COMBOFIX
ComboFix 11-11-15.06 - OWNER 11/15/2011 20:14:25.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.639.289 [GMT -5:00]
Running from: c:\documents and settings\Cassidy\desktop\ComboFix.exe
Command switches used :: /nombr
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\OWNER\Application Data\Adobe\plugs
c:\documents and settings\OWNER\Application Data\Adobe\shed
c:\documents and settings\OWNER\Local Settings\Application Data\{A6229D32-CF4F-46AA-B529-C0F352C72582}
c:\documents and settings\OWNER\Local Settings\Application Data\{A6229D32-CF4F-46AA-B529-C0F352C72582}\chrome.manifest
c:\documents and settings\OWNER\Local Settings\Application Data\{A6229D32-CF4F-46AA-B529-C0F352C72582}\chrome\content\overlay.xul
c:\documents and settings\OWNER\Local Settings\Application Data\{A6229D32-CF4F-46AA-B529-C0F352C72582}\install.rdf
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll
c:\windows\tsoc.log
c:\windows\XSxS
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-10-16 to 2011-11-16 )))))))))))))))))))))))))))))))
.
.
2011-11-13 04:32 . 2011-10-18 06:28 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-13 04:30 . 2011-10-18 06:28 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{54B1E0AA-E09E-46C1-98E5-36DC11ECE7A2}\mpengine.dll
2011-11-12 17:44 . 2011-11-12 17:45 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-09 00:57 . 2011-11-09 00:57 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-11-08 01:06 . 2011-11-12 17:44 -------- d-----w- C:\TDSSKiller_Quarantine
2011-11-08 00:58 . 2011-11-08 00:58 -------- d--h--w- c:\windows\PIF
2011-11-07 04:38 . 2011-11-07 04:38 -------- d-----w- c:\program files\Common Files\Java
2011-11-07 04:25 . 2011-11-07 04:27 -------- d-----w- c:\program files\Microsoft Security Client
2011-11-07 01:23 . 2011-11-07 01:24 -------- d-----w- C:\WINSSLog
2011-11-06 22:14 . 2011-11-06 22:14 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-11-06 21:54 . 2011-11-06 21:54 69120 --sha-r- c:\windows\system32\inetcplc9.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-14 23:18 . 2011-05-16 05:15 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2009-11-25 03:31 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 10:06 . 2010-05-26 02:27 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-28 07:06 . 2003-03-20 21:18 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2004-04-12 08:06 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2004-04-12 08:06 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2004-04-12 08:12 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 21:00 . 2009-12-03 16:02 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48 . 2004-04-12 08:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-04-12 08:02 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-04-12 08:01 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-09-30 03:12 . 2011-06-03 04:24 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\OWNER\Application Data\mjusbsp\cdloader2.exe" [2009-12-24 50520]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2001-11-06 131072]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2002-11-01 208560]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-06-10 1326080]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-06-10 904840]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-06-10 136472]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^OWNER^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\OWNER\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^OWNER^Start Menu^Programs^Startup^Seagate 2GH26QJW Product Registration.lnk]
path=c:\documents and settings\OWNER\Start Menu\Programs\Startup\Seagate 2GH26QJW Product Registration.lnk
backup=c:\windows\pss\Seagate 2GH26QJW Product Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-06-29 13:22 136176 ----atw- c:\documents and settings\OWNER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 18:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-27 05:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 18:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\OWNER\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
S1 MpKsl06753459;MpKsl06753459;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{02065891-3F17-4033-9DA0-E553F7762462}\MpKsl06753459.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{02065891-3F17-4033-9DA0-E553F7762462}\MpKsl06753459.sys [?]
S1 MpKsl06c2b7d5;MpKsl06c2b7d5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C4B9E7A3-B56B-4F6E-A395-663BC9DD2933}\MpKsl06c2b7d5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C4B9E7A3-B56B-4F6E-A395-663BC9DD2933}\MpKsl06c2b7d5.sys [?]
S1 MpKsl0ce97650;MpKsl0ce97650;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DBB7438C-35D9-49E4-BDBE-FCC8BD52F423}\MpKsl0ce97650.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DBB7438C-35D9-49E4-BDBE-FCC8BD52F423}\MpKsl0ce97650.sys [?]
S1 MpKsl104f1a89;MpKsl104f1a89;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{914F958E-E732-4B4B-B0DA-C71D178667E3}\MpKsl104f1a89.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{914F958E-E732-4B4B-B0DA-C71D178667E3}\MpKsl104f1a89.sys [?]
S1 MpKsl18b0c8f1;MpKsl18b0c8f1;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{03DCA112-2FD8-4273-BD98-239E261C787E}\MpKsl18b0c8f1.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{03DCA112-2FD8-4273-BD98-239E261C787E}\MpKsl18b0c8f1.sys [?]
S1 MpKsl1d5ce3db;MpKsl1d5ce3db;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB8BD429-96DB-4CAB-807F-6AF44714325E}\MpKsl1d5ce3db.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB8BD429-96DB-4CAB-807F-6AF44714325E}\MpKsl1d5ce3db.sys [?]
S1 MpKsl2098ee12;MpKsl2098ee12;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{17F40F73-B59C-4FDE-AEC1-2E7A0B6BD64B}\MpKsl2098ee12.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{17F40F73-B59C-4FDE-AEC1-2E7A0B6BD64B}\MpKsl2098ee12.sys [?]
S1 MpKsl2c9a16f8;MpKsl2c9a16f8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{43BC38AF-E431-4613-8113-3F07AAAA2876}\MpKsl2c9a16f8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{43BC38AF-E431-4613-8113-3F07AAAA2876}\MpKsl2c9a16f8.sys [?]
S1 MpKsl2f587506;MpKsl2f587506;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2F39569A-B513-4ACD-9400-79A1A6937EDB}\MpKsl2f587506.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2F39569A-B513-4ACD-9400-79A1A6937EDB}\MpKsl2f587506.sys [?]
S1 MpKsl492b9faa;MpKsl492b9faa;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BF0F4DA6-22F1-4F18-8CD9-28D9ACFF0766}\MpKsl492b9faa.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BF0F4DA6-22F1-4F18-8CD9-28D9ACFF0766}\MpKsl492b9faa.sys [?]
S1 MpKsl5c882d1f;MpKsl5c882d1f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B8B6ADFF-3C64-47E1-A50F-7FA1F6DBA09D}\MpKsl5c882d1f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B8B6ADFF-3C64-47E1-A50F-7FA1F6DBA09D}\MpKsl5c882d1f.sys [?]
S1 MpKsl7c543b59;MpKsl7c543b59;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D241811-9A84-4E70-B3A4-F4E822BB2902}\MpKsl7c543b59.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D241811-9A84-4E70-B3A4-F4E822BB2902}\MpKsl7c543b59.sys [?]
S1 MpKsl7c8b4a62;MpKsl7c8b4a62;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{74C7B35C-1996-46B8-AB2D-A6D094376DBE}\MpKsl7c8b4a62.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{74C7B35C-1996-46B8-AB2D-A6D094376DBE}\MpKsl7c8b4a62.sys [?]
S1 MpKsl8b2b6408;MpKsl8b2b6408;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{74C7B35C-1996-46B8-AB2D-A6D094376DBE}\MpKsl8b2b6408.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{74C7B35C-1996-46B8-AB2D-A6D094376DBE}\MpKsl8b2b6408.sys [?]
S1 MpKslde5af808;MpKslde5af808;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CB61DF90-165B-4CC5-9940-78CE104A4C80}\MpKslde5af808.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CB61DF90-165B-4CC5-9940-78CE104A4C80}\MpKslde5af808.sys [?]
S3 26666836;26666836; [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/12/2011 12:44 PM 41272]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-492894223-1957994488-1004Core.job
- c:\documents and settings\OWNER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 13:22]
.
2011-11-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-492894223-1957994488-1004UA.job
- c:\documents and settings\OWNER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 13:22]
.
2011-11-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\OWNER\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\OWNER\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
TCP: DhcpNameServer = 192.168.2.1
DPF: {2EA5DD45-9254-4B0D-9F48-E92FEC3A9754} - hxxps://simulcast.manheim.com/simulcast_docs/av/SimulcastAVPlugin-win-ie.cab
DPF: {7206EAAC-5CFA-43A3-9F61-E27E8E51E42F} - hxxp://adus1.liveglobalbid.com/container_repository/laiexec.cab
FF - ProfilePath - c:\documents and settings\OWNER\Application Data\Mozilla\Firefox\Profiles\hykzwa8x.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/;_ylt=AtoEu.MyDuQycydxJDNikOlG2vAI
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60848
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-GigglePop.com evalPal Plus for NADA - c:\windows\suinsta4001.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-15 20:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(700)
c:\windows\system32\relog_ap.dll
.
- - - - - - - > 'explorer.exe'(3376)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\nvsvc32.exe
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Apoint\Apntex.exe
.
**************************************************************************
.
Completion time: 2011-11-15 20:33:25 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-16 01:33
.
Pre-Run: 34,540,924,928 bytes free
Post-Run: 36,535,570,432 bytes free
.
- - End Of File - - 92BBADCB600E35477D1320CFB08E05F7
CKFILES
CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11.RAAPTI
----- EOF -----
Note: I have read the warnings here. I no longer have any file-sharing software installed; it was deleted long ago, but for some reason it still shows up in that report under startup, and I am not sure why. Thanks again for any help.