ComboFix 12-06-10.01 - DaCostaBoy 06/10/2012 17:38:32.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1005 [GMT -4:00]
Running from: c:\documents and settings\DaCostaBoy\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Propellerhead Software\ReCycle
c:\documents and settings\All Users\Application Data\QuestDns
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\DaCostaBoy\Application Data\Propellerhead Software\ReCycle
c:\documents and settings\DaCostaBoy\WINDOWS
c:\program files\Mozilla Firefox\extensions\{C91E1C68-B60A-4C9F-B53B-AAAEF0E7EF97}
c:\program files\Mozilla Firefox\extensions\{C91E1C68-B60A-4C9F-B53B-AAAEF0E7EF97}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{C91E1C68-B60A-4C9F-B53B-AAAEF0E7EF97}\chrome\questdns.jar
c:\program files\Mozilla Firefox\extensions\{C91E1C68-B60A-4C9F-B53B-AAAEF0E7EF97}\defaults\preferences\prefs.js
c:\program files\Mozilla Firefox\extensions\{C91E1C68-B60A-4C9F-B53B-AAAEF0E7EF97}\install.rdf
c:\windows\EventSystem.log
c:\windows\system32\AutoRun.inf
c:\windows\system32\avisynth.dll
c:\windows\system32\devil.dll
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\pthreadVC.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-05-10 to 2012-06-10 )))))))))))))))))))))))))))))))
.
.
2012-06-10 21:16 . 2012-06-10 21:16 -------- d-----w- c:\program files\ERUNT
2012-05-14 18:24 . 2012-05-14 18:24 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-14 18:24 . 2012-05-14 18:24 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-14 18:24 . 2012-05-14 18:24 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-07 23:06 . 2012-04-20 16:37 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-07 23:06 . 2011-06-08 23:02 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-22 05:09 . 2012-04-22 05:09 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-22 05:09 . 2010-06-28 23:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-22 04:04 . 2012-04-22 04:04 80090 ----a-w- c:\documents and settings\DaCostaBoy\Application Data\SMBIOSSP.exe
2012-04-21 01:46 . 2012-04-21 01:46 17801 ----a-w- c:\windows\system32\drivers\AegisP.sys
2012-05-14 18:24 . 2011-09-11 21:23 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2011-06-16 2510848]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-04-04 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KodakHomeCenter"="c:\program files\Kodak\AiO\Center\AiOHomeCenter.exe" [2011-12-12 2234288]
.
c:\documents and settings\DaCostaBoy\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"Midi1"=ma_cmidn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WD Backup Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WD Backup Monitor.lnk
backup=c:\windows\pss\WD Backup Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
2002-10-15 22:00 1818624 ----a-w- c:\windows\mixer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 20:44 3883856 -c--a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe"= c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet,0.0.0.0/255.255.255.255:Enabled:Pure Networks Platform Service
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"5353:UDP"= 5353:UDP:Bonjour Port 5353
"9323:TCP"= 9323:TCP:EKDiscovery
"9322:TCP"= 9322:TCP:EKDiscovery
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/24/2010 10:20 PM 691696]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/19/2012 12:13 PM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/19/2012 12:13 PM 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/19/2012 12:13 PM 20696]
R2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [3/10/2010 12:00 AM 6656]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKAiOHostService.exe [12/19/2011 5:32 PM 394672]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [12/15/2010 7:01 AM 33912]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate1c9c04510022fe8;Google Update Service (gupdate1c9c04510022fe8);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/20/2012 12:37 PM 257696]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 11:08 AM 11336]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [5/11/2011 3:41 PM 10744]
S3 gupdatem;Google Update Service (gupdatem);"c:\program files\Google\Update\GoogleUpdate.exe" /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/14/2012 2:24 PM 129976]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [6/26/2010 9:46 AM 137344]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\DRIVERS\sxuptp.sys --> c:\windows\system32\DRIVERS\sxuptp.sys [?]
S3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [12/3/2008 10:45 PM 20168]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/22/2009 11:08 PM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 4:09 AM 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 4:23 AM 366936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-20 23:06]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
FF - ProfilePath - c:\documents and settings\DaCostaBoy\Application Data\Mozilla\Firefox\Profiles\xh2ewup7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.msn.com
FF - prefs.js: keyword.URL - hxxp://search.search-tab.com/?sid=10101058100&s=
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-tab.com/?sid=10101058100&s=
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
HKLM-Run-hpqSRMon - c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
HKLM-Run-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-Aim6 - f:\program files\AIM6\aim6.exe
MSConfigStartUp-doubleTwist - c:\program files\doubleTwist 2.0\DoubleTwist.DeviceHelper.exe
MSConfigStartUp-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
MSConfigStartUp-iPodVideoConverter_upgrade - c:\program files\E-Zsoft\iPodVideoConverter\iPodVideoConverter.exe
MSConfigStartUp-Messenger (Yahoo!) - c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
MSConfigStartUp-NokiaOviSuite2 - c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
MSConfigStartUp-WD Button Manager - WDBtnMgr.exe
MSConfigStartUp-WD Drive Manager - c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
MSConfigStartUp-Zune Launcher - f:\program files\ZuneLauncher.exe
AddRemove-Adobe Connect Add-in - c:\documents and settings\DaCostaBoy\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin\connectaddin.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-10 17:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1757981266-1390067357-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1757981266-1390067357-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:31,74,42,36,4f,25,15,8b,2e,b7,40,be,ec,3b,5b,1c,ff,7b,15,ab,66,cf,09,
   b5,8b,6e,7c,af,9d,8a,c7,7e,7a,d6,e6,96,72,61,d4,87,e4,9e,e1,d0,31,23,79,c1,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
.
[HKEY_USERS\S-1-5-21-1757981266-1390067357-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:50,82,78,45,be,74,dd,bd,37,fb,b2,74,96,b9,60,c1,c1,c9,0a,74,e3,
   26,16,c7,b9,a4,88,38,8d,39,5e,82,3c,52,84,f2,c2,a4,ea,b1,fe,34,e3,75,29,ad,\
"rkeysecu"=hex:d5,53,47,96,d5,81,72,30,f3,a8,c2,35,44,d4,1e,c1
.
Completion time: 2012-06-10 17:48:27
ComboFix-quarantined-files.txt 2012-06-10 21:48
.
Pre-Run: 17,245,294,592 bytes free
Post-Run: 17,187,172,352 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 82C34F5BE4D8EB00F7EC112343168493