ComboFix 11-06-05.06 - Russel 06/06/2011 6:24.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1983.1355 [GMT 1:00]
Running from: c:\documents and settings\Russel.YOUR-C94F920E24\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Russel.YOUR-C94F920E24\My Documents\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *Disabled/Outdated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
FILE ::
"c:\windows\system32\DRIVERS\15188711.sys"
.
ADS - WINDOWS: deleted 128 bytes in 1 streams. .
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\config\systemprofile\Application Data\Pahovo
c:\windows\system32\config\systemprofile\Application Data\Pahovo\elah.eqo
c:\windows\system32\config\systemprofile\Application Data\Pahovo\elah.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_15188711
-------\Service_15188711
.
.
((((((((((((((((((((((((( Files Created from 2011-05-06 to 2011-06-06 )))))))))))))))))))))))))))))))
.
.
2011-06-06 02:00 . 2011-06-06 02:00 -------- d-----w- C:\42c687b82ee949ecb446b2
2011-06-06 02:00 . 2011-06-06 05:24 -------- d-----w- C:\117ce940ed6ebb127004
2011-05-28 15:49 . 2011-06-01 00:28 -------- d-----w- c:\program files\CraigsCrawl
2011-05-19 00:21 . 2011-05-19 00:21 -------- d-----w- c:\program files\DupRemover
2011-05-19 00:08 . 2011-05-19 00:08 -------- d-----w- c:\program files\Duplicate Manager 3.0
2011-05-18 21:56 . 2011-06-05 23:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype Extras
2011-05-18 21:56 . 2011-05-18 21:56 -------- d-----w- c:\program files\Common Files\Skype
2011-05-12 12:57 . 2011-05-12 12:57 -------- d-----w- c:\documents and settings\Russel.YOUR-C94F920E24\Local Settings\Application Data\Wordpress Mage
2011-05-12 12:57 . 2011-05-12 12:57 -------- d-----w- c:\program files\Wordpress Mage
2011-05-12 12:41 . 2011-05-12 23:13 -------- d-----w- c:\program files\SERPAttacks
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-22 02:32 . 2011-04-22 02:32 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2011-04-14 16:26 . 2011-06-01 00:32 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-19 68856]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-03-09 188416]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-21 180269]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-6-21 27136]
.
c:\documents and settings\hevo\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-6-21 27136]
.
c:\documents and settings\Administrator.YOUR-C94F920E24\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-6-21 27136]
.
c:\documents and settings\aleck.YOUR-C94F920E24\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\faith\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"Google Update"="c:\documents and settings\Russel.YOUR-C94F920E24\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"LightScribe Control Panel"=c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
"MSConfig"=c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"NeroFilterCheck"=c:\program files\Common Files\Nero\Lib\NeroCheck.exe
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"KodakShareButtonApp"=c:\program files\Kodak\KODAK Share Button App\Listener.exe
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"c:\\Program Files\\CyberLink\\PowerCinema\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Documents and Settings\\Russel.YOUR-C94F920E24\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"90:TCP"= 90:TCP:AgentServer connection
"5700:UDP"= 5700:UDP:Network Discovery port
"5701:UDP"= 5701:UDP:Network Discovery port (Broadcast)
"8000:UDP"= 8000:UDP:Axon Virtual PBX RTP Incoming Audio (UDP)
"8001:UDP"= 8001:UDP:Axon Virtual PBX RTP Incoming Audio (UDP)
"8002:UDP"= 8002:UDP:Axon Virtual PBX RTP Incoming Audio (UDP)
"8003:UDP"= 8003:UDP:Axon Virtual PBX RTP Incoming Audio (UDP)
"8004:UDP"= 8004:UDP:Axon Virtual PBX RTP Incoming Audio (UDP)
"8005:UDP"= 8005:UDP:Axon Virtual PBX RTP Incoming Audio (UDP)
"8006:UDP"= 8006:UDP:Axon Virtual PBX RTP Incoming Audio (UDP)
"8007:UDP"= 8007:UDP:Axon Virtual PBX RTP Incoming Audio (UDP)
"8008:UDP"= 8008:UDP:Axon Virtual PBX RTP Incoming Audio (UDP)
"8009:UDP"= 8009:UDP:Axon Virtual PBX RTP Incoming Audio (UDP)
"5060:UDP"= 5060:UDP:Axon Virtual PBX Sip Incoming Calls (UDP)
"81:TCP"= 81:TCP:Axon Virtual PBX Web Server
"4100:UDP"= 4100:UDP:uPNP Router Control Port
"1038:TCP"= 1038:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 15188712;15188712 Boot Guard Driver;c:\windows\system32\drivers\15188712.sys [3/25/2011 3:32 PM 37392]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]
R1 setup_9.0.0.722_25.03.2011_16-20drv;setup_9.0.0.722_25.03.2011_16-20drv;c:\windows\system32\drivers\1518871.sys [3/25/2011 3:32 PM 315408]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 12:00 PM 14336]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [12/20/2010 5:39 PM 88176]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [6/24/2010 11:08 AM 196928]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [6/24/2010 11:09 AM 65856]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 4:18 AM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2010 4:18 AM 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 1:49 PM 227232]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-02-25 10:12 451872 ---ha-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
.
2011-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 03:18]
.
2011-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 03:18]
.
2011-06-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1951882237-1008395978-543828888-1009Core.job
- c:\documents and settings\Russel.YOUR-C94F920E24\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-11 11:50]
.
2011-06-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1951882237-1008395978-543828888-1009UA.job
- c:\documents and settings\Russel.YOUR-C94F920E24\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-11 11:50]
.
2011-05-27 c:\windows\Tasks\HPCeeSchedule.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2005-09-08 18:22]
.
2011-05-02 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2011-04-17 18:36]
.
2011-06-06 c:\windows\Tasks\User_Feed_Synchronization-{9F6FD136-0ABE-43A8-970A-D40E2C30CE97}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
.
2011-05-31 c:\windows\Tasks\videopadDowngrade.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2011-04-03 10:32]
.
2011-06-01 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2011-04-03 10:32]
.
2011-05-21 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-06-24 16:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.hotspotshield.com/g/?c=h
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=63&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=63&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = local;*.local
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Russel.YOUR-C94F920E24\Application Data\Mozilla\Firefox\Profiles\ad31uh3q.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2011-06-06 06:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1951882237-1008395978-543828888-1009\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2D1EB7FD-03B6-7290-C6E8-B5B1E192FC7B}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaplclgjkimjfpejme"=hex:6a,61,67,70,63,6d,68,6a,68,66,6a,6b,70,68,67,64,63,6b,
64,6d,00,d0
"hannekhlpdiidpen"=hex:6a,61,67,70,63,6d,68,6a,68,66,6a,6b,70,68,67,64,63,6b,
64,6d,00,d0
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2532)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_179798c8\MSVCR80.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
c:\program files\Common Files\Nero\Lib\NeroDigitalExt.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_e87e0bcd\MFC80.DLL
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
c:\program files\Common Files\Nero\DSFilter\NeMP4Splitter.ax
c:\program files\Common Files\Nero\DSFilter\NeFLVSplitter.ax
c:\program files\Common Files\Nero\DSFilter\NeSplitter.ax
c:\windows\system32\wmpasf.dll
c:\windows\system32\DRMClien.DLL
c:\windows\system32\wmvcore.dll
c:\windows\system32\WMASF.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
c:\program files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2011-06-06 06:42:38 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-06 05:42
ComboFix2.txt 2011-06-05 11:44
.
Pre-Run: 20,343,357,440 bytes free
Post-Run: 20,415,225,856 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=3
.
- - End Of File - - DC777C67B87DC209C9774052C183FEEE