ComboFix 11-09-04.01 - Administrator 09/04/2011 10:36:03.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.180 [GMT -7:00]
Running from: f:\into laptop\ComboFix.exe
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\dcyfbhqkwq.tmp
c:\documents and settings\Administrator\GoToAssistDownloadHelper.exe
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\PMW.exe.a5d74c84.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL239.tmp.edb0f421.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL38.tmp.67528fae.ini
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\uses32.dat
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Guest\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Guest\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Guest\Local Settings\Application Data\ApplicationHistory\SL239.tmp.edb0f421.ini
c:\documents and settings\Guest\Local Settings\Application Data\ApplicationHistory\SL38.tmp.67528fae.ini
C:\feed.txt
c:\windows\system32\AutoRun.inf
c:\windows\system32\comct332.ocx
E:\AUTORUN.INF
.
.
((((((((((((((((((((((((( Files Created from 2011-08-04 to 2011-09-04 )))))))))))))))))))))))))))))))
.
.
2011-09-01 23:07 . 2011-09-01 23:07 -------- d-----w- C:\_OTL
2011-08-14 21:27 . 2011-08-26 00:18 -------- d-----w- c:\program files\SpeedFan
2011-08-06 22:47 . 2011-08-06 22:47 11264 ----a-w- c:\windows\system32\drivers\uzg0ntay.sys
2011-08-06 22:14 . 2011-08-04 04:11 133208 ----a-w- c:\windows\system32\drivers\93306840.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-16 01:31 . 2011-06-28 07:28 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-07 02:52 . 2011-07-31 00:00 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52 . 2011-07-31 00:00 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
[7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2347290$\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe
.
c:\windows\System32\spoolsv.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2011-05-20 399736]
"CTRegRun"="c:\windows\CTRegRun.EXE" [2006-10-06 53248]
"SoftAuto.exe"="c:\program files\Creative\Software Update 3\SoftAuto.exe" [2008-08-13 405504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1040384]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2011-05-20 2071904]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [N/A]
.
c:\documents and settings\Guest\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [N/A]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-09-18 06:35 12536 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 01:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
.
R0 93306840;93306840;c:\windows\system32\drivers\93306840.sys [8/6/2011 3:14 PM 133208]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2/7/2007 11:22 AM 100495]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [10/9/2006 1:31 PM 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [3/29/2007 4:54 PM 13696]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/17/2010 11:35 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/17/2010 11:35 PM 243152]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2/7/2007 11:23 AM 5808]
R1 uzg0ntay;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uzg0ntay.sys [8/6/2011 3:47 PM 11264]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 1:00 AM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 1:00 AM 14336]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [9/17/2010 11:34 PM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [9/17/2010 11:34 PM 308136]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [3/29/2007 5:50 PM 221184]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [10/4/2007 9:21 AM 540448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [9/19/2006 9:58 AM 36608]
S2 seclogon32;Secondary Logon ;c:\windows\system32\gpedit32.exe --> c:\windows\system32\gpedit32.exe [?]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [5/21/2008 4:42 AM 64000]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/30/2011 5:00 PM 22712]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/30/2011 5:00 PM 41272]
S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/30/2011 5:00 PM 366640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:1069
uInternet Settings,ProxyOverride =
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
Trusted Zone: att.net
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com\clientapps
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{01D151C1-2054-4A48-B12A-6BB86C46069d} - c:\windows\system32\atikvmag32.dll
Toolbar-Locked - (no file)
AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-04 11:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHY2080BH rev.890B -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8468E2E0
user & kernel MBR OK
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2801489450-1910931656-4214862515-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,33,b7,6e,c2,a0,52,34,41,a0,43,94,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,33,b7,6e,c2,a0,52,34,41,a0,43,94,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1260)
c:\windows\system32\Ati2evxx.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\program files\Hewlett-Packard\IAM\bin\HPBrand.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASChnl.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItDAC.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItReports.DLL
c:\program files\Hewlett-Packard\IAM\Bin\BioAuth.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASBIoAT.dll
c:\program files\Hewlett-Packard\IAM\Bin\ittal.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItVCClient.dll
c:\program files\Hewlett-Packard\IAM\Bin\AuthWiz.dll
.
- - - - - - - > 'explorer.exe'(1160)
c:\windows\system32\WININET.dll
c:\windows\system32\APSHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\msdtc.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\Hewlett-Packard\IAM\bin\asghost.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
.
**************************************************************************
.
Completion time: 2011-09-04 11:14:24 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-04 18:14
.
Pre-Run: 23,874,473,984 bytes free
Post-Run: 23,908,179,968 bytes free
.
- - End Of File - - DD8A407F4B55DB03B03454FA4A953380
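A log like the one above is normally read by hand, line by line, for a handful of first-pass indicators: a service whose binary ComboFix could not find (the `[?]` suffix), a Windows file reported "is missing !!", Security Center values that silence the "no antivirus" warning, an AppInit_DLLs entry (loaded into every process that uses user32), a browser proxy pointed at 127.0.0.1, and boot- or system-start drivers that only appeared during the "Files Created" window. The following Python script is an added example that applies those checks mechanically; it is not part of ComboFix and not code from the poster. The rule names, the `Finding` type and `triage()` are this example's own, and SAMPLE_LOG is a constructed excerpt of lines copied from the log above so the output can be checked against it by eye.

```python
"""First-pass triage of a ComboFix log (added example, not ComboFix code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


# "R0 name;display;path [date size]" or "... [?]" when the binary is absent
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]\s*$")
# "<created> . <modified> <size|--------> <attrs> <path>" (Files Created / Find3M)
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\S+\s+\S+\s+(.+)$"
)
REG_KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
MISSING_RE = re.compile(r"^(.+?) \.\.\. is missing !!$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (.+)$")

# XP Security Center values that suppress antivirus/firewall/update warnings.
SC_SUPPRESS = {
    "antivirusoverride", "firewalloverride", "antivirusdisablenotify",
    "firewalldisablenotify", "updatesdisablenotify", "disablemonitoring",
}

# Constructed sample: lines excerpted from the ComboFix log above, in log order.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-08-04 to 2011-09-04 )))))))))))))))))))))))))))))))
.
2011-08-06 22:47 . 2011-08-06 22:47 11264 ----a-w- c:\windows\system32\drivers\uzg0ntay.sys
2011-08-06 22:14 . 2011-08-04 04:11 133208 ----a-w- c:\windows\system32\drivers\93306840.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-07 02:52 . 2011-07-31 00:00 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
c:\windows\System32\spoolsv.exe ... is missing !!
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
R0 93306840;93306840;c:\windows\system32\drivers\93306840.sys [8/6/2011 3:14 PM 133208]
R1 uzg0ntay;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uzg0ntay.sys [8/6/2011 3:47 PM 11264]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [9/17/2010 11:34 PM 308136]
S2 seclogon32;Secondary Logon ;c:\windows\system32\gpedit32.exe --> c:\windows\system32\gpedit32.exe [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/30/2011 5:00 PM 22712]
.
uInternet Settings,ProxyServer = http=127.0.0.1:1069
"""


def triage(log_text: str) -> list[Finding]:
    """Return findings in log order; the service checks run after the pass."""
    findings: list[Finding] = []
    recently_created: set[str] = set()   # paths listed under "Files Created"
    services: list[tuple[str, ...]] = []
    in_created, current_key = False, ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix prints "." for blank lines
            continue
        if "Files Created from" in line:
            in_created = True
            continue
        if "Find3M Report" in line:          # modified recently, not newly created
            in_created = False
            continue
        m = CREATED_RE.match(line)
        if m:
            if in_created:
                recently_created.add(m.group(1).lower())
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = REG_VALUE_RE.match(line)
        if m and current_key:
            name, value = m.group(1).lower(), m.group(2).strip()
            if "security center" in current_key and name in SC_SUPPRESS \
                    and value.lower() == "dword:00000001":
                findings.append(Finding("security-center-override",
                                        f"{m.group(1)} under {current_key}"))
            elif current_key.endswith(r"currentversion\windows") \
                    and name == "appinit_dlls" and value:
                findings.append(Finding("appinit-dll", value))
            continue
        m = MISSING_RE.match(line)
        if m:
            findings.append(Finding("missing-system-file", m.group(1)))
            continue
        m = PROXY_RE.match(line)
        if m:
            proxy = m.group(1)
            if "127.0.0.1" in proxy or "localhost" in proxy.lower():
                findings.append(Finding("loopback-proxy", proxy))
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(m.groups())
    for _kind, start, name, _display, path, info in services:
        if info.strip() == "?":
            findings.append(Finding("service-binary-missing", f"{name}: {path}"))
        elif start in ("0", "1") and path.lower() in recently_created:
            findings.append(Finding("new-kernel-driver", f"{name}: {path}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:26} {f.detail}")
```

Every hit is a "verify this" item, not a verdict: a loopback proxy can belong to a local filtering product, AppInit_DLLs is used by some vendor software, and a new boot-start driver may be a tool the poster ran (this log names one as an AVZ driver). The script's value is that it turns a 400-line log into the eight lines a helper would otherwise have to find by scrolling, and that the "new-kernel-driver" rule correlates two sections (services against Files Created) that are far apart in the file.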