ComboFix 12-09-27.03 - Owner 09/27/2012 14:59:47.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1538 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Application Data\upama.dll
c:\documents and settings\Owner\Application Data\wltps.dll
C:\install.exe
c:\recycler\S-1-5-18\$387d6269db79bc00b47b8a7aa844a079\@
c:\recycler\S-1-5-18\$387d6269db79bc00b47b8a7aa844a079\n
c:\recycler\S-1-5-21-1993962763-1965331169-1801674531-1003\$387d6269db79bc00b47b8a7aa844a079\n
c:\windows\assembly\GAC\Desktop.ini
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-27 to 2012-09-27 )))))))))))))))))))))))))))))))
.
.
2012-09-27 14:17 . 2012-09-27 14:17 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2012-09-27 14:01 . 2012-09-27 14:01 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2012-09-27 14:01 . 2012-09-27 14:01 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2012-09-27 08:59 . 2012-09-27 08:59 -------- d-----w- C:\FRST
2012-09-27 08:01 . 2012-09-27 13:46 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-09-27 08:01 . 2012-09-27 08:02 -------- d-----w- c:\program files\Symantec
2012-09-27 08:01 . 2012-09-27 08:01 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-09-27 08:01 . 2012-09-27 08:01 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-09-27 08:01 . 2012-09-27 19:20 -------- d-----w- c:\windows\system32\drivers\N360
2012-09-27 08:01 . 2012-09-27 08:01 -------- d-----w- c:\program files\Norton 360
2012-09-27 08:01 . 2012-09-27 08:01 -------- d-----w- c:\program files\Windows Sidebar
2012-09-27 08:01 . 2012-09-27 08:01 -------- d-----w- c:\program files\NortonInstaller
2012-09-27 08:00 . 2012-09-27 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2012-09-27 07:11 . 2012-09-27 07:11 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-09-26 12:24 . 2012-09-26 12:24 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{1A2BD932-07D5-11E2-8271-B8AC6F996F26}
2012-08-31 12:16 . 2012-08-31 12:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2012-08-31 00:17 . 2012-08-31 00:17 -------- d-----w- c:\windows\Sun
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-21 12:40 . 2012-08-20 16:42 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-21 12:40 . 2012-08-20 16:42 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-28 15:14 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2008-04-14 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2008-04-14 12:00 385024 ------w- c:\windows\system32\html.iec
2012-08-20 16:43 . 2012-08-20 16:43 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-08-20 16:43 . 2012-08-20 16:43 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-20 16:43 . 2012-08-20 16:43 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-20 16:43 . 2012-08-20 16:43 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-06 13:58 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05 . 2012-08-17 23:07 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2008-04-14 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-07-14 00:17 . 2012-08-20 16:41 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-08-25 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-08 421776]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502010.003\symds.sys [9/27/2012 1:40 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502010.003\symefa.sys [9/27/2012 1:40 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20120919.001\BHDrvx86.sys [9/19/2012 10:28 PM 995488]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502010.003\ironx86.sys [9/27/2012 1:40 PM 136312]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.2.1.3\ccsvchst.exe [9/27/2012 1:40 PM 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/27/2012 1:40 PM 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20120926.001\IDSXpx86.sys [9/26/2012 3:45 PM 373728]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/24/2012 7:36 PM 136176]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [8/17/2012 6:43 PM 20160]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [8/20/2012 11:42 AM 250288]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/24/2012 7:36 PM 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [8/20/2012 11:41 AM 113120]
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-20 12:40]
.
2012-09-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2012-08-20 23:57]
.
2012-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-25 00:36]
.
2012-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-25 00:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?ilc=1
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 24.159.64.23 24.217.201.67 66.189.0.100
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\v3jxi7j8.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-wltps - c:\documents and settings\Owner\Application Data\wltps.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-27 15:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.2.1.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.2.1.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
Completion time: 2012-09-27 15:08:11
ComboFix-quarantined-files.txt 2012-09-27 20:08
.
Pre-Run: 421,795,909,632 bytes free
Post-Run: 424,149,958,656 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 17C5B340DABB4601683BF958824485D8