ComboFix 09-03-26.03 - Em 2009-03-27 15:31:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534.1122 [GMT -5:00]
Running from: c:\documents and settings\Em\Desktop\ComboFix.exe
FW: Symantec Endpoint Protection *enabled*
 * Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\fhpatch.dll
c:\windows\system32\fiplock.dll
c:\windows\system32\hack.ini
c:\windows\system32\iphy.dll
c:\windows\system32\riphy.dll
c:\windows\system32\tmp0_20957613908.bk
c:\windows\system32\windows.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_360TAY
-------\Legacy_AFISICX
-------\Legacy_MABIDWE
-------\Legacy_NOYTCYR
-------\Legacy_ROYTCTM
-------\Legacy_SOPIDKC
-------\Legacy_SOXPECA
-------\Legacy_TDYDOWKC
-------\Legacy_WINDOWS
-------\Legacy_WSLDOEKD


((((((((((((((((((((((((( Files Created from 2009-02-27 to 2009-03-27 )))))))))))))))))))))))))))))))
.

2009-03-27 12:22 . 2003-08-21 16:47 162,400 --a------ c:\windows\system32\iuctl.dll
2009-03-27 12:11 . 2009-03-27 12:11 d-------- c:\program files\Support Tools
2009-03-27 09:11 . 2009-03-27 09:11 d-------- C:\_OTScanIt
2009-03-26 20:02 . 2009-03-26 20:30 d-------- C:\tshoot
2009-03-26 18:42 . 2009-03-26 18:42 0 --a------ c:\documents and settings\Em\settings.dat
2009-03-24 16:55 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
2009-03-23 15:32 . 2009-03-23 15:32 d-------- c:\windows\ERUNT
2009-03-22 09:37 . 2009-03-22 09:37 d-------- c:\documents and settings\Em\Application Data\Malwarebytes
2009-03-21 23:37 . 2009-03-21 23:37 d-------- c:\program files\AVG
2009-03-21 11:35 . 2009-03-21 11:45 d-------- c:\documents and settings\Em\Application Data\AdobeUM
2009-03-15 13:17 . 2009-03-26 20:11 d--hs---- c:\documents and settings\Em\UserData
2009-03-15 12:38 . 2009-03-26 18:42 d-------- c:\documents and settings\Em
2009-03-08 14:44 . 2009-03-26 20:12 d-------- c:\program files\Lavasoft
2009-03-08 14:44 . 2009-03-26 20:12 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-08 14:18 . 2009-03-26 20:15 d-------- c:\program files\Spybot - Search & Destroy
2009-03-08 14:18 . 2009-03-26 20:15 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-08 12:27 . 2009-03-09 02:53 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-07 16:23 . 2009-03-07 16:23 d-------- c:\documents and settings\jokoloc\Application Data\Malwarebytes
2009-03-05 21:48 . 2009-03-05 22:56 d-------- c:\documents and settings\jokoloc\.housecall6.6
2009-03-05 21:24 . 2009-03-05 21:24 d-------- c:\program files\Trend Micro
2009-03-02 16:01 . 2009-03-02 16:01 0 --a------ c:\windows\nsreg.dat
2009-03-02 15:26 . 2009-03-02 15:26 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-02 15:23 . 2009-03-05 20:58 d-------- c:\program files\VS Revo Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-26 19:44 --------- d-----w c:\program files\Java
2009-03-22 05:50 --------- d-----w c:\program files\Symantec AntiVirus
2009-03-22 05:42 --------- d-----w c:\program files\Microsoft MapPoint
2009-03-22 05:42 --------- d-----w c:\program files\Microsoft Firewall Client 2004
2009-03-22 05:32 --------- d-----w c:\program files\Common Files\Motive
2009-03-22 05:29 --------- d-----w c:\program files\Apple Software Update
2009-03-22 04:04 4,224 ----a-w c:\windows\system32\drivers\beep.sys
2009-03-21 16:28 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-21 14:30 --------- d-----w c:\program files\Microsoft Works
2009-03-08 22:39 --------- d-----w c:\documents and settings\All Users\Application Data\Aventail
2009-03-08 03:04 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-08 02:58 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-08 02:54 --------- d-----w c:\program files\Logitech
2009-03-07 21:17 --------- d-----w c:\documents and settings\jokoloc\Application Data\LimeWire
2009-03-06 01:57 --------- d-----w c:\program files\Common Files\Sonic Shared
2009-03-02 19:23 --------- d-----w c:\program files\Yahoo!
2009-03-02 18:37 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-02-24 21:12 --------- d-----w c:\documents and settings\jokoloc\Application Data\uTorrent
2009-02-22 22:02 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-17 05:31 --------- d-----w c:\program files\Common Files\Adobe
2009-02-13 23:57 --------- d-----w c:\documents and settings\LocalService\Application Data\AdobeUM
2009-02-09 23:30 --------- d-----w c:\program files\WinSCP3
2009-02-09 23:29 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-09 23:22 --------- d---a-w c:\program files\SAV_win
2009-02-09 23:22 --------- d---a-w c:\program files\SAV_VISTA
.

------- Sigcheck -------

2007-04-16 11:07 986112 09f7cb3687f86edaa4ca081f7ab66c03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
2004-08-04 07:00 983552 888190e31455fad793312f8d087146eb c:\windows\$NtUninstallKB935839$\kernel32.dll
2009-02-09 15:32 984576 3ea8b19f01d786fcae249ea2336fbf39 c:\windows\system32\kernel32.dll
2007-04-16 10:52 984576 a01f9ca902a88f7ced06884174d6419d c:\windows\system32\dllcache\kernel32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 434528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-24 218496]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SetupLD.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sndsrvc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\spbbcsvc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vcr32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vcrmon.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vstskmgr.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vstskmgr.exe ]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\xnlscn.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2076597496-1563261944-1256410061-83411\Scripts\Logon\0\0]
"Script"=REG_Conf.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Firewall Client Management.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Firewall Client Management.lnk
backup=c:\windows\pss\Microsoft Firewall Client Management.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 11:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-03-09 05:19 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Portable Media Serial"=2 (0x2)
"mstsc"=2 (0x2)
"MDM"=2 (0x2)
"LiveUpdate"=3 (0x3)
"LBTServ"=3 (0x3)
"KingDuuBa"=2 (0x2)
"iPassConnectEngine"=3 (0x3)
"idsvc"=3 (0x3)
"HCE13QIBP"=2 (0x2)
"FwcAgent"=2 (0x2)
"DWMRCS"=2 (0x2)
"DgVip_Service"=2 (0x2)
"ClipSrv"=2 (0x2)
"ccwiz"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"SNAC"=3 (0x3)
"SmcService"=2 (0x2)
"NgVpnMgr"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=2 (0x2)
"iPCAgent"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"As32Svc"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"IBMPMSVC"=2 (0x2)
"Lavasoft Ad-Aware Service"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2967:TCP"= 2967:TCP:*:Disabled:Sav Management

S2 arxmxo;arxmxo;c:\windows\system32\SVCHOST.EXE -k arxmxo [2004-08-04 14336]
S2 MediapCentere;MS Mediae Control pCenter;c:\windows\System32\svchost.exe -k krnlsvc [2004-08-04 14336]
S2 ResMan;Remote Access Manager Connection ;c:\windows\System32\svchost.exe -k ResMan [2004-08-04 14336]
S2 Symants;Symantec Network Servic;c:\windows\system32\SVCHOST.EXE -k Symants [2004-08-04 14336]
S2 uzdoax;Windows Acquisition Manager;c:\windows\system32\svchost.exe -k uzdoax [2004-08-04 14336]
S2 winErs;Windows System Reporting Manager;c:\windows\System32\svchost.exe -k winErs [2004-08-04 14336]
S3 ap1394;ap1394;\??\c:\windows\system32\ap1394.sys --> c:\windows\system32\ap1394.sys [?]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\DRIVERS\ngfilter.sys --> c:\windows\system32\DRIVERS\ngfilter.sys [?]
S3 NgLog;Aventail VPN Logging;c:\windows\system32\DRIVERS\nglog.sys --> c:\windows\system32\DRIVERS\nglog.sys [?]
S3 NgVpn;Aventail VPN Adapter;c:\windows\system32\DRIVERS\ngvpn.sys --> c:\windows\system32\DRIVERS\ngvpn.sys [?]
S4 FwcAgent;Firewall Client Agent;c:\program files\Microsoft Firewall Client 2004\FwcAgent.exe [2004-06-09 115544]
S4 mstsc;mstsc;c:\windows\RemoteAbc.exe --> c:\windows\RemoteAbc.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - Dnsresolve

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
snwery REG_MULTI_SZ snwery
cxkwkp REG_MULTI_SZ cxkwkp
ResMan REG_MULTI_SZ ResMan
uzdoax REG_MULTI_SZ uzdoax
WinErp REG_MULTI_SZ WinErp
winErs REG_MULTI_SZ winErs
xxcsdl REG_MULTI_SZ xxcsdl
krnlsvc REG_MULTI_SZ MediapCentere
Symants REG_MULTI_SZ Symants
netsvc REG_MULTI_SZ netsvc
irorcj REG_MULTI_SZ irorcj
arxmxo REG_MULTI_SZ arxmxo
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
MSConfigStartUp-Explorer - c:\windows\system32\msrstart.exe
MSConfigStartUp-Messenger (Yahoo!) - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = 
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Microsoft Firewall Client 2004\FwcWsp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-27 15:36:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\arxmxo]
"ServiceDll"="%SystemRoot%\System32\nrifnn.fsl"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\lqyfef]
"ServiceDll"="%SystemRoot%\System32\slztel.fsl"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Symants]
"ServiceDll"="%SystemRoot%\System32\dikqnt.fdf"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"659BD8E725A05FDCC64118EA787EAA2B534A94FABE"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,76,8c,5c,d5,01,63,41,b9,8d,7a,\
"3A77B377802A4B6183DDE08FDE4AD9AF647A702826"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,76,8c,5c,d5,01,63,41,b9,8d,7a,\

[HKEY_USERS\S-1-5-21-2147800216-2383975547-74669015-1021\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2009-03-27 15:38:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-27 20:38:19

Pre-Run: 40,272,130,048 bytes free
Post-Run: 40,176,893,952 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
272 --- E O F --- 2009-01-16 19:08:27
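Added triage example (Python; this is not ComboFix output and not code from the poster). The log above carries four findings a responder would act on before anything else: Image File Execution Options keys whose "Debugger" value is ntsd -d, which makes Windows start that debugger in place of the named program (several of the names are Symantec and McAfee components) so the product never comes up normally; svchost service groups such as arxmxo and Symants whose REG_MULTI_SZ member list contains only the group's own name; ServiceDll values pointing at .fsl and .fdf files rather than DLLs; and Security Center notifications plus the Windows Firewall switched off. The script below parses lines excerpted verbatim from the log and reports each of these, then cross-references the service list with the group list to name the svchost-hosted services to remove first. The two heuristics (a self-named group, a non-.dll ServiceDll) and the field layout it assumes for the S2/S4 service lines are this example's own, not ComboFix's.

```python
"""Added example (not ComboFix output or the poster's code): a triage pass over
a ComboFix registry dump for four indicators present in the log above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Lines excerpted verbatim from the log above; ComboFix prints one entry per line.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sndsrvc.exe]
"Debugger"=ntsd -d
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S2 arxmxo;arxmxo;c:\windows\system32\SVCHOST.EXE -k arxmxo [2004-08-04 14336]
S2 MediapCentere;MS Mediae Control pCenter;c:\windows\System32\svchost.exe -k krnlsvc [2004-08-04 14336]
S2 Symants;Symantec Network Servic;c:\windows\system32\SVCHOST.EXE -k Symants [2004-08-04 14336]
S4 FwcAgent;Firewall Client Agent;c:\program files\Microsoft Firewall Client 2004\FwcAgent.exe [2004-06-09 115544]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
snwery REG_MULTI_SZ snwery
krnlsvc REG_MULTI_SZ MediapCentere
Symants REG_MULTI_SZ Symants
arxmxo REG_MULTI_SZ arxmxo
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\arxmxo]
"ServiceDll"="%SystemRoot%\System32\nrifnn.fsl"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Symants]
"ServiceDll"="%SystemRoot%\System32\dikqnt.fdf"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")  # a [registry key] line sets the context
IFEO_RE = re.compile(r"\\image file execution options\\(.+)$", re.I)
SERVICE_KEY_RE = re.compile(r"\\services\\([^\\]+)$", re.I)
SVCHOST_GROUP_RE = re.compile(r"^(\S+)\s+REG_MULTI_SZ\s+(.*)$")
SERVICE_LIST_RE = re.compile(r"^[SR]\d\s+([^;]+);([^;]*);(.*?)\s+\[[^\]]*\]$")
SVCHOST_K_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.I)
NOTIFY_RE = re.compile(r'"(\w+DisableNotify)"=dword:0*1$')
FIREWALL_RE = re.compile(r'"EnableFirewall"=\s*(\d+)')


@dataclass
class Findings:
    ifeo_debuggers: Dict[str, str] = field(default_factory=dict)    # exe -> Debugger value
    svchost_services: Dict[str, str] = field(default_factory=dict)  # service -> "-k" group
    self_named_groups: List[str] = field(default_factory=list)      # group whose only member is itself
    odd_service_dlls: Dict[str, str] = field(default_factory=dict)  # service -> non-.dll ServiceDll
    notifications_disabled: List[str] = field(default_factory=list)
    firewall_enabled: Optional[bool] = None


def triage(log_text: str) -> Findings:
    """Single pass over the log, using the most recent [key] line as context."""
    found = Findings()
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = SERVICE_LIST_RE.match(line)  # "S2 name;display;image [date size]"
        if m:
            k = SVCHOST_K_RE.search(m.group(3))
            if k:
                found.svchost_services[m.group(1)] = k.group(1)
            continue
        lkey = key.lower()
        ifeo = IFEO_RE.search(key)
        if ifeo and line.lower().startswith('"debugger"='):
            # Windows runs the Debugger value instead of the named executable.
            found.ifeo_debuggers[ifeo.group(1)] = line.split("=", 1)[1].strip()
        elif lkey.endswith("\\svchost"):
            m = SVCHOST_GROUP_RE.match(line)
            if m and m.group(2).split() == [m.group(1)]:
                found.self_named_groups.append(m.group(1))
        elif lkey.endswith("security center"):
            m = NOTIFY_RE.match(line)
            if m:
                found.notifications_disabled.append(m.group(1))
        elif lkey.endswith("firewallpolicy\\standardprofile"):
            m = FIREWALL_RE.match(line)
            if m:
                found.firewall_enabled = m.group(1) != "0"
        else:
            svc = SERVICE_KEY_RE.search(key)
            if svc and line.lower().startswith('"servicedll"='):
                path = line.split("=", 1)[1].strip().strip('"')
                if not path.lower().endswith(".dll"):
                    found.odd_service_dlls[svc.group(1)] = path
    return found


def hijacked_svchost_services(found: Findings) -> List[str]:
    """svchost-hosted services whose group exists only for them or whose ServiceDll is not a .dll."""
    return [svc for svc, grp in found.svchost_services.items()
            if grp in found.self_named_groups or svc in found.odd_service_dlls]


if __name__ == "__main__":
    f = triage(SAMPLE_LOG)
    for exe, dbg in f.ifeo_debuggers.items():
        print(f"IFEO hijack: {exe} -> {dbg}")
    print("rogue svchost services:", hijacked_svchost_services(f))
    print("firewall enabled:", f.firewall_enabled, "| notifications off:", f.notifications_disabled)
```

Run against the excerpt it reports the sndsrvc.exe hijack, names arxmxo and Symants as the services to pull (MediapCentere escapes both rules because its krnlsvc group names a different member, a reminder that these heuristics narrow the list rather than close it), and confirms the firewall is off with both Security Center notifications suppressed. The same triage function accepts the full log pasted above; the S3 driver lines and the legitimate FwcAgent entry are ignored because they are not hosted by svchost.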