ComboFix 12-08-22.03 - Greg 08/22/2012 22:42:38.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2922.2354 [GMT -5:00]
Running from: c:\documents and settings\Greg\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\regobj.dll
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
.
c:\windows\system32\drivers\i8042prt.sys was missing
Restored copy from - c:\windows\ServicePackFiles\i386\i8042prt.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-07-23 to 2012-08-23 )))))))))))))))))))))))))))))))
.
.
2012-08-23 03:50 . 2008-04-14 06:48 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2012-08-23 03:50 . 2008-04-14 06:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-08-22 22:01 . 2012-08-22 22:06 14080 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-08-21 17:04 . 2012-08-21 17:04 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-07-27 20:51 . 2012-07-27 20:51 184248 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-07-27 20:51 . 2012-07-27 20:51 184248 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-14 23:57 . 2012-04-08 03:27 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-14 23:57 . 2012-01-02 23:41 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-06 13:58 . 2004-08-04 06:56 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05 . 2012-01-02 21:00 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 18:46 . 2012-01-02 23:52 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-03 16:21 . 2012-01-02 23:10 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-07-03 16:21 . 2012-01-02 23:10 353688 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-07-03 16:21 . 2012-01-02 23:10 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-07-03 16:21 . 2012-01-02 23:10 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21 . 2012-01-02 23:10 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-07-03 16:21 . 2012-01-02 23:10 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-07-03 16:21 . 2012-01-02 23:10 89624 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-07-03 16:21 . 2012-01-02 23:10 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-07-03 16:21 . 2012-01-02 23:10 41224 ----a-w- c:\windows\avastSS.scr
2012-07-03 16:21 . 2012-01-02 23:10 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-07-03 13:40 . 2004-08-04 05:17 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2004-08-04 06:56 916992 ----a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2004-08-04 06:56 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-07-02 17:49 . 2004-08-04 06:56 43520 ------w- c:\windows\system32\licmgr10.dll
2012-07-02 12:05 . 2004-08-04 04:59 385024 ------w- c:\windows\system32\html.iec
2012-06-07 01:59 . 2012-06-07 01:59 1070152 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-06-05 15:50 . 2012-01-02 21:13 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-04 06:56 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2004-08-04 06:56 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 20:19 . 2012-01-02 21:43 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19 . 2012-01-02 21:43 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19 . 2012-01-02 21:01 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 20:19 . 2012-01-02 21:01 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19 . 2012-01-02 21:01 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 20:19 . 2012-01-02 21:43 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 20:19 . 2012-01-02 21:43 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19 . 2012-01-02 21:01 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 20:19 . 2012-01-02 21:01 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 20:19 . 2004-08-04 06:56 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 20:19 . 2012-01-02 21:43 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:19 . 2012-01-02 21:01 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 20:19 . 2012-01-02 21:01 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 20:18 . 2012-01-03 00:36 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 20:18 . 2012-01-03 00:36 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 20:18 . 2009-08-07 01:23 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2004-08-04 06:56 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-07-21 15:07 . 2012-01-03 01:43 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-04-09 1519272]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-04-09 22:43 1519272 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-04-09 1519272]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-04-09 1519272]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-04-09 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2010-11-16 19722344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-05-06 142616]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-05-06 182552]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-05-06 166680]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-11-06 741376]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-04-09 1557160]
.
c:\documents and settings\Greg\Start Menu\Programs\Startup\
Screen Shot 2.0.lnk - c:\program files\Parsons Technology\Screen Shot 2.0\Sshot2.exe [2012-1-2 815104]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2012-1-2 25214]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.207\SSScheduler.exe [2011-6-17 272528]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [1/2/2012 6:10 PM 721000]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/2/2012 6:10 PM 353688]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/2/2012 6:10 PM 21256]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [1/2/2012 6:49 PM 21992]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [5/15/2012 6:57 AM 95200]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/2/2012 6:54 PM 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/7/2012 10:27 PM 250056]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/2/2012 4:27 PM 1691480]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/2/2012 6:54 PM 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.207\McCHSvc.exe [6/17/2011 12:33 PM 237008]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/26/2012 7:41 PM 113120]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 23:57]
.
2012-08-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2012-08-23 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-07-29 16:21]
.
2012-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-02 23:54]
.
2012-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-02 23:54]
.
2012-08-23 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2012-04-09 22:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\documents and settings\Greg\Application Data\Mozilla\Firefox\Profiles\w0oyxqd2.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-23 05:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3500413AS rev.JC4B -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A1092E2
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(828)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1712)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\rundll32.exe
c:\windows\RTHDCPL.EXE
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
c:\program files\Brother\Brmfcmon\BrMfcmon.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
.
**************************************************************************
.
Completion time: 2012-08-23 05:52:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-23 10:52
.
Pre-Run: 435,152,744,448 bytes free
Post-Run: 436,985,675,776 bytes free
.
- - End Of File - - 6B5F0F5F59912263B4DCBF2759E7B36C