ComboFix 13-01-24.02 - jamie madigan 01/25/2013 15:45:30.9.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.439 [GMT -5:00]
Running from: d:\my documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\jamie madigan\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: ThreatFire *Disabled/Updated* {67B2B9A1-25C8-4057-962D-807958FFC9E3}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\SpeedyPC Software
c:\documents and settings\jamie madigan\Application Data\DriverCure
c:\documents and settings\jamie madigan\Application Data\DriverCure\LogFile.txt
c:\documents and settings\jamie madigan\Application Data\SpeedyPC Software
.
.
((((((((((((((((((((((((( Files Created from 2012-12-25 to 2013-01-25 )))))))))))))))))))))))))))))))
.
.
2013-01-25 08:30 . 2013-01-08 04:57 6991832 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E48D274E-FE28-45CB-B15D-6A8C78F447E3}\mpengine.dll
2013-01-24 08:31 . 2013-01-08 04:57 6991832 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-01-20 01:20 . 2009-01-25 17:14 15224 -c--a-w- c:\windows\system32\sdnclean.exe
2013-01-20 01:19 . 2013-01-20 01:20 -------- dc----w- c:\program files\Spybot - Search & Destroy 2
2013-01-19 22:11 . 2013-01-19 22:11 -------- dc----w- c:\program files\ESET
2013-01-19 00:49 . 2013-01-19 00:49 -------- dc----w- c:\documents and settings\Administrator.JHOME\Application Data\Malwarebytes
2013-01-19 00:36 . 2013-01-19 00:36 -------- dc----w- c:\documents and settings\Administrator.JHOME\Local Settings\Application Data\Mozilla
2013-01-17 03:03 . 2013-01-17 03:03 -------- dc----w- c:\program files\Enigma Software Group
2013-01-17 02:52 . 2013-01-23 02:43 -------- dc----w- c:\windows\DDABC66756B3412282B02F5782EA2F9A.TMP
2013-01-17 02:43 . 2013-01-17 02:43 -------- dc----w- c:\documents and settings\jamie madigan\Application Data\Auslogics
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-16 12:23 . 2001-08-18 12:00 290560 -c--a-w- c:\windows\system32\atmfd.dll
2012-12-14 21:49 . 2011-02-12 04:00 21104 -c--a-w- c:\windows\system32\drivers\mbam.sys
2012-12-12 17:19 . 2012-07-20 20:56 697272 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-12 17:19 . 2011-06-18 23:31 73656 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-13 01:25 . 2001-08-18 12:00 1866368 -c----w- c:\windows\system32\win32k.sys
2012-11-06 02:01 . 2008-08-24 03:26 1371648 -c----w- c:\windows\system32\msxml6.dll
2012-11-02 02:02 . 2003-03-01 05:32 375296 -c----w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2004-02-06 22:05 916992 -c--a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2003-02-27 03:54 43520 -c--a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2003-02-27 03:52 1469440 -c----w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2004-08-04 05:59 385024 -c--a-w- c:\windows\system32\html.iec
2012-09-12 02:37 . 2012-07-21 03:05 266720 -c--a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2007-08-25 03:52 . 2008-02-09 02:09 300400 -c--a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2001-08-18 12:00 94784 -csh--w- c:\windows\twain.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="?\WkDetect.exe" [?]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-04-06 39408]
"H/PC Connection Agent"="d:\program files\WCESCOMM.EXE" [2003-04-22 413775]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"ATIPTA"="atiptaxx.exe" [2001-09-27 245760]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
backup=c:\windows\pss\AOL Companion.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^jamie madigan^Start Menu^Programs^Startup^Banshee Screamer Alarm.lnk]
backup=c:\windows\pss\Banshee Screamer Alarm.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^jamie madigan^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\jamie madigan\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^jamie madigan^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^jamie madigan^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=c:\windows\pss\PowerReg Scheduler.exeStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^jamie madigan^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
backup=c:\windows\pss\PowerReg SchedulerV2.exeStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2001-08-17 04:41 28738 ----a-w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-03 23:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\WCESCOMM.EXE"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"59145:TCP"= 59145:TCP:Pando Media Booster
"59145:UDP"= 59145:UDP:Pando Media Booster
.
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/19/2012 9:14 PM 398184]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/11/2011 11:01 PM 682344]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [1/19/2013 8:20 PM 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [1/19/2013 8:20 PM 1369624]
R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);c:\windows\system32\drivers\es1370mp.sys [11/9/2009 4:51 PM 37120]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/11/2011 11:00 PM 21104]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 2:43 PM 204800]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [1/19/2013 8:20 PM 168384]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\d:\my documents\Garena Plus\Room\safedrv.sys --> d:\my documents\Garena Plus\Room\safedrv.sys [?]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [12/26/2007 2:47 AM 272128]
S3 utmzmza3;AVZ Kernel Driver;c:\windows\system32\drivers\utmzmza3.sys [2/17/2011 4:59 PM 7168]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL3147A403
*Deregistered* - MpKsl3147a403
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 17:23 452136 -c--a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-20 17:19]
.
2013-01-24 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-01-20 19:08]
.
2013-01-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-04-06 01:44]
.
2013-01-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-04-06 01:44]
.
2013-01-23 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]
.
2013-01-23 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-01-20 19:07]
.
2013-01-23 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-01-20 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?ncid=toolbar
uDefault_Search_URL = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
IE: &AOL Email Toolbar Search
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 24.154.1.6 24.154.1.8 192.168.1.1 24.154.1.6 24.154.1.8
FF - ProfilePath - c:\documents and settings\jamie madigan\Application Data\Mozilla\Firefox\Profiles\1lrqnt43.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?q={searchTerms}&s_it=aol-ff&s_qt=sb&tb_uuid=20100504052838609&tb_oid=23-01-2013&tb_mrud=23-01-2013
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?ncid=toolbar
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=843&s_qt=ab&s_it=aol-ff&tb_uuid=20100504052838609&tb_oid=23-01-2013&tb_mrud=23-01-2013&q=
FF - ExtSQL: !HIDDEN! 2009-08-10 03:00; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-25 16:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,89,28,a6,98,ee,81,bb,4e,ae,78,11,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8c,b3,52,cc,75,51,87,4a,8b,28,8c,\
.
[HKEY_USERS\S-1-5-21-1708537768-484061587-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2013-01-25 16:08:25
ComboFix-quarantined-files.txt 2013-01-25 21:08
ComboFix2.txt 2013-01-24 01:39
.
Pre-Run: 443,424,768 bytes free
Post-Run: 3,983,179,776 bytes free
.
- - End Of File - - A964428188C079C2E3A880BBD8E38552