ComboFix 12-04-07.02 - Amir 07/04/2012 12:47:43.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.989.449 [GMT 1:00]
Running from: G:\ComboFix.exe
FW: Sygate Personal Firewall *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\SPL56F.tmp
c:\documents and settings\Amir\Application Data\vso_ts_preview.xml
c:\documents and settings\Amir\Local Settings\Application Data\alnjnbhr\irfvxbnf.exe
c:\documents and settings\Amir\Local Settings\Application Data\cppbhbiv.log
c:\documents and settings\Amir\Local Settings\Application Data\jsfnydve.log
c:\documents and settings\Amir\Local Settings\Application Data\kjmbradb.log
c:\documents and settings\Amir\Local Settings\Application Data\lgcqphdu.log
c:\documents and settings\Amir\Local Settings\Application Data\ocaibvmy.log
c:\documents and settings\Amir\Local Settings\Application Data\vigrsser.log
c:\documents and settings\Amir\Local Settings\Application Data\xbwlfrix.log
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
-------\Service_Micorsoft Windows Service
.
.
((((((((((((((((((((((((( Files Created from 2012-03-07 to 2012-04-07 )))))))))))))))))))))))))))))))
.
.
2012-04-07 11:31 . 2012-04-07 11:31 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-04-07 11:27 . 2012-04-07 11:27 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-04-07 11:27 . 2012-04-07 11:27 -------- d-----w- c:\documents and settings\Amir\Application Data\Malwarebytes
2012-04-07 11:27 . 2012-04-07 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-07 10:43 . 2012-04-07 11:53 100464 ---ha-w- c:\windows\system32\237zms3
2012-04-03 09:15 . 2012-04-03 09:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Juniper Networks
2012-04-03 09:15 . 2012-04-04 07:47 -------- d-----w- c:\documents and settings\Amir\Application Data\Juniper Networks
2012-04-01 13:43 . 2012-04-07 11:54 -------- d-----w- c:\documents and settings\Amir\Local Settings\Application Data\alnjnbhr
2012-04-01 13:42 . 2012-04-01 13:42 -------- d-----w- c:\windows\Sun
2012-03-17 20:56 . 2012-03-17 20:56 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-17 20:56 . 2012-03-17 20:56 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-19 15:57 . 2011-06-30 11:03 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2007-07-22 13:31 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 07:37 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2010-05-02 20:03 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-17 20:56 . 2011-05-07 13:50 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WordWeb"="c:\program files\WordWeb\wweb32.exe" [2009-11-08 65216]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-25 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-06-25 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-06-25 136192]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"FaxCenterServer"="c:\program files\\Lexmark Fax Solutions\fm3032.exe" [2007-07-16 311984]
"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-07-16 434864]
"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-07-16 25264]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
.
c:\documents and settings\Amir\Start Menu\Programs\Startup\
PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-8-4 333088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\Amir\Local Settings\Application Data\alnjnbhr\irfvxbnf.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-06-15 14:02 15141768 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\lxdicoms.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"c:\\WINDOWS\\system32\\lxdicfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdiwbgw.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Java\\jre7\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Amir\\My Documents\\Downloads\\utorrent(2).exe"=
.
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [17/11/2010 17:49 99248]
R2 PS3 Media Server;PS3 Media Server;c:\program files\PS3 Media Server\win32\service\wrapper.exe [17/05/2011 08:27 366872]
R2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [20/04/2011 15:45 2280312]
R3 Pcouffin;Low level access layer for CD devices;c:\windows\system32\drivers\Pcouffin.sys [16/02/2011 15:39 47360]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [02/05/2010 21:47 1684736]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [07/04/2012 12:27 40776]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [23/04/2007 13:54 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [23/04/2007 13:54 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [23/04/2007 13:54 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [23/04/2007 13:54 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [23/04/2007 13:54 98568]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
*NewlyCreated* - WS2IFSL
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Amir\Application Data\Mozilla\Firefox\Profiles\mj87znzk.default\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-IrfVxbnf - c:\documents and settings\Amir\Local Settings\Application Data\alnjnbhr\irfvxbnf.exe
AddRemove-{3108C217-BE83-42E4-AE9E-A56A2A92E549} - c:\program files\InstallShield Installation Information\{3108C217-BE83-42E4-AE9E-A56A2A92E549}\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-07 12:55
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Amir\Start Menu\Programs\Startup\irfvxbnf.exe 97964 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(652)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\SSSensor.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SPF\smc.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\system32\lxdicoms.exe
c:\program files\TeamViewer\Version6\TeamViewer.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\java.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-04-07 13:00:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-07 12:00
.
Pre-Run: 8,490,897,408 bytes free
Post-Run: 10,124,296,192 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 3E8204956D68E2B12202B00E3CB14471