Good morning Ron,
As requested:
Custom ComboFix Log
ComboFix 11-12-27.01 - Administrator 12/27/2011 23:44:56.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3068.2760 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\cfscript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_LMIINFO
-------\Legacy_MPKSL06B810B7
-------\Legacy_MPKSL1AC66141
-------\Legacy_MPKSL2BFFA4F3
-------\Legacy_MPKSL3DD639AB
-------\Legacy_MPKSL3EE6B27E
-------\Legacy_MPKSL42C55817
-------\Legacy_MPKSL4F969476
-------\Legacy_MPKSL53B0EED7
-------\Legacy_MPKSL5BA1B3BE
-------\Legacy_MPKSL63898193
-------\Legacy_MPKSL76C2176A
-------\Legacy_MPKSL8773EB8E
-------\Legacy_MPKSL935305F2
-------\Legacy_MPKSL9597717E
-------\Legacy_MPKSLB4EE7440
-------\Legacy_MPKSLBF532416
-------\Legacy_MPKSLDB37E6D8
-------\Legacy_MPKSLE513FDEB
-------\Legacy_MPKSLE6F6E2B0
-------\Legacy_MPKSLEB177773
-------\Legacy_MPKSLF433AE2D
-------\Legacy_MPKSLFDE536E0
-------\Service_cerc6
-------\Service_LMIInfo
-------\Service_MpKsl06b810b7
-------\Service_MpKsl1ac66141
-------\Service_MpKsl2bffa4f3
-------\Service_MpKsl3dd639ab
-------\Service_MpKsl3ee6b27e
-------\Service_MpKsl42c55817
-------\Service_MpKsl4f969476
-------\Service_MpKsl53b0eed7
-------\Service_MpKsl5ba1b3be
-------\Service_MpKsl63898193
-------\Service_MpKsl76c2176a
-------\Service_MpKsl8773eb8e
-------\Service_MpKsl935305f2
-------\Service_MpKsl9597717e
-------\Service_MpKslb4ee7440
-------\Service_MpKslbf532416
-------\Service_MpKsldb37e6d8
-------\Service_MpKsle513fdeb
-------\Service_MpKsle6f6e2b0
-------\Service_MpKsleb177773
-------\Service_MpKslf433ae2d
-------\Service_MpKslfde536e0
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))
.
.
2011-12-27 15:33 . 2011-12-27 15:33 -------- d-----w- C:\_OTL
2011-12-26 20:50 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-26 20:26 . 2008-04-14 07:00 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2011-12-26 20:26 . 2008-04-14 07:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-12-23 15:25 . 2011-12-23 15:25 21419 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-12-23 15:24 . 2011-12-23 15:24 -------- d-----w- c:\program files\Belkin
2011-12-19 20:49 . 2011-12-19 20:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Sun
2011-12-19 19:21 . 2011-12-19 19:21 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-27 15:40 . 2011-05-18 03:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-16 14:15 . 2011-09-26 00:27 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of %user%\library ----
.
.
---- Directory of c:\program files\Common ----
.
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-26_20.28.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-28 05:52 . 2011-12-28 05:52 16384 c:\windows\temp\Perflib_Perfdata_74c.dat
+ 2011-11-23 22:50 . 2011-12-27 15:40 247968 c:\windows\system32\Macromed\Flash\FlashUtil11e_Plugin.exe
- 2011-11-23 22:50 . 2011-11-23 22:50 247968 c:\windows\system32\Macromed\Flash\FlashUtil11e_Plugin.exe
+ 2011-01-28 02:43 . 2011-12-27 15:40 8527008 c:\windows\system32\Macromed\Flash\NPSWF32.dll
- 2011-01-28 02:43 . 2011-11-23 22:50 8527008 c:\windows\system32\Macromed\Flash\NPSWF32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2011-10-01 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-03-26 458865]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-08 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-01-10 1230704]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2010-08-30 979328]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin F5D8053 N Wireless USB Adapter Utility.lnk - c:\program files\Belkin\F5D8053\Belkinwcui.exe [2007-9-17 1732608]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\Electronic Arts\\BioWare\\Star Wars - The Old Republic\\launcher.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/19/2011 1:31 PM 366152]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [4/7/2010 4:06 PM 241880]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/26/2011 2:50 PM 22216]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1957994488-1606980848-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-13 20:54]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1957994488-1606980848-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-13 20:54]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wm26d1rp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3007394&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - WhiteSmoke Bar Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://zinkwink.com/?tmp=redir_bho_bing&prt=corsairzwbho&keywords=
FF - user.js: keyword.URL - hxxp://zinkwink.com/?tmp=redir_bho_bing&prt=corsairzwbho&keywords=
FF - user.js: keyword.enabled - 1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-27 23:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1177238915-1957994488-1606980848-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6f,bf,48,94,86,3c,0d,4d,9e,35,0c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3c,96,36,0b,ba,90,a5,4c,88,a7,f6,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6f,bf,48,94,86,3c,0d,4d,9e,35,0c,\
.
[HKEY_USERS\S-1-5-21-1177238915-1957994488-1606980848-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:56,9f,58,1f,ae,42,c6,cf,9d,d5,3b,23,e3,c7,29,03,52,ea,4e,2a,22,f9,3a,
45,a4,73,fd,9e,5e,7d,49,fe,2c,2d,76,ca,47,5a,79,96,f8,73,1c,94,33,bf,f3,7d,\
"??"=hex:2a,6f,c1,59,11,da,5e,27,00,47,ac,c1,e7,b6,39,d0
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6f,bf,48,94,86,3c,0d,4d,9e,35,0c,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6f,bf,48,94,86,3c,0d,4d,9e,35,0c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(3320)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2011-12-27 23:55:06 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-28 05:55
ComboFix2.txt 2011-12-27 16:01
ComboFix3.txt 2011-12-26 20:32
ComboFix4.txt 2011-12-19 21:25
.
Pre-Run: 6,131,109,888 bytes free
Post-Run: 6,095,237,120 bytes free
.
- - End Of File - - BBF52DBED75FE3F9DC9DAE00B92DED25
Avast Results
Avast found 7 threats, all of them associated with Java.
Here's one example, if you'd like it (I'm not sure whether there's a way to post the full log):
File name:
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Java\Deployment\cache\6.0\36\70190024-4c505639|>notana.class
Status:
Threat: Java:CVE-2011-3544-AH [Expl]