ComboFix 11-11-07.03 - student610 11/07/2011 19:09:00.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.312 [GMT -5:00]
Running from: c:\documents and settings\student610\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\DealScout
c:\program files\DealScout\dealscout.dll
c:\program files\SynchronEyes Student 4.0\SynchronEyesSrv.exe
c:\windows\$NtUninstallKB52678$
c:\windows\$NtUninstallKB52678$\1046132013
c:\windows\$NtUninstallKB52678$\1202353555\@
c:\windows\$NtUninstallKB52678$\1202353555\click.tlb
c:\windows\$NtUninstallKB52678$\1202353555\L\iahonoel
c:\windows\$NtUninstallKB52678$\1202353555\loader.tlb
c:\windows\$NtUninstallKB52678$\1202353555\U\@00000001
c:\windows\$NtUninstallKB52678$\1202353555\U\@000000c0
c:\windows\$NtUninstallKB52678$\1202353555\U\@000000cb
c:\windows\$NtUninstallKB52678$\1202353555\U\@000000cf
c:\windows\$NtUninstallKB52678$\1202353555\U\@80000000
c:\windows\$NtUninstallKB52678$\1202353555\U\@800000c0
c:\windows\$NtUninstallKB52678$\1202353555\U\@800000cb
c:\windows\$NtUninstallKB52678$\1202353555\U\@800000cf
c:\windows\system32\
c:\windows\system32\c_80684.nls
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it
Infected copy of c:\windows\system32\Ati2evxx.exe was found and disinfected
Restored copy from - c:\i386\ati2evxx.exe
.
c:\windows\system32\basfipm.exe . . . is infected!!
c:\windows\system32\basfipm.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe was found and disinfected
Restored copy from - c:\windows\Microsoft.NET\Framework\v2.0.50727\
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe . . . is infected!!
c:\program files\Intel\Wireless\Bin\EvtEng.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\program files\Intel\Wireless\Bin\RegSrvc.exe was found and disinfected
Restored copy from - c:\program files\Intel\Wireless\Bin\
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe . . . is infected!!
c:\program files\Intel\Wireless\Bin\S24EvMon.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Intel\Wireless\Bin\WLKeeper.exe . . . is infected!!
c:\program files\Intel\Wireless\Bin\WLKeeper.exe . . . was deleted!! You should re-install the program it pertains to
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_47aa7593
-------\Legacy_SynchronEyes_4.0_Helper_Service
-------\Service_SynchronEyes 4.0 Helper Service
.
.
((((((((((((((((((((((((( Files Created from 2011-10-08 to 2011-11-08 )))))))))))))))))))))))))))))))
.
.
2011-11-07 23:55 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-11-07 23:55 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\dllcache\ipsec.sys
2011-11-07 23:03 . 2011-11-07 23:09 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-07 22:20 . 2011-11-07 23:37 -------- dc----w- c:\windows\system32\DRVSTORE
2011-11-07 22:20 . 2011-11-07 23:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-10-30 15:29 . 2011-11-07 22:40 -------- d-----w- c:\documents and settings\student610\Local Settings\Application Data\AskToolbar
2011-10-30 15:28 . 2011-10-30 15:30 -------- d-----w- c:\program files\Ask.com
2011-10-30 15:28 . 2011-11-07 22:08 -------- d-----w- c:\documents and settings\student610\Application Data\Sammsoft
2011-10-16 20:53 . 2011-10-16 20:58 -------- d-----w- C:\326b7d48b71f1e60e70526
2011-10-16 20:40 . 2011-10-16 20:45 -------- d-----w- C:\0177660a697cdc20e5ee
2011-10-16 20:27 . 2011-10-16 20:31 -------- d-----w- C:\9df338423ed9c7cc6e72eff94fc8
2011-10-16 16:48 . 2011-10-16 16:48 -------- d-----w- c:\windows\system32\XPSViewer
2011-10-16 16:48 . 2011-10-16 16:48 -------- d-----w- c:\program files\MSBuild
2011-10-16 16:48 . 2011-10-16 16:48 -------- d-----w- c:\program files\Reference Assemblies
2011-10-16 16:47 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-10-16 16:47 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-10-16 16:47 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-10-16 16:47 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-10-16 16:47 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-10-16 16:47 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2011-10-16 16:47 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-10-16 16:47 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-10-16 16:47 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-10-16 16:47 . 2011-10-16 16:47 -------- d-----w- C:\b49b6db7aca5be087c51a75d4e
2011-10-16 16:38 . 2011-10-16 16:51 -------- d-----w- C:\dccd2909ffc7fc0bbb1053501a
2011-10-15 17:37 . 2011-10-15 17:37 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Sun
2011-10-10 23:19 . 2011-10-10 23:19 -------- d-----w- c:\documents and settings\student610\Local Settings\Application Data\Sun
2011-10-10 19:16 . 2011-10-10 20:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 18:48 . 2011-10-10 18:48 -------- d-----w- c:\program files\FileHippo.com
2011-10-10 16:40 . 2011-10-10 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-10-10 16:40 . 2011-10-10 20:40 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-07 23:09 . 2010-10-17 19:58 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-26 15:41 . 2011-09-26 15:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2004-08-11 22:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2004-08-11 22:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2004-08-11 22:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-11 22:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-11 22:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-11 22:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-11 22:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-11 22:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2010-03-11 04:01 . 2010-03-11 04:01 124272 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-03-11 04:40 . 2010-03-11 04:40 13168 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-03-11 04:02 . 2010-03-11 04:02 70512 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-03-11 04:01 . 2010-03-11 04:01 91504 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-03-11 04:01 . 2010-03-11 04:01 22384 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-03-11 04:00 . 2010-03-11 04:00 255344 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-03-11 04:01 . 2010-03-11 04:01 31088 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-03-11 04:01 . 2010-03-11 04:01 40304 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-10-05 17:49 . 2009-10-05 17:49 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-03-11 04:02 . 2010-03-11 04:02 23920 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-07-26 1493160]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-07-26 22:23 1493160 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-07-26 1493160]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-07-26 1493160]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-07-26 397992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^student610^Start Menu^Programs^Startup^Launch WhiteSmokeTranslator.lnk]
path=c:\documents and settings\student610\Start Menu\Programs\Startup\Launch WhiteSmokeTranslator.lnk
backup=c:\windows\pss\Launch WhiteSmokeTranslator.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^student610^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\student610\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2004-09-13 21:33 155648 ----a-w- c:\program files\Apoint\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConnectionCenter]
2010-03-11 04:21 300400 ----a-w- c:\program files\Citrix\ICA Client\concentr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 06:05 127035 ----a-w- c:\windows\system32\dla\tfswctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-04-26 13:04 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-06-27 22:40 136176 ----atw- c:\documents and settings\student610\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2004-10-30 19:59 385024 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-05-04 17:59 252136 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SynchronEyes Student 4.0\\dax64.exe"=
"c:\\Program Files\\SynchronEyes Student 4.0\\SynchronEyesClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\student610\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Documents and Settings\\student610\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\FileHippo.com\\UpdateChecker.exe"=
"c:\\Program Files\\Java\\jre7\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\Program Files\\Ask.com\\Updater\\Updater.exe"=
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [10/5/2009 9:08 AM 65584]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/9/2005 8:47 PM 80384]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2128556077-1414674724-1788574560-1005Core.job
- c:\documents and settings\student610\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-27 22:40]
.
2011-11-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2128556077-1414674724-1788574560-1005UA.job
- c:\documents and settings\student610\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-27 22:40]
.
2011-11-07 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-07-26 22:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{10B03BAD-C3E6-4600-A59D-E17E7B659BA3}: NameServer = 128.164.132.73,128.164.132.74
TCP: Interfaces\{B6A14078-7297-4562-A8ED-BC437A4F64B0}: NameServer = 128.164.132.73,128.164.132.74
FF - ProfilePath - c:\documents and settings\student610\Application Data\Mozilla\Firefox\Profiles\8zczs505.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - http://www.yahoo.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}
FF - Ext: Firefox (default): {972ce4c6-7e08-4474-a285-3208198ce6fd} - %profile%\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-BrMfcWnd - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
MSConfigStartUp-ControlCenter3 - c:\program files\Brother\ControlCenter3\brctrcen.exe
MSConfigStartUp-Dell QuickSet - c:\program files\Dell\QuickSet\quickset.exe
MSConfigStartUp-OrderReminder - c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe
MSConfigStartUp-SynchronEyes 4 - c:\program files\SynchronEyes Student 4.0\SynchronEyesSrv.exe
AddRemove-HijackThis - e:\host testing\HijackThis.exe
AddRemove-LSP Explorer plug-in for Ad-Aware SE - c:\progra~1\Lavasoft\AD-AWA~1\Plugins\LSPEXP~1\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-07 19:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1004)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
- - - - - - - > 'explorer.exe'(2672)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-11-07 19:25:36 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-08 00:25
.
Pre-Run: 70,847,721,472 bytes free
Post-Run: 71,018,323,968 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 1D4FD4463F356E703DCC992274821BBE
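A log like the one above is easier to act on once it is parsed into events rather than read top to bottom. The script below is an added example, not ComboFix's own logic and not something the poster ran: it splits the log into its sections, separates files ComboFix simply removed from files it disinfected-and-restored and from infected files it deleted outright (the "re-install the program" cases), lists the services it removed, and applies two triage checks that this log happens to need. The first flags `$NtUninstallKB…$` folders that do not look like hotfix uninstallers (a real one has a six-digit-plus KB number, like the `KB310994` on this page, and a `spuninst\` subfolder; this one held `@`, `L\`, `U\` and `.tlb` files). The second flags script and package hosts such as `mshta.exe` and `msiexec.exe` sitting in the XP firewall's AuthorizedApplications list. Both rules, the `LOLBINS` set and the digit-count threshold are assumptions of this example; `SAMPLE_LOG` is a constructed excerpt of the page's own lines so the code runs offline.

```python
import re
from collections import defaultdict

# Constructed excerpt of the ComboFix log on this page (lines copied verbatim so the
# parser runs offline). It is a sample for this example, not a file ComboFix wrote.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\DealScout
c:\windows\$NtUninstallKB52678$
c:\windows\$NtUninstallKB52678$\1202353555\@
c:\windows\$NtUninstallKB52678$\1202353555\click.tlb
c:\windows\$NtUninstallKB52678$\1202353555\L\iahonoel
c:\windows\$NtUninstallKB52678$\1202353555\U\@00000001
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it
.
c:\windows\system32\basfipm.exe . . . is infected!!
c:\windows\system32\basfipm.exe . . . was deleted!! You should re-install the program it pertains to
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_47aa7593
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Ask.com\\Updater\\Updater.exe"=
.
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")
DISINFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
RESTORED_RE = re.compile(r"^Restored copy from - (.+)$")
DELETED_INFECTED_RE = re.compile(r"^(.+?) \. \. \. was deleted!!")
HOTFIX_DIR_RE = re.compile(r"^(.*\\\$NtUninstall(KB\d+)\$)(?:\\(.*))?$", re.IGNORECASE)
# Assumed watch-list: hosts for attacker-supplied scripts/packages that should not hold
# an inbound firewall exception on a workstation.
LOLBINS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe"}


def parse_sections(text):
    """Split the log into {section title: [lines]}; ComboFix prints '.' for blank lines."""
    sections, current = defaultdict(list), "preamble"
    for line in (l.rstrip() for l in text.splitlines()):
        if m := SECTION_RE.match(line):
            current = m.group(1)
        elif line and line != ".":
            sections[current].append(line)
    return sections


def parse_deletions(lines):
    """Classify 'Other Deletions' into removed paths, (path, source) restores, and deleted-needs-reinstall."""
    removed, disinfected, reinstall, pending = [], [], [], None
    for line in lines:
        if m := DISINFECTED_RE.match(line):
            pending = m.group(1)
        elif m := RESTORED_RE.match(line):
            if pending:
                disinfected.append((pending, m.group(1)))
            pending = None
        elif m := DELETED_INFECTED_RE.match(line):
            reinstall.append(m.group(1))
        elif " . . . is infected" not in line:
            removed.append(line)
    return removed, disinfected, reinstall


def parse_removed_services(lines):
    """'-------\\Name' lines under Drivers/Services are services ComboFix removed."""
    return [l.split("\\", 1)[1] for l in lines if l.startswith("-------\\")]


def _odd_uninstaller_item(rel):
    parts = rel.split("\\")
    return parts[-1] == "@" or parts[-1].endswith(".tlb") or any(p in ("u", "l") for p in parts[:-1])


def flag_fake_hotfix_dirs(removed_paths):
    """Heuristic (assumption of this example): a genuine hotfix uninstall folder has a 6+ digit
    KB number and a spuninst subfolder; '@', U, L and *.tlb contents are not an uninstaller."""
    contents = defaultdict(list)
    for path in removed_paths:
        if m := HOTFIX_DIR_RE.match(path):
            contents.setdefault(m.group(1), [])
            if m.group(3):
                contents[m.group(1)].append(m.group(3).lower())
    flagged = {}
    for folder, items in contents.items():
        digits = re.search(r"KB(\d+)", folder, re.IGNORECASE).group(1)
        reasons = []
        if len(digits) < 6:
            reasons.append(f"KB number {digits} has only {len(digits)} digits")
        if not any(i.startswith("spuninst") for i in items):
            reasons.append("no spuninst subfolder")
        if odd := sorted({i for i in items if _odd_uninstaller_item(i)}):
            reasons.append("non-uninstaller contents: " + ", ".join(odd))
        if reasons:
            flagged[folder] = reasons
    return flagged


def parse_firewall_exceptions(text):
    """Executables in the XP firewall AuthorizedApplications key, with reg-export doubling of '\\' undone."""
    apps, inside = [], False
    for line in text.splitlines():
        if line.lower().endswith("authorizedapplications\\list]"):
            inside = True
        elif inside:
            m = re.match(r'^"(.+)"=', line)
            if not m:
                break
            apps.append(m.group(1).replace("\\\\", "\\"))
    return apps


def flag_firewall_lolbins(apps):
    return [a for a in apps if a.split("\\")[-1].lower() in LOLBINS]


def triage(text):
    sections = parse_sections(text)
    removed, disinfected, reinstall = parse_deletions(sections.get("Other Deletions", []))
    return {
        "removed": removed,
        "disinfected": disinfected,
        "reinstall_required": reinstall,
        "removed_services": parse_removed_services(sections.get("Drivers/Services", [])),
        "suspicious_hotfix_dirs": flag_fake_hotfix_dirs(removed),
        "firewall_lolbins": flag_firewall_lolbins(parse_firewall_exceptions(text)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The same `triage()` call works on the saved full log (`triage(open("ComboFix.txt").read())`), since the sections it keys on appear there verbatim. Two things the output of this log still leaves open: the `ipsec.sys` restore names no source path, so hash the restored driver against the `dllcache` copy listed in the "Files Created" section before trusting it, and the four Intel wireless executables and `basfipm.exe` were deleted rather than repaired, so their packages need a reinstall from vendor media, not from whatever copy is still on the disk.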