ComboFix 09-12-03.05 - Rick 12/04/2009 9:01.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.476 [GMT -5:00]
Running from: c:\documents and settings\Rick\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
ADS - WINDOWS: deleted 0 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Recycle
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_IPRIP
-------\Service_Iprip
((((((((((((((((((((((((( Files Created from 2009-11-04 to 2009-12-04 )))))))))))))))))))))))))))))))
.
2009-12-01 17:01 . 2009-12-01 17:01 -------- d-----w- c:\program files\Java
2009-11-30 00:32 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-30 00:31 . 2009-11-30 00:31 -------- d-----w- c:\program files\Panda Security
2009-11-28 00:58 . 2009-11-28 00:58 -------- d-----w- c:\program files\ERUNT
2009-11-23 03:55 . 2009-11-23 04:01 -------- d-----w- c:\documents and settings\Rick\Application Data\Mobipocket
2009-11-23 03:53 . 2009-11-23 03:53 50008 ----a-r- c:\documents and settings\Rick\Application Data\Microsoft\Installer\{342126E1-173C-4585-BFBE-3EBDD20E3E9E}\_6FEFF9B68218417F98F549.exe
2009-11-23 03:53 . 2009-11-23 03:53 -------- d-----w- c:\program files\Mobipocket.com
2009-11-15 22:30 . 2009-11-15 22:30 -------- d-----w- C:\ADOBEAPP
2009-11-15 02:51 . 2009-11-15 02:51 -------- d-----w- c:\program files\Common Files\Intel
2009-11-07 15:18 . 2009-11-07 15:18 -------- d-----w- c:\windows\Performance
2009-11-07 15:18 . 2009-11-07 15:18 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\Microsoft Corporation
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-04 14:21 . 2007-04-09 20:38 -------- d-----w- c:\program files\Blue Coat K9 Web Protection
2009-12-04 13:22 . 2008-09-30 22:03 -------- d-----w- c:\program files\Thunderbird
2009-12-04 13:06 . 2009-12-04 13:08 280576 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2009-12-03 17:12 . 2009-09-11 11:28 5258442 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-12-03 17:11 . 2009-12-03 17:12 1783296 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2009-12-02 18:16 . 2009-12-02 18:18 1763328 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2009-12-02 02:18 . 2009-12-02 02:19 1766400 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2009-12-02 02:18 . 2009-12-02 02:19 899584 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2009-12-01 17:01 . 2009-01-18 19:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-01 16:24 . 2009-12-01 16:25 1768448 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2009-11-29 10:21 . 2007-08-04 16:35 -------- d-----w- c:\program files\Google
2009-11-28 22:08 . 2004-11-18 23:01 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-28 08:54 . 2009-11-28 08:55 1547264 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2009-11-28 08:54 . 2009-11-28 08:55 1744384 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2009-11-28 04:01 . 2006-12-15 14:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-27 05:48 . 2008-08-23 02:31 -------- d-----w- c:\program files\Spyware Doctor
2009-11-26 22:17 . 2009-11-26 22:18 1716736 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2009-11-24 18:35 . 2009-11-24 18:36 1700864 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2009-11-23 18:22 . 2009-11-23 18:24 1708544 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-11-23 00:52 . 2009-11-23 00:53 1703936 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-11-20 18:20 . 2009-11-20 18:21 1694208 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-11-20 12:39 . 2009-11-20 12:40 1695232 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-11-20 02:42 . 2008-08-14 02:33 -------- d-----w- c:\program files\JKDefrag
2009-11-18 16:39 . 2004-11-17 20:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-18 16:31 . 2008-07-21 21:41 -------- d-----w- c:\program files\MediaComplete
2009-11-18 16:08 . 2009-08-18 02:12 -------- d-----w- c:\program files\Cisco Systems
2009-11-18 16:06 . 2004-11-18 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-11-18 16:03 . 2009-09-10 12:44 -------- d-----w- c:\documents and settings\Rick\Application Data\Amazon
2009-11-12 02:45 . 2009-09-01 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-05 14:47 . 2004-11-17 21:00 202752 -c--a-w- c:\documents and settings\Rick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-03 16:10 . 2009-09-01 17:05 -------- d-----w- c:\program files\Microsoft Works
2009-10-03 03:15 . 2009-09-18 15:27 479604 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aerdl.dll
2009-10-03 03:15 . 2009-09-18 15:27 393587 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aeemu.dll
2009-09-29 12:37 . 2009-09-29 12:37 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-15 20:58 . 2009-09-18 15:27 106867 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aevdf.dll
2009-09-15 20:57 . 2009-09-18 15:26 184693 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aecore.dll
2009-09-11 14:18 . 2002-09-03 16:46 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2009-09-06 12:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-09-06 12:17 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 19:49 . 2009-09-08 19:49 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-09-08 18:21 . 2009-09-08 18:21 167376 ----a-w- c:\documents and settings\Rick\Application Data\Mozilla\Firefox\Profiles\ybb7qck1.default\FlashGot.exe
2006-01-23 23:15 . 2005-06-01 02:06 30 -c--a-w- c:\program files\Exiferupdate.ini
2003-07-25 16:38 . 2004-11-19 02:19 132096 -c--a-w- c:\program files\Common Files\PCSBoff.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cobian Backup 7"="c:\program files\Cobian Backup 7\CobBU.exe" [2006-02-28 127488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-01 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Parallel Arbitrator]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Sonic RecordNow! Deluxe"=
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroCheck"=c:\windows\system32\\NeroCheck.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_06\bin\jusched.exe
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/29/2009 7:32 PM 28552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/1/2009 6:53 AM 206256]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [1/13/2009 6:39 PM 72992]
R1 cdrblock;cdrblock;c:\windows\system32\drivers\cdrblock.sys [1/3/2008 10:09 PM 20864]
R1 cdrport;cdrport;c:\windows\system32\drivers\cdrport.sys [1/3/2008 10:09 PM 4608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/6/2009 7:42 AM 108289]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [5/23/2006 1:45 PM 1078560]
R3 FTD2XX;LogTag USB Interface driver;c:\windows\system32\drivers\FTD2XX.sys [2/1/2004 2:00 AM 29292]
S2 gupdate1c9b943662457d8;Google Update Service (gupdate1c9b943662457d8);c:\program files\Google\Update\GoogleUpdate.exe [4/9/2009 1:45 PM 133104]
S2 PIEUsb;Single Frame Film Scanner;c:\windows\system32\drivers\usbscan.sys [11/18/2004 5:34 PM 15104]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\DRIVERS\CSVirtA.sys --> c:\windows\system32\DRIVERS\CSVirtA.sys [?]
S3 efipsk;efipsk;\??\c:\docume~1\BRAD~1.STU\LOCALS~1\Temp\efipsk.sys --> c:\docume~1\BRAD~1.STU\LOCALS~1\Temp\efipsk.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\B.tmp --> c:\windows\system32\B.tmp [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [10/26/2009 8:21 PM 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [1/28/2009 7:43 PM 8320]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/1/2009 6:52 AM 348752]
S4 AloPar;AloPar;c:\windows\system32\drivers\AloPar.sys [11/19/2004 9:06 PM 5056]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
2009-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-09 18:45]
2009-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-09 18:45]
2009-12-04 c:\windows\Tasks\jucheck.job
- c:\program files\Java\jre6\bin\jucheck.exe [2009-12-01 17:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Rick\Application Data\Mozilla\Firefox\Profiles\ybb7qck1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig|http://mail.go ... 3Ftab%3Dmc
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nptgeqplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -
AddRemove-NVIDIA Drivers - c:\windows\system32\nvudisp.exe UninstallGUI
AddRemove-PictureItPrem_v12 - c:\program files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe ADDREMOVE=1 SKU=PREM VERSION=12
AddRemove-{2FCE4FC5-6930-40E7-A4F1-F862207424EF} - c:\program files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe REMOVEALL
AddRemove-{98E8A2EF-4EAE-43B8-A172-74842B764777} - c:\program files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe REMOVEALL
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-04 09:18
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\B.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3420)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\program files\Cobian Backup 7\cobui.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-04 09:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-04 14:25
Pre-Run: 43,481,362,432 bytes free
Post-Run: 43,334,299,648 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
- - End Of File - - A3237E78324295564B5ED6B657415591