ComboFix 12-08-31.08 - Sree 09/02/2012 18:46:43.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.83 [GMT 5.5:30]
Running from: d:\download\_new\Google Chrome Err\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
AV: ZoneAlarm Antivirus *Disabled/Outdated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
c:\windows\system32\PowerToyReadme.htm
.
.
((((((((((((((((((((((((( Files Created from 2012-08-02 to 2012-09-02 )))))))))))))))))))))))))))))))
.
.
2012-09-02 12:35 . 2012-09-02 12:35 -------- d-----w- c:\program files\IPMsg
2012-08-19 11:48 . 2012-08-19 11:48 -------- d-----w- c:\documents and settings\Sree\Local Settings\Application Data\Opera
2012-08-19 11:48 . 2012-08-19 11:48 -------- d-----w- c:\program files\Opera
2012-08-19 11:14 . 2012-07-14 00:17 68576 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-08-19 11:14 . 2012-07-14 00:17 573920 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-08-19 11:14 . 2012-07-14 00:17 157608 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-08-19 11:14 . 2012-07-14 00:17 113120 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-08-19 11:14 . 2012-07-14 00:16 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-08-19 11:14 . 2012-07-14 00:16 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-08-19 09:04 . 2012-08-19 09:04 -------- d-sh--w- c:\documents and settings\Sree\IECompatCache
2012-08-19 07:43 . 2012-08-19 07:43 -------- d-----w- c:\documents and settings\Sree\Application Data\AdobeAUM
2012-08-15 21:49 . 2012-08-15 21:49 -------- d-----w- c:\documents and settings\Sree\Local Settings\Application Data\Help
2012-08-15 20:16 . 2012-08-15 20:16 -------- d-----w- c:\documents and settings\Sree\Local Settings\Application Data\Adobe
2012-08-15 20:16 . 2012-08-15 20:16 -------- d-----w- c:\documents and settings\Sree\Local Settings\Application Data\Temp
2012-08-13 13:34 . 2012-08-13 13:34 -------- d-----w- c:\documents and settings\Sree\Downloads
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-08 18:41 . 2007-12-31 18:58 315392 ----a-w- c:\windows\HideWin.exe
2012-07-08 15:46 . 2007-12-31 19:42 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2012-07-14 00:17 . 2011-07-30 07:08 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31B27F2D-6BC6-451B-B3D2-4EAB36B2FC3B}]
2007-12-31 19:49 2655736 ----a-w- c:\program files\SpeedBit Video Downloader\Toolbar\tbcore3.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2007-12-31 2799104]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16380416]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-20 1983816]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-07-30 73392]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-23 85696]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 106544]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2009-12-23 2330624]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\pluginwrapper\\opera_plugin_wrapper.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
.
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [8/2/2012 5:34 AM 11352]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 1:13 PM 38144]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [7/14/2012 7:29 PM 27056]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [7/14/2012 7:29 PM 497320]
R2 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [12/3/2010 1:15 AM 218432]
R3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [7/31/2009 3:12 PM 341504]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [1/1/2008 12:20 AM 250568]
S3 RTLWUSB;Realtek RTL8187 Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\RTL8187.sys [7/9/2012 12:28 AM 157312]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 7:27 PM 124608]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - EraserUtilDrv11220
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2007-12-31 18:59]
.
2012-08-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1343024091-839522115-1003Core.job
- c:\documents and settings\Sree\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-19 08:58]
.
2012-08-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1343024091-839522115-1003UA.job
- c:\documents and settings\Sree\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-19 08:58]
.
2012-09-02 c:\windows\Tasks\MotoHelper MUM.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-12-02 19:45]
.
2012-09-02 c:\windows\Tasks\MotoHelper Routing.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-12-02 19:45]
.
2012-09-02 c:\windows\Tasks\MotoHelper Update.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-12-02 19:45]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Sree\Application Data\Mozilla\Firefox\Profiles\3v4kzp42.default\
FF - user.js: extensions.zonealarm.autoRvrt - false
FF - user.js: extensions.zonealarm_i.newTab - false
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?Source=ToolBar&oemCode=ZLN114103190951322-1001&toolbarId=base&affiliateId=1001&Lan={dfltLng}&utid=5c643a740000000000000026f2b42498&q=
FF - user.js: extensions.zonealarm.id - 5c643a740000000000000026f2b42498
FF - user.js: extensions.zonealarm.instlDay - 15554
FF - user.js: extensions.zonealarm.vrsn - 1.6.4.5
FF - user.js: extensions.zonealarm.vrsni - 1.6.4.5
FF - user.js: extensions.zonealarm_i.vrsnTs - 1.6.4.55:32
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1001
FF - user.js: extensions.zonealarm_i.smplGrp - none
FF - user.js: extensions.zonealarm.tlbrId - base
FF - user.js: extensions.zonealarm.instlRef - ZLN114103190951322-1001
FF - user.js: extensions.zonealarm.dfltLng - en
FF - user.js: extensions.zonealarm.excTlbr - false
FF - user.js: extensions.zonealarm.admin - false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SkyTel - 1SkyTel.EXE
HKLM-Run-EasyTuneV - 1c:\program files\Gigabyte\ET5\ETcall.exe
HKLM-Run-Adobe ARM - 1c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
HKLM-Run-ISW - (no file)
SafeBoot-92578658.sys
AddRemove-TweakUI - c:\windows\rundll32.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-02 18:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(932)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(988)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2012-09-02 18:56:33
ComboFix-quarantined-files.txt 2012-09-02 13:26
.
Pre-Run: 87,939,051,520 bytes free
Post-Run: 87,891,869,696 bytes free
.
- - End Of File - - F7F52D58444A80BEA1F2C361CF9438EC