ComboFix 10-12-13.02 - Tammy 12/14/2010 16:48:54.3.2 - x86
Running from: c:\documents and settings\Tammy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tammy\CFScript.txt
AV: Trend Micro Titanium Maximum Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
 * Created a new restore point

FILE ::
"c:\windows\system32\drivers\ucqmqa.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ucqmqa.sys

Infected copy of c:\windows\system32\drivers\ndproxy.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2010-11-14 to 2010-12-14 )))))))))))))))))))))))))))))))
.

2010-12-07 05:09 . 2010-10-23 17:55 553984 ----a-r- C:\OTLPE.exe
2010-12-07 05:04 . 2010-12-07 05:04 -------- d-----w- C:\_OTL
2010-12-05 03:22 . 2010-12-05 03:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-30 16:18 . 2010-11-09 18:56 27984 ----a-w- c:\windows\system32\sbbd.exe
2010-11-30 16:18 . 2010-11-09 18:56 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-30 16:18 . 2010-11-30 16:18 -------- d-----w- C:\VIPRERESCUE
2010-11-30 16:01 . 2010-11-30 16:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2010-11-29 19:01 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 19:01 . 2010-12-11 04:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-29 19:01 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-29 15:24 . 2010-11-29 15:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2010-11-29 15:01 . 2010-12-07 04:08 -------- d-----w- c:\program files\Trend Micro
2010-11-19 22:46 . 2010-11-19 22:46 364032 ----a-w- c:\program files\rkill.com
2010-11-19 22:42 . 2010-11-19 22:42 294400 ----a-w- c:\program files\exeHelper.com
2010-11-19 22:39 . 2010-11-19 22:39 294400 ----a-w- c:\program files\exeHelper.scr
2010-11-19 22:14 . 2010-11-19 22:14 -------- d-----w- c:\documents and settings\Tammy\Application Data\Malwarebytes
2010-11-19 22:14 . 2010-11-19 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-19 22:14 . 2010-11-19 22:48 6153352 ----a-w- c:\program files\mbam-setup-1.46.exe
2010-11-19 22:09 . 2010-11-19 22:10 575488 ----a-w- c:\program files\OTL.com
2010-11-19 22:09 . 2010-11-19 22:09 575488 ----a-w- c:\program files\OTL.scr
2010-11-19 22:07 . 2010-11-19 22:07 575488 ----a-w- c:\program files\OTL.exe
2010-11-19 15:10 . 2010-11-29 14:09 92112 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-11-19 15:10 . 2010-11-29 14:09 64080 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-11-19 15:10 . 2010-11-29 14:09 80464 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-11-19 15:10 . 2010-11-29 14:09 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-11-19 00:09 . 2010-11-19 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2010-11-18 23:33 . 2010-11-18 23:33 -------- dc----w- c:\documents and settings\All Users\Application Data\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-11-18 20:37 . 2010-11-18 20:39 -------- dc-h--w- c:\windows\ie8
2010-11-18 18:45 . 2010-11-18 18:45 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-11-18 16:39 . 2010-11-18 16:39 -------- d-----w- c:\documents and settings\Tammy\Application Data\AVG10
2010-11-18 16:27 . 2010-11-18 16:27 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-11-18 16:25 . 2010-12-07 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-11 16:13 . 2009-05-07 03:00 398744 ----a-r- c:\windows\system32\cpnprt2.cid
2010-09-29 14:20 . 2009-09-07 15:03 249856 ------w- c:\windows\Setup1.exe
2010-09-29 14:20 . 2009-09-07 15:03 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-09-18 16:23 . 2004-08-10 16:51 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-10 16:51 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-10 16:51 954368 ------w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-10 16:51 953856 ------w- c:\windows\system32\mfc40u.dll
2010-03-23 14:50 . 2010-03-23 14:47 2114184 ----a-w- c:\program files\Install_Facebook_Plug-In_1.0.3[1]
2007-08-03 17:14 . 2007-08-03 17:14 50005304 ------w- c:\program files\iTunesSetup.exe
2007-07-24 00:37 . 2007-07-24 00:37 6466517 ------w- c:\program files\cwcom_inst.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"nwiz"="nwiz.exe" [2006-08-23 1617920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"Cobian Backup 8"="c:\program files\Cobian Backup 8\Cobian.exe" [2007-09-27 501248]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2010-11-29 112632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-05-30 5419008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Printkey2000.lnk - c:\program files\Printkey2000\printkey2000.exe [2009-1-8 869376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-02-18 21:40 10536 ------w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Activision\\C.o.d-4\\iw3mp.exe"=
"c:\\Documents and Settings\\Tammy\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5910:TCP"= 5910:TCP:vnc5910

R2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
R2 gupdate1c9e647cb4d758c;Google Update Service (gupdate1c9e647cb4d758c);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-06 133104]
R3 uvnc_service;uvnc_service;c:\documents and settings\Tammy\Local Settings\Application Data\CrossLoop\winvnc.exe [2009-12-07 1590216]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2010-11-09 98392]
S2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [2010-07-07 176408]
S2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe [2007-11-06 810632]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2010-11-29 64080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-12-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-12-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-12 23:13]

2010-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-06 01:40]

2010-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-06 01:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Tammy\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
LSP: mswsock.dll
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-14 17:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(2380)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\stsystra.exe
c:\program files\Cobian Backup 8\cbInterface.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2010-12-14 17:17:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-14 22:17
ComboFix2.txt 2010-12-13 23:48
ComboFix3.txt 2010-12-10 20:01

Pre-Run: 168,464,474,112 bytes free
Post-Run: 168,454,066,176 bytes free

- - End Of File - - 87700B805233A6CAC77709F552DA6748