ComboFix 10-05-20.07 - Owner 05/20/2010 16:56:30.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512.318 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ajax\Combo-Fix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\drivers\ohci1394.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-21 to 2010-05-21 )))))))))))))))))))))))))))))))
.
2010-05-15 17:07 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-15 17:07 . 2010-05-15 17:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-15 17:07 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-15 16:53 . 2010-05-15 16:53 -------- d-----w- c:\program files\Trend Micro
2010-05-15 05:53 . 2010-05-15 05:53 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-05-13 15:30 . 2010-05-13 15:30 -------- d-----w- c:\program files\MAPILab Ltd
2010-05-13 15:26 . 2010-05-13 15:26 -------- d-----w- c:\windows\Downloaded Installations
2010-05-13 14:06 . 2010-05-13 14:06 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-13 10:39 . 2010-05-13 10:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-13 10:34 . 2010-05-13 11:24 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\xewjmnnsa
2010-05-13 04:11 . 2010-05-13 05:02 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\xgnapvisa
2010-04-23 08:57 . 2010-04-23 09:00 102364 ----a-w- c:\windows\hpqins13.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-06 20:59 . 2009-08-16 20:29 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2009-08-16 20:30 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2009-08-16 20:30 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2009-08-16 20:30 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:33 . 2009-08-16 20:30 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-06 20:33 . 2009-08-16 20:30 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-06 20:33 . 2009-08-16 20:30 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-06 20:33 . 2009-08-16 20:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-24 13:15 . 2009-08-18 05:04 99736 ----a-w- c:\windows\CPEins05.dat
2010-04-14 16:47 . 2009-08-16 20:30 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-11 20:24 . 2009-08-16 20:29 -------- d-----w- c:\program files\Alwil Software
2010-04-11 09:55 . 2010-04-11 09:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-10 06:15 . 2008-04-14 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-14 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 22:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 04:34 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2008-04-14 12:00 208952 ----a-w- c:\windows\ime\IMJP8_1\imjpmig.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-27 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\Macromedia\\Flash Player\\
www.macromedia.com\\bin\\octoshape\\octoshape.exe"=R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/16/2009 1:30 PM 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/16/2009 1:30 PM 19024]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2010-05-20 c:\windows\Tasks\User_Feed_Synchronization-{DE83EBB3-0A68-4ECA-80A6-ABB3F9D0F481}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page =
hxxp://www.yahoo.com/uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\v4pqvpaa.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-20 17:09
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2010-05-20 17:14:35
ComboFix-quarantined-files.txt 2010-05-21 00:14
ComboFix2.txt 2010-01-28 02:18
Pre-Run: 4,660,649,984 bytes free
Post-Run: 5,476,098,048 bytes free
- - End Of File - - BCECD43F6B4B0615AE58C67378F32A2A