B.
I sense victory is near! Here's the log:
ComboFix 10-05-21.04 - User1 05/22/2010 19:20:37.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.205 [GMT -4:00]
Running from: H:\Combo-Fix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
PEV Error: AppFolder
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\User1\MYDOCU~1\GUARDI~1\101Ebo~1.exe
c:\documents and settings\User1\g2mdlhlpx.exe
c:\program files\AsesoftNet iToolbar
c:\program files\AsesoftNet iToolbar\BookTemplate\BookTemplate.xml
c:\program files\AsesoftNet iToolbar\BookTemplate\core.txt
c:\program files\AsesoftNet iToolbar\BookTemplate\favicon.ico
c:\program files\AsesoftNet iToolbar\BookTemplate\logo.bmp
c:\program files\AsesoftNet iToolbar\BookTemplate\nav.bmp
c:\program files\AsesoftNet iToolbar\BookTemplate\nav_hot.bmp
c:\program files\AsesoftNet iToolbar\BookTemplate\version.txt
C:\setup.exe
c:\windows\wc98pp.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))
.
2010-05-21 01:54 . 2010-05-21 01:55 -------- d-----w- C:\Inetpub
2010-05-20 23:53 . 2010-05-20 23:53 -------- d-----w- c:\documents and settings\User2\Local Settings\Application Data\Yahoo
2010-05-20 23:53 . 2010-05-20 23:53 -------- d-----w- c:\documents and settings\User2\Local Settings\Application Data\Google
2010-05-20 23:53 . 2010-05-20 23:53 -------- d-----w- c:\documents and settings\User2\Application Data\Yahoo!
2010-05-18 01:07 . 2010-05-18 01:07 -------- d-----w- c:\documents and settings\User2\Local Settings\Application Data\PCHealth
2010-05-15 14:51 . 2010-05-15 14:51 -------- d-----w- c:\documents and settings\User2\Application Data\Malwarebytes
2010-05-15 14:25 . 2010-05-22 23:15 -------- d-----w- c:\program files\a-squared Free
2010-05-13 18:19 . 2010-02-26 23:51 6870864 ---ha-w- c:\documents and settings\User1\Application Data\mjusbsp\in00000\setup.exe
2010-05-13 18:19 . 2010-02-26 23:45 743872 ---ha-w- c:\documents and settings\User1\Application Data\mjusbsp\ar00000\install.exe
2010-05-13 11:54 . 2010-05-13 12:15 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-13 02:27 . 2010-05-13 02:27 210816 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2010-05-13 02:27 . 2010-05-13 02:27 298994 ----a-w- c:\documents and settings\User1\Application Data\ATManager\uninstall.exe
2010-05-13 02:26 . 2010-05-21 01:27 -------- d-----w- c:\documents and settings\User1\Local Settings\Application Data\lrcldabqi
2010-05-13 02:26 . 2010-05-13 02:29 -------- d-----w- c:\documents and settings\User1\Application Data\ATManager
2010-05-08 23:14 . 2010-05-08 23:14 -------- d-----w- c:\program files\Starfield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-22 23:35 . 2009-02-05 16:41 -------- d-----w- c:\program files\CallWave
2010-05-22 23:15 . 2007-06-09 05:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-22 01:43 . 2007-06-09 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-22 01:39 . 2008-08-05 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-05-18 01:33 . 2009-10-15 01:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-13 18:20 . 2009-06-26 23:08 -------- d-----w- c:\documents and settings\User1\Application Data\mjusbsp
2010-05-13 11:51 . 2010-03-22 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-11 15:49 . 2007-06-09 05:40 55352 ----a-w- c:\documents and settings\User1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-09 23:00 . 2009-07-01 23:21 -------- d-----w- c:\documents and settings\User1\Application Data\LimeWire
2010-05-06 14:36 . 2009-10-03 15:57 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 12:20 . 2009-12-04 04:53 -------- d-----w- c:\documents and settings\User1\Application Data\MGI
2010-04-29 19:39 . 2009-10-15 01:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-10-15 01:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-14 03:53 . 2010-04-14 03:53 -------- d-----w- c:\program files\TrueSwitch
2010-04-04 19:06 . 2010-04-04 19:06 -------- d-----w- c:\program files\Microsoft Reference
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-15 13:05 . 2010-03-15 13:05 300616 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-15 13:05 . 2010-03-15 13:05 329312 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-15 13:02 . 2007-06-09 05:38 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-15 13:02 . 2007-06-09 05:38 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-11 12:38 . 2004-08-04 01:07 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 01:07 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 01:07 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-04 01:07 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-07 20:58 . 2010-03-07 20:58 65823 ----a-w- c:\documents and settings\User1\Application Data\magicJackOutlookAddIn\magicJackOutlookAddInUninst.exe
2010-02-26 23:51 . 2010-02-26 23:51 138584 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\ug00000\magicJack.dll
2010-02-26 23:51 . 2010-03-02 13:41 6870864 ---ha-w- c:\documents and settings\User1\Application Data\mjusbsp\Upgrade\setup2.exe
2010-02-26 23:51 . 2010-02-26 23:51 6870864 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\ug00000\setup.exe
2010-02-26 23:51 . 2010-02-26 23:51 705936 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\magicJackLoader.exe
2010-02-26 23:51 . 2010-02-26 23:51 480608 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\octvqe1_apiw.dll
2010-02-26 23:51 . 2010-02-26 23:51 214360 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\TjVista.dll
2010-02-26 23:50 . 2010-02-26 23:50 324952 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\TjIpSys.dll
2010-02-26 23:50 . 2010-02-26 23:50 615792 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\SJHandsetMagicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 87384 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\st00000\mjsetup.exe
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\st00000\magicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\magicJack.dll
2010-02-26 23:46 . 2010-02-26 23:46 12526424 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\magicJack.exe
2010-02-26 23:45 . 2010-03-02 13:41 743872 ---ha-w- c:\documents and settings\User1\Application Data\mjusbsp\Upgrade\install2.exe
2010-02-26 23:45 . 2010-02-26 23:45 743872 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\ug00000\install.exe
2010-02-26 23:45 . 2010-02-26 23:45 87384 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\in00000\mjsetup.exe
2010-02-26 23:45 . 2010-02-26 23:45 138584 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\in00000\magicJack.dll
2010-02-26 23:44 . 2010-02-26 23:44 138584 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\lr00000\magicJack.dll
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\ug00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\st00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\in00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 50520 ----a-w- c:\documents and settings\User1\Application Data\mjusbsp\cdloader2.exe
2010-02-24 13:11 . 2004-08-04 01:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-10-06 23:20 . 2009-10-06 23:20 56832 --sha-r- c:\windows\system32\mfszwmz.dll
2008-04-02 12:59 . 2008-04-01 15:48 2159392 --sha-w- c:\windows\system32\drivers\fidbox.dat
.
------- Sigcheck -------
[-] 2010-05-13 02:27 . 09925C49086F2785C061418F7FCA406F . 210816 . . [------] . . c:\windows\system32\dllcache\ndis.sys
[7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ndis.sys
c:\windows\System32\drivers\ndis.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\User1\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-20 39408]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="sm56hlpr.exe" [2004-12-29 544768]
"AMTDeviceService"="c:\program files\AMT Media Manager\AMTDeviceService.exe" [2009-01-21 184320]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-15 202256]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
CallWave.lnk - c:\program files\CallWave\IAM.exe [2009-2-5 1940544]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2007-6-9 565248]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\documents and settings\User1\Application Data\iolo"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-06-01 20:51 257088 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\CallWave\\IAM.exe"=
"c:\\Documents and Settings\\User1\\Application Data\\mjusbsp\\magicJack.exe"=
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [6/9/2007 3:23 AM 77312]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [1/30/2008 9:34 AM 388936]
S3 isaxbox;isaxbox;\??\c:\windows\system32\isaxbox.sys --> c:\windows\system32\isaxbox.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2010-05-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
2010-05-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-117609710-879983540-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
2010-05-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-117609710-879983540-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
2010-05-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {{4444FF7E-2019-4df0-B7FD-B7F20FE02417} - {ccdc304a-4095-46a4-8b66-2b5cb3dfca3c} -
Trusted Zone: turbotax.com
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} -
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
FF - ProfilePath - c:\documents and settings\User1\Application Data\Mozilla\Firefox\Profiles\aqsjgtw3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwbe.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-{E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - (no file)
URLSearchHooks-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
WebBrowser-{8D8318EE-1E9B-4CA2-8654-BE0D8A2BD9F1} - (no file)
HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-22 19:35
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(272)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(332)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(2996)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\CallWave\CWIdle.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\windows\sm56hlpr.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-05-22 19:42:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-22 23:42
Pre-Run: 57,544,990,720 bytes free
Post-Run: 57,813,762,048 bytes free
- - End Of File - - B25FD31C8EF1AC7613EC14B1CA353AD7