Combofix log
Dear Crunchie, it worked in safe mode. However, I neglected to disconnect from the Internet before I ran the program... I hope that's not a problem. The log is below.
ComboFix 10-12-09.08 - John B. Morgan IV 12/11/2010 17:24:43.4.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1703 [GMT 5.5:30]
Running from: c:\documents and settings\John B. Morgan IV\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\winlogon.exe
c:\program files\winlogon.exe\changes.rtf
c:\program files\winlogon.exe\Languages\arabic.lng
c:\program files\winlogon.exe\Languages\belarusian.lng
c:\program files\winlogon.exe\Languages\bosnian.lng
c:\program files\winlogon.exe\Languages\bulgarian.lng
c:\program files\winlogon.exe\Languages\catalan.lng
c:\program files\winlogon.exe\Languages\chineseSI.lng
c:\program files\winlogon.exe\Languages\chineseTR.lng
c:\program files\winlogon.exe\Languages\croatian.lng
c:\program files\winlogon.exe\Languages\czech.lng
c:\program files\winlogon.exe\Languages\danish.lng
c:\program files\winlogon.exe\Languages\dutch.lng
c:\program files\winlogon.exe\Languages\english.lng
c:\program files\winlogon.exe\Languages\estonian.lng
c:\program files\winlogon.exe\Languages\finnish.lng
c:\program files\winlogon.exe\Languages\french.lng
c:\program files\winlogon.exe\Languages\german.lng
c:\program files\winlogon.exe\Languages\greek.lng
c:\program files\winlogon.exe\Languages\hebrew.lng
c:\program files\winlogon.exe\Languages\hungarian.lng
c:\program files\winlogon.exe\Languages\italian.lng
c:\program files\winlogon.exe\Languages\korean.lng
c:\program files\winlogon.exe\Languages\latvian.lng
c:\program files\winlogon.exe\Languages\lithuanian.lng
c:\program files\winlogon.exe\Languages\macedonian.lng
c:\program files\winlogon.exe\Languages\norwegian.lng
c:\program files\winlogon.exe\Languages\polish.lng
c:\program files\winlogon.exe\Languages\portugueseBR.lng
c:\program files\winlogon.exe\Languages\portuguesePT.lng
c:\program files\winlogon.exe\Languages\romanian.lng
c:\program files\winlogon.exe\Languages\russian.lng
c:\program files\winlogon.exe\Languages\serbian.lng
c:\program files\winlogon.exe\Languages\slovak.lng
c:\program files\winlogon.exe\Languages\slovenian.lng
c:\program files\winlogon.exe\Languages\spanish.lng
c:\program files\winlogon.exe\Languages\swedish.lng
c:\program files\winlogon.exe\Languages\turkish.lng
c:\program files\winlogon.exe\license.txt
c:\program files\winlogon.exe\mbam.chm
c:\program files\winlogon.exe\mbam.dll
c:\program files\winlogon.exe\mbam.exe
c:\program files\winlogon.exe\mbamcore.dll
c:\program files\winlogon.exe\mbamext.dll
c:\program files\winlogon.exe\mbamgui.exe
c:\program files\winlogon.exe\mbamnet.dll
c:\program files\winlogon.exe\mbamservice.exe
c:\program files\winlogon.exe\ssubtmr6.dll
c:\program files\winlogon.exe\unins000.dat
c:\program files\winlogon.exe\unins000.exe
c:\program files\winlogon.exe\unins000.msg
c:\program files\winlogon.exe\vbalsgrid6.ocx
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_usnjsvc
((((((((((((((((((((((((( Files Created from 2010-11-11 to 2010-12-11 )))))))))))))))))))))))))))))))
.
2010-12-10 16:22 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{33826E67-075B-4FF1-BB76-36B189FE3FE8}\mpengine.dll
2010-11-11 19:04 . 2010-11-11 19:04 -------- d-----w- c:\documents and settings\John B. Morgan IV\Application Data\com.adobe.ExMan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 12:12 . 2010-08-14 03:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 12:12 . 2010-08-14 03:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-19 20:51 . 2010-08-04 21:49 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-07 23:21 . 2010-08-04 21:49 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-05-23 14:37 . 2010-04-09 08:51 52355 ----a-w- c:\program files\Common Files\OnlineFilesManager.dll
2010-04-23 15:27 . 2010-04-09 08:51 190464 ----a-w- c:\program files\Common Files\OnlineFilesManager.dll.old
2008-05-07 23:34 . 2008-09-11 13:03 15523560 ----a-w- c:\program files\Install AiGuruU1 Skype Phone.exe
2009-10-19 13:29 . 2010-07-09 06:42 47104 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\John B. Morgan IV\Application Data\Dropbox\bin\DropboxExt.13.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\John B. Morgan IV\Application Data\Dropbox\bin\DropboxExt.13.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\John B. Morgan IV\Application Data\Dropbox\bin\DropboxExt.13.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Online Files]
@="{B82655E9-B81D-4A97-8154-0D84A4C048E4}"
[HKEY_CLASSES_ROOT\CLSID\{B82655E9-B81D-4A97-8154-0D84A4C048E4}]
2010-05-23 14:37 52355 ----a-w- c:\program files\Common Files\OnlineFilesManager.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-09-02 13351304]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-07 323392]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]
"MobiLink3"="c:\program files\Novatel Wireless\Virgin Mobile\MobiLink3.exe" [2009-08-26 902144]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SMSTray"="c:\program files\Samsung\EmoDio\SMSTray.exe" [2008-09-17 484880]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-20 131072]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-12-18 197928]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-20 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-20 159744]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ETDWareDetect"="c:\program files\Elantech\ETDDect.exe" [2008-08-23 204800]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2008-09-03 335872]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-09-03 106496]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-09-03 593920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
c:\documents and settings\John B. Morgan IV\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\John B. Morgan IV\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-5-29 113664]
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2008-9-11 311296]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\John B. Morgan IV\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
R2 NvtlService;NovaCore SDK Service;c:\program files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe [8/25/2009 4:22 AM 82432]
S2 LanmanSrv;Trusted Center;c:\windows\system32\svchost.exe -k netsvcs [11/25/2009 2:15 AM 14336]
S3 NWVMModem;Virgin Mobile USB Modem Driver;c:\windows\system32\drivers\nwvmmdm.sys [5/16/2009 12:04 AM 174720]
S3 NWVMPort;Virgin Mobile USB Status Port Driver;c:\windows\system32\drivers\nwvmser.sys [5/16/2009 12:04 AM 174720]
S3 NWVMPort2;Virgin Mobile USB Status2 Port Driver;c:\windows\system32\drivers\nwvmser2.sys [5/16/2009 12:04 AM 174720]
S3 RkPavproc1;RkPavproc1;c:\windows\system32\drivers\rkpavproc1.sys [4/24/2009 5:23 PM 16952]
--- Other Services/Drivers In Memory ---
*Deregistered* - sptd
.
Contents of the 'Scheduled Tasks' folder
2010-12-11 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]
2010-12-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.arktos.com/
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: bobibanking.com\www
TCP: {2268D7D2-E6CB-40AB-AFFF-3898388F4A02} = 192.168.1.1
FF - ProfilePath - c:\documents and settings\John B. Morgan IV\Application Data\Mozilla\Firefox\Profiles\wlrr7xnj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1142338&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.arktos.com/
FF - prefs.js: keyword.URL - hxxp://in.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_in&p=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\John B. Morgan IV\Application Data\Mozilla\Firefox\Profiles\wlrr7xnj.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Extension: DAEMON Tools Toolbar:
DTToolbar@toolbarnet.com - c:\documents and settings\John B. Morgan IV\Application Data\Mozilla\Firefox\Profiles\wlrr7xnj.default\extensions\DTToolbar@toolbarnet.com
FF - Extension: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\documents and settings\John B. Morgan IV\Application Data\Mozilla\Firefox\Profiles\wlrr7xnj.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\John B. Morgan IV\Application Data\Mozilla\Firefox\Profiles\wlrr7xnj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Java Quick Starter:
jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
---- FIREFOX POLICIES ----
.
- - - - ORPHANS REMOVED - - - -
AddRemove-Malwarebytes' Anti-Malware_is1 - c:\program files\winlogon.exe\unins000.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-12-11 17:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-835585458-1146130675-857608242-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5DE01600-F5B7-C8B1-7CD2-7297AF3CA1DA}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaaoilmkjcecdghoci"=hex:6a,61,65,62,6d,67,70,65,62,69,6c,66,66,6c,70,6c,61,63,
64,6d,00,00
"haglooakcohnhhmp"=hex:6a,61,64,62,6f,67,68,6b,6f,6e,66,70,6e,6b,63,70,6f,6f,
63,6e,00,6e
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2772)
c:\windows\system32\WININET.dll
c:\documents and settings\John B. Morgan IV\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\Microsoft.NET\Framework\v1.1.4322\fusion.dll
c:\program files\eee storage\xpclient.dll
c:\program files\eee storage\logicnp.eznamespaceextensions.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wdfmgr.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\program files\Skype\Phone\Skype.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-12-11 17:42:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-11 12:12
ComboFix2.txt 2010-08-18 16:45
ComboFix3.txt 2010-08-04 15:08
ComboFix4.txt 2010-08-03 16:07
Pre-Run: 2,479,628,288 bytes free
Post-Run: 2,465,161,216 bytes free
Current=6 Default=6 Failed=4 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - AC0BE219B2FC36542225ED3B00E76170