ComboFix 10-09-27.03 - Owner 09/27/2010 17:33:38.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.515 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
 * Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\GoToAssistDownloadHelper.exe
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\Thumbs.db
Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
Restored copy from - c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_IAS
-------\Service_6to4
-------\Service_Ias
.
((((((((((((((((((((((((( Files Created from 2010-08-27 to 2010-09-27 )))))))))))))))))))))))))))))))
.
2010-09-27 21:45 . 2010-09-27 21:45 -------- d-----w- C:\TDSSKiller_Quarantine
2010-09-27 18:58 . 2008-04-14 10:42 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-09-27 18:58 . 2001-08-18 03:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-09-27 18:58 . 2008-04-14 10:42 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-09-27 18:58 . 2001-08-18 03:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-09-27 18:58 . 2001-08-18 03:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-09-27 18:58 . 2001-08-18 03:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-09-27 18:58 . 2001-08-17 17:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-09-27 18:58 . 2008-04-14 03:04 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-09-27 18:58 . 2008-04-14 03:04 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-09-27 18:58 . 2008-04-14 10:42 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-09-27 18:56 . 2008-04-14 03:04 11935 -c--a-w- c:\windows\system32\dllcache\wadv11nt.sys
2010-09-27 18:55 . 2001-08-17 18:49 24576 -c--a-w- c:\windows\system32\dllcache\viairda.sys
2010-09-27 18:54 . 2008-04-14 05:15 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-09-27 18:54 . 2008-04-14 05:26 12800 -c--a-w- c:\windows\system32\dllcache\usb8023x.sys
2010-09-27 18:54 . 2008-04-14 03:05 32384 -c--a-w- c:\windows\system32\dllcache\usb101et.sys
2010-09-27 18:54 . 2001-08-18 03:36 94720 -c--a-w- c:\windows\system32\dllcache\umaxud32.dll
2010-09-27 18:54 . 2001-08-18 03:36 28160 -c--a-w- c:\windows\system32\dllcache\umaxu40.dll
2010-09-27 18:54 . 2001-08-18 03:36 26624 -c--a-w- c:\windows\system32\dllcache\umaxu22.dll
2010-09-27 18:54 . 2001-08-18 03:36 69632 -c--a-w- c:\windows\system32\dllcache\umaxu12.dll
2010-09-27 18:54 . 2001-08-18 03:36 50688 -c--a-w- c:\windows\system32\dllcache\umaxscan.dll
2010-09-27 18:54 . 2001-08-17 18:58 22912 -c--a-w- c:\windows\system32\dllcache\umaxpcls.sys
2010-09-27 18:54 . 2001-08-18 03:36 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2010-09-27 18:54 . 2001-08-18 03:36 47616 -c--a-w- c:\windows\system32\dllcache\umaxcam.dll
2010-09-27 18:54 . 2001-08-18 03:36 211968 -c--a-w- c:\windows\system32\dllcache\um54scan.dll
2010-09-27 18:53 . 2001-08-18 03:36 216064 -c--a-w- c:\windows\system32\dllcache\um34scan.dll
2010-09-27 18:53 . 2001-08-17 18:52 36736 -c--a-w- c:\windows\system32\dllcache\ultra.sys
2010-09-27 18:53 . 2008-04-14 05:06 44672 -c--a-w- c:\windows\system32\dllcache\uagp35.sys
2010-09-27 18:53 . 2001-08-17 18:48 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
2010-09-27 18:53 . 2001-08-17 17:51 166784 -c--a-w- c:\windows\system32\dllcache\tridxpm.sys
2010-09-27 18:53 . 2001-08-18 03:36 525568 -c--a-w- c:\windows\system32\dllcache\tridxp.dll
2010-09-27 18:53 . 2001-08-17 17:51 159232 -c--a-w- c:\windows\system32\dllcache\tridkbm.sys
2010-09-27 18:53 . 2001-08-17 19:56 440576 -c--a-w- c:\windows\system32\dllcache\tridkb.dll
2010-09-27 18:53 . 2001-08-17 17:51 222336 -c--a-w- c:\windows\system32\dllcache\trid3dm.sys
2010-09-27 18:53 . 2001-08-17 19:56 315520 -c--a-w- c:\windows\system32\dllcache\trid3d.dll
2010-09-27 18:52 . 2001-08-17 17:12 34375 -c--a-w- c:\windows\system32\dllcache\tpro4.sys
2010-09-27 18:52 . 2001-08-18 03:35 42496 -c--a-w- c:\windows\system32\dllcache\tp4res.dll
2010-09-27 18:52 . 2008-04-14 10:42 82944 -c--a-w- c:\windows\system32\dllcache\tp4mon.exe
2010-09-27 18:52 . 2001-08-18 03:36 31744 -c--a-w- c:\windows\system32\dllcache\tp4.dll
2010-09-27 18:52 . 2001-08-17 18:51 4992 -c--a-w- c:\windows\system32\dllcache\toside.sys
2010-09-27 18:52 . 2001-08-17 19:02 230912 -c--a-w- c:\windows\system32\dllcache\tosdvd03.sys
2010-09-27 18:52 . 2001-08-17 19:01 241664 -c--a-w- c:\windows\system32\dllcache\tosdvd02.sys
2010-09-27 18:52 . 2001-08-17 17:10 28232 -c--a-w- c:\windows\system32\dllcache\tos4mo.sys
2010-09-27 18:52 . 2001-08-17 17:14 123995 -c--a-w- c:\windows\system32\dllcache\tjisdn.sys
2010-09-27 18:52 . 2001-08-17 17:51 138528 -c--a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2010-09-27 18:52 . 2001-08-17 19:56 81408 -c--a-w- c:\windows\system32\dllcache\tgiul50.dll
2010-09-27 18:51 . 2008-04-14 05:10 149376 -c--a-w- c:\windows\system32\dllcache\tffsport.sys
2010-09-27 18:51 . 2001-08-17 17:13 17129 -c--a-w- c:\windows\system32\dllcache\tdkcd31.sys
2010-09-27 18:51 . 2001-08-17 17:13 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys
2010-09-27 18:51 . 2001-08-17 18:49 30464 -c--a-w- c:\windows\system32\dllcache\tbatm155.sys
2010-09-27 18:51 . 2001-08-17 18:52 7040 -c--a-w- c:\windows\system32\dllcache\tandqic.sys
2010-09-27 18:51 . 2001-08-17 17:50 36640 -c--a-w- c:\windows\system32\dllcache\t2r4mini.sys
2010-09-27 18:51 . 2001-08-17 19:56 172768 -c--a-w- c:\windows\system32\dllcache\t2r4disp.dll
2010-09-27 18:51 . 2001-08-17 19:07 32640 -c--a-w- c:\windows\system32\dllcache\symc8xx.sys
2010-09-27 18:51 . 2001-08-17 19:07 16256 -c--a-w- c:\windows\system32\dllcache\symc810.sys
2010-09-27 18:51 . 2001-08-17 19:07 30688 -c--a-w- c:\windows\system32\dllcache\sym_u3.sys
2010-09-27 18:50 . 2001-08-17 19:07 28384 -c--a-w- c:\windows\system32\dllcache\sym_hi.sys
2010-09-27 18:50 . 2001-08-18 03:36 94293 -c--a-w- c:\windows\system32\dllcache\sxports.dll
2010-09-27 18:50 . 2001-08-17 18:50 103936 -c--a-w- c:\windows\system32\dllcache\sx.sys
2010-09-27 18:50 . 2001-08-17 19:02 3968 -c--a-w- c:\windows\system32\dllcache\swusbflt.sys
2010-09-27 18:50 . 2001-08-18 03:36 10240 -c--a-w- c:\windows\system32\dllcache\swpidflt.dll
2010-09-27 18:50 . 2001-08-18 03:36 10240 -c--a-w- c:\windows\system32\dllcache\swpdflt2.dll
2010-09-27 18:50 . 2001-08-18 03:36 53760 -c--a-w- c:\windows\system32\dllcache\sw_wheel.dll
2010-09-27 18:50 . 2001-08-18 03:36 41472 -c--a-w- c:\windows\system32\dllcache\sw_effct.dll
2010-09-27 18:50 . 2001-08-18 03:36 155648 -c--a-w- c:\windows\system32\dllcache\stlnprop.dll
2010-09-27 18:50 . 2001-08-18 03:36 53248 -c--a-w- c:\windows\system32\dllcache\stlncoin.dll
2010-09-27 18:50 . 2001-08-17 17:18 285760 -c--a-w- c:\windows\system32\dllcache\stlnata.sys
2010-09-27 18:49 . 2001-08-17 18:51 16896 -c--a-w- c:\windows\system32\dllcache\stcusb.sys
2010-09-27 18:49 . 2001-08-17 17:11 48736 -c--a-w- c:\windows\system32\dllcache\srwlnd5.sys
2010-09-27 18:49 . 2001-08-18 03:36 99328 -c--a-w- c:\windows\system32\dllcache\srusd.dll
2010-09-27 18:49 . 2001-08-18 03:36 24660 -c--a-w- c:\windows\system32\dllcache\spxupchk.dll
2010-09-27 18:49 . 2001-08-17 18:51 61824 -c--a-w- c:\windows\system32\dllcache\speed.sys
2010-09-27 18:49 . 2001-08-18 03:36 106584 -c--a-w- c:\windows\system32\dllcache\spdports.dll
2010-09-27 18:49 . 2001-08-17 19:07 19072 -c--a-w- c:\windows\system32\dllcache\sparrow.sys
2010-09-27 18:49 . 2001-08-17 18:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2010-09-27 18:49 . 2001-08-17 17:51 37040 -c--a-w- c:\windows\system32\dllcache\sonypi.sys
2010-09-27 18:49 . 2001-08-18 03:36 114688 -c--a-w- c:\windows\system32\dllcache\sonypi.dll
2010-09-27 18:47 . 2001-08-18 03:36 45568 -c--a-w- c:\windows\system32\dllcache\smb3w.dll
2010-09-27 18:46 . 2001-08-18 03:36 238592 -c--a-w- c:\windows\system32\dllcache\sisgrv.dll
2010-09-27 18:46 . 2001-08-17 17:50 104064 -c--a-w- c:\windows\system32\dllcache\sisgrp.sys
2010-09-27 18:46 . 2008-04-14 05:06 40960 -c--a-w- c:\windows\system32\dllcache\sisagp.sys
2010-09-27 18:46 . 2001-08-17 19:56 150144 -c--a-w- c:\windows\system32\dllcache\sis6306v.dll
2010-09-27 18:46 . 2001-08-17 17:50 68608 -c--a-w- c:\windows\system32\dllcache\sis6306p.sys
2010-09-27 18:46 . 2001-08-17 19:56 252032 -c--a-w- c:\windows\system32\dllcache\sis300iv.dll
2010-09-27 18:46 . 2001-08-17 17:50 101760 -c--a-w- c:\windows\system32\dllcache\sis300ip.sys
2010-09-27 18:46 . 2008-04-14 10:42 3901 -c--a-w- c:\windows\system32\dllcache\siint5.dll
2010-09-27 18:46 . 2001-07-21 19:29 161568 -c--a-w- c:\windows\system32\dllcache\sgsmusb.sys
2010-09-27 18:46 . 2001-07-21 19:29 18400 -c--a-w- c:\windows\system32\dllcache\sgsmld.sys
2010-09-27 18:46 . 2001-08-17 17:51 98080 -c--a-w- c:\windows\system32\dllcache\sgiulnt5.sys
2010-09-27 18:46 . 2001-08-18 03:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2010-09-27 18:46 . 2001-08-17 17:19 36480 -c--a-w- c:\windows\system32\dllcache\sfmanm.sys
2010-09-27 18:45 . 2001-08-17 18:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2010-09-27 18:45 . 2001-08-17 18:48 17664 -c--a-w- c:\windows\system32\dllcache\sermouse.sys
2010-09-27 18:45 . 2001-08-17 18:53 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2010-09-27 18:45 . 2008-04-14 05:15 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys
2010-09-27 18:45 . 2001-08-17 18:52 11648 -c--a-w- c:\windows\system32\dllcache\scsiprnt.sys
2010-09-27 18:45 . 2001-08-17 18:51 17280 -c--a-w- c:\windows\system32\dllcache\scr111.sys
2010-09-27 18:45 . 2001-08-17 18:51 16640 -c--a-w- c:\windows\system32\dllcache\scmstcs.sys
2010-09-27 18:45 . 2001-08-17 18:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmusbm.sys
2010-09-27 18:45 . 2001-08-17 18:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmn50m.sys
2010-09-27 18:45 . 2008-04-14 05:10 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2010-09-27 18:45 . 2001-08-18 03:36 495616 -c--a-w- c:\windows\system32\dllcache\sblfx.dll
2010-09-27 18:43 . 2001-08-18 03:36 82432 -c--a-w- c:\windows\system32\dllcache\rwia450.dll
2010-09-27 18:42 . 2001-08-17 18:51 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2010-09-27 18:42 . 2001-08-17 18:28 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys
2010-09-27 18:42 . 2001-08-17 18:28 899146 -c--a-w- c:\windows\system32\dllcache\r2mdkxga.sys
2010-09-27 18:42 . 2001-08-18 03:36 41472 -c--a-w- c:\windows\system32\dllcache\qvusd.dll
2010-09-27 18:42 . 2001-08-17 18:53 3328 -c--a-w- c:\windows\system32\dllcache\qv2kux.sys
2010-09-27 18:42 . 2001-08-17 18:52 49024 -c--a-w- c:\windows\system32\dllcache\ql1280.sys
2010-09-27 18:42 . 2001-08-17 18:52 40448 -c--a-w- c:\windows\system32\dllcache\ql1240.sys
2010-09-27 18:42 . 2001-08-17 18:52 45312 -c--a-w- c:\windows\system32\dllcache\ql12160.sys
2010-09-27 18:42 . 2001-08-17 18:52 33152 -c--a-w- c:\windows\system32\dllcache\ql10wnt.sys
2010-09-27 18:42 . 2001-08-17 18:52 40320 -c--a-w- c:\windows\system32\dllcache\ql1080.sys
2010-09-27 18:42 . 2008-04-14 05:10 6016 -c--a-w- c:\windows\system32\dllcache\qic157.sys
2010-09-27 18:40 . 2001-08-17 19:07 19840 -c--a-w- c:\windows\system32\dllcache\philtune.sys
2010-09-27 18:39 . 2001-08-17 17:11 29769 -c--a-w- c:\windows\system32\dllcache\pcntn5m.sys
2010-09-27 18:39 . 2001-08-17 17:11 30282 -c--a-w- c:\windows\system32\dllcache\pcntn5hl.sys
2010-09-27 18:39 . 2001-08-17 17:12 26153 -c--a-w- c:\windows\system32\dllcache\pcmlm56.sys
2010-09-27 18:39 . 2008-04-14 03:05 29502 -c--a-w- c:\windows\system32\dllcache\pca200e.sys
2010-09-27 18:39 . 2001-08-17 17:12 30495 -c--a-w- c:\windows\system32\dllcache\pc100nds.sys
2010-09-27 18:39 . 2001-08-18 03:36 41984 -c--a-w- c:\windows\system32\dllcache\ovui2rc.dll
2010-09-27 18:39 . 2001-08-18 03:36 44544 -c--a-w- c:\windows\system32\dllcache\ovui2.dll
2010-09-27 18:39 . 2001-08-17 19:05 25216 -c--a-w- c:\windows\system32\dllcache\ovsound2.sys
2010-09-27 18:39 . 2001-08-18 03:36 39424 -c--a-w- c:\windows\system32\dllcache\ovcoms.exe
2010-09-27 18:39 . 2001-08-18 03:36 20480 -c--a-w- c:\windows\system32\dllcache\ovcomc.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-24 06:49 . 2009-09-04 14:58 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-09-24 06:45 . 2009-05-05 16:27 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-24 06:17 . 2009-10-29 21:17 -------- d-----w- c:\program files\Common Files\Real
2010-09-24 06:16 . 2009-05-05 16:40 -------- d-----r- c:\program files\Skype
2010-09-24 06:16 . 2009-05-05 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-09-24 06:13 . 2009-07-21 06:52 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-09-24 06:11 . 2010-07-12 00:02 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2010-09-24 05:58 . 2009-09-03 16:12 -------- d-----w- c:\program files\Java
2010-09-24 05:50 . 2009-09-04 14:46 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-09-24 00:36 . 2010-06-02 23:09 -------- d-----w- c:\program files\Google
2010-09-21 19:34 . 2009-10-30 07:27 -------- d-----w- c:\program files\Coupons
2010-09-14 23:51 . 2009-05-05 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-14 03:19 . 2009-11-26 02:22 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-09-08 07:07 . 2009-10-14 04:26 -------- d-----w- c:\program files\Safari
2010-09-08 07:03 . 2010-08-27 06:21 -------- d-----w- c:\program files\Common Files\Apple
2010-08-29 02:17 . 2010-08-17 05:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-28 22:57 . 2009-05-05 16:28 -------- d-----w- c:\program files\Microsoft Works
2010-08-28 19:27 . 2010-08-28 19:27 3328 ----a-w- c:\windows\system32\drivers\PCIIDE.SYS
2010-08-28 06:29 . 2009-04-28 05:09 99256 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-28 00:45 . 2010-08-28 00:45 -------- d-----w- c:\program files\Microsoft.NET
2010-08-28 00:40 . 2010-08-28 00:40 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-08-27 23:59 . 2009-09-05 18:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-08-27 06:27 . 2010-08-27 06:26 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-27 06:23 . 2010-08-27 06:23 -------- d-----w- c:\program files\Apple Software Update
2010-08-27 06:22 . 2010-08-27 06:22 -------- d-----w- c:\program files\Bonjour
2010-08-26 01:35 . 2009-11-26 06:07 1498 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2010-08-24 19:57 . 2010-08-24 19:57 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-08-23 00:58 . 2010-08-23 00:58 -------- d-----w- c:\program files\Migo Software
2010-08-20 20:11 . 2010-02-09 21:26 423368 ----a-w- c:\documents and settings\Owner\Application Data\E-centives\BSTIEPrintCtl1.dll
2010-08-18 03:13 . 2010-02-17 01:58 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2010-08-17 18:31 . 2010-03-04 18:40 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Lypaa
2010-08-17 13:17 . 2009-04-28 04:51 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-17 06:59 . 2010-03-18 21:21 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Seobxy
2010-08-17 06:39 . 2010-08-17 06:39 12 ----a-w- c:\windows\system32\config\systemprofile\Application Data\pnmfzy.dat
2010-08-15 19:46 . 2010-08-15 19:46 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\HPAppData
2010-08-15 19:20 . 2010-08-15 19:20 -------- d-----w- c:\documents and settings\NetworkService\Application Data\HPAppData
2010-08-12 02:52 . 2009-11-26 02:10 -------- d-----w- c:\program files\OpenOffice.org 3
2010-07-22 15:49 . 2009-04-28 04:51 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-05-05 16:19 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-12 00:02 . 2010-07-12 00:02 32 ----a-w- c:\documents and settings\All Users\Application Data\ezsid.dat
2010-07-08 20:54 . 2010-04-07 20:12 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-02 02:38 . 2010-04-06 21:43 439816 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\setup.exe
2010-07-01 17:07 . 2010-07-01 17:07 434176 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
2010-06-30 12:31 . 2009-04-28 04:51 149504 ----a-w- c:\windows\system32\schannel.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-16 630784]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-04-16 118784]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"EEESplendidAR"="c:\program files\ASUS\EPC\EeeSplendid\AutoRun.exe" [2009-02-12 24576]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-03-06 79144]
"RTHDCPL"="RTHDCPL.EXE" [2009-04-27 17881088]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-10 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-09-24 202256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-5-5 376832]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ghduewvr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\njfeoqxo

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [7/1/2010 12:07 PM 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [7/1/2010 12:07 PM 166632]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/17/2010 12:01 PM 203280]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [7/1/2010 12:07 PM 840936]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [4/27/2009 8:59 PM 38912]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [3/16/2009 4:27 PM 39040]
S1 MpKsl19211806;MpKsl19211806;\??\c:\windows\system32\MpEngineStore\MpKsl19211806.sys --> c:\windows\system32\MpEngineStore\MpKsl19211806.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/2/2010 6:09 PM 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/5/2009 11:00 AM 1684736]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [9/22/2010 10:58 AM 38224]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [5/5/2009 12:16 PM 232872]
.
Contents of the 'Scheduled Tasks' folder

2010-09-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

2010-09-17 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-09-17 17:22]

2010-09-17 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-09-17 17:22]

2010-08-23 c:\windows\Tasks\Registry Repair 5.job
- c:\program files\Migo Software\RegistryRepair5\Registry Repair.exe [2007-11-20 16:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://eeepc.asus.com/global
uInternet Settings,ProxyOverride = ;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:6522
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
IE: Send to &Bluetooth Device...
IE: Send To Bluetooth
Trusted Zone: internet
Trusted Zone: mcafee.com
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kjbcjr13.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\progra~1\MICROS~3\Office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-27 18:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x863C8C76]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7590f28
\Driver\ACPI -> ACPI.sys @ 0xf7423cb8
\Driver\atapi -> atapi.sys @ 0xf73db852
\Driver\iaStor -> iaStor.sys @ 0xf7338e74
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Atheros AR8132 PCI-E Fast Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xf720dbb0
PacketIndicateHandler -> NDIS.sys @ 0xf71fca0d
SendHandler -> NDIS.sys @ 0xf7210b40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(6784)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2010-09-27 18:09:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-27 23:09

Pre-Run: 134,020,898,816 bytes free
Post-Run: 133,886,648,320 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut

- - End Of File - - 8D099C6268A9942598B3F0338823EF2D