ComboFix 11-10-04.04 - mitch 04/10/2011 20:24:01.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.3062.2473 [GMT 1:00]
Running from: c:\documents and settings\mitch\Desktop\Combo-Fix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\mitch\Local Settings\Application Data\decqggqq.log
c:\documents and settings\mitch\Local Settings\Application Data\fwsnsiut.log
c:\documents and settings\mitch\Local Settings\Application Data\hhjibrqn\pkbulrae.exe
c:\documents and settings\mitch\Local Settings\Application Data\jlldxour.log
c:\documents and settings\mitch\Local Settings\Application Data\rfidiqma.log
c:\documents and settings\mitch\Local Settings\Application Data\scxsgxpq.log
c:\documents and settings\mitch\Local Settings\Application Data\vxvkomyu.log
c:\documents and settings\mitch\My Documents\~WRL0003.tmp
c:\documents and settings\mitch\WINDOWS
C:\install.exe
c:\program files\messenger\msmsgsin.exe
C:\Thumbs.db
c:\windows\system32\d3d9caps.dat
c:\windows\system32\MSMAsk32.ocx
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
-------\Service_Micorsoft Windows Service
.
.
((((((((((((((((((((((((( Files Created from 2011-09-04 to 2011-10-04 )))))))))))))))))))))))))))))))
.
.
2011-10-04 12:45 . 2011-10-04 12:45 -------- d-----w- c:\documents and settings\mitch\Application Data\Malwarebytes
2011-10-04 12:44 . 2011-10-04 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-04 12:44 . 2011-10-04 12:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-04 12:44 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-04 12:17 . 2011-10-04 12:17 -------- d-----w- c:\windows\Internet Logs
2011-10-03 21:31 . 2011-10-03 21:31 -------- d-----w- c:\documents and settings\mitch\Application Data\MSN6
2011-10-03 21:31 . 2011-10-03 21:31 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2011-10-03 20:36 . 2011-10-04 19:31 -------- d-----w- c:\documents and settings\mitch\Local Settings\Application Data\hhjibrqn
2011-10-03 19:04 . 2011-10-04 13:23 -------- d-----w- c:\documents and settings\mitch\Local Settings\Application Data\confWebNotifier
2011-09-28 19:03 . 2011-09-28 19:03 107480 ----a-w- c:\program files\Mozilla Firefox\crashreporter.exe
2011-09-11 15:43 . 2001-08-17 12:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2011-09-11 15:43 . 2001-08-17 12:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2011-09-11 15:37 . 2010-11-16 20:10 527208 ------w- c:\windows\system32\HPDiscoPM9311.dll
2011-09-11 15:37 . 2010-10-07 18:04 1792872 ----a-w- c:\windows\system32\HPScanMiniDrv_DJ3050_J610.dll
2011-09-11 15:37 . 2010-10-07 18:04 267112 ----a-w- c:\windows\system32\hpinksts9311LM.dll
2011-09-11 15:37 . 2010-10-07 18:04 232296 ----a-w- c:\windows\system32\hpinksts9311.dll
2011-09-11 15:37 . 2010-10-07 18:04 213864 ----a-w- c:\windows\system32\hpinkcoi9311.dll
2011-09-11 15:36 . 2011-09-11 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2011-09-11 15:36 . 2011-09-11 15:36 -------- d-----w- c:\program files\HP
2011-09-11 15:35 . 2011-09-11 15:35 -------- d-----w- c:\documents and settings\mitch\Local Settings\Application Data\HP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
1997-07-25 17:11 . 2009-12-31 07:59 304128 ----a-w- c:\program files\mozilla firefox\plugins\Pngdll.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2006-03-23 118784]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-19 16062464]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-02-13 536576]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
.
c:\documents and settings\mitch\Start Menu\Programs\Startup\
Seagate Product Registration.lnk - c:\documents and settings\mitch\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe [2011-1-26 1731736]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
faxdrive.bat [2008-1-10 38]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2007-7-5 155648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\mitch\Local Settings\Application Data\hhjibrqn\pkbulrae.exe"
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Monitor.lnk
backup=c:\windows\pss\Bluetooth Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^mitch^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\mitch\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^mitch^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\mitch\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^mitch^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\mitch\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-14 20:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 22:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 07:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 11:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft SQL Server\\90\\Shared\\sqlbrowser.exe"=
"c:\\Program Files\\Microsoft SQL Server\\MSSQL.1\\MSSQL\\Binn\\sqlservr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
.
R2 DavidReplica;DvISE Replica;c:\progra~1\TOBITI~1\David\APPS\REPLICA\CODE\REPLICA.EXE [05/07/2007 11:38 286720]
R2 DavidServiceLayer;DvISE Service Layer;c:\progra~1\TOBITI~1\David\CODE\SL.EXE [05/07/2007 11:39 1019904]
R2 MSSQL$SKYBLUESUPPORT;SQL Server (SKYBLUESUPPORT);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24/11/2008 22:31 29263712]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [01/10/2006 13:37 26624]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 B-Service;B-Service;c:\documents and settings\mitch\My Documents\Downloads\B-Service.exe [17/07/2009 12:14 185640]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [07/09/2008 14:54 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [07/09/2008 14:54 8320]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uDefault_Search_URL = hxxp://google.co.uk
uSearchURL,(Default) = hxxp://google.co.uk
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\mitch\Application Data\Mozilla\Firefox\Profiles\b2v3hyv5.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: IE Tab Plus: ietab@ip.cn - %profile%\extensions\ietab@ip.cn
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-PkbUlrae - c:\documents and settings\mitch\Local Settings\Application Data\hhjibrqn\pkbulrae.exe
HKLM-Run-QuickTime Task - c:\program files\QuickTime\QTTask.exe
AddRemove-HMRC Employer CD-ROM 2009 - p:\kay\Payroll\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-04 20:31
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\mitch\Start Menu\Programs\Startup\pkbulrae.exe 113424 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(544)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\AGRSMMSG.exe
.
**************************************************************************
.
Completion time: 2011-10-04 20:37:42 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-04 19:37
.
Pre-Run: 29,635,616,768 bytes free
Post-Run: 29,481,050,112 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 407CDDE39463D69510FD478759637F63
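The log above records three persistence mechanisms worth recognising on sight: a second program appended to the Winlogon "Userinit" value (Windows runs every comma-separated entry at logon, so pkbulrae.exe started before the shell), a Run entry launching from the user's Local Settings\Application Data tree, and a service named "Micorsoft Windows Service" that leans on a misspelling of Microsoft. The Python below is an added triage example, not ComboFix code and not part of the posted log; it parses a constructed excerpt in ComboFix's "Reg Loading Points" format (the Userinit line is copied from the log, the HKCU Run entry is reconstructed from the "HKCU-Run-PkbUlrae" orphan line, and the similarity threshold of 0.8 is an assumption) and reports each of those findings.

```python
"""Triage helpers for ComboFix-style "Reg Loading Points" output.

Added example; this is not ComboFix code and is not part of the posted log.
"""
import re
from difflib import SequenceMatcher

# Stock Userinit value on Windows XP; anything else in the list was added.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<value>[^"]*)"')

# Constructed excerpt in ComboFix's Reg Loading Points layout.  The Run
# entry under HKCU is reconstructed from the "HKCU-Run-PkbUlrae" orphan
# line in the log; the Userinit line is copied from the log as posted.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2006-03-23 94208]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PkbUlrae"="c:\documents and settings\mitch\Local Settings\Application Data\hhjibrqn\pkbulrae.exe" [2011-10-03 113424]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\mitch\Local Settings\Application Data\hhjibrqn\pkbulrae.exe"
.
"""


def parse_loading_points(text):
    """Return {registry key (lower-cased): [(value name, data), ...]}.
    Lines consisting of a lone '.' are ComboFix's separators and are skipped;
    the trailing "[date size]" annotation is outside the quoted data."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            entries.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current].append((m.group("name"), m.group("value")))
    return entries


def userinit_extras(value):
    """Every program in a Userinit value other than the stock userinit.exe.
    Winlogon launches each comma-separated entry at logon, so an extra path
    here runs before the user's shell on every logon."""
    parts = [p.strip() for p in value.split(",")]
    return [p for p in parts if p and p.lower() != DEFAULT_USERINIT]


def launches_from_profile(path):
    """True when an autostart target lives under a user profile's
    Application Data tree, which a standard user can write to."""
    p = path.lower()
    return "\\documents and settings\\" in p and "\\application data\\" in p


def impersonates_microsoft(service_name, threshold=0.8):
    """True when a word of the service name is a near miss of 'microsoft'
    (e.g. 'Micorsoft') without being the word itself.  The threshold is an
    assumption; 'micorsoft' scores about 0.89."""
    for token in re.split(r"[^a-z]+", service_name.lower()):
        if not token or token == "microsoft":
            continue
        if SequenceMatcher(None, token, "microsoft").ratio() >= threshold:
            return True
    return False


def triage(text):
    """Collect (finding kind, detail) pairs from a Reg Loading Points block."""
    findings = []
    for key, values in parse_loading_points(text).items():
        for name, data in values:
            if key.endswith("\\winlogon") and name.lower() == "userinit":
                for extra in userinit_extras(data):
                    findings.append(("userinit-extra", extra))
            elif key.endswith("\\run") and launches_from_profile(data):
                findings.append(("run-from-profile", f"{name} -> {data}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(kind, detail)
    print("service impersonates Microsoft:",
          impersonates_microsoft("Micorsoft Windows Service"))
```

Run against the constructed excerpt it reports the profile-resident Run entry and the extra Userinit program, and the name check flags "Micorsoft Windows Service" while leaving "DvISE Service Layer" and a correctly spelled "Microsoft" alone. The Userinit check is the one to keep in a playbook: a legitimate XP value is exactly the stock path followed by a comma, so any additional entry is a finding regardless of where it points.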