ComboFix 09-08-10.06 - Klearxos 08/13/2009 2:11.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1253.30.1033.18.1023.618 [GMT -7:00]
Running from: c:\documents and settings\Klearxos\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Installer\24db8.msp
c:\windows\Installer\4510a.msp
c:\windows\Installer\4a0a1.msp
c:\windows\Installer\4e0f6.msp
c:\windows\Installer\5092f.msp
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Klearxos\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Klearxos\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Klearxos\Local Settings\Temporary Internet Files\Cpvff.stt
c:\documents and settings\Klearxos\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Mozilla Firefox\extensions\{A5136ADB-C12D-4B53-A3C4-AF6534CE4BDB}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{A5136ADB-C12D-4B53-A3C4-AF6534CE4BDB}\chrome\content\overlay.xul
c:\program files\Mozilla Firefox\extensions\{A5136ADB-C12D-4B53-A3C4-AF6534CE4BDB}\install.rdf
c:\windows\Installer\14f71f6.msp
c:\windows\Installer\161a34.msp
c:\windows\Installer\1a159c.msp
c:\windows\Installer\1d6758.msp
c:\windows\Installer\1e1b56.msp
c:\windows\Installer\21c0d.msp
c:\windows\Installer\21e59c.msp
c:\windows\Installer\21e5e.msp
c:\windows\Installer\2213d.msp
c:\windows\Installer\22c4a.msp
c:\windows\Installer\230ec.msp
c:\windows\Installer\2315a.msp
c:\windows\Installer\23244.msp
c:\windows\Installer\23380.msp
c:\windows\Installer\2362f.msp
c:\windows\Installer\23736.msp
c:\windows\Installer\23ab0.msp
c:\windows\Installer\2401c.msp
c:\windows\Installer\24020.msp
c:\windows\Installer\2409c.msp
c:\windows\Installer\240cb.msp
c:\windows\Installer\24232.msp
c:\windows\Installer\2430d.msp
c:\windows\Installer\2435b.msp
c:\windows\Installer\24417.msp
c:\windows\Installer\2456e.msp
c:\windows\Installer\245dc.msp
c:\windows\Installer\24636.msp
c:\windows\Installer\24668.msp
c:\windows\Installer\2485c.msp
c:\windows\Installer\248ca.msp
c:\windows\Installer\248cb.msp
c:\windows\Installer\24927.msp
c:\windows\Installer\249ec1.msp
c:\windows\Installer\24be7.msp
c:\windows\Installer\24cd7.msp
c:\windows\Installer\24d4e.msp
c:\windows\Installer\24daf.msp
c:\windows\Installer\24ea4.msp
c:\windows\Installer\2531a.msp
c:\windows\Installer\25491.msp
c:\windows\Installer\25879.msp
c:\windows\Installer\25935.msp
c:\windows\Installer\25a8e.msp
c:\windows\Installer\25b71.msp
c:\windows\Installer\25bb8.msp
c:\windows\Installer\25f20.msp
c:\windows\Installer\2600b.msp
c:\windows\Installer\2623d.msp
c:\windows\Installer\2624d.msp
c:\windows\Installer\262fc.msp
c:\windows\Installer\263f3.msp
c:\windows\Installer\26422.msp
c:\windows\Installer\26700.msp
c:\windows\Installer\2680a.msp
c:\windows\Installer\26865.msp
c:\windows\Installer\26981.msp
c:\windows\Installer\26af8.msp
c:\windows\Installer\26c01.msp
c:\windows\Installer\26d59.msp
c:\windows\Installer\26f21.msp
c:\windows\Installer\272f7.msp
c:\windows\Installer\2747d.msp
c:\windows\Installer\275f1.msp
c:\windows\Installer\2773c.msp
c:\windows\Installer\277dc.msp
c:\windows\Installer\27a88.msp
c:\windows\Installer\27b66.msp
c:\windows\Installer\27b72.msp
c:\windows\Installer\2818d.msp
c:\windows\Installer\28342.msp
c:\windows\Installer\283bf.msp
c:\windows\Installer\2844c.msp
c:\windows\Installer\28536.msp
c:\windows\Installer\2864e.msp
c:\windows\Installer\28813.msp
c:\windows\Installer\28cf7.msp
c:\windows\Installer\297d7.msp
c:\windows\Installer\29b61.msp
c:\windows\Installer\29e8e.msp
c:\windows\Installer\29eab.msp
c:\windows\Installer\2a4b5.msp
c:\windows\Installer\2a5bc.msp
c:\windows\Installer\2b0ab.msp
c:\windows\Installer\2c126.msp
c:\windows\Installer\2c3c6.msp
c:\windows\Installer\2c8f6.msp
c:\windows\Installer\2cdc7.msp
c:\windows\Installer\2f8855.msp
c:\windows\Installer\31e57.msp
c:\windows\Installer\327fe.msp
c:\windows\Installer\32ae0.msp
c:\windows\Installer\33481.msp
c:\windows\Installer\3354d.msp
c:\windows\Installer\33bf4.msp
c:\windows\Installer\33c83.msp
c:\windows\Installer\34470.msp
c:\windows\Installer\34683.msp
c:\windows\Installer\346d1.msp
c:\windows\Installer\34990.msp
c:\windows\Installer\349af.msp
c:\windows\Installer\34d49.msp
c:\windows\Installer\34d68.msp
c:\windows\Installer\35074.msp
c:\windows\Installer\351a2.msp
c:\windows\Installer\357a6.msp
c:\windows\Installer\35834.msp
c:\windows\Installer\35f29.msp
c:\windows\Installer\360ff.msp
c:\windows\Installer\364ad.msp
c:\windows\Installer\36843.msp
c:\windows\Installer\368a1.msp
c:\windows\Installer\36a86.msp
c:\windows\Installer\36c6a.msp
c:\windows\Installer\37282.msp
c:\windows\Installer\3738b.msp
c:\windows\Installer\377b5.msp
c:\windows\Installer\379a9.msp
c:\windows\Installer\379ff.msp
c:\windows\Installer\38e8b.msp
c:\windows\Installer\396e5.msp
c:\windows\Installer\3988b.msp
c:\windows\Installer\47ec2b.msp
c:\windows\Installer\54c829.msp
c:\windows\Installer\5a0885.msp
c:\windows\Installer\6d0a7d.msp
c:\windows\Installer\72aa3f.msp
c:\windows\Installer\7a5a24.msp
c:\windows\Installer\a12897.msp
c:\windows\Installer\a86e49.msp
c:\windows\Installer\addb24.msp
c:\windows\Installer\b38cf7.msp
c:\windows\Installer\bd4cf0.msp
c:\windows\Installer\bfc3c.msp
c:\windows\Installer\d9e61a.msp
c:\windows\Installer\fb91db.msp
c:\windows\run.log
c:\windows\system32\beromavu.dll
c:\windows\system32\drivers\ovfsthysmwsflfioypycjealtehrivxpposoqe.sys
c:\windows\system32\lizazopi.exe
c:\windows\system32\ovfsthhiugbvsaupxtfgwwjlytgramgmulaadv.dat
c:\windows\system32\ovfsthjtbprhvlodbmvlxgbsqhujspisgbwsjx.dll
c:\windows\system32\ovfsthkiwuodvlwrapkkjmbipofqqbsxwwmpgx.dat
c:\windows\system32\ovfsthouelewdfvljeanriwnvdeigieljympuk.dll
c:\windows\system32\ovfsthuxakcpvqakfkdxurtriiwumxcavhobqf.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_ovfsthvrblametbqqhxlkmycmetjkvxfaqbrpu
.
((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))
.
2009-08-13 08:37 . 2009-08-13 08:37 -------- d-----w- c:\windows\system32\xircom
2009-08-13 08:37 . 2009-08-13 08:37 -------- d-----w- c:\windows\system32\wbem\snmp
2009-08-13 08:37 . 2009-08-13 08:37 -------- d-----w- c:\program files\microsoft frontpage
2009-08-11 12:22 . 2009-08-11 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-11 12:22 . 2009-08-11 12:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-11 12:19 . 2009-08-11 12:19 -------- d-----w- c:\documents and settings\Klearxos\Application Data\Malwarebytes
2009-08-11 12:19 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-11 12:19 . 2009-08-11 12:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-11 12:19 . 2009-08-11 12:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-11 12:19 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-11 11:59 . 2009-08-11 11:59 -------- d-----w- c:\program files\Trend Micro
2009-08-11 11:54 . 2009-08-11 11:54 -------- d-----w- c:\documents and settings\Klearxos\Local Settings\Application Data\ESET
2009-08-11 11:53 . 2009-08-11 11:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-08-11 11:49 . 2009-08-11 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-12 20:58 . 2008-05-12 03:38 -------- d-----w- c:\program files\Eset
2009-08-11 11:48 . 2009-07-13 11:57 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-13 12:03 . 2008-05-18 00:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-13 12:03 . 2008-05-18 19:34 -------- d-----w- c:\documents and settings\Klearxos\Application Data\Symantec
2009-07-13 11:57 . 2009-07-13 11:57 -------- d-----w- c:\program files\AVG
2009-07-13 11:55 . 2008-05-18 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-13 11:26 . 2009-07-13 11:26 -------- d-----w- c:\documents and settings\Klearxos\Application Data\TeamViewer
2009-06-27 07:53 . 2009-06-27 07:53 2713 --sh--w- c:\windows\system32\pojabese.exe
2009-06-27 07:53 . 2009-06-27 07:53 2713 --sh--w- c:\windows\system32\ketoyibo.dll
2009-06-27 07:53 . 2009-06-27 07:53 2713 --sh--w- c:\windows\system32\rezigepa.dll
2009-04-01 05:47 . 2008-05-18 00:22 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-05-18 13:29 . 2008-04-19 07:44 457 --sh--w- c:\windows\system32\boothide.reg
2008-05-18 13:31 . 2008-04-19 07:44 172 --sh--w- c:\windows\system32\bootrun.reg
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2006-12-08 1253376]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-23 344064]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-23 81920]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 163840]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-21 213936]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HDAShCut.exe [2006-12-28 61952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2006-12-08 1253376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-02-20 124928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"c:\\WINDOWS\\system32\\tftp.exe"=
"c:\\WINDOWS\\system32\\tlntsvr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]
R2 ekrn;ESET Service;c:\program files\Eset\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Windows Sidebar]
c:\windows\system32\hidec /W c:\vaio\Tools\REGTLIB.EXE "c:\program files\Windows Sidebar\sidebar.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{34A19196-274E-4D75-9D30-D7A45A0A4178}]
"c:\program files\Windows Sidebar\.\regsvr32.exe" /s wlsrvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6B9228DA-9C15-419e-856C-19E768A13BDC}]
"c:\program files\Windows Sidebar\.\regsvr32.exe" /s sbdrop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BADA65A0-86B7-462B-B720-CE66655C73F5}]
regsvr32 /s c:\vaio\.\vshellext.dll
.
Contents of the 'Scheduled Tasks' folder

2009-08-12 c:\windows\Tasks\User_Feed_Synchronization-{70F73720-CAF2-4A69-9A37-02F7BE14FB7B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 02:36]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Klearxos\Application Data\Mozilla\Firefox\Profiles\lcjxi5ia.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-13 02:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1408)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-08-13 2:16
ComboFix-quarantined-files.txt 2009-08-13 09:16

Pre-Run: 36,774,719,488 bytes free
Post-Run: 36,753,858,560 bytes free

315 --- E O F --- 2009-05-02 14:50
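Added triage script, not part of ComboFix and not posted with the log above: it parses the line formats this log uses (the Find3M / Files Created rows, the REGEDIT4-style Reg Loading Points, the firewall AuthorizedApplications list) and pulls out the findings a responder would look at first. On this log that means the three 2713-byte files in c:\windows\system32 with random names and the system+hidden attribute string (--sh--w-), the hidden boothide.reg and bootrun.reg, the Security Center values set to 1 (AntiVirusOverride, DisableMonitoring) that suppress the "no antivirus / not monitored" warnings, and the built-in tftp.exe and tlntsvr.exe sitting in the firewall whitelist. The sample input is copied verbatim from the log; the FirewallOverride value name (a sibling of AntiVirusOverride) and the choice of which whitelisted tools to review are the script's own assumptions, and the --sh--w- check reads the attribute letters s and h rather than relying on a fixed column position.

```python
import re
from collections import defaultdict

# Lines copied from the ComboFix log above (Find3M / Files Created rows,
# Security Center values and part of the firewall AuthorizedApplications list),
# used here as the sample input.
SAMPLE_LOG = r"""
2009-08-11 12:19 . 2009-08-11 12:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-11 12:19 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-27 07:53 . 2009-06-27 07:53 2713 --sh--w- c:\windows\system32\pojabese.exe
2009-06-27 07:53 . 2009-06-27 07:53 2713 --sh--w- c:\windows\system32\ketoyibo.dll
2009-06-27 07:53 . 2009-06-27 07:53 2713 --sh--w- c:\windows\system32\rezigepa.dll
2009-04-01 05:47 . 2008-05-18 00:22 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-05-18 13:29 . 2008-04-19 07:44 457 --sh--w- c:\windows\system32\boothide.reg
2008-05-18 13:31 . 2008-04-19 07:44 172 --sh--w- c:\windows\system32\bootrun.reg
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\tftp.exe"=
"c:\\WINDOWS\\system32\\tlntsvr.exe"=
"""

# <modified> . <created> <size or dashes for a directory> <attrs> <path>
FILE_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<ctime>\d{4}-\d\d-\d\d \d\d:\d\d)"
    r"\s+(?P<size>\d+|-+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')

SYSTEM32 = r"c:\windows\system32"
# AntiVirusOverride and DisableMonitoring appear in the log; FirewallOverride is
# the sibling value and is this script's assumption. All three silence Security Center.
SECURITY_CENTER_FLAGS = {"antivirusoverride", "firewalloverride", "disablemonitoring"}
# Built-in network tools from the log's firewall whitelist that merit a second look
# (assumed review list, not something ComboFix flags).
REVIEW_IF_WHITELISTED = {"tftp.exe", "tlntsvr.exe"}


def parse_file_entries(text):
    """Return the Find3M / Files Created rows as dicts; size is None for directories."""
    rows = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["size"] = int(row["size"]) if row["size"].isdigit() else None
            row["path"] = row["path"].lower()
            rows.append(row)
    return rows


def parse_registry(text):
    """Return (key, value_name, data) triples from the REGEDIT4-style lines."""
    triples, key = [], None
    for line in text.splitlines():
        line = line.strip()
        k = REG_KEY_RE.match(line)
        if k:
            key = k.group("key").lower()
            continue
        v = REG_VAL_RE.match(line)
        if v and key:
            triples.append((key, v.group("name"), v.group("value")))
    return triples


def hidden_system_files(rows):
    """Files (not directories) under system32 carrying both the s and h attributes."""
    return [r["path"] for r in rows
            if r["size"] is not None and "s" in r["attrs"] and "h" in r["attrs"]
            and r["path"].startswith(SYSTEM32)]


def same_size_clusters(rows, minimum=2):
    """Group files by byte size; several random names sharing one size is a dropper tell."""
    by_size = defaultdict(list)
    for r in rows:
        if r["size"]:
            by_size[r["size"]].append(r["path"])
    return {size: paths for size, paths in by_size.items() if len(paths) >= minimum}


def security_center_overrides(triples):
    """Security Center values set to 1 that suppress AV / monitoring warnings."""
    return [(key, name) for key, name, data in triples
            if "security center" in key and name.lower() in SECURITY_CENTER_FLAGS
            and data.lower().endswith("00000001")]


def whitelisted_builtin_tools(triples):
    """Entries of the firewall AuthorizedApplications list that match REVIEW_IF_WHITELISTED."""
    hits = []
    for key, name, _ in triples:
        if key.endswith("authorizedapplications\\list"):
            exe = name.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
            if exe in REVIEW_IF_WHITELISTED:
                hits.append(exe)
    return hits


def triage(text):
    """Run every check over one log and return the findings keyed by check."""
    rows, triples = parse_file_entries(text), parse_registry(text)
    return {
        "hidden_system": hidden_system_files(rows),
        "size_clusters": same_size_clusters(rows),
        "security_center": security_center_overrides(triples),
        "firewall_whitelist": whitelisted_builtin_tools(triples),
    }


if __name__ == "__main__":
    for check, findings in triage(SAMPLE_LOG).items():
        print(check, findings)
```

Two caveats when reading the output against the log. The catchme section reports "hidden files: 0" because catchme compares views to find objects a rootkit is concealing; files that merely carry the hidden+system attributes are visible to it, so the attribute check and the rootkit scan answer different questions. And an AntiVirusOverride of 1 is not proof of tampering on its own, since some security products set it themselves; it is worth confirming against what the installed ESET product legitimately writes before treating it as an indicator.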