ComboFix 10-08-17.01 - Darren 08/17/2010 14:38:37.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.631 [GMT -4:00]
Running from: c:\documents and settings\Darren\My Documents\Downloads\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Darren\Local Settings\Application Data\{F8241C81-C34C-47ED-A1B1-86E8140914D6}
c:\documents and settings\Darren\Local Settings\Application Data\{F8241C81-C34C-47ED-A1B1-86E8140914D6}\chrome.manifest
c:\documents and settings\Darren\Local Settings\Application Data\{F8241C81-C34C-47ED-A1B1-86E8140914D6}\chrome\content\_cfg.js
c:\documents and settings\Darren\Local Settings\Application Data\{F8241C81-C34C-47ED-A1B1-86E8140914D6}\chrome\content\overlay.xul
c:\documents and settings\Darren\Local Settings\Application Data\{F8241C81-C34C-47ED-A1B1-86E8140914D6}\install.rdf
.
((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))
.
2010-08-16 15:18 . 2010-08-16 15:18 -------- d-----w- c:\documents and settings\Darren\Application Data\Malwarebytes
2010-08-16 15:18 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-16 15:18 . 2010-08-16 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-16 15:18 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-16 15:18 . 2010-08-16 15:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-13 21:22 . 2010-06-21 15:27 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-13 21:22 . 2010-06-21 15:27 354304 ----a-w- c:\windows\system32\dllcache\srv.sys
2010-08-13 21:21 . 2010-04-27 13:59 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-13 21:21 . 2010-04-27 13:59 2146304 ----a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-08-13 21:21 . 2010-04-28 02:25 2189952 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-08-13 21:21 . 2010-04-27 13:05 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-13 21:21 . 2010-04-27 13:05 2024448 ----a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-08-13 21:21 . 2010-04-27 13:05 2066816 ----a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-08-12 04:02 . 2010-06-18 13:36 3558912 ----a-w- c:\windows\system32\dllcache\moviemk.exe
2010-08-08 16:43 . 2010-08-08 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-08 16:43 . 2010-08-08 16:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-28 00:44 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-27 06:30 . 2010-07-27 06:30 8462336 ----a-w- c:\windows\system32\dllcache\shell32.dll
2010-07-26 19:50 . 2010-07-30 14:55 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-26 19:50 . 2010-07-30 14:55 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-07-26 19:49 . 2010-08-17 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-07-26 19:49 . 2010-07-26 19:49 -------- d-----w- c:\program files\Kaspersky Lab
2010-07-26 19:47 . 2010-07-26 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-07-26 16:49 . 2010-07-26 18:00 -------- d-----w- c:\program files\Enigma Software Group
2010-07-26 16:49 . 2010-07-26 16:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-23 14:45 . 2010-07-23 14:45 -------- d--h--w- c:\windows\PIF
2010-07-20 19:15 . 2010-07-20 15:45 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-20 15:23 . 2010-07-20 15:23 -------- d-----w- c:\documents and settings\Darren\Local Settings\Application Data\Sunbelt Software
2010-07-20 15:16 . 2010-07-26 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-17 18:48 . 2010-05-26 13:36 -------- d-----w- c:\documents and settings\Darren\Application Data\uTorrent
2010-08-16 22:06 . 2010-06-01 19:17 -------- d-----w- c:\documents and settings\Darren\Application Data\vlc
2010-08-14 18:05 . 2010-05-26 04:57 -------- d-----w- c:\program files\Microsoft Works
2010-08-13 21:22 . 2010-05-26 04:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-26 21:41 . 2008-04-15 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-07-20 15:12 . 2010-06-02 18:35 148 ----a-w- c:\documents and settings\Darren\Application Data\wklnhst.dat
2010-06-30 12:31 . 2010-06-30 12:31 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2010-08-12 04:06 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 18:17 . 2010-06-23 18:17 -------- d-----w- c:\program files\AVG
2010-06-23 13:44 . 2010-06-23 13:44 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03 . 2010-06-17 14:03 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2010-07-28 00:44 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2010-06-14 07:41 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-06 16:22 . 2010-05-26 05:09 40576 ----a-w- c:\documents and settings\Darren\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-26 13:33 . 2010-05-26 13:33 0 -c--a-w- c:\windows\nsreg.dat
2010-05-26 05:08 . 2010-05-26 05:08 259584 ----a-w- c:\windows\system32\bcdedit.exe
2010-05-26 05:07 . 2010-05-26 05:07 91376 ----a-w- c:\windows\system32\bcmwlcoi.dll
2010-05-26 05:07 . 2009-06-02 00:57 1746432 ----a-w- c:\windows\system32\drivers\BCMWL5.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-05-31 322352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"HP BTW Detect Program"="c:\program files\HP\HPBTWD.exe" [2009-03-30 319488]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-01-16 1418536]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-06-29 458844]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-07-06 737280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-12 148888]
"WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP]
2009-07-14 10:54 589104 ----a-w- c:\program files\Hewlett-Packard\HP QuickSync\QuickSync.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-05-31 23:42 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Hewlett-Packard\\HP QuickSync\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [8/11/2009 9:51 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [8/11/2009 9:51 PM 15856]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [7/2/2009 2:10 AM 103792]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [8/11/2009 9:51 PM 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [6/2/2009 10:05 PM 457200]
R2 BOTService;BOTService;c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [7/9/2009 7:08 AM 199152]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [8/11/2009 9:37 PM 113664]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\l1c51x86.sys --> c:\windows\system32\DRIVERS\l1c51x86.sys [?]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [8/11/2009 9:35 PM 160256]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2010-08-17 c:\windows\Tasks\BackOnTrack Instant Restore Idle.job
- c:\program files\Roxio\BackOnTrack\Instant Restore\RstIdle.exe [2009-07-09 11:09]
2010-08-17 c:\windows\Tasks\USER_FEED_SYNCHRONIZATION-{63A60B05-A1C1-4DB5-B4E4-4B8EA50E06C9}.JOB
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cnnb
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
FF - ProfilePath - c:\documents and settings\Darren\Application Data\Mozilla\Firefox\Profiles\ij5igcd4.default\
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-snp2uvc - c:\windows\vsnp2uvc.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-17 14:49
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(4004)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\idt\wdm\STacSV.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Hewlett-Packard\Shared\hpqToaster.exe
.
**************************************************************************
.
Completion time: 2010-08-17 14:51:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-17 18:51
Pre-Run: 116,568,952,832 bytes free
Post-Run: 116,486,119,424 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut
- - End Of File - - BFECB752250226CAC945A3541DE36ABD