ComboFix 09-05-31.04 - Owner 06/01/2009 2:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1616 [GMT -4:00]
Running from: c:\documents and settings\Owner.YOUR-DDD76B06BE\Desktop\Combo-Fix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
 * Resident AV is active
.
ADS - WINDOWS: deleted 0 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\LastSun Ltd
c:\windows\system32\drivers\UACewypaspylqegipr.sys
c:\windows\system32\UACeadmyfqjxxykdme.dll
c:\windows\system32\UAChxltfmqxeqrkxhx.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkrmwbyrirlfxjcu.log
c:\windows\system32\UACktxvwykthpgrylo.dll
c:\windows\system32\UACnfpkchsqavbwear.log
c:\windows\system32\UACnlfvskesivblnsr.dll
c:\windows\system32\UAColetpxdypoqqliv.dll
c:\windows\system32\UAColropxmfbymniym.db
c:\windows\system32\UACtwkwiuofluavwmp.dll
c:\windows\system32\UACucxdnknettttbpb.log
c:\windows\system32\UACwuxtkosvhtjpnqq.dll
D:\Autorun.inf
D:\Desktop.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.

2009-06-01 05:53 . 2009-06-01 06:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-01 05:50 . 2009-06-01 05:51 -------- d-----w- C:\Rooter$
2009-06-01 05:31 . 2009-06-01 05:31 -------- d-----w- c:\program files\ERUNT
2009-06-01 03:46 . 2009-06-01 03:46 -------- d-----w- C:\VundoFix Backups
2009-05-28 00:03 . 2009-05-28 00:03 390664 ----a-w- c:\documents and settings\Owner.YOUR-DDD76B06BE\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-27 00:25 . 2009-05-27 00:25 -------- d-----w- c:\program files\ESET
2009-05-23 19:11 . 2009-05-23 19:11 78848 ----a-w- c:\documents and settings\Owner.YOUR-DDD76B06BE\Application Data\upd.exe.exe
2009-05-14 19:49 . 2009-05-14 19:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 19:47 . 2009-05-14 19:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 19:41 . 2009-05-14 19:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2009-06-01 03:06 . 2006-11-12 17:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-04-24 03:32 . 2005-11-23 09:38 32992 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-24 03:25 . 2009-04-24 03:25 -------- d-----w- c:\program files\MSBuild
2009-04-24 03:25 . 2009-04-24 03:25 -------- d-----w- c:\program files\Reference Assemblies
2009-04-24 02:34 . 2009-04-24 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-04-24 02:24 . 2008-11-11 02:11 -------- d-----w- c:\program files\CCleaner
2009-04-24 02:07 . 2006-11-12 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-04-24 01:40 . 2009-04-01 20:12 -------- d-----w- c:\program files\support.com
2009-04-24 01:40 . 2009-04-01 20:12 -------- d-----w- c:\program files\Common Files\SupportSoft
2009-04-24 00:20 . 2006-08-07 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-08 23:41 . 2007-09-16 16:45 -------- d-----w- c:\program files\Full Tilt Poker
2009-03-06 14:22 . 2005-11-23 07:12 284160 ----a-w- c:\windows\system32\pdh.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-27 185896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 344064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ	autocheck autochk /p \??\C:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [6/23/2006 7:56 AM 200576]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [11/22/2005 8:52 PM 69692]
.
Contents of the 'Scheduled Tasks' folder

2009-04-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://desktop.google.com/uninstall-feedback.html?hl=en
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxps://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-01 02:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-06-01 2:27
ComboFix-quarantined-files.txt 2009-06-01 06:27

Pre-Run: 20,313,100,288 bytes free
Post-Run: 20,331,999,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

141	--- E O F --- 2009-05-27 00:05