ComboFix 11-08-17.03 - user1 08/18/2011 13:52:36.1.1 - x86
Running from: d:\downloads\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\user1\usbsermpt.sys
c:\documents and settings\user1\usbsermptxp.sys
c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Images\006E2B7D.urr
c:\program files\FunWebProducts\ScreenSaver\Images\045E39DE.urr
c:\program files\FunWebProducts\Shared\018A9D2D.dat
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\Settings\s_FeatCk.dat
c:\program files\MyWebSearch\bar\Settings\s_FeatCk.dat.bak
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\windows\$NARWE4234Uninstall$
c:\windows\$NARWE4234Uninstall$\punstl.exe
c:\windows\system32\1ff6869f-0bce-a64d-57da-b3efa0b13ab8.exe
c:\windows\system32\28463
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ABEL
-------\Legacy_NPF
-------\Service_Abel
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-07-18 to 2011-08-18 )))))))))))))))))))))))))))))))
.
.
2011-07-24 08:56 . 2011-07-24 08:56 -------- d-----w- c:\documents and settings\user1\Application Data\ibibo
2011-07-24 08:56 . 2011-07-24 08:57 -------- d-----w- c:\documents and settings\user1\Application Data\Tencent
2011-07-24 08:55 . 2011-07-24 08:55 -------- d-----w- c:\program files\Common Files\ibibo
2011-07-23 16:48 . 2011-07-23 16:48 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-12 11:26 . 2011-06-02 06:22 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2006-03-15 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2006-03-15 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2010-01-28 07:09 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-22 16:27 . 2011-06-22 16:24 22768 ----a-w- c:\windows\system32\drivers\usbsermpt.sys
2011-06-21 18:45 . 2006-03-15 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:45 . 2006-03-15 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:45 . 2006-03-15 12:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-06-21 18:45 . 2006-03-15 12:00 17408 ------w- c:\windows\system32\corpol.dll
2011-06-21 11:47 . 2006-03-15 12:00 389120 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2006-03-15 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2006-03-15 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-27 06:29 . 2011-05-26 13:22 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-05-26 15:22 . 2006-03-15 12:00 218624 ----a-w- c:\windows\system32\uxtheme.dll
2011-05-26 14:35 . 2011-05-26 14:22 2856 ----a-w- c:\documents and settings\All Users\Application Data\bdinstall.bin
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2011-04-02 399736]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"cdloader"="c:\documents and settings\user1\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"ares"="c:\program files\Ares\Ares.exe" [2010-01-22 1011712]
"GameTracker"="d:\movies & videos\GameTracker\GTLite.exe" [2010-10-13 4018984]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-09 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2005-12-15 839680]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Adobe Reader Speed Launcher"="d:\reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"Freecorder FLV Service"="d:\cain\FLVSrvc.exe" [2010-06-26 167936]
"avgnt"="d:\cain\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-11-03 1372160]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-11-03 1202448]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Matrix Screen Locker.lnk - c:\program files\BaroufaSoft\Matrix Screen Locker\matrix.exe [2006-1-29 539136]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="D:\QTTask.exe" -atboottime
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Documents and Settings\\user1\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\counter strike (c zero)\\hl.exe"=
"d:\\VLC\\vlc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\quake\\Quake3\\quake3.exe"=
"c:\\Program Files\\Ares\\chatServer.exe"=
"c:\\Documents and Settings\\user1\\Application Data\\mjusbsp\\magicJack.exe"=
"d:\\ibibo Messenger\\Bin\\ibibomsgr.exe"=
.
R3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys [2010-07-11 30432]
R3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys [2010-07-11 30432]
R3 cyzport;Cyclades-Z Port Driver;c:\windows\system32\DRIVERS\cyzport.sys [2001-08-17 49792]
R3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\Drivers\motoandroid.sys [x]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [x]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [x]
R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [x]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-07-26 137600]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-07-26 8576]
R3 qcusbser;CDMA USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\qcusbser.sys [2010-02-06 106752]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-28 717296]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\cain\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
S2 GS In-Game Service;GS In-Game Service;d:\movies & videos\GameTracker\GSInGameService.exe [2010-10-13 1677096]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2010-09-30 1051968]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ sysagent
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-413027322-682003330-1002Core.job
- c:\documents and settings\user1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-03 10:19]
.
2011-08-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-413027322-682003330-1002UA.job
- c:\documents and settings\user1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-03 10:19]
.
2011-08-15 c:\windows\Tasks\RegCure Program Check.job
- d:\mobile files\dxg\RegCure\RegCure.exe [2010-05-19 23:20]
.
2011-07-23 c:\windows\Tasks\RegCure.job
- d:\mobile files\dxg\RegCure\RegCure.exe [2010-05-19 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://h1.ripway.com/poojasharma/index.html
mStart Page = hxxp://www.msn.com
IE: E&xport to Microsoft Excel - d:\software\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\87mnnm37.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?ref=hp
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - d:\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - d:\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - d:\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - d:\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: z: {0b69f0d7-8854-bed9-a744-f4bf3e297930} - d:\extensions\{0b69f0d7-8854-bed9-a744-f4bf3e297930}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - d:\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: AutoPager: autopager@mozilla.org - %profile%\extensions\autopager@mozilla.org
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: Freecorder Community Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - %profile%\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: PC Sync 2 Synchronisation Extension: bkmrksync@nokia.com - d:\ret\Nokia PC Suite 7\bkmrksync
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
.
------- File Associations -------
.
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{dba30aec-aca0-49aa-6d1e-df72106eac82} - (no file)
BHO-{ee3409ba-c0fe-278a-4cea-d708dc5d4ae1} - (no file)
SafeBoot-Wdf01000.sys
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
MSConfigStartUp-vmware-tray - d:\vmware\vmware-tray.exe
AddRemove-$NARWE4234Uninstall$ - c:\windows\$NARWE4234Uninstall$\punstl.exe
AddRemove-1ff6869f-0bce-a64d-57da-b3efa0b13ab8 - c:\windows\system32\1ff6869f-0bce-a64d-57da-b3efa0b13ab8.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-18 14:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1412)
c:\windows\system32\WININET.dll
c:\documents and settings\user1\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\netprovcredman.dll
d:\software\OFFICE11\msohev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\windows\system32\MSWMDM.dll
c:\windows\system32\WMDMLOG.dll
c:\windows\system32\MsPMSP.dll
c:\windows\system32\cewmdm.dll
c:\windows\system32\wpdsp.dll
c:\windows\system32\WdfApi.dll
c:\windows\system32\wpdtrace.dll
c:\windows\system32\WMDMPS.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
d:\cain\Avira\AntiVir Desktop\avguard.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\system32\uWDF.exe
c:\windows\system32\uWDF.exe
.
**************************************************************************
.
Completion time: 2011-08-18 14:11:59 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-18 08:41
.
Pre-Run: 247,328,768 bytes free
Post-Run: 221,237,248 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
Default=c:\$win_nt$.~bt\BOOTSECT.DAT
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /TUTag=HBUEPR /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition (TuneUp Backup)" /noexecute=optin /fastdetect /TUTag=HBUEPR-BAK
.
- - End Of File - - 17C719799091C5B25250DDAB948C9A08