ComboFix 12-04-15.02 - Rob 04/16/2012 14:42:30.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.596 [GMT -6:00]
Running from: c:\documents and settings\Rob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rob\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\windows\system32\drivers\xpsec.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\etc\hosts.ics
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_xpsec
.
.
((((((((((((((((((((((((( Files Created from 2012-03-16 to 2012-04-16 )))))))))))))))))))))))))))))))
.
.
2012-04-16 02:08 . 2012-04-16 02:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-16 00:35 . 2012-04-16 00:35 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-14 19:50 . 2012-04-14 19:50 -------- d-----w- c:\documents and settings\Rob\Application Data\Malwarebytes
2012-04-14 19:50 . 2012-04-14 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-14 19:50 . 2012-04-14 21:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-14 19:50 . 2012-04-04 21:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-13 22:25 . 2012-03-14 02:15 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{0C6CA56C-91DC-4811-AB06-6234F5CE6087}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-16 02:08 . 2010-05-28 16:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-06 23:15 . 2010-10-19 17:36 41184 ----a-w- c:\windows\avastSS.scr
2012-03-06 23:15 . 2008-09-02 04:01 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-06 23:03 . 2011-03-22 02:02 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-06 23:03 . 2008-09-02 04:02 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-06 23:02 . 2008-09-02 04:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-03-06 23:01 . 2008-09-02 04:02 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-06 23:01 . 2008-09-02 04:02 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-03-06 23:01 . 2008-09-02 04:02 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-03-06 23:01 . 2008-09-02 04:02 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-06 22:58 . 2008-09-02 04:02 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-03-01 11:01 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-03-01 02:23 . 2011-05-17 14:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-29 14:10 . 2004-08-04 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2004-08-04 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-02-23 16:18 . 2009-10-02 22:07 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-08 06:03 . 2007-06-08 04:25 6552120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-02-03 09:22 . 2004-08-04 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of %user%\library ----
.
.
---- Directory of c:\program files\Common ----
.
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-16_00.13.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-16 20:52 . 2012-04-16 20:52 16384 c:\windows\Temp\Perflib_Perfdata_140.dat
+ 2012-04-16 02:08 . 2012-04-16 02:08 157472 c:\windows\system32\javaws.exe
+ 2012-04-16 02:08 . 2012-04-16 02:08 149280 c:\windows\system32\javaw.exe
+ 2012-04-16 02:08 . 2012-04-16 02:08 149280 c:\windows\system32\java.exe
+ 2012-04-16 02:09 . 2012-04-16 02:09 203776 c:\windows\Installer\15bb19.msi
+ 2012-04-16 02:08 . 2012-04-16 02:08 901120 c:\windows\Installer\15bb14.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gStart"="c:\garmin\TrainingCenter\gStart.exe" [2008-08-13 1891416]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-12 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 339968]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 794624]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-01-26 53248]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2012-03-06 4241512]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]
.
c:\documents and settings\Rob\Start Menu\Programs\Startup\
Jacquie Lawson London Advent Calendar.lnk - c:\program files\Jacquie Lawson London Advent Calendar\Jacquie Lawson London Advent Calendar.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SolutoService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Soluto\\Soluto.exe"=
"c:\\Program Files\\Soluto\\SolutoService.exe"=
"c:\\Program Files\\Soluto\\SolutoConsole.exe"=
"c:\\Program Files\\Soluto\\SolutoUpdateService.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/21/2011 8:02 PM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/1/2008 10:02 PM 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/1/2008 10:02 PM 20696]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [12/13/2011 1:10 PM 200192]
S0 Soluto;Soluto;c:\windows\system32\drivers\Soluto.sys [7/14/2011 9:09 AM 51144]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/19/2010 12:18 AM 135664]
S2 SolutoService;Soluto PCGenome Core Service;c:\program files\Soluto\SolutoService.exe [1/25/2012 7:05 PM 547872]
S3 cpuz135;cpuz135;\??\c:\windows\TEMP\cpuz135\cpuz135_x32.sys --> c:\windows\TEMP\cpuz135\cpuz135_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/19/2010 12:18 AM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2012-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-19 06:18]
.
2012-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-19 06:18]
.
2012-04-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
2012-04-15 c:\windows\Tasks\User_Feed_Synchronization-{B3D1086B-FF70-4450-83F2-D93055DEC513}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q305&bd=pavilion&pf=laptop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q305&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.1.254 75.153.176.1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-16 14:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????1?6?1?6??????? ???B?????????????hLC? ??????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3472)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\HPQ\shared\hpqwmi.exe
.
**************************************************************************
.
Completion time: 2012-04-16 14:59:33 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-16 20:59
ComboFix2.txt 2012-04-16 00:20
.
Pre-Run: 72,246,407,168 bytes free
Post-Run: 72,253,816,832 bytes free
.
- - End Of File - - B6401D6AFA8A0F0669E44B0B5A75959B