ComboFix 11-06-05.01 - Johny 06/05/2011 12:14:42.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3062.2205 [GMT -4:00]
Running from: c:\documents and settings\Johny\Desktop\Combo-Fix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Johny\Application Data\shoppinguard.com
c:\documents and settings\Johny\Application Data\shoppinguard.com\shoppinguard\wa11\webAtrbts.tat
c:\documents and settings\Johny\Application Data\shoppinguard.com\shoppinguard\wa11\webAtrbts.ttr
c:\documents and settings\Johny\WINDOWS
c:\windows\system32\winlogon.bak
.
.
((((((((((((((((((((((((( Files Created from 2011-05-05 to 2011-06-05 )))))))))))))))))))))))))))))))
.
.
2011-06-04 18:05 . 2011-06-04 18:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-01 20:54 . 2011-06-01 20:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2011-06-01 15:06 . 2011-06-01 15:07 -------- d-----w- c:\windows\$regcmp$
2011-05-29 16:10 . 2011-05-29 16:10 -------- d-----w- C:\$WIN_NT$.~BT
2011-05-28 00:47 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-27 10:46 . 2011-05-27 10:46 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-05-27 04:44 . 2011-05-27 04:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2011-05-27 04:44 . 2011-05-27 04:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-05-27 03:42 . 2011-05-27 03:42 -------- d-s---w- c:\documents and settings\LocalService\UserData
2011-05-24 02:01 . 2011-05-24 02:01 -------- d-----w- c:\program files\Common Files\Adobe
2011-05-17 15:43 . 2011-05-17 15:43 -------- d-----w- c:\documents and settings\Johny\Application Data\Unity
2011-05-13 14:43 . 2011-05-13 14:43 -------- d-----w- c:\documents and settings\Johny\Application Data\Intel Corporation
2011-05-09 01:21 . 2011-05-09 01:21 -------- d-----w- c:\documents and settings\Johny\Application Data\InstallShield
2011-05-09 01:16 . 2011-05-09 01:16 -------- d-----w- c:\program files\SystemRequirementsLab
2011-05-09 01:16 . 2011-05-09 01:16 -------- d-----w- c:\documents and settings\Johny\Application Data\SystemRequirementsLab
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-10 12:10 . 2010-07-03 01:37 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:10 . 2010-05-24 03:12 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-10 12:03 . 2010-05-24 03:12 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2010-05-24 03:12 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-10 12:02 . 2010-05-24 03:12 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-10 12:02 . 2010-05-24 03:12 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-10 11:59 . 2010-05-24 03:12 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2010-05-24 03:12 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-10 11:59 . 2010-05-24 03:12 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-26 22:39 . 2011-03-26 22:39 65536 ----a-r- c:\documents and settings\Johny\Application Data\Microsoft\Installer\{843081BD-351F-46FC-8A17-517A0D9117A3}\NewShortcut5_843081BD351F46FC8A17517A0D9117A3.exe
2011-03-26 22:39 . 2011-03-26 22:39 65536 ----a-r- c:\documents and settings\Johny\Application Data\Microsoft\Installer\{843081BD-351F-46FC-8A17-517A0D9117A3}\NewShortcut3_843081BD351F46FC8A17517A0D9117A3.exe
2011-03-26 22:39 . 2011-03-26 22:39 65536 ----a-r- c:\documents and settings\Johny\Application Data\Microsoft\Installer\{843081BD-351F-46FC-8A17-517A0D9117A3}\NewShortcut2_843081BD351F46FC8A17517A0D9117A3.exe
2011-03-26 22:39 . 2011-03-26 22:39 65536 ----a-r- c:\documents and settings\Johny\Application Data\Microsoft\Installer\{843081BD-351F-46FC-8A17-517A0D9117A3}\NewShortcut1_843081BD351F46FC8A17517A0D9117A3.exe
2011-05-03 01:19 . 2011-05-03 01:19 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-04-30 . 6225F14B8CE08CCBA8B25AD27843C674 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe
.
[-] 2009-12-11 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-10-20 1693184]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2010-04-07 19523104]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-08-21 1306624]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,\
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GamersFirst LIVE!.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GamersFirst LIVE!.lnk
backup=c:\windows\pss\GamersFirst LIVE!.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 16:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-27 05:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 08:06 1667584 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2011-02-04 19:53 2984856 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\phc700]
2006-10-16 14:18 344064 ----a-w- c:\windows\vphc700.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner Scheduler]
2010-04-16 14:04 471650 ----a-w- c:\program files\CleanMyPC\Registry Cleaner\RCHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"GabPath"=c:\documents and settings\Johny\Application Data\GabPath\gabpath.exe
"SfKg6wIPuSp"=c:\documents and settings\Johny\Application Data\Microsoft\Windows\jnipmo.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"phc700"=c:\windows\vphc700.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\ijjiOptimizer.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56359:TCP"= 56359:TCP:Pando Media Booster
"56359:UDP"= 56359:UDP:Pando Media Booster
"57460:TCP"= 57460:TCP:Pando Media Booster
"57460:UDP"= 57460:UDP:Pando Media Booster
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"6893:TCP"= 6893:TCP:League of Legends Launcher
"6893:UDP"= 6893:UDP:League of Legends Launcher
"6946:TCP"= 6946:TCP:League of Legends Launcher
"6946:UDP"= 6946:UDP:League of Legends Launcher
"9322:TCP"= 9322:TCP:EKDiscovery
"8382:TCP"= 8382:TCP:League of Legends Launcher
"8382:UDP"= 8382:UDP:League of Legends Launcher
"8383:TCP"= 8383:TCP:League of Legends Launcher
"8383:UDP"= 8383:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6897:TCP"= 6897:TCP:League of Legends Launcher
"6897:UDP"= 6897:UDP:League of Legends Launcher
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/15/2010 9:09 PM 691696]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/27/2011 8:47 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/23/2010 11:12 PM 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/23/2010 11:12 PM 19544]
R2 HLServer;HL-Server;c:\windows\system32\HLS32SVC.EXE [1/20/2011 7:41 PM 335872]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [5/8/2011 9:22 PM 13336]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\Printer\Center\EKDiscovery.exe [7/18/2008 11:24 AM 270336]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [9/10/2008 1:44 PM 28672]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [4/2/2011 12:25 AM 16512]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]
S3 phc700;USB PC Camera (SPC700NC);c:\windows\system32\drivers\phc700.sys [4/29/2010 10:40 PM 644864]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S3 XDva346;XDva346;\??\c:\windows\system32\XDva346.sys --> c:\windows\system32\XDva346.sys [?]
S3 XDva349;XDva349;\??\c:\windows\system32\XDva349.sys --> c:\windows\system32\XDva349.sys [?]
S3 XDva351;XDva351;\??\c:\windows\system32\XDva351.sys --> c:\windows\system32\XDva351.sys [?]
S3 XDva356;XDva356;\??\c:\windows\system32\XDva356.sys --> c:\windows\system32\XDva356.sys [?]
S3 XDva370;XDva370;\??\c:\windows\system32\XDva370.sys --> c:\windows\system32\XDva370.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-06-04 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\Printer\Center\Kodak.Statistics.exe [2008-09-10 17:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.tangotoolbar.com/
mSearch Bar = hxxp://www.tangosearch.com/?useie5=1&q=
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.3.1
FF - ProfilePath - c:\documents and settings\Johny\Application Data\Mozilla\Firefox\Profiles\uxr7tv95.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2559647&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://serp.freecause.com/?sid=61293&cuid=&userid=63391079&q=
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{AA8160DC-2FA6-4A39-B037-1DE85AC317E2} - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-Easy Dock - c:\documents and settings\Johny\My Documents\RCA easyRip\EZDock.exe
AddRemove-Final Fantasy VII - c:\program files\Final Fantasy VII\Uninst.isu
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-05 12:30
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(996)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-06-05 12:36:06
ComboFix-quarantined-files.txt 2011-06-05 16:36
.
Pre-Run: 375,199,109,120 bytes free
Post-Run: 377,401,688,064 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
Default=c:\$win_nt$.~bt\BOOTSECT.DAT
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /TUTag=52PUN4 /NoExecute=OptOut
c:\$win_nt$.~bt\BOOTSECT.DAT="Microsoft Windows XP Setup"
.
- - End Of File - - 28BE61C95D1D7B233E590BAB0B9FA1CE