ComboFix 11-06-30.03 - Administrator 07/04/2011 11:38:46.3.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2037.1368 [GMT -12:00]
Running from: e:\downloads\ComboFix.exe
AV: ESET Smart Security 4.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
 * Resident AV is active
.
.
((((((((((((((((((((((((( Files Created from 2011-06-04 to 2011-07-04 )))))))))))))))))))))))))))))))
.
.
2011-07-04 01:59 . 2011-07-04 02:09 47 ----a-w- c:\windows\SOLOSCAN.BAT
2011-07-04 01:58 . 2011-07-04 01:59 -------- d-----w- C:\SRN Micro
2011-07-04 01:54 . 2011-07-04 01:55 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-04 01:13 . 2011-07-04 01:13 -------- d-----w- c:\windows\system32\drivers\Avg(2)
2011-07-04 01:13 . 2011-07-04 01:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVGTOOLBAR
2011-07-01 23:36 . 2011-07-01 23:36 71880 ----a-w- c:\windows\system32\PxSecure.dll-upgrade672578.tmp
2011-07-01 23:36 . 2011-07-01 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2011-07-01 05:25 . 2009-04-05 11:36 -------- d-----w- C:\SmitfraudFix
2011-07-01 03:51 . 2011-07-01 03:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-07-01 03:50 . 2011-05-29 21:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-01 03:50 . 2011-07-01 03:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-01 03:50 . 2011-05-29 21:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-30 23:33 . 2011-06-30 23:33 -------- d-----w- C:\FOUND.001
2011-06-30 06:53 . 2011-06-30 06:53 -------- d-----w- C:\FOUND.000
2011-06-29 22:15 . 2011-06-30 23:37 40448 ----a-w- c:\windows\system32\Slsvcx.exe
2011-06-29 01:14 . 2011-06-29 22:14 92672 --sh--w- c:\windows\system32\tcpwalalib.exe
2011-06-29 01:13 . 2011-06-29 01:13 -------- d-----w- c:\windows\system32\X
2011-06-23 06:40 . 2011-06-23 06:40 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-23 06:40 . 2011-06-23 06:40 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-06-22 22:22 . 2004-08-25 23:56 24576 ----a-w- c:\windows\system32\GsiNdi32.dll
2011-06-22 22:22 . 2011-06-22 22:22 -------- d-----w- c:\program files\Huawei
2011-06-13 00:00 . 2011-06-13 00:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\ImTOO Software Studio
2011-06-05 23:49 . 2011-06-05 23:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ImTOO
2011-06-05 23:44 . 2011-06-05 23:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\ImTOO
2011-06-05 23:44 . 2011-06-05 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\ImTOO
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-27 22:08 . 2011-05-27 22:08 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-23 06:40 . 2011-03-24 22:44 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2004-08-04 . A3886230C2B22BF4D3C452B90B1C45CB . 359808 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2011-07-04_02.47.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-24 00:00 . 2011-07-04 02:00 94040 c:\windows\system32\perfc009.dat
+ 2001-08-24 00:00 . 2011-07-04 22:33 94040 c:\windows\system32\perfc009.dat
- 2001-08-24 00:00 . 2011-07-04 02:00 505318 c:\windows\system32\perfh009.dat
+ 2001-08-24 00:00 . 2011-07-04 22:33 505318 c:\windows\system32\perfh009.dat
- 2004-08-03 22:56 . 2004-08-03 22:56 792064 c:\windows\system32\dllcache\comres.dll
+ 2004-08-03 22:56 . 2009-04-08 05:58 792064 c:\windows\system32\dllcache\comres.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 792064 c:\windows\system32\comres.dll
+ 2004-08-03 22:56 . 2009-04-08 05:58 792064 c:\windows\system32\comres.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 792064 c:\windows\system32\comres BACKUP.dll
- 2004-08-04 10:56 . 2004-08-04 10:56 792064 c:\windows\system32\COMRES backup.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX1500 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE" [2004-06-01 99840]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2010-01-30 3179952]
"WOSB"="f:\softwares\WakeupOnStandBy\wosb.exe" [2011-03-22 1272320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-05 166424]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"egui"="e:\new folder\nod32\egui.exe" [2009-02-07 2021400]
"Malwarebytes' Anti-Malware"="e:\new folder\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"SoloSentry"="e:\newfol~1\SRNMIC~1\SOLOSENT.EXE" [2010-08-27 77824]
"SoloSchedule"="c:\srnmic~1\SOLOCFG.EXE" [2010-08-27 303104]
"SoloSysCheck"="c:\srnmic~1\SYSCHECK.COM" [2010-08-27 237568]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Registration Prince of Persia Warrior Within.LNK]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Registration Prince of Persia Warrior Within.LNK
backup=c:\windows\pss\Registration Prince of Persia Warrior Within.LNKStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Security Update.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Security Update.lnk
backup=c:\windows\pss\Security Update.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-05 00:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 16:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2011-01-20 09:20 1305408 ----a-w- e:\new folder\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
2004-08-25 23:56 65536 ------w- c:\program files\Huawei\MT841\dslagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-09-05 09:13 141848 ----a-r- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-06-16 18:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-06-16 18:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mapper]
2008-09-05 07:17 40960 ----a-w- c:\program files\Home Browsing\IE Internet Helper\maper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 23:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-09-05 09:13 137752 ----a-r- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-02-13 06:31 16857600 ------r- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-06 04:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Nikon Transfer Monitor"=c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe
"DSLAGENTEXE"=c:\program files\Huawei\MT841\dslagent.exe
"EPSON Stylus CX1500 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE /P26 "EPSON Stylus CX1500 Series" /O6 "USB001" /M "Stylus CX1500"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Huawei\\MT841\\DSLAGENT.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"e:\\New Folder\\gigaget\\Gigaget.exe"=
"e:\\New Folder\\flashget\\flashget.exe"=
"c:\\Tally\\tally72.exe"=
"c:\\Tally\\TALLY9.EXE"=
"h:\\BackUp of Tally\\Tally\\tally9.exe"=
"f:\\Tally\\tally72.exe"=
"e:\\New Folder\\bitt\\BitTorrent.exe"=
"e:\\New Folder\\Free Download Manager\\fdm.exe"=
"e:\\New Folder\\VLC\\vlc.exe"=
"e:\\New Folder\\java\\bin\\javaw.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
"8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
"8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
"8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
"8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
"8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
"8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)
"8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)
"8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)
"8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)
"7606:TCP"= 7606:TCP:enzunljc
.
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2/6/2009 2:23 PM 106208]
R1 LUMDriver;LUMDriver;c:\windows\system32\drivers\LUMDriver.sys [7/11/2003 1:22 AM 14912]
R2 ekrn;ESET Service;e:\new folder\nod32\ekrn.exe [2/6/2009 2:23 PM 727720]
R2 WalaSvc;Windows Infomation Actioning;c:\windows\system32\tcpwalalib.exe [6/28/2011 1:14 PM 92672]
R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [3/25/2011 6:48 PM 218688]
S3 illreqpim;illreqpim;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/30/2011 3:50 PM 22712]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\ztemtusbser.sys --> c:\windows\system32\DRIVERS\ztemtusbser.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
cvjpechd
.
Contents of the 'Scheduled Tasks' folder
.
2010-11-05 c:\windows\Tasks\firefox.job
- c:\program files\Mozilla Firefox\firefox.exe [2009-11-26 06:40]
.
2011-07-04 c:\windows\Tasks\Free Download Manager.job
- e:\new folder\Free Download Manager\fdm.exe [2011-02-16 11:28]
.
2011-06-19 c:\windows\Tasks\prismShakeIcon.job
- c:\program files\NCH Software\Prism\prism.exe [2010-12-08 00:08]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
IE: &Download All by Gigaget - e:\new folder\gigaget\getallurl.htm
IE: &Download All with FlashGet - e:\new folder\flashget\jc_all.htm
IE: &Download by Gigaget - e:\new folder\gigaget\geturl.htm
IE: &Download with FlashGet - e:\new folder\flashget\jc_link.htm
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download all with Free Download Manager - file://e:\new folder\Free Download Manager\dlall.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download selected with Free Download Manager - file://e:\new folder\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://e:\new folder\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://e:\new folder\Free Download Manager\dllink.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: Download with ImTOO Download YouTube Video - e:\new folder\Download YouTube Video\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{05621D6F-D130-41FF-8E8C-4399A56A1976}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{19A8216A-C872-4E9F-A357-7C54AC89B671}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{63DF77B5-46A8-4A74-8B36-84A9F91AEBF7}: NameServer = 8.8.4.4,8.8.8.8
TCP: Interfaces\{8F58A87F-8FAD-43E8-BCF6-8E6238938FD9}: NameServer = 218.248.241.3 218.248.255.177
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\i2fob4tv.default\
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-04 11:41
Windows 5.1.2600 Service Pack 2 FAT NTAPI
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus CX1500 Series = c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE /P26 "EPSON Stylus CX1500 Series" /M "Stylus CX1500" /EF "HKCU"?6?????6?????D????????????h?w?? ?????????????????????????????
.
'explorer.exe'(11892)
e:\new folder\flashget\fgmgr.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-07-04 11:43:43
ComboFix-quarantined-files.txt 2011-07-04 23:43
ComboFix2.txt 2011-07-04 22:35
ComboFix3.txt 2011-07-04 02:54
.
Pre-Run: 3,096,690,688 bytes free
Post-Run: 3,084,271,616 bytes free
.
- - End Of File - - F68F10D62E215F95D96A93E6967BB8D2