ComboFix 09-12-01.01 - skip 12/01/2009  18:03.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3070.2645 [GMT -6:00]
Running from: c:\temp\geekstogo\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
(((((((((((((((((((((((((   Files Created from 2009-11-02 to 2009-12-02  )))))))))))))))))))))))))))))))
.
2009-12-01 23:26 . 2009-12-01 23:29	--------	d-----w-	C:\Combo-Fix
2009-12-01 22:54 . 2009-12-01 22:54	--------	d-----w-	c:\temp\firefox
2009-12-01 16:24 . 2009-12-01 16:24	--------	d-----w-	c:\program files\ERUNT
2009-12-01 15:51 . 2008-04-14 01:11	21504	----a-w-	c:\windows\system32\hidserv.dll
2009-12-01 15:51 . 2008-04-14 01:11	21504	----a-w-	c:\windows\system32\dllcache\hidserv.dll
2009-12-01 04:29 . 2009-12-01 23:24	--------	d-----w-	c:\temp\geekstogo
2009-12-01 00:04 . 2009-12-01 16:40	--------	d-----w-	c:\documents and settings\skip\Local Settings\Application Data\wqvoqi
2009-11-11 21:17 . 2009-11-11 21:17	--------	d-----w-	C:\site-content
2009-11-10 18:03 . 2009-11-10 18:03	--------	d-----w-	c:\documents and settings\All Users\Application Data\GoodSync
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-01 20:45 . 2008-07-09 01:07	--------	d-----w-	c:\program files\JetBrains
2009-12-01 19:58 . 2004-08-04 03:59	96512	----a-w-	c:\windows\system32\drivers\atapi.sys
2009-12-01 16:46 . 2009-01-05 18:58	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2009-11-29 06:23 . 2009-01-20 03:37	1324	----a-w-	c:\windows\system32\d3d9caps.dat
2009-11-20 21:48 . 2009-02-09 22:13	--------	d-----w-	c:\documents and settings\skip\Application Data\MySQL
2009-11-17 16:26 . 2009-07-24 14:56	--------	d-----w-	c:\documents and settings\skip\Application Data\GoodSync
2009-11-16 15:29 . 2008-07-07 21:00	--------	d-----w-	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-30 04:53 . 2009-10-30 04:47	--------	d-----w-	c:\documents and settings\skip\Application Data\JGoodies
2009-09-11 14:18 . 2004-08-11 22:00	136192	----a-w-	c:\windows\system32\msv1_0.dll
2009-09-10 20:54 . 2009-01-05 18:58	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 20:53 . 2009-01-05 18:58	19160	----a-w-	c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-11 22:00	58880	----a-w-	c:\windows\system32\msasn1.dll
2009-11-03 13:52 . 2009-11-03 13:52	119808	----a-w-	c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-07 68856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-06 4347120]
"Synergy Server"="c:\program files\Synergy\synergys.exe" [2006-04-02 733184]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-07-17 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-03 30192]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"HydraVisionDesktopManager"="c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-09-16 270336]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-22 16132608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\skip\My Documents\My Pictures\desktop\undiscovered-night1280.jpg
FriendlyName= 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= c:\documents and settings\skip\My Documents\My Pictures\desktop\biodomesunset1280.jpg
FriendlyName= 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Synergy\\synergys.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\JetBrains\\IntelliJ IDEA 7.0.3\\bin\\idea.exe"=
"c:\\java\\jdks\\jdk1.5.0_15\\bin\\java.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [6/26/2009 10:44 AM 194817]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/26/2009 10:44 AM 108289]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [6/26/2009 10:44 AM 434945]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [7/7/2008 3:02 PM 30192]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Open Client to monitor &1 - c:\windows\web\AOpenClient.htm
IE: Open Client to monitor &2 - c:\windows\web\AOpenClient.htm
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: {CD00FC06-7DD2-48E7-946D-FCACDE3BE462} = 192.168.0.220,24.93.41.126
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - file:///E:/LTOCX14N.cab
FF - ProfilePath - c:\documents and settings\skip\Application Data\Mozilla\Firefox\Profiles\io8bh28i.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-cygwin_bash - c:\cygwin\bin\sh -c



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-01 18:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(812)
c:\program files\Avira\AntiVir Desktop\avsda.dll

- - - - - - - > 'explorer.exe'(956)
c:\windows\system32\WININET.dll
c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDMH.dll
c:\program files\TortoiseSVN\bin\tortoisesvn.dll
c:\program files\TortoiseSVN\bin\intl3_svn.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\windows\system32\mdm.exe
.
**************************************************************************
.
Completion time: 2009-12-01 18:42 - machine was rebooted
ComboFix-quarantined-files.txt  2009-12-02 00:42

Pre-Run: 122,071,810,048 bytes free
Post-Run: 121,986,465,792 bytes free

- - End Of File - - 4B3DF8B0D4A608439E86BD28DF09DAE7
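The items a responder reads first in a log like this are the driver disinfection notices (two boot-critical drivers, atapi.sys and iaStor.sys, were replaced), the Windows Firewall policy keys (EnableFirewall is 0, and 3389/TCP sits in GloballyOpenPorts) and the "Files Created" list (a new directory with a generated-looking name, wqvoqi, under the user's Local Settings\Application Data). The script below is an added example, not part of the original post and not ComboFix's own code: it parses those three sections out of ComboFix-style text and returns the findings as data. SAMPLE_LOG is an excerpt copied from the log above; the function names, the output layout and the looks_generated() heuristic are this example's own assumptions.

```python
"""Triage helper for a ComboFix log such as the one above.

Added example: not part of the original post and not ComboFix's own code.
It pulls out the driver disinfection notices, the Windows Firewall policy
keys and the 'Files Created' entries and returns them as data. SAMPLE_LOG
is an excerpt copied from the log above; the function names, the result
layout and the looks_generated() heuristic are this example's assumptions.
"""
import re

# Excerpt of the log above, trimmed to the lines the parser needs.
SAMPLE_LOG = r"""
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
(((((((((((((((((((((((((   Files Created from 2009-11-02 to 2009-12-02  )))))))))))))))))))))))))))))))
.
2009-12-01 16:24 . 2009-12-01 16:24 -------- d-----w- c:\program files\ERUNT
2009-12-01 00:04 . 2009-12-01 16:40 -------- d-----w- c:\documents and settings\skip\Local Settings\Application Data\wqvoqi
2009-11-10 18:03 . 2009-11-10 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\GoodSync
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

DISINFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$", re.M)
# 'created . modified  size-or-dashes  attrs  path' as ComboFix prints it.
FILE_ENTRY_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+(?:-{8}|\d+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$", re.M)
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
# A directory created directly under a per-user Local Settings\Application Data.
PROFILE_DIR_RE = re.compile(
    r"^c:\\documents and settings\\[^\\]+\\local settings\\application data\\([^\\]+)$", re.I)
FIREWALL_KEY = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"


def parse_registry(log):
    """Return {key: {value_name: data}} for every [KEY] block in the log."""
    blocks, current = {}, None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            blocks.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                blocks[current][m.group(1)] = m.group(2).strip()
    return blocks


def looks_generated(name):
    """Crude heuristic (this example's assumption, not a ComboFix rule): a short
    all-lowercase name with no vowels, or with a 'q' not followed by 'u', is
    unlikely to be a vendor's directory name and is worth a manual look."""
    if not re.fullmatch(r"[a-z]{5,8}", name):
        return False
    return not re.search(r"[aeiou]", name) or bool(re.search(r"q(?!u)", name))


def triage(log):
    """Collect the findings a responder wants from the three sections."""
    reg = parse_registry(log)
    fw = reg.get(FIREWALL_KEY, {}).get("EnableFirewall")
    firewall_enabled = None if fw is None else fw.split()[0] == "1"
    open_ports = []
    for data in reg.get(FIREWALL_KEY + r"\GloballyOpenPorts\List", {}).values():
        port, proto, desc = data.split(":", 2)
        open_ports.append({"port": int(port), "proto": proto, "desc": desc})
    new_profile_dirs = []
    for m in FILE_ENTRY_RE.finditer(log):
        pm = PROFILE_DIR_RE.match(m.group("path"))
        if m.group("attrs").startswith("d") and pm:
            new_profile_dirs.append({"path": m.group("path"),
                                     "looks_generated": looks_generated(pm.group(1))})
    return {
        "disinfected": DISINFECTED_RE.findall(log),
        "firewall_enabled": firewall_enabled,
        "open_ports": open_ports,
        # Exceptions that will still expose a service once the firewall is re-enabled.
        "exposed_after_reenable": [p for p in open_ports
                                   if (p["port"], p["proto"]) == (3389, "TCP")],
        "new_profile_dirs": new_profile_dirs,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two caveats the output makes visible. With EnableFirewall at 0 every listening port is reachable regardless of the exception list, so the 3389/TCP entry matters less now than after the firewall is switched back on: at that point Remote Desktop stays reachable unless the exception is removed. And the "disinfected" drivers are boot-start drivers that ComboFix replaced on disk; the Find3M line for atapi.sys (96512 bytes, 2004-08-04 original timestamp, written 2009-12-01 19:58) is the restored copy, and it is worth comparing its hash against a known-good copy from the XP SP3 media before trusting the machine.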