ComboFix 10-01-02.05 - David 03/01/2010 13:57:15.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.767.493 [GMT 0:00]
Running from: c:\documents and settings\David\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\David\Start Menu\Programs\Mafia
C:\test.txt
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\Mafia
c:\windows\Mafia \uninstall.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
original MBR restored successfully !
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSUPDATE
-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-12-03 to 2010-01-03 )))))))))))))))))))))))))))))))
.

2009-12-22 15:12 . 2009-12-22 15:12 -------- d-----w- C:\_OTL
2009-12-21 11:43 . 2009-12-21 11:43 -------- d-----w- c:\program files\Trend Micro
2009-12-20 14:48 . 2004-08-03 23:32 84480 -c--a-w- c:\windows\system32\dllcache\ac97via.sys
2009-12-20 14:48 . 2004-08-03 23:32 84480 ----a-w- c:\windows\system32\drivers\ac97via.sys
2009-12-17 11:52 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-15 21:11 . 2009-05-18 14:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-12-15 21:11 . 2008-04-17 13:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-12-15 21:09 . 2009-12-15 21:09 -------- d-----w- c:\program files\iPod
2009-12-15 21:09 . 2009-12-15 21:11 -------- d-----w- c:\program files\iTunes
2009-12-15 21:05 . 2009-12-15 21:06 -------- d-----w- c:\program files\QuickTime
2009-12-15 20:58 . 2009-12-15 20:58 -------- d-----w- c:\program files\Apple Software Update
2009-12-15 20:53 . 2009-12-15 21:09 -------- d-----w- c:\program files\Common Files\Apple
2009-12-15 14:33 . 2009-12-15 17:50 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-15 14:33 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-12-15 14:33 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-12-15 14:33 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-12-15 14:33 . 2009-12-15 14:33 -------- d-----w- c:\program files\Avira
2009-12-15 14:33 . 2009-12-15 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-12-15 00:05 . 2009-12-15 00:05 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2009-12-15 00:05 . 2009-12-15 00:05 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2009-12-15 00:05 . 2009-12-15 00:05 -------- d-----w- c:\documents and settings\HelpAssistant\Tracing
2009-12-15 00:05 . 2009-12-15 00:05 -------- d-----w- c:\documents and settings\HelpAssistant\Shared
2009-12-11 15:25 . 2009-12-11 15:25 -------- d-----w- c:\documents and settings\David\Application Data\Sammsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2009-12-21 16:40 . 2008-07-15 22:32 -------- d-----w- c:\documents and settings\David\Application Data\GetRight
2009-12-20 22:14 . 2006-11-18 18:04 -------- d-----w- c:\documents and settings\David\Application Data\Azureus
2009-12-20 16:15 . 2008-11-16 19:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-20 15:09 . 2009-02-17 21:50 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-15 14:15 . 2005-12-28 10:44 -------- d-----w- c:\documents and settings\David\Application Data\Lavasoft
2009-12-15 12:26 . 2005-12-28 10:50 -------- d-----w- c:\program files\Ahead
2009-12-11 14:53 . 2009-08-04 22:28 -------- d-----w- c:\program files\E.M. Youtube Video Download Tool
2009-12-11 14:52 . 2005-12-28 10:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-11 14:50 . 2009-02-19 21:33 -------- d-----w- c:\program files\Yahoo!
2009-12-11 14:49 . 2005-12-28 13:03 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2009-12-11 14:46 . 2009-11-27 12:27 -------- d-----w- c:\program files\jessops
2009-12-03 16:14 . 2008-11-16 19:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13 . 2008-11-16 19:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-30 22:39 . 2006-02-24 00:37 -------- d-----w- c:\documents and settings\David\Application Data\Skype
2009-11-30 22:35 . 2009-07-20 15:50 -------- d-----w- c:\documents and settings\David\Application Data\skypePM
2009-11-27 12:45 . 2009-11-27 12:45 -------- d-----w- c:\documents and settings\All Users\Application Data\hps
2009-11-21 15:51 . 2001-08-18 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-19 12:24 . 2008-11-25 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Sports Interactive
2009-11-12 17:07 . 2009-11-12 17:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-06 19:57 . 2009-11-06 19:57 -------- d-----w- c:\program files\Cucusoft
2009-11-06 19:57 . 2007-07-28 17:13 -------- d-----w- c:\documents and settings\David\Application Data\GetRightToGo
2009-10-29 07:45 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2005-12-28 13:37 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38 . 2005-12-28 13:37 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-20 16:20 . 2005-12-28 13:37 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2001-08-18 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2001-08-18 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2001-08-18 12:00 79872 ----a-w- c:\windows\system32\raschap.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-08-02 46592]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\David\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"4680:TCP"= 4680:TCP:Services

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [24/06/2007 14:12 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [24/06/2007 14:12 5248]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [15/12/2009 14:33 108289]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [12/09/2006 19:19 17149]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [28/07/2009 08:51 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [28/07/2009 08:51 8320]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27/10/2006 18:35 685816]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: &Search
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: ketsujin.com\fighterace
Trusted Zone: ketsujin.com\primary
Trusted Zone: ketsujin.com\update
Trusted Zone: ketsujin.com\www
Trusted Zone: stormofaces.com\www
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} - hxxp://www.digitalwebbooks.com/reader/dbplugin.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\nhbszeor.default\
FF - prefs.js: browser.startup.homepage - google.co.uk
FF - component: c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\nhbszeor.default\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}\components\PlainOldFavorites.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Uplink - c:\program files\Uplink\Uninst.isu
AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-03 14:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82A14AE0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75a3f28
\Driver\ACPI -> ACPI.sys @ 0xf74d0cb8
\Driver\atapi -> 0x82a14ae0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Belkin 802.11g Wireless Card -> SendCompleteHandler -> NDIS.sys @ 0xf7345b0a
PacketIndicateHandler -> NDIS.sys @ 0xf7350a21
SendHandler -> NDIS.sys @ 0xf7345949
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x04CAA48C
malicious code @ sector 0x04CAA48F !
PE file found in sector at 0x04CAA4A5 !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2708)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\SOUNDMAN.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-03 14:22:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-03 14:22

Pre-Run: 9,302,949,888 bytes free
Post-Run: 9,345,015,808 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=1 Default=1 Failed=0 LastKnownGood=2 Sets=,1,2,3
- - End Of File - - C38614336EA22A9EFCAA7127663C23E5