ComboFix 10-12-13.02 - Tammy 12/13/2010 18:36:06.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.197 [GMT -5:00]
Running from: c:\documents and settings\Tammy\Desktop\ComboFix.exe
AV: Trend Micro Titanium Maximum Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll
Infected copy of c:\windows\system32\DRIVERS\usbehci.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2010-11-13 to 2010-12-13 )))))))))))))))))))))))))))))))
.
2010-12-11 18:10 . 2010-12-11 18:10 54016 ----a-w- c:\windows\system32\drivers\ucqmqa.sys
2010-12-07 05:09 . 2010-10-23 17:55 553984 ----a-r- C:\OTLPE.exe
2010-12-07 05:04 . 2010-12-07 05:04 -------- d-----w- C:\_OTL
2010-12-05 03:22 . 2010-12-05 03:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-30 16:18 . 2010-11-09 18:56 27984 ----a-w- c:\windows\system32\sbbd.exe
2010-11-30 16:18 . 2010-11-09 18:56 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-30 16:18 . 2010-11-30 16:18 -------- d-----w- C:\VIPRERESCUE
2010-11-30 16:01 . 2010-11-30 16:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2010-11-29 19:01 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 19:01 . 2010-12-11 04:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-29 19:01 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-29 15:24 . 2010-11-29 15:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2010-11-29 15:01 . 2010-12-07 04:08 -------- d-----w- c:\program files\Trend Micro
2010-11-19 22:46 . 2010-11-19 22:46 364032 ----a-w- c:\program files\rkill.com
2010-11-19 22:42 . 2010-11-19 22:42 294400 ----a-w- c:\program files\exeHelper.com
2010-11-19 22:39 . 2010-11-19 22:39 294400 ----a-w- c:\program files\exeHelper.scr
2010-11-19 22:14 . 2010-11-19 22:14 -------- d-----w- c:\documents and settings\Tammy\Application Data\Malwarebytes
2010-11-19 22:14 . 2010-11-19 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-19 22:14 . 2010-11-19 22:48 6153352 ----a-w- c:\program files\mbam-setup-1.46.exe
2010-11-19 22:09 . 2010-11-19 22:10 575488 ----a-w- c:\program files\OTL.com
2010-11-19 22:09 . 2010-11-19 22:09 575488 ----a-w- c:\program files\OTL.scr
2010-11-19 22:07 . 2010-11-19 22:07 575488 ----a-w- c:\program files\OTL.exe
2010-11-19 15:10 . 2010-11-29 14:09 92112 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-11-19 15:10 . 2010-11-29 14:09 64080 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-11-19 15:10 . 2010-11-29 14:09 80464 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-11-19 15:10 . 2010-11-29 14:09 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-11-19 00:09 . 2010-11-19 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2010-11-18 23:33 . 2010-11-18 23:33 -------- dc----w- c:\documents and settings\All Users\Application Data\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-11-18 20:37 . 2010-11-18 20:39 -------- dc-h--w- c:\windows\ie8
2010-11-18 18:45 . 2010-11-18 18:45 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-11-18 16:39 . 2010-11-18 16:39 -------- d-----w- c:\documents and settings\Tammy\Application Data\AVG10
2010-11-18 16:27 . 2010-11-18 16:27 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-11-18 16:25 . 2010-12-07 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-11 16:13 . 2009-05-07 03:00 398744 ----a-r- c:\windows\system32\cpnprt2.cid
2010-09-29 14:20 . 2009-09-07 15:03 249856 ------w- c:\windows\Setup1.exe
2010-09-29 14:20 . 2009-09-07 15:03 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-09-18 16:23 . 2004-08-10 16:51 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-10 16:51 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-10 16:51 954368 ------w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-10 16:51 953856 ------w- c:\windows\system32\mfc40u.dll
2010-03-23 14:50 . 2010-03-23 14:47 2114184 ----a-w- c:\program files\Install_Facebook_Plug-In_1.0.3[1]
2007-08-03 17:14 . 2007-08-03 17:14 50005304 ------w- c:\program files\iTunesSetup.exe
2007-07-24 00:37 . 2007-07-24 00:37 6466517 ------w- c:\program files\cwcom_inst.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"nwiz"="nwiz.exe" [2006-08-23 1617920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"Cobian Backup 8"="c:\program files\Cobian Backup 8\Cobian.exe" [2007-09-27 501248]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2010-11-29 112632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-05-30 5419008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Printkey2000.lnk - c:\program files\Printkey2000\printkey2000.exe [2009-1-8 869376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-02-18 21:40 10536 ------w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Activision\\C.o.d-4\\iw3mp.exe"=
"c:\\Documents and Settings\\Tammy\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5910:TCP"= 5910:TCP:vnc5910

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [11/30/2010 11:18 AM 98392]
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [7/7/2010 3:50 PM 176408]
R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe [11/6/2007 5:04 PM 810632]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [11/19/2010 10:10 AM 64080]
S2 Amsp;Trend Micro Solution Platform;"c:\program files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 --> c:\program files\Trend Micro\AMSP\coreServiceShell.exe [?]
S2 gupdate1c9e647cb4d758c;Google Update Service (gupdate1c9e647cb4d758c);c:\program files\Google\Update\GoogleUpdate.exe [6/5/2009 8:40 PM 133104]
S3 uvnc_service;uvnc_service;c:\documents and settings\Tammy\Local Settings\Application Data\CrossLoop\winvnc.exe [3/5/2010 5:54 PM 1590216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-11-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-12-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-12 23:13]

2010-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-06 01:40]

2010-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-06 01:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Tammy\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
LSP: mswsock.dll
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-13 18:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3250820AS rev.3.ADG -> Harddisk0\DR0 -> \Device\00000063

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0xB91DE119]<<
c:\docume~1\Tammy\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; PUSH EBX; PUSH ESI; PUSH EDI; CMP EAX, [0xb91e1858]; JNZ 0x1f; MOV EBX, [EBP+0xc]; CALL 0xfffffffffffffd3b; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x861A0AB8]
3 CLASSPNP[0xF74A7FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x85850988]
\Driver\Disk[0x85819600] -> IRP_MJ_CREATE -> 0xB91DE119
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll
.
Completion time: 2010-12-13 18:48:10
ComboFix-quarantined-files.txt 2010-12-13 23:47
ComboFix2.txt 2010-12-10 20:01
.
Pre-Run: 168,459,530,240 bytes free
Post-Run: 168,486,805,504 bytes free
.
- - End Of File - - C5DCA46FF46154E86910442769218941
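Added triage helper, not part of ComboFix or of the log above: it parses the three blocks of this log format that an analyst reads first (the "Files Created" list, the REGEDIT4-style "Reg Loading Points" values, and the GloballyOpenPorts list) and flags the items the log shows, namely a newly created kernel driver not belonging to any of the cleanup tools run on the machine, the Security Center override and DisableMonitoring values set to 1, and the firewall exception for 5910/TCP. SAMPLE_LOG is an excerpt of the log above trimmed to a few lines; the names parse_log, review, KNOWN_DRIVERS and the review rules themselves are this example's own assumptions, not ComboFix behaviour.

```python
"""Triage helper for a ComboFix log (added example, not ComboFix code).

Extracts three things from the log text: entries of the "Files Created"
block, dword values under their REGEDIT4-style key headers, and entries of
the GloballyOpenPorts list, then applies a few review rules to them.
"""
import ntpath
import re

# Constructed sample: an excerpt of the log on this page, trimmed to a few lines.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-11-13 to 2010-12-13 )))))))))))))))))))))))))))))))
.
2010-12-11 18:10 . 2010-12-11 18:10 54016 ----a-w- c:\windows\system32\drivers\ucqmqa.sys
2010-11-30 16:18 . 2010-11-09 18:56 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-29 19:01 . 2010-12-11 04:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5910:TCP"= 5910:TCP:vnc5910
"""

# "created . modified size attrs path"; directories carry "--------" as size.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-fA-F]{8})$')
PORT_RE = re.compile(r'^"(?P<port>\d+:(?:TCP|UDP))"=\s*(?P<desc>.*)$')

# Assumption: drivers installed by the scanners this log shows being run
# (VIPRE Rescue, Malwarebytes, Trend Micro). Anything else is listed for review.
KNOWN_DRIVERS = {
    "sbredrv.sys", "mbam.sys", "mbamswissarmy.sys",
    "tmtdi.sys", "tmevtmgr.sys", "tmactmon.sys", "tmcomm.sys",
}
DRIVER_DIR = r"c:\windows\system32\drivers" + "\\"
# Values under "security center" that, when set to 1, silence the XP Security Center.
SECURITY_CENTER_FLAGS = {
    "antivirusoverride", "firewalloverride", "antispywareoverride", "disablemonitoring",
}


def parse_log(text):
    """Return {'files': [...], 'values': [(key, name, int)], 'ports': [(port, desc)]}."""
    files, values, ports = [], [], []
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        if m := FILE_RE.match(line):
            size = int(m["size"]) if m["size"].isdigit() else None  # None for directories
            files.append({"created": m["created"], "modified": m["modified"],
                          "size": size, "attrs": m["attrs"], "path": m["path"]})
        elif m := KEY_RE.match(line):
            current_key = m["key"]
        elif m := DWORD_RE.match(line):
            values.append((current_key, m["name"], int(m["value"], 16)))
        elif (m := PORT_RE.match(line)) and current_key and "GloballyOpenPorts" in current_key:
            ports.append((m["port"], m["desc"]))
    return {"files": files, "values": values, "ports": ports}


def review(parsed):
    """Apply the review rules; each finding is (category, item, note)."""
    findings = []
    for f in parsed["files"]:
        p = f["path"].lower()
        if p.startswith(DRIVER_DIR) and p.endswith(".sys") and ntpath.basename(p) not in KNOWN_DRIVERS:
            findings.append(("driver", f["path"],
                             "new kernel driver not attributable to a known tool; check publisher and signature"))
    for key, name, value in parsed["values"]:
        if "security center" in key.lower() and name.lower() in SECURITY_CENTER_FLAGS and value == 1:
            findings.append(("security-center", f"{key}\\{name}", "Security Center alerting suppressed"))
    for port, desc in parsed["ports"]:
        findings.append(("open-port", port, f"firewall exception open to all sources: {desc}"))
    return findings


if __name__ == "__main__":
    for category, item, note in review(parse_log(SAMPLE_LOG)):
        print(f"[{category}] {item}: {note}")
```

Run against the full log rather than the excerpt, the same rules also surface nothing for the Trend Micro and Malwarebytes drivers (they are in KNOWN_DRIVERS) while still listing ucqmqa.sys; the findings are prompts for a human check, not verdicts.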