2011-08-29 22:17 . 2011-08-29 22:17  --------  d-----w-  c:\programdata\WindowsSearch
2011-08-24 03:37 . 2011-07-11 13:25  2048      ----a-w-  c:\windows\system32\tzres.dll
2011-08-20 18:46 . 2011-08-20 18:46  --------  d-----w-  c:\users\John-Carl\AppData\Roaming\Razer
2011-08-20 14:22 . 2011-08-20 14:22  --------  d-----w-  c:\users\Carol\AppData\Roaming\Razer
2011-08-20 04:51 . 2011-08-20 04:51  --------  d-----w-  c:\users\John\AppData\Roaming\Razer
2011-08-20 04:25 . 2009-07-14 17:45  38480     ----a-w-  c:\windows\system32\drivers\WdfLdr.sys
2011-08-20 04:25 . 2009-07-14 17:45  445008    ----a-w-  c:\windows\system32\drivers\Wdf01000.sys
2011-08-20 04:21 . 2010-10-01 04:16  10240     ----a-w-  c:\windows\system32\drivers\VKbms.sys
2011-08-20 04:21 . 2010-09-25 16:55  6656      ----a-w-  c:\windows\system32\drivers\hidkmdf.sys
2011-08-20 04:21 . 2009-07-15 08:27  1461992   ----a-w-  c:\windows\system32\WdfCoInstaller01009.dll
2011-08-20 04:21 . 2006-11-23 09:55  73728     ----a-w-  c:\windows\system32\DeathAdder.cpl
2011-08-20 04:03 . 2009-08-10 19:25  39936     ----a-w-  c:\windows\system32\drivers\CYUSB.sys
2011-08-16 18:03 . 2011-08-16 18:03  0         ---ha-w-  c:\windows\system32\pgsrduuwqy.tmp
2011-08-14 02:11 . 2011-08-14 02:12  --------  d-----w-  c:\users\Carol\AppData\Roaming\Ventrilo
2011-08-10 22:29 . 2011-06-20 08:54  3602832   ----a-w-  c:\windows\system32\ntkrnlpa.exe
2011-08-10 22:29 . 2011-06-20 08:54  3550096   ----a-w-  c:\windows\system32\ntoskrnl.exe
2011-08-10 22:29 . 2011-06-17 20:13  905104    ----a-w-  c:\windows\system32\drivers\tcpip.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-11 01:31 . 2011-05-25 03:24  404640    ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-06 23:52 . 2008-10-03 04:47  22712     ----a-w-  c:\windows\system32\drivers\mbam.sys
2011-07-06 23:52 . 2008-10-03 04:47  41272     ----a-w-  c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-04 11:43 . 2010-07-07 00:39  40112     ----a-w-  c:\windows\avastSS.scr
2011-07-04 11:43 . 2007-12-25 05:12  199304    ----a-w-  c:\windows\system32\aswBoot.exe
2011-07-04 11:37 . 2010-03-13 01:42  103384    ----a-w-  c:\windows\system32\drivers\aswFW.sys
2011-07-04 11:36 . 2010-03-13 01:42  441176    ----a-w-  c:\windows\system32\drivers\aswSnx.sys
2011-07-04 11:36 . 2008-04-05 21:45  309848    ----a-w-  c:\windows\system32\drivers\aswSP.sys
2011-07-04 11:36 . 2010-03-13 01:41  194264    ----a-w-  c:\windows\system32\drivers\aswNdis2.sys
2011-07-04 11:35 . 2007-12-25 05:13  43608     ----a-w-  c:\windows\system32\drivers\aswTdi.sys
2011-07-04 11:32 . 2007-12-25 05:13  25432     ----a-w-  c:\windows\system32\drivers\aswRdr.sys
2011-07-04 11:32 . 2007-12-25 05:12  54104     ----a-w-  c:\windows\system32\drivers\aswMonFlt.sys
2011-07-04 11:32 . 2008-04-05 21:45  19544     ----a-w-  c:\windows\system32\drivers\aswFsBlk.sys
2011-06-07 18:55 . 2009-02-03 04:13  138784    ----a-w-  c:\windows\system32\drivers\PnkBstrK.sys
2011-06-07 18:55 . 2009-03-11 03:09  111928    ----a-w-  c:\windows\system32\PnkBstrB.exe
2011-06-02 13:34 . 2011-07-18 05:40  2043392   ----a-w-  c:\windows\system32\win32k.sys
2009-04-01 02:47 . 2008-09-07 03:30  324976    ----a-w-  c:\program files\mozilla firefox\components\coFFPlgn.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2007-11-20 147456]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-05-25 336384]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2011-03-21 248320]
.
c:\users\Carol\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
.
c:\users\Jennifer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
.
c:\users\John-Carl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-2-3 0]
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
.
c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-2-5 0]
Picture Motion Browser Media Check Tool.lnk - e:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-10-11 385024]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - e:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 avast! Firewall;avast! Firewall;e:\program files\Alwil Software\Avast5\afwServ.exe [2011-07-04 121000]
R2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [2006-05-10 29696]
R3 CYUSB;Cypress Generic USB Driver;c:\windows\system32\Drivers\CYUSB.sys [2009-08-10 39936]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2008-02-26 493568]
S0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\aswNdis.sys [2010-01-09 12112]
S0 aswNdis2;avast! Firewall Core Firewall Service; [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-07-16 717296]
S1 aswFW;avast! TDI Firewall driver; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-05-25 176128]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-07-04 54104]
S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-09-03 208896]
S2 HPBtnSrv;HP Chasis Button Service;c:\hp\HPEZBTN\HPBtnSrv.exe [2007-05-29 198240]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-05-25 7800832]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-05-25 245760]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdLH3.sys [2011-03-30 97808]
S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-08-02 22784]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2008-12-04 1426304]
S3 hidkmdf;Filter Driver Service for HID-KMDF Interface layer;c:\windows\system32\DRIVERS\hidkmdf.sys [2010-09-25 6656]
S3 LycoFltr;Lycosa Keyboard;c:\windows\system32\Drivers\Lycosa.sys [2008-01-18 16128]
S3 VKbms;Virtual HID Minidriver;c:\windows\system32\DRIVERS\VKbms.sys [2010-10-01 10240]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-20 c:\windows\Tasks\HPCeeScheduleForJohn-Carl.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2007-08-23 23:55]
.
2011-08-30 c:\windows\Tasks\User_Feed_Synchronization-{6460C8A4-CB79-4BC5-B2FD-3F698354478A}.job
- c:\windows\system32\msfeedssync.exe [2011-08-10 09:26]
.
2011-08-31 c:\windows\Tasks\User_Feed_Synchronization-{6819AB56-5BC4-490F-8676-176A5595540A}.job
- c:\windows\system32\msfeedssync.exe [2011-08-10 09:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{62CE607A-1353-4A2D-B5D5-4E4AE3B77005}: NameServer = 24.159.64.23,68.189.0.100
FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\f3xp57k0.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Skype extension: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - c:\windows\system32\6exs7.dll
HKCU-Run-Steam - e:\program files\Steam\Steam.exe
AddRemove-Steam App 220 - e:\program files\Steam\steam.exe
AddRemove-Steam App 380 - e:\program files\Steam\steam.exe
AddRemove-Steam App 400 - e:\program files\Steam\steam.exe
AddRemove-Steam App 420 - e:\program files\Steam\steam.exe
AddRemove-Steam App 440 - e:\program files\Steam\steam.exe
AddRemove-{8BCAFB73-49AE-4AC4-00A1-70E4EC38BD4E} - c:\program files\Electronic Arts\The Lord of the Rings
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-30 22:57
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3452593512-2370901467-3437361607-1001\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-08-30 23:00:26
ComboFix-quarantined-files.txt 2011-08-31 03:00
.
Pre-Run: 91,676,295,168 bytes free
Post-Run: 91,791,630,336 bytes free
.
- - End Of File - - 7B37B6D1043B26DD3176D5C66A279A86