ComboFix 12-04-07.02 - Amir 07/04/2012 19:42:14.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.989.483 [GMT 1:00]
Running from: c:\documents and settings\Amir\Desktop\ComboFix.exe
FW: Sygate Personal Firewall *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Amir\Local Settings\Application Data\alnjnbhr\irfvxbnf.exe
c:\documents and settings\Amir\Local Settings\Application Data\cppbhbiv.log
c:\documents and settings\Amir\Local Settings\Application Data\jsfnydve.log
c:\documents and settings\Amir\Local Settings\Application Data\kjmbradb.log
c:\documents and settings\Amir\Local Settings\Application Data\lgcqphdu.log
c:\documents and settings\Amir\Local Settings\Application Data\ocaibvmy.log
c:\documents and settings\Amir\Local Settings\Application Data\vigrsser.log
c:\documents and settings\Amir\Local Settings\Application Data\xbwlfrix.log
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
-------\Service_Micorsoft Windows Service
.
.
((((((((((((((((((((((((( Files Created from 2012-03-07 to 2012-04-07 )))))))))))))))))))))))))))))))
.
.
2012-04-07 16:37 . 2012-04-07 18:49 -------- d-----w- c:\documents and settings\Amir\Local Settings\Application Data\alnjnbhr
2012-04-07 16:37 . 2012-04-07 18:48 100464 ---ha-w- c:\windows\system32\237zms3
2012-04-07 16:33 . 2012-04-07 16:33 -------- d-----w- C:\_OTL
2012-04-07 14:49 . 2012-04-07 14:47 593920 ----a-w- C:\OTL.exe
2012-04-07 14:49 . 2012-04-07 14:36 4831232 ----a-w- C:\aswMBR.exe
2012-04-07 13:30 . 2012-04-07 13:30 388096 ----a-r- c:\documents and settings\Amir\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-04-07 13:30 . 2012-04-07 13:30 -------- d-----w- c:\program files\HT
2012-04-07 11:31 . 2012-04-07 11:31 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-04-07 11:27 . 2012-04-07 11:27 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-04-07 11:27 . 2012-04-07 11:27 -------- d-----w- c:\documents and settings\Amir\Application Data\Malwarebytes
2012-04-07 11:27 . 2012-04-07 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-03 09:15 . 2012-04-03 09:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Juniper Networks
2012-04-03 09:15 . 2012-04-04 07:47 -------- d-----w- c:\documents and settings\Amir\Application Data\Juniper Networks
2012-04-01 13:42 . 2012-04-01 13:42 -------- d-----w- c:\windows\Sun
2012-03-17 20:56 . 2012-03-17 20:56 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-17 20:56 . 2012-03-17 20:56 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-19 15:57 . 2011-06-30 11:03 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2007-07-22 13:31 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 07:37 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2010-05-02 20:03 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-17 20:56 . 2011-05-07 13:50 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-07_11.54.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-07 18:48 . 2012-04-07 18:48 16384 c:\windows\Temp\Perflib_Perfdata_7ac.dat
+ 2012-04-07 18:50 . 2012-04-07 18:50 349255 c:\windows\Temp\jna2921946674445329421.dll
+ 2012-04-07 13:30 . 2012-04-07 13:30 1094656 c:\windows\Installer\47bc54.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IrfVxbnf"="c:\documents and settings\Amir\Local Settings\Application Data\alnjnbhr\irfvxbnf.exe" [2012-04-07 97964]
.
c:\documents and settings\Amir\Start Menu\Programs\Startup\
irfvxbnf.exe [2012-4-1 97964]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\Amir\Local Settings\Application Data\alnjnbhr\irfvxbnf.exe"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Amir^Start Menu^Programs^Startup^PMB Media Check Tool.lnk]
path=c:\documents and settings\Amir\Start Menu\Programs\Startup\PMB Media Check Tool.lnk
backup=c:\windows\pss\PMB Media Check Tool.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2009-01-29 22:20 159744 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2006-06-13 04:20 127036 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2007-07-16 16:54 311984 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 18:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-06-25 04:51 166912 ----a-r- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-06-25 04:52 134656 ----a-r- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IrfVxbnf]
2012-04-07 18:50 97964 ----a-w- c:\documents and settings\Amir\Local Settings\Application Data\alnjnbhr\irfvxbnf.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdiamon]
2007-07-16 16:54 25264 ----a-w- c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdimon.exe]
2007-07-16 16:54 434864 ----a-w- c:\program files\Lexmark 3500-4500 Series\lxdimon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-06-25 04:51 136192 ----a-r- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-08-14 06:08 18702336 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-06-15 14:02 15141768 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
2004-10-15 18:40 2577632 ----a-w- c:\progra~1\Sygate\SPF\Smc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-05-04 12:59 252136 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WordWeb]
2009-11-08 23:18 65216 ------w- c:\program files\WordWeb\wweb32.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\lxdicoms.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"c:\\WINDOWS\\system32\\lxdicfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdiwbgw.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Java\\jre7\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Amir\\My Documents\\Downloads\\utorrent(2).exe"=
.
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [17/11/2010 17:49 99248]
R2 PS3 Media Server;PS3 Media Server;c:\program files\PS3 Media Server\win32\service\wrapper.exe [17/05/2011 08:27 366872]
R2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [20/04/2011 15:45 2280312]
R3 Pcouffin;Low level access layer for CD devices;c:\windows\system32\drivers\Pcouffin.sys [16/02/2011 15:39 47360]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [02/05/2010 21:47 1684736]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [07/04/2012 12:27 40776]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [23/04/2007 13:54 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [23/04/2007 13:54 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [23/04/2007 13:54 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [23/04/2007 13:54 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [23/04/2007 13:54 98568]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Amir\Application Data\Mozilla\Firefox\Profiles\mj87znzk.default\
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-07 19:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(304)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\SSSensor.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SPF\smc.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\system32\lxdicoms.exe
c:\program files\TeamViewer\Version6\TeamViewer.exe
c:\windows\system32\java.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-04-07 19:52:58 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-07 18:52
ComboFix2.txt 2012-04-07 12:00
.
Pre-Run: 10,433,613,824 bytes free
Post-Run: 10,397,224,960 bytes free
.
- - End Of File - - 85F78D5B88F4D997A4093CCB0470D251