ComboFix 11-08-27.01 - steve 08/26/2011 23:15:50.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.523 [GMT -4:00]
Running from: c:\documents and settings\steve\Desktop\round3\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\Thumbs.db
Pass LEGAL for license information. Built Sat Jun 25 23:20 2011
c:\documents and settings\Administrator\Local Settings\Application Data\crypteditboot.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-27 to 2011-08-27 )))))))))))))))))))))))))))))))
.
.
2011-08-23 23:20 . 2004-08-04 10:00 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2011-08-23 23:20 . 2004-08-04 10:00 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2011-08-23 23:20 . 2004-08-04 10:00 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll
2011-08-23 23:20 . 2004-08-04 10:00 86073 -c--a-w- c:\windows\system32\dllcache\voicesub.dll
2011-08-23 23:20 . 2004-08-04 10:00 426041 -c--a-w- c:\windows\system32\dllcache\voicepad.dll
2011-08-23 23:20 . 2004-08-04 10:00 76288 -c--a-w- c:\windows\system32\dllcache\uniime.dll
2011-08-23 23:20 . 2004-08-04 10:00 14336 -c--a-w- c:\windows\system32\dllcache\tsprof.exe
2011-08-23 23:20 . 2004-08-04 10:00 455168 -c--a-w- c:\windows\system32\dllcache\tintsetp.exe
2011-08-23 23:20 . 2004-08-04 10:00 44032 -c--a-w- c:\windows\system32\dllcache\tintlphr.exe
2011-08-23 23:20 . 2004-08-04 10:00 10240 -c--a-w- c:\windows\system32\dllcache\tmigrate.dll
2011-08-23 23:18 . 2004-08-04 10:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2011-08-23 23:17 . 2004-08-04 10:00 18944 -c--a-w- c:\windows\system32\dllcache\cprofile.exe
2011-08-23 22:50 . 2006-03-30 10:03 22339 ----a-r- c:\windows\SET77.tmp
2011-08-23 22:50 . 2005-03-30 17:54 10559 ----a-r- c:\windows\SET78.tmp
2011-08-23 22:50 . 2004-08-04 10:00 13753 ----a-r- c:\windows\SET44.tmp
2011-08-23 22:49 . 2004-08-04 10:00 1086058 ----a-r- c:\windows\SET38.tmp
2011-08-23 22:49 . 2004-08-04 10:00 1042903 ----a-r- c:\windows\SET35.tmp
2011-08-23 22:37 . 2004-08-04 02:59 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-23 22:37 . 2011-08-23 22:37 -------- d-----w- c:\windows\NV1100384.TMP
2011-08-23 22:28 . 2004-08-04 10:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-08-23 22:28 . 2004-08-04 10:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-08-23 22:28 . 2004-08-04 10:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-08-23 22:28 . 2004-08-04 10:00 13312 ----a-w- c:\windows\system32\irclass.dll
2011-08-23 03:36 . 2004-08-04 19:00 134400 ----a-w- C:\hal.dll
2011-08-23 02:22 . 2011-08-23 02:22 -------- d-----w- c:\windows\dell
2011-08-23 01:09 . 2011-08-23 01:09 -------- d-----w- C:\whatever-hal
2011-08-22 20:07 . 2011-08-22 20:07 512 ----a-w- C:\Backup_MBR_0.bin
2011-08-21 02:55 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-21 02:55 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-17 21:57 . 2011-08-17 21:57 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-08-17 17:21 . 2011-08-18 12:03 574 ----a-w- C:\cleanup.bat
2011-08-17 16:59 . 2011-08-17 16:59 -------- d-----w- C:\MGtools
2011-08-17 16:56 . 2011-08-17 16:56 -------- d-----w- c:\documents and settings\steve\Application Data\SUPERAntiSpyware.com
2011-08-17 16:56 . 2011-08-24 00:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-17 16:56 . 2011-08-17 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-17 07:52 . 2011-08-17 07:52 -------- d-----w- c:\program files\ESET
2011-08-17 07:41 . 2011-08-17 15:30 309320 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
2011-08-17 07:19 . 2011-08-17 07:19 -------- d-----w- C:\TDSSKiller_Quarantine
2011-08-17 06:54 . 2011-08-25 22:38 -------- d-----w- c:\program files\RegCure
2011-08-09 23:12 . 2011-08-09 23:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-08-09 23:07 . 2011-08-09 23:13 -------- d-----w- c:\documents and settings\steve\Local Settings\Application Data\Temp
2011-08-09 23:07 . 2011-08-09 23:07 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-08-09 23:06 . 2011-08-15 04:44 -------- d-----w- c:\documents and settings\steve\Local Settings\Application Data\Google
2011-08-09 23:06 . 2011-08-09 23:08 -------- d-----w- c:\program files\Google
2011-08-03 21:02 . 2011-08-15 07:30 -------- d-----w- c:\documents and settings\steve\dwhelper
2011-08-02 22:53 . 2011-07-08 07:16 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-08-02 22:53 . 2011-07-08 07:16 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-08-02 22:53 . 2011-07-08 07:16 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-08-02 22:53 . 2011-07-08 07:16 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-08-02 22:53 . 2011-07-08 07:16 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-08-02 22:53 . 2011-07-08 07:16 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-08-02 22:53 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-08-02 22:53 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-08 07:16 . 2011-08-02 22:53 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8429568]
"nwiz"="nwiz.exe" [2007-06-06 1626112]
"NVHotkey"="nvHotkey.dll" [2007-06-06 67584]
"NvMediaCenter"="NvMCTray.dll" [2007-06-06 81920]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-05-09 1392640]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-11-17 52848]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-03 198160]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2005-07-23 172032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-07-23 49152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2010-06-11 206120]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-8-9 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-7-31 50688]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt\0sprestrt
.
[HKLM\~\startupfolder\C:^Documents and Settings^steve^Start Menu^Programs^Startup^_uninst_90142563.lnk]
path=c:\documents and settings\steve\Start Menu\Programs\Startup\_uninst_90142563.lnk
backup=c:\windows\pss\_uninst_90142563.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-07-06 23:52 449584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
2011-08-18 06:34 512992 ----a-w- c:\documents and settings\steve\Desktop\sdsetup_revwire207.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-08-12 21:37 4603264 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\steve\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/9/2011 7:06 PM 136176]
S3 {380014DB-5CCC-4339-A514AAAB6A3B43B8};{380014DB-5CCC-4339-A514AAAB6A3B43B8};\??\c:\windows\TEMP\1DB.tmp --> c:\windows\TEMP\1DB.tmp [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/9/2011 7:06 PM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-09 23:06]
.
2011-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-09 23:06]
.
2011-08-27 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]
.
2011-08-25 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.stevefisk.net/start/work_start.htm
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{15F3E135-1B79-42C0-9363-45F0626A4F56}: NameServer = 24.92.226.11,24.92.226.12
TCP: Interfaces\{2640A5B6-28DF-4929-879B-37938A9B0318}: NameServer = 24.92.226.11,24.92.226.12
FF - ProfilePath - c:\documents and settings\steve\Application Data\Mozilla\Firefox\Profiles\mcfmaym4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.stevefisk.net/start/work_start.htm
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 51677
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-26 23:23
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST9120822AS rev.3.CDD -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8666131B
user & kernel MBR OK
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{380014DB-5CCC-4339-A514AAAB6A3B43B8}]
"ImagePath"="\??\c:\windows\TEMP\1DB.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(928)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2011-08-26 23:26:18
ComboFix-quarantined-files.txt 2011-08-27 03:26
ComboFix2.txt 2011-08-27 01:50
ComboFix3.txt 2011-08-21 04:39
.
Pre-Run: 10,655,457,280 bytes free
Post-Run: 10,640,244,736 bytes free
.
- - End Of File - - D466BCC1C08CFF4269D20D95FC442EDD