ComboFix 10-08-16.03 - Administrator 08/16/2010 21:19:50.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1278.704 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Prevx 2.0 *On-access scanning disabled* (Outdated) {557C3342-BC52-4508-AC25-4441BDF5C04C}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\uses32.dat
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
.
((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))
.
2010-08-16 18:51 . 2010-08-16 18:56 -------- d-----w- c:\windows\system32\wbem\Logs
2010-08-16 17:19 . 2010-08-16 17:19 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-08-16 11:20 . 2010-08-16 16:41 -------- d-----w- c:\windows\ie8updates
2010-08-16 11:09 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-08-16 11:09 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-16 11:09 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-08-16 05:03 . 2010-08-16 05:03 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-08-16 04:59 . 2010-08-16 04:59 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-08-16 03:02 . 2010-08-16 03:07 -------- dc-h--w- c:\windows\ie8
2010-08-16 02:16 . 2010-08-16 02:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-16 02:16 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-16 02:16 . 2010-08-16 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-16 02:16 . 2010-08-16 02:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-16 02:16 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-17 01:33 . 2010-05-17 20:33 -------- d-----w- c:\program files\Symantec AntiVirus
2010-08-17 01:31 . 2007-08-16 01:01 -------- d-----w- c:\program files\Prevx2
2010-08-17 01:08 . 2007-08-09 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-08-17 01:08 . 2007-08-09 22:22 -------- d-----w- c:\program files\Viewpoint
2010-08-16 22:04 . 2009-03-26 20:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-08-16 18:31 . 2007-08-21 20:23 1744 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-29 01:17 . 2007-12-24 00:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\ZoomBrowser EX
2010-06-29 01:17 . 2009-09-25 22:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\CameraWindowDC
2010-06-18 22:54 . 2007-08-16 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Prevx
2010-06-14 14:30 . 2007-07-21 19:10 743936 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PrevxOne"="c:\program files\Prevx2\PXConsole.exe" [2008-01-23 1997880]
"Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-24 113664]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\1186698198\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\NJStar Communicator\\MINISMTP.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
R1 PREVXTdi;PREVX TDI filter;c:\windows\system32\drivers\pxtdi.sys [8/15/2007 9:02 PM 28040]
R3 als4k;Avance Audio Miniport Driver (WDM);c:\windows\system32\drivers\als4000.sys [8/11/2007 1:05 PM 25674]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 6:58 PM 102448]
S2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe --> c:\program files\iWin Games\iWinTrusted.exe [?]
S3 PREVXEmulator;PREVX Emulator driver;c:\windows\system32\drivers\PxEmu.sys [8/15/2007 9:02 PM 107912]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]
.
Contents of the 'Scheduled Tasks' folder
2010-08-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2010-08-17 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-05 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\uqzp8njt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
HKCU-Run-Aim6 - (no file)
AddRemove-AOL Explorer - c:\program files\Common Files\AOL\1186698198\ee\services\browser\ver1_1_1042\uninst.exe
AddRemove-Cooking Academy 2 World Cuisine_is1 - c:\program files\Cooking Academy 2 World Cuisine\ReflexiveArcade\unins000.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-08-16 21:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1060284298-1960408961-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b0,92,bb,5a,ac,fd,de,47,97,6e,80,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b0,92,bb,5a,ac,fd,de,47,97,6e,80,\
[HKEY_USERS\S-1-5-21-1060284298-1960408961-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7FB13693-8AF5-DA47-CD45-EF95D01E4401}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oaadbciabehlpffljcieajhhfkkhdh"=hex:6b,61,6a,62,6c,68,66,6d,6b,62,61,66,62,70,
6e,66,6f,6a,66,68,62,6e,00,00
"nagelakockidjelaobmjancliaim"=hex:6b,61,6a,62,6c,68,66,6d,6b,62,61,66,62,70,
6e,66,6f,6a,66,68,62,6e,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3504)
c:\windows\system32\WININET.dll
c:\documents and settings\Administrator\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2010-08-16 21:40:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-17 01:40
Pre-Run: 105,155,895,296 bytes free
Post-Run: 105,184,063,488 bytes free
- - End Of File - - 4C5B08B97E567442B41EA5AB93F5A50E
By the way, after being prompted to install the Recovery Console, I recieved an error message saying that the "Boot partition cannot be enumerated correctly." I was then asked if I would like to continue scanning, so I clicked yes. Not sure if that's an issue, just wanted to let you know.