ComboFix 09-11-27.07 - Carl_2 11/28/2009 13:07.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.23 [GMT -6:00]
Running from: c:\dmg hold\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Microsoft AData
c:\documents and settings\All Users\Microsoft AData\t.sid
c:\program files\NavExcel
c:\program files\NavExcel\NavHelper\v2.0.4c\NHelper.htm
c:\recycler\NPROTECT
c:\windows\Cursors\tunten.bak1
c:\windows\Cursors\tunten.bak2
c:\windows\Cursors\tunten.ini
c:\windows\Downloaded Program Files\popcaploader.inf
.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
.
2009-11-28 18:55 . 2009-11-28 18:55 -------- d-----w- C:\_OTL
2009-11-27 18:20 . 2009-11-27 18:20 -------- d-----w- c:\program files\LimeWire
2009-11-24 23:54 . 2009-11-28 19:01 -------- d-----w- C:\DMG hold
2009-11-24 21:55 . 2009-11-24 21:55 1068 ----a-w- C:\dmg5.reg
2009-11-24 21:47 . 2009-11-24 21:48 1236 ----a-w- C:\dmg4.reg
2009-11-24 21:23 . 2009-11-24 21:23 28454 ----a-w- C:\dmg11093.reg
2009-11-24 20:12 . 2009-11-24 20:12 1494 ----a-w- C:\dmg11092.reg
2009-11-24 20:10 . 2009-11-24 20:10 3444 ----a-w- C:\dmg112409.reg
2009-11-20 19:34 . 2009-11-20 19:35 -------- d-----w- c:\program files\Symantec
2009-11-20 19:31 . 2009-11-20 19:31 -------- d-----w- c:\program files\Windows Sidebar
2009-11-20 19:30 . 2009-11-24 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-11-20 19:29 . 2009-11-20 19:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-11-20 19:22 . 2009-11-20 19:22 -------- d-----w- c:\documents and settings\Carl_2\Local Settings\Application Data\ICS
2009-11-19 21:31 . 2009-11-19 21:32 -------- d-----w- c:\windows\system32\NtmsData
2009-11-19 20:43 . 2009-11-19 20:43 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-19 20:43 . 2009-11-19 20:43 -------- d-----w- c:\program files\MSBuild
2009-11-19 20:42 . 2009-11-19 20:42 -------- d-----w- c:\program files\Reference Assemblies
2009-11-19 20:37 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-19 20:37 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-19 20:37 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-19 20:37 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-19 20:37 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-19 20:37 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-19 20:37 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-19 20:37 . 2009-11-19 20:40 -------- d-----w- C:\289395e755978cf54a
2009-11-10 12:20 . 2009-11-10 12:20 -------- d-----w- c:\documents and settings\Carl_2\Local Settings\Application Data\Dell
2009-11-07 00:16 . 2009-11-19 20:32 -------- d-----w- c:\program files\Angle Interactive
2009-11-07 00:16 . 2009-11-07 00:16 -------- d-----w- C:\ProgramData
2009-11-03 03:54 . 2009-11-03 03:54 152576 ----a-w- c:\documents and settings\Carl_2\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-27 20:10 . 2009-09-17 00:13 -------- d-----w- c:\program files\AVG
2009-11-27 18:40 . 2009-09-26 07:37 -------- d-----w- c:\documents and settings\Carl_2\Application Data\LimeWire
2009-11-27 17:01 . 2004-02-24 14:24 -------- d-----w- c:\program files\PokerStars
2009-11-24 22:34 . 2004-03-15 22:23 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-20 19:34 . 2009-11-20 19:34 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-11-20 19:34 . 2009-11-20 19:34 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-11-20 19:34 . 2004-03-15 22:24 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-11-20 19:34 . 2004-03-15 22:24 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-11-20 19:05 . 2004-03-15 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-19 21:26 . 2009-09-26 07:08 -------- d-----w- c:\program files\Windows Live
2009-11-19 21:14 . 2009-09-22 21:10 -------- d-----w- c:\documents and settings\Carl_2\Application Data\Yahoo!
2009-11-19 20:53 . 2004-03-15 22:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-19 20:53 . 2004-04-04 00:39 -------- d-----w- c:\program files\EPSON
2009-11-19 20:48 . 2009-09-16 12:21 62936 ----a-w- c:\documents and settings\Carl_2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-19 20:44 . 2009-09-22 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-11-19 20:44 . 2004-09-11 03:08 -------- d-----w- c:\program files\Yahoo!
2009-11-03 04:01 . 2004-03-15 21:54 -------- d-----w- c:\program files\Java
2009-10-29 11:01 . 2009-10-24 00:45 -------- d-----w- c:\program files\CS
2009-10-14 00:57 . 2009-10-01 15:23 393216 ------w- c:\windows\Setup1.exe
2009-10-14 00:57 . 2004-07-18 16:07 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-10-14 00:55 . 2009-10-14 00:55 737280 ------w- c:\windows\midaswiz.exe
2009-10-11 10:17 . 2009-09-26 07:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-04 13:26 . 2002-09-03 14:58 79223 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-09-26 07:35 . 2009-09-26 07:35 152576 ----a-w- c:\documents and settings\Carl_2\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-09-19 02:35 . 2009-09-19 02:35 1961720 ----a-w- c:\documents and settings\Carl_2\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-09-11 14:18 . 2004-11-08 01:17 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-11-08 01:18 58880 ----a-w- c:\windows\system32\msasn1.dll
.
------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . 3029B7F80F923E4861CCFF03ACE352D5 . 96512 . . [------] . . c:\windows\SYSTEM32\DRIVERS\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\SYSTEM32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\SYSTEM32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Search Protection\\SearchProtection.exe"=
.
Contents of the 'Scheduled Tasks' folder

2009-11-28 c:\windows\Tasks\User_Feed_Synchronization-{1FA8223A-7822-4CA4-A437-05A7F15EC3DD}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: {{578FC4E3-151E-456c-AF8E-B63061EFE228} - c:\program files\GhostSurf\LaunchPCC.exe
IE: {{578FC4E3-151E-456c-AF8E-B63061EFE228}}
TCP: {52CF510E-320E-4A0E-B44E-ED3FF560C646} = 83.149.115.182
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
AddRemove-PhotoParade.exe - c:\program files\PhotoParade\Uninstall PhotoParade Player.exe PhotoParade.exe
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-28 13:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x81F12E07]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf92a4f28
\Driver\ACPI -> ACPI.sys @ 0xf9217cb8
\Driver\atapi -> atapi.sys @ 0xf91cf852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf90dbbb0
PacketIndicateHandler -> NDIS.sys @ 0xf90e8a21
SendHandler -> NDIS.sys @ 0xf90c687b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(724)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3668)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\windows\System32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-28 13:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-28 19:32

Pre-Run: 68,688,457,728 bytes free
Post-Run: 68,781,293,568 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 4AB51DD734FF5F602A93E9F41FD12362