ComboFix log:
ComboFix 12-03-28.02 - Administrator 03/28/2012 20:46:14.1.2 - x86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\NetworkService\Application Data\Microsoft\Microsoft
c:\windows\$NtUninstallKB26824$
c:\windows\$NtUninstallKB26824$\147283983\@
c:\windows\$NtUninstallKB26824$\147283983\cfg.ini
c:\windows\$NtUninstallKB26824$\147283983\Desktop.ini
c:\windows\$NtUninstallKB26824$\147283983\L\aaekazwk
c:\windows\$NtUninstallKB26824$\147283983\oemid
c:\windows\$NtUninstallKB26824$\147283983\U\00000001.@
c:\windows\$NtUninstallKB26824$\147283983\U\00000002.@
c:\windows\$NtUninstallKB26824$\147283983\U\00000004.@
c:\windows\$NtUninstallKB26824$\147283983\U\80000000.@
c:\windows\$NtUninstallKB26824$\147283983\U\80000004.@
c:\windows\$NtUninstallKB26824$\147283983\U\80000032.@
c:\windows\$NtUninstallKB26824$\147283983\version
c:\windows\$NtUninstallKB26824$\1936226844
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\drivers\SirefefRemover.sys
c:\windows\system32\spool\prtprocs\w32x86\pcldll6l.dll
c:\windows\system32\spool\prtprocs\w32x86\zpp.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-29 )))))))))))))))))))))))))))))))
.
.
2012-03-29 00:30 . 2012-03-29 00:30 -------- d-----w- C:\_OTL
2012-03-27 22:54 . 2012-03-27 22:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\WinZip
2012-03-27 22:53 . 2012-03-27 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2012-03-27 22:23 . 2012-03-27 22:23 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-23 05:32 . 2012-03-23 05:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2012-03-23 03:43 . 2012-03-23 05:48 -------- d-----w- c:\program files\ESET
2012-03-23 03:43 . 2012-03-23 03:43 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2012-03-23 01:08 . 2012-03-23 01:08 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-23 01:08 . 2012-03-23 01:08 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-23 01:01 . 2012-03-23 01:05 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NPE
2012-03-23 00:39 . 2012-03-23 02:05 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\LogMeIn Rescue Applet
2012-03-23 00:27 . 2012-03-23 00:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Tific
2012-03-22 02:16 . 2012-03-22 02:17 -------- d-----w- c:\windows\Temp8610514F-18B1-03A5-16C7-FED07C0DD337-Signatures
2012-03-20 04:42 . 2012-03-20 04:42 -------- d-----w- c:\program files\Conduit
2012-03-20 04:42 . 2012-03-22 05:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Somoto
2012-03-20 04:42 . 2012-03-22 05:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Conduit
2012-03-20 04:03 . 2012-03-20 04:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-03-20 01:13 . 2012-03-20 01:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2012-03-17 03:43 . 2012-03-17 03:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-27 04:58 . 2012-03-27 04:58 162816 ----a-w- c:\windows\system32\drivers\netbt.sys.org
2012-03-22 01:35 . 2011-06-10 00:08 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2008-04-13 23:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2010-11-30 19:16 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-11 19:06 . 2012-02-17 02:00 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2010-03-01 22:03 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-01-02 18:22 . 2012-01-02 18:22 57344 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
2012-03-23 01:08 . 2012-02-27 22:59 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-21 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-06-12 408344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-30 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-30 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-30 141848]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-04-02 128232]
"hp 1000 firmware"="c:\program files\hp LaserJet 1000\fwdl.exe" [2001-12-15 36864]
"Nikon Message Center 2"="c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-26 619008]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-09-22 3080264]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2011-12-23 611144]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\GrabSample.exe"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [8/4/2011 9:20 AM 118104]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/4/2011 9:20 AM 103112]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/22/2011 12:03 PM 974944]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [3/2/2010 9:57 AM 2521880]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/21/2011 10:22 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/21/2011 10:22 AM 136176]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
btwhid
dcpflics
ativraxx
rvscc
SE27mgmt
viairda
ATWPKT2
zpjava
athr
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-21 14:22]
.
2012-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-21 14:22]
.
2012-03-29 c:\windows\Tasks\User_Feed_Synchronization-{D855DFAE-6614-4717-84E5-05867E2AD715}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jmokftwi.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2012-03-28 20:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-665178515-2749075302-3743144992-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
@SACL=
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,21,61,8e,58,00,09,62,43,bc,e1,8c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e7,71,61,b9,8b,7f,25,4b,95,eb,0d,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1648)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\ICO.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\zstatus.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-03-28 20:57:13 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-29 00:57
.
Pre-Run: 58,067,873,792 bytes free
Post-Run: 58,034,397,184 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 9870A6BFA80F567FEFB3034D112B53C0