ComboFix 10-11-20.01 - user 20/11/2010 17:31:49.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1420 [GMT 0:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\user\Application Data\Adobe\AdobeUpdate .exe
c:\documents and settings\user\Application Data\Adobe\plugs
c:\documents and settings\user\Application Data\Adobe\plugs\KB15611687.exe
c:\documents and settings\user\Application Data\Adobe\plugs\KB15637390.exe
c:\documents and settings\user\Local Settings\Application Data\{F564A0F8-099A-42D7-9BCE-957C171D49CD}
c:\documents and settings\user\Local Settings\Application Data\{F564A0F8-099A-42D7-9BCE-957C171D49CD}\chrome.manifest
c:\documents and settings\user\Local Settings\Application Data\{F564A0F8-099A-42D7-9BCE-957C171D49CD}\chrome\content\_cfg.js
c:\documents and settings\user\Local Settings\Application Data\{F564A0F8-099A-42D7-9BCE-957C171D49CD}\chrome\content\overlay.xul
c:\documents and settings\user\Local Settings\Application Data\{F564A0F8-099A-42D7-9BCE-957C171D49CD}\install.rdf
c:\documents and settings\user\Local Settings\Temporary Internet Files\cookies.sqlite
c:\windows\oxuwoyul.dll
c:\windows\system32\0.35637815349388635.exe
c:\windows\system32\AutoRun.inf

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2010-10-20 to 2010-11-20 )))))))))))))))))))))))))))))))
.
2010-11-20 17:28 . 2010-11-20 17:28 -------- d-----w- c:\program files\iPod
2010-11-20 17:28 . 2010-11-20 17:29 -------- d-----w- c:\program files\iTunes
2010-11-20 16:50 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{94352BD4-4F8F-46A3-A2F9-CC153F252786}\mpengine.dll
2010-11-13 14:57 . 2010-11-13 14:57 54016 ----a-w- c:\windows\system32\drivers\oxxsqqp.vir
2010-11-13 14:19 . 2010-11-13 14:19 -------- d-----w- c:\documents and settings\user\Application Data\WhiteSmokeTranslator
2010-11-13 14:18 . 2010-11-13 14:19 -------- d-----w- c:\documents and settings\user\Application Data\WhiteSmokeSetup
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 20:51 . 2009-12-17 12:07 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-07 23:21 . 2010-08-09 17:55 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-09-26 15:50 . 2010-09-26 15:50 89680 ----a-w- c:\documents and settings\MSSSerif120.fon
2010-09-18 11:23 . 2004-08-10 11:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-10 11:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-10 11:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-10 11:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-11 13:31 . 2010-08-22 13:29 1198163 ----a-w- c:\windows\system32\unins000.exe
2010-09-10 05:58 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-10 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-10 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 10:17 . 2010-09-08 10:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17 . 2010-09-08 10:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-08 09:46 . 2010-09-11 13:31 903723 ----a-w- c:\windows\system32\ff_x264.dll
2010-09-08 09:46 . 2010-09-11 13:31 142291 ----a-w- c:\windows\system32\libmplayer.dll
2010-09-08 09:46 . 2010-09-11 13:31 4497993 ----a-w- c:\windows\system32\libavcodec.dll
2010-09-08 09:46 . 2010-08-22 13:29 324096 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2010-09-08 09:46 . 2010-08-22 13:29 248320 ----a-w- c:\windows\system32\ff_kernelDeint.dll
2010-09-08 09:46 . 2010-08-22 13:29 145408 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2010-09-08 09:46 . 2010-08-22 13:29 97792 ----a-w- c:\windows\system32\ff_unrar.dll
2010-09-08 09:46 . 2010-08-22 13:29 336384 ----a-w- c:\windows\system32\ff_libfaad2.dll
2010-09-08 09:46 . 2010-08-22 13:29 216576 ----a-w- c:\windows\system32\ff_libdts.dll
2010-09-08 09:46 . 2010-08-22 13:29 1529856 ----a-w- c:\windows\system32\ff_samplerate.dll
2010-09-08 09:46 . 2010-08-22 13:29 151552 ----a-w- c:\windows\system32\ff_libmad.dll
2010-09-08 09:46 . 2010-08-22 13:29 121856 ----a-w- c:\windows\system32\ff_liba52.dll
2010-09-08 09:46 . 2010-08-22 13:29 1212665 ----a-w- c:\windows\system32\ffmpegmt.dll
2010-09-08 09:46 . 2010-08-22 13:29 116736 ----a-w- c:\windows\system32\ff_tremor.dll
2010-09-08 09:46 . 2010-06-26 15:41 880220 ----a-w- c:\windows\system32\xvidcore.dll
2010-09-08 09:46 . 2008-12-19 16:26 3849216 ----a-w- c:\windows\system32\ffdshow.ax
2010-09-08 08:45 . 2010-09-11 13:31 100864 ----a-w- c:\windows\system32\ff_wmv9.dll
2010-09-08 08:09 . 2010-09-11 13:31 108032 ----a-w- c:\windows\system32\ff_vfw.dll
2010-09-01 11:51 . 2004-08-10 11:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-10 11:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-10 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-10 11:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-10 11:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-12-17 11:06 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-10 11:00 617472 ----a-w- c:\windows\system32\comctl32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-07-06 2634048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-17 13529088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-19 202256]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-28 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"Yfixatofoke"="c:\windows\oxuwoyul.dll" [BU]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-17 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\CineTray.exe [2005-10-15 114688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 10:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-17 20:59 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 10:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-02-19 16:42 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [14/02/2006 19:07 2825088]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [05/10/2005 10:44 468768]
S0 jtflnqg;jtflnqg;c:\windows\system32\drivers\oxxsqqp.sys --> c:\windows\system32\drivers\oxxsqqp.sys [?]
S1 ahxljnbn;ahxljnbn;\??\c:\windows\system32\drivers\ahxljnbn.sys --> c:\windows\system32\drivers\ahxljnbn.sys [?]
S1 cstgbops;cstgbops;\??\c:\windows\system32\drivers\cstgbops.sys --> c:\windows\system32\drivers\cstgbops.sys [?]
S1 epqnanfy;epqnanfy;\??\c:\windows\system32\drivers\epqnanfy.sys --> c:\windows\system32\drivers\epqnanfy.sys [?]
S1 ewfdbvpr;ewfdbvpr;\??\c:\windows\system32\drivers\ewfdbvpr.sys --> c:\windows\system32\drivers\ewfdbvpr.sys [?]
S1 fazsnxbs;fazsnxbs;\??\c:\windows\system32\drivers\fazsnxbs.sys --> c:\windows\system32\drivers\fazsnxbs.sys [?]
S1 hlkbiybv;hlkbiybv;\??\c:\windows\system32\drivers\hlkbiybv.sys --> c:\windows\system32\drivers\hlkbiybv.sys [?]
S1 izguimaq;izguimaq;\??\c:\windows\system32\drivers\izguimaq.sys --> c:\windows\system32\drivers\izguimaq.sys [?]
S1 jraxstkx;jraxstkx;\??\c:\windows\system32\drivers\jraxstkx.sys --> c:\windows\system32\drivers\jraxstkx.sys [?]
S1 lgcqxfww;lgcqxfww;\??\c:\windows\system32\drivers\lgcqxfww.sys --> c:\windows\system32\drivers\lgcqxfww.sys [?]
S1 mohlczml;mohlczml;\??\c:\windows\system32\drivers\mohlczml.sys --> c:\windows\system32\drivers\mohlczml.sys [?]
S1 qkyotxfh;qkyotxfh;\??\c:\windows\system32\drivers\qkyotxfh.sys --> c:\windows\system32\drivers\qkyotxfh.sys [?]
S1 sufumffj;sufumffj;\??\c:\windows\system32\drivers\sufumffj.sys --> c:\windows\system32\drivers\sufumffj.sys [?]
S2 gupdate1caa51164154ca8;Google Update Service (gupdate1caa51164154ca8);c:\program files\Google\Update\GoogleUpdate.exe [03/02/2010 20:42 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmvmdm.sys [19/09/2010 18:48 88960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-11-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 20:42]

2010-11-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 20:42]

2010-11-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-25 20:40]

2010-11-11 c:\windows\Tasks\Norton Security Scan for user.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-07-25 09:06]

2010-11-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1935655697-412668190-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-09 18:38]

2010-11-20 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1935655697-412668190-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-09 18:38]

2010-11-20 c:\windows\Tasks\User_Feed_Synchronization-{A566F178-6430-40D1-B51C-C1B268196F1A}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = ;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-20 17:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4008)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-11-20 17:41:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-20 17:41
ComboFix2.txt 2010-08-15 15:23

Pre-Run: 72,389,365,760 bytes free
Post-Run: 72,679,161,856 bytes free

- - End Of File - - EE869BEAEB128EC1AE0638754EEBF1D4