ComboFix found a rootkit and rebooted. It scanned again, rebooted, and produced this log:
ComboFix 11-11-26.04 - user1 11/26/2011 18:47:47.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1976.1414 [GMT -6:00]
Running from: c:\documents and settings\user1\Desktop\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {4CA5B9AB-4295-4D4C-9664-0EBE85AE0525}
FW: Trend Micro Personal Firewall *Enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\privacy.exe
c:\documents and settings\All Users\Desktop\Privacy Protection.lnk
c:\windows\$NtUninstallKB18020$\3095921390
c:\windows\$NtUninstallKB18020$\925200705\@
c:\windows\$NtUninstallKB18020$\925200705\bckfg.tmp
c:\windows\$NtUninstallKB18020$\925200705\cfg.ini
c:\windows\$NtUninstallKB18020$\925200705\Desktop.ini
c:\windows\$NtUninstallKB18020$\925200705\kwrd.dll
c:\windows\$NtUninstallKB18020$\925200705\L\cbnuiuud
c:\windows\$NtUninstallKB18020$\925200705\lsflt7.ver
c:\windows\$NtUninstallKB18020$\925200705\U\00000001.@
c:\windows\$NtUninstallKB18020$\925200705\U\00000002.@
c:\windows\$NtUninstallKB18020$\925200705\U\00000004.@
c:\windows\$NtUninstallKB18020$\925200705\U\80000000.@
c:\windows\$NtUninstallKB18020$\925200705\U\80000004.@
c:\windows\$NtUninstallKB18020$\925200705\U\80000032.@
c:\windows\CSC\d6
c:\windows\svcs.exe
c:\windows\system32\0.35658658577462654.exe
c:\windows\system32\0.49672985443144646.exe
c:\windows\system32\6to4ex.dll
c:\windows\$NtUninstallKB18020$ . . . . Failed to delete
.
c:\windows\system32\upnphost.dll . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Service_6to4
-------\Legacy_NetworkLog
-------\Service_NetworkLog
.
.
((((((((((((((((((((((((( Files Created from 2011-10-27 to 2011-11-27 )))))))))))))))))))))))))))))))
.
.
2067-05-27 20:16 . 2011-11-08 15:56 1249280 ----a-w- c:\program files\Microsoft Games\Impossible Creatures\InsectMod.dll
2067-05-22 03:35 . 2003-06-05 22:40 106496 ----a-w- c:\program files\Microsoft Games\Impossible Creatures\Filesystem.dll
2011-11-26 12:22 . 2011-11-26 12:23 -------- d-----w- c:\windows\system32\config\systemprofile\Tracing
2011-11-25 22:30 . 2011-11-25 22:30 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-11-25 16:01 . 2011-11-25 17:36 -------- d-----w- c:\documents and settings\user1\DoctorWeb
2011-11-25 15:37 . 2011-11-25 15:37 -------- d-----w- c:\documents and settings\user1\Local Settings\Application Data\uTorrent
2011-11-23 15:06 . 2011-11-23 15:06 -------- d-----w- C:\_OTL
2011-11-22 19:08 . 2004-03-09 22:45 224016 ----a-w- c:\windows\system32\TABCTL32.OCX
2011-11-21 14:34 . 2011-11-21 14:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-11-21 14:32 . 2011-11-21 14:32 -------- d-----w- c:\documents and settings\user1\Application Data\Itsth
2011-11-21 14:31 . 2011-11-21 14:31 -------- d-----w- c:\program files\Easy2Sync for Outlook
2011-11-21 14:26 . 2011-11-21 14:26 3584 ----a-r- c:\documents and settings\user1\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2011-11-21 14:26 . 2011-11-21 14:26 -------- d-----w- c:\program files\Windows Installer Clean Up
2011-11-17 14:24 . 2011-11-16 23:58 133208 ----a-w- c:\windows\system32\drivers\54562378.sys
2011-11-17 02:24 . 2011-11-17 02:24 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-16 23:06 . 2011-11-16 23:06 -------- d-sh--w- c:\documents and settings\user1\IECompatCache
2011-11-16 15:14 . 2011-11-16 23:58 133208 ----a-w- c:\windows\system32\drivers\82388117.sys
2011-11-16 14:42 . 2011-11-16 23:58 133208 ----a-w- c:\windows\system32\drivers\42497254.sys
2011-11-14 21:38 . 2010-02-24 11:57 457216 -c--a-w- c:\windows\system32\dllcache\mrxsmb.sys
2011-11-14 21:38 . 2010-02-24 11:57 457216 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-11-10 20:18 . 2011-11-10 20:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-11-10 20:18 . 2011-11-10 20:26 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-11-10 20:04 . 2011-11-10 20:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-11-09 03:30 . 2011-11-25 15:41 -------- d-----w- c:\documents and settings\user1\Application Data\Skype
2011-11-09 03:29 . 2011-11-09 03:29 -------- d-----w- c:\program files\Common Files\Skype
2011-11-09 03:29 . 2011-11-09 03:29 -------- d-----r- c:\program files\Skype
2011-11-09 03:13 . 2011-11-09 03:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2011-11-08 15:56 . 2011-11-08 15:56 442368 ----a-w- c:\program files\Microsoft Games\Impossible Creatures\Locale\German\Insect\ModText.dll
2011-11-08 15:56 . 2011-11-08 15:56 442368 ----a-w- c:\program files\Microsoft Games\Impossible Creatures\Locale\French\Insect\ModText.dll
2011-11-08 15:56 . 2011-11-08 15:56 389120 ----a-w- c:\program files\Microsoft Games\Impossible Creatures\Locale\english\Insect\ModText.dll
2011-11-05 02:21 . 2010-07-07 01:36 301696 ----a-w- c:\windows\system32\UCI32A59.dll
2011-11-05 01:57 . 2011-11-05 01:57 -------- d-----w- c:\documents and settings\user1\TruePianos Settings
2011-11-05 01:55 . 2011-11-05 01:56 -------- d-----w- c:\documents and settings\user1\Application Data\Cakewalk
2011-11-05 01:53 . 2011-11-05 01:53 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{D69A48BF-7653-4AA8-94BC-5847522A4573}
2011-11-05 01:51 . 2011-11-05 01:51 -------- d-----w- c:\program files\Common Files\Digidesign
2011-11-05 01:51 . 2011-11-05 01:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Native Instruments
2011-11-05 01:51 . 2011-11-05 01:51 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{0CC51CB2-911C-40BB-BC1B-BD3CAC590222}
2011-11-05 01:50 . 2011-11-05 01:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{D7CFB71A-972A-44FF-AE44-8780EB53ABB2}
2011-11-05 01:50 . 2011-11-05 01:51 -------- d-----w- c:\program files\Common Files\Native Instruments
2011-11-05 01:50 . 2011-11-05 01:51 -------- d-----w- c:\program files\Native Instruments
2011-11-05 01:21 . 2006-02-24 14:00 344064 ----a-w- c:\windows\system32\msvcr70.dll
2011-11-05 01:21 . 2006-02-24 14:00 487424 ----a-w- c:\windows\system32\msvcp70.dll
2011-11-05 01:04 . 2011-11-15 18:25 -------- d-----w- c:\program files\Cakewalk
2011-11-05 01:04 . 2011-11-15 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Cakewalk
2011-11-04 22:59 . 2011-11-04 23:18 -------- d-----w- c:\documents and settings\user1\Application Data\ImgBurn
2011-11-04 22:50 . 2011-11-04 22:50 -------- d-----w- c:\program files\ImgBurn
2011-11-03 03:18 . 2011-11-03 03:18 -------- d-----w- c:\documents and settings\user1\Application Data\Voxatron
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 18:17 . 2011-09-20 17:19 102400 ----a-w- c:\windows\RegBootClean.exe
2011-08-31 23:00 . 2009-06-10 18:16 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-18 03:08 . 2011-10-18 03:08 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-10-17 . BA3D691CBA9DFDB3D50C16F6AA62F18B . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
[-] 2008-04-14 09:42 . 022A00180AE900C90AA9BA5DE8BD961C . 185856 . . [------] . . c:\windows\system32\upnphost.dll
[7] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\upnphost.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\user1\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\user1\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\user1\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\user1\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2011-11-25 642424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-11 143360]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-04 1323008]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2010-12-30 874832]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3776512]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2011-07-05 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\user1\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\user1\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2009-03-19 08:55 180224 ----a-w- c:\windows\system32\FpWinlogonNp.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Install Pending Files.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Install Pending Files.LNK
backup=c:\windows\pss\Install Pending Files.LNKCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-09-11 15:17 172032 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntivirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Documents and Settings\\user1\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\LeapFTP\\LeapFTP.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4899:TCP"= 4899:TCP:RAdmin
"48900:UDP"= 48900:UDP:RAdmin-UDP
"54601:TCP"= 54601:TCP:Trend Micro OfficeScan Listener
"6112:TCP"= 6112:TCP:Blizzard Downloader
.
R0 42497254;42497254;c:\windows\system32\drivers\42497254.sys [11/16/2011 8:42 AM 133208]
R0 54562378;54562378;c:\windows\system32\drivers\54562378.sys [11/17/2011 8:24 AM 133208]
R1 82388117;82388117;c:\windows\system32\drivers\82388117.sys [11/16/2011 9:14 AM 133208]
R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [3/19/2009 2:48 AM 1680632]
R2 DB2MGMTSVC_TAEVAL10;DB2 Management Service (TAEVAL10);c:\program files\Quest Software\Toad for Data Analysis Trial 1.0\DB2 Client\BIN\db2mgmtsvc.exe [11/6/2006 6:33 PM 35880]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [3/19/2009 2:53 AM 98304]
R2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [7/17/2009 7:32 AM 3576320]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [4/2/2010 12:19 PM 57424]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [11/26/2008 7:42 PM 262416]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [11/26/2008 7:42 PM 36624]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [10/17/2008 8:34 AM 243856]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.2;c:\windows\system32\drivers\libusb0.sys [12/23/2010 3:25 PM 28160]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [1/23/2009 7:21 AM 341584]
R3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [1/23/2009 7:17 AM 497080]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [1/23/2009 7:17 AM 689416]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [5/14/2009 4:19 PM 33920]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\user1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\user1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\user1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\user1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2010 7:03 PM 136176]
S2 SessionLauncher;SessionLauncher;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [3/19/2009 2:52 AM 106496]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [5/7/2009 2:26 AM 482176]
S3 DB2NTSECSERVER_TAEVAL10;DB2 Security Server (TAEVAL10);c:\program files\Quest Software\Toad for Data Analysis Trial 1.0\DB2 Client\BIN\db2sec.exe [11/6/2006 6:35 PM 14376]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [5/8/2009 10:01 AM 10752]
S3 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [3/19/2009 2:55 AM 118784]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2010 7:03 PM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/16/2011 8:24 PM 41272]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [4/25/2008 6:15 AM 1120752]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [8/10/2011 10:53 PM 229376]
S4 r_server;Remote Administrator Service;"c:\windows\system32\r_server.exe" /service --> c:\windows\system32\r_server.exe [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - CWBNETNT
*NewlyCreated* - MDM
*NewlyCreated* - OSE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 19:34]
.
2011-11-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-12-20 20:43]
.
2011-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 01:03]
.
2011-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 01:03]
.
2011-11-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4027829005-1107895287-290554039-19765Core.job
- c:\documents and settings\user1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 02:13]
.
2011-11-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4027829005-1107895287-290554039-19765UA.job
- c:\documents and settings\user1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 02:13]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.hyperionics.com/index.asp?Page=hsdx/changelog.asp
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 68.87.72.134 68.87.77.134
DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} - hxxp://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_IKEA_Win32.cab
FF - ProfilePath - c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\slul1wop.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Privacy Protection - c:\documents and settings\All Users\Application Data\privacy.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2011-11-26 19:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,44,1f,00,69,bf,c2,56,49,84,a3,d0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,44,1f,00,69,bf,c2,56,49,84,a3,d0,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1532)
c:\windows\system32\FpWinLogonNp.dll
c:\program files\Lenovo Fingerprint Software\ATCSSINT.dll
c:\program files\Lenovo Fingerprint Software\SharedResources.dll
c:\program files\Lenovo Fingerprint Software\FPResource.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(5148)
c:\documents and settings\user1\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Brmfrmps.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\program files\Common Files\New Boundary\PrismXL\PrismXL.sys
c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\fxssvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-11-26 19:31:24 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-27 01:31
.
Pre-Run: 95,641,882,624 bytes free
Post-Run: 96,161,468,416 bytes free
.
- - End Of File - - F4A2143D0F7D659F0289BEE173EAA83C
Edited by Maxihup, 26 November 2011 - 07:45 PM.