ComboFix 12-04-18.02 - Administrator 04/19/2012 7:25.1.8 - x86
Microsoft Windows XP Professional 5.1.2600.3.874.1.1033.18.3543.2972 [GMT 7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\system32\PPro20g.ocx
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2012-03-19 to 2012-04-19 )))))))))))))))))))))))))))))))
.
.
2012-04-16 00:16 . 2012-04-16 00:17 -------- d-----w- C:\wamp
2012-04-14 02:17 . 2012-04-14 02:17 -------- d-----w- C:\NVTech Download Modules
2012-04-11 09:01 . 2012-04-18 05:41 -------- d-----r- C:\Program Files
2012-04-11 09:00 . 2012-04-11 06:56 -------- d-----w- C:\Documents and Settings
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-01 10:58 . 2011-04-25 16:09 919552 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 10:58 . 2011-04-25 16:09 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 10:58 . 2011-04-25 16:09 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 23:58 . 2009-06-10 10:33 5918720 ----a-w- c:\windows\system32\nvcuda.dll
2012-02-29 23:58 . 2009-06-10 10:33 4309760 ----a-w- c:\windows\system32\nv4_disp.dll
2012-02-29 23:58 . 2009-06-10 10:33 2522944 ----a-w- c:\windows\system32\nvcuvid.dll
2012-02-29 23:58 . 2009-06-10 10:33 2437440 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-02-29 23:58 . 2009-06-10 10:33 2291712 ----a-w- c:\windows\system32\nvapi.dll
2012-02-29 23:58 . 2009-06-10 10:33 18624512 ----a-w- c:\windows\system32\nvoglnt.dll
2012-02-29 23:58 . 2009-06-10 10:33 13417632 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2012-02-29 20:30 . 2009-06-10 01:29 54272 ----a-w- c:\windows\system32\nvwddi.dll
2012-02-29 20:30 . 2009-06-10 01:28 15494464 ----a-w- c:\windows\system32\nvcpl.dll
2012-02-29 20:30 . 2009-06-10 01:28 143680 ----a-w- c:\windows\system32\nvcolor.exe
2012-02-29 20:30 . 2009-06-10 01:28 164160 ----a-w- c:\windows\system32\nvsvc32.exe
2012-02-29 20:30 . 2009-06-10 01:28 108352 ----a-w- c:\windows\system32\nvmctray.dll
2012-02-29 12:30 . 2011-04-25 11:36 385024 ----a-w- c:\windows\system32\html.iec
1998-04-26 17:00 . 1998-04-26 17:00 570128 ----a-w- c:\program files\Common Files\dao350.dll
2012-03-13 04:39 . 2012-04-11 03:58 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-06-17 . EA22DA5C7AE7192A12E37A7C546220C6 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2011-06-17 . 1C891C955AAA123C937B82E3AE7610CF . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DWPersistentQueuedReporting"="c:\program files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE" [2006-10-26 434528]
"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-10-15 375000]
"RTHDCPL"="RTHDCPL.EXE" [2010-03-26 19522592]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-03-04 638976]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe" [2011-04-24 202296]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-02-29 15494464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2012-02-29 108352]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"KB976002-v5"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
MightyFAX Controller.lnk - c:\program files\MightyFax\MFNTCTL.EXE [2012-4-11 491520]
MsgPopup.lnk - c:\program files\MsgPopupEN\MsgPopup.exe [2006-1-3 1282048]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 00:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 07:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 04:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R1 AppleCharger;AppleCharger;c:\windows\system32\drivers\AppleCharger.sys [4/11/2012 09:54 19496]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [3/4/2011 13:23 11352]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [10/15/2009 14:06 223464]
R2 MSSQL$QLOCALINSTANCE;SQL Server (QLOCALINSTANCE);c:\program files\Pearson\Q Local System 2\SSEE\MSSQL.1\MSSQL\Binn\sqlservr.exe [4/14/2006 10:07 28933976]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [4/11/2012 13:56 2348352]
R2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [4/11/2012 09:52 2320920]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [3/10/2011 18:34 34608]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 20:27 19472]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [8/18/2009 19:50 9472]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4/11/2012 09:35 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/11/2012 11:07 136176]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2/29/2012 08:50 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/12/2012 07:31 253088]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/11/2012 09:53 1691480]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/11/2012 11:07 136176]
S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [4/11/2012 10:00 24944]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 13:37 517096]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [10/3/2008 18:54 14848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 05:05]
.
2012-04-11 c:\windows\Tasks\AdobeAAMUpdater-1.0-JESUITS-A7A3CC2-Administrator.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2012-04-11 20:44]
.
2012-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-04-11 04:07]
.
2012-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-04-11 04:07]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tb2iqqip.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.radioswissclassic.ch/en/webradio
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AdobeBridge - (no file)
Notify-RailNotification - (no file)
MSConfigStartUp-SDTray - c:\program files\Spybot - Search & Destroy 2\SDTray.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-19 07:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
c:\windows\system32\zshp2600.exe [2404] 0x89424020
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2000478354-920026266-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,22,01,1a,a2,5b,eb,43,4b,a1,fe,f7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,22,01,1a,a2,5b,eb,43,4b,a1,fe,f7,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System
[...]
Completion time: 2012-04-19 07:30:57
ComboFix-quarantined-files.txt 2012-04-19 00:30
.
Pre-Run: 148,574,896,128 bytes free
Post-Run: 148,579,397,632 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 4376D731EEBA342DA0FDDB4C212459F8