ComboFix 11-06-21.03 - Pablo 06/23/2011 17:23:19.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.287 [GMT -7:00]
Running from: M:\ComboFix.exe
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
AV: Symantec AntiVirus Corporate Edition *Disabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\SalesMon
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\documents and settings\All Users\Application Data\WinAnonymous
c:\documents and settings\All Users\Application Data\WinAnonymous\Abbr
c:\documents and settings\All Users\Application Data\WinAnonymous\prod_code
.
.
((((((((((((((((((((((((( Files Created from 2011-05-24 to 2011-06-24 )))))))))))))))))))))))))))))))
.
.
2011-06-24 02:02 . 2011-06-24 02:02 -------- d-----w- c:\windows\LastGood.Tmp
2011-06-22 19:07 . 2010-09-20 13:39 123904 ----a-w- C:\MbrFix.exe
2011-06-22 19:06 . 2004-08-10 10:00 388608 ----a-w- c:\windows\system32\cmd.exe
2011-06-22 19:06 . 2004-08-10 10:00 50620 ----a-w- c:\windows\system32\command.com
2011-06-17 15:05 . 2011-06-17 15:05 -------- d-----w- C:\_OTL
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-29 09:19 . 2011-03-29 09:20 546304 ----a-w- c:\documents and settings\All Users\Application Data\MNpEpQomdMQ.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2010-12-17 01:18 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2010-12-17 01:18 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2010-11-21 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"CTHelper"="CTHELPER.EXE" [2006-12-12 19456]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-12-12 20480]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-07-11 169984]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-25 53408]
"vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2006-06-15 124656]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"nwiz"="nwiz.exe" [2009-06-10 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-08 165208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-14 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2010-12-17 423232]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"MNpEpQomdMQ"="c:\documents and settings\All Users\Application Data\MNpEpQomdMQ.exe" [2011-03-29 546304]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]
.
c:\documents and settings\Pablo\Start Menu\Programs\Startup\
RollerCoaster Tycoon 3 Registration.lnk - c:\documents and settings\Pablo\Local Settings\Temp\{4E43C220-5B4E-429A-96EE-68C47EE8943C}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe [N/A]
RollerCoaster Tycoon 3_ Wild Registration.lnk - c:\documents and settings\Pablo\Local Settings\Temp\{016ADCD5-0199-470A-B2B6-3FDCE6983F8D}\{45653847-497F-47BB-A878-46FBDE34A3E0}\ATR1.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-7-11 24576]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-11-30 608584]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 15:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 15:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [12/16/2010 6:12 PM 130376]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [12/16/2010 6:12 PM 141768]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [12/16/2010 6:12 PM 97352]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [12/16/2010 6:12 PM 111944]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [12/16/2010 6:12 PM 113096]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [6/4/2010 8:03 PM 102448]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [5/14/2010 2:58 PM 20704]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - GTNDIS5
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:42]
.
2011-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-22 04:44]
.
2011-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-22 04:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.la-falcons.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555;https=;ftp=;gopher=;socks=
uInternet Settings,ProxyOverride = ;*.local
TCP: DhcpNameServer = 71.9.127.107 68.190.192.35 68.116.46.115
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - c:\program files\Drop Down Deals\YontooIEClient.dll
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Notify-dimsntfy - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-23 17:49
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-286841846-2337188256-4264779381-1005\Software\YourCompanyName\YourProductName\Version*]
"VersionData"=hex:90,02,8e,fc,32,e7,ca,0f,88,2b,2f,d8,5d,74,a1,bc,db,eb,ef,b8,
68,5b,6b,33,12,ea,d5,f9,5d,e5,48,dc,b3,4e,68,6f,ef,1a,1f,98,4b,af,ef,2c,32,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(5864)
c:\windows\system32\logishrd\LVPrcInj01.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll
c:\windows\system32\ctagent.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
c:\windows\system32\CTHELPER.EXE
c:\windows\system32\CTXFIHLP.EXE
c:\windows\SYSTEM32\CTXFISPI.EXE
c:\progra~1\SYMANT~1\vptray.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\program files\Symantec\LiveUpdate\LuComServer_3_4.EXE
c:\windows\SoftwareDistribution\Download\8cda3ff0e8af24b1269df9faab8394f9\update\update.exe
.
**************************************************************************
.
Completion time: 2011-06-23 18:17:40 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-24 01:17
.
Pre-Run: 91,462,770,688 bytes free
Post-Run: 97,709,309,952 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
.
- - End Of File - - BD5A5916BB6BC28AA188965C2D52CF46
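The following triage script is an added example, not part of the post above and not ComboFix's own code. It walks the "Reg Loading Points" and "Supplementary Scan" parts of a ComboFix log and flags the indicators a removal helper reads first: autoruns that live in user-writable data or temp directories, randomly named binaries, Security Center override/monitoring tampering, a disabled Windows Firewall profile, and an IE proxy pointed at the loopback interface. The sample log embedded in the block is an excerpt of the lines from this post; the rule names, the directory list and the name-randomness threshold are my own assumptions and give triage hints, not verdicts.

```python
"""Triage pass over a ComboFix log. Added example; rule ids and thresholds are
assumptions, not anything ComboFix itself emits."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule id (assumed naming)
    where: str   # registry key, startup folder or setting the hit came from
    detail: str  # the value that triggered the rule


# User-writable data/temp locations (Windows XP layout) that a persistent
# autorun normally has no business living in. Substring match, lower-cased.
SUSPICIOUS_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")

KEY_RE = re.compile(r"^\[(.+)\]$")                           # [HKEY_...] header
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')            # "name"="path" [date size]
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"= *(\d+)')        # "EnableFirewall"= 0 (0x0)
LNK_RE = re.compile(r"^(.+\.lnk) - (.+?)(?: \[[^\]]*\])?$")  # shortcut - target [stamp]
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (.+)$")
SC_TAMPER_VALUES = {"AntiVirusOverride", "FirewallOverride", "DisableMonitoring"}


def looks_random(stem: str) -> bool:
    """Heuristic for generated names such as MNpEpQomdMQ: a long alphanumeric
    stem whose letters flip case very often. Tuned so the vendor binaries in
    this log pass; expect false positives on other logs."""
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 10 or not stem.isalnum():
        return False
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips / len(letters) >= 0.45


def check_autorun(where: str, name: str, target: str) -> list[Finding]:
    out = []
    if any(d in target.lower() for d in SUSPICIOUS_DIRS):
        out.append(Finding("autorun-in-data-dir", where, f"{name} -> {target}"))
    if looks_random(PureWindowsPath(target).stem):
        out.append(Finding("random-looking-name", where, f"{name} -> {target}"))
    return out


def check_proxy(setting: str) -> list[Finding]:
    """ProxyServer is 'host:port' or 'scheme=host:port;...'. A proxy on the
    loopback interface the user never installed means a local process is
    sitting in the browser's traffic path."""
    out = []
    for part in filter(None, setting.split(";")):
        hostport = part.rpartition("=")[2]          # drop the 'http=' prefix if any
        host = hostport.rsplit(":", 1)[0] if hostport else ""
        if host in ("127.0.0.1", "localhost", "::1"):
            out.append(Finding("loopback-proxy", "uInternet Settings,ProxyServer", part))
    return out


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    key = ""  # current [registry key] or startup folder path
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)) or line.lower().endswith("\\startup\\"):
            key = m.group(1) if m else line
            continue
        lkey = key.lower()
        if "\\currentversion\\run" in lkey and (m := RUN_VALUE_RE.match(line)):
            findings += check_autorun(key, m.group(1), m.group(2))
        elif lkey.endswith("\\startup\\") and (m := LNK_RE.match(line)):
            findings += check_autorun(key, m.group(1), m.group(2))
        elif "security center" in lkey and (m := DWORD_RE.match(line)):
            if m.group(1) in SC_TAMPER_VALUES and int(m.group(2), 16) == 1:
                findings.append(Finding("security-center-tampered", key, line))
        elif "firewallpolicy\\standardprofile" in lkey and (m := FIREWALL_RE.match(line)):
            if int(m.group(1)) == 0:
                findings.append(Finding("firewall-disabled", key, line))
        elif m := PROXY_RE.match(line):
            findings += check_proxy(m.group(1))
    return findings


# Excerpt of the ComboFix log above, used as the sample input.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-14 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"MNpEpQomdMQ"="c:\documents and settings\All Users\Application Data\MNpEpQomdMQ.exe" [2011-03-29 546304]
.
c:\documents and settings\Pablo\Start Menu\Programs\Startup\
RollerCoaster Tycoon 3 Registration.lnk - c:\documents and settings\Pablo\Local Settings\Temp\{4E43C220-5B4E-429A-96EE-68C47EE8943C}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-7-11 24576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
uInternet Settings,ProxyServer = http=127.0.0.1:5555;https=;ftp=;gopher=;socks=
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.where}\n    {f.detail}")
```

Run it as-is to see the hits from the excerpt, or feed it a full ComboFix log with `triage(open(path, encoding="latin-1").read())`. The loopback-proxy and Security Center rules are the high-confidence ones; the data-directory rule also catches legitimate game-registration shortcuts in Temp, and the case-flip heuristic is there to surface names like MNpEpQomdMQ rather than to judge anything on its own, so treat those two as prompts to look at the file, not as a verdict.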