ComboFix 10-02-05.04 - Lakshmi Thumma 02/06/2010 15:25:44.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.769 [GMT -5:00]
Running from: c:\documents and settings\Lakshmi Thumma\My Documents\downloads\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\EventSystem.log
c:\windows\jestertb.dll
c:\windows\system32\ccrpTmr6.dll
c:\windows\system32\pwdmon.dll
c:\windows\wiaserviv.log
.
((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010-02-06 )))))))))))))))))))))))))))))))
.
2010-01-31 22:44 . 2010-01-31 22:44 932368 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2010-01-31 22:44 . 2010-01-31 22:44 678416 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2010-01-31 22:44 . 2010-01-31 22:44 604688 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2010-01-31 22:44 . 2010-01-31 22:44 1096208 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2010-01-31 22:44 . 2010-01-31 22:44 522768 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2010-01-31 22:42 . 2010-01-31 22:42 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-01-31 22:42 . 2010-01-31 22:42 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-01-31 22:34 . 2010-01-31 22:34 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-01-31 22:34 . 2010-01-31 22:34 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-01-31 22:32 . 2010-02-06 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-01-31 22:32 . 2010-01-31 22:32 -------- d-----w- c:\program files\Kaspersky Lab
2010-01-31 22:22 . 2010-02-01 04:43 79488 ----a-w- c:\documents and settings\Lakshmi Thumma\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-31 03:51 . 2010-01-31 03:51 5115823 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-30 22:13 . 2010-01-30 22:13 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-30 20:29 . 2010-01-30 20:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-06 20:00 . 2008-02-01 11:51 -------- d-----w- c:\program files\Google
2010-01-31 22:20 . 2006-07-30 15:11 -------- d-----w- c:\documents and settings\Lakshmi Thumma\Application Data\Lavasoft
2010-01-31 22:09 . 2009-01-11 05:54 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-31 22:06 . 2006-03-07 18:57 -------- d-----w- c:\program files\Symantec
2010-01-31 22:06 . 2006-03-07 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-31 21:57 . 2006-03-14 19:42 -------- d-----w- c:\documents and settings\Lakshmi Thumma\Application Data\Symantec
2010-01-31 03:51 . 2009-01-17 23:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-07 21:07 . 2009-01-17 23:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-01-17 23:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2006-03-20 05:37 . 2006-03-20 05:37 0 ----a-w- c:\program files\error.dat
2007-01-15 22:02 . 2007-01-15 22:02 13386 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2007-01-15 22:02 . 2007-01-15 22:02 92746 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-24 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-08 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-08 512000]
"TpShocks"="TpShocks.exe" [2005-04-05 106496]
"TP4EX"="tp4ex.exe" [2004-11-12 40960]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2005-04-27 90112]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-04-14 139264]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-24 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-18 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"DACSMiniApp"="c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe" [2008-03-13 128256]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-21 340456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-3-7 24576]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 11:07 262144 ----a-w- c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-13 04:11 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Harmony Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Harmony Monitor.lnk
backup=c:\windows\pss\Harmony Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WebSphere MQ Task Bar.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WebSphere MQ Task Bar.lnk
backup=c:\windows\pss\WebSphere MQ Task Bar.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lakshmi Thumma^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Lakshmi Thumma\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\71900Tray]
2007-05-11 20:56 2170880 ----a-w- c:\program files\VTech\Whiz Kid\System\WhizKidTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 04:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 18:20 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Drive Mapping Utility]
2007-06-08 13:34 278144 ----a-w- c:\program files\Linksys\Network Storage\Network Drive Mapping Utility.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-05-24 20:14 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2006-12-01 02:49 4662776 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)
"SQLWriter"=2 (0x2)
"SQLBrowser"=2 (0x2)
"SQLAgent$SONY_MEDIAMGR"=3 (0x3)
"NeatReceipts Database Controller"=2 (0x2)
"navapsvc"=2 (0x2)
"MSSQL$SONY_MEDIAMGR"=3 (0x3)
"MSSQL$NR2007"=3 (0x3)
"MQSeriesServices"=2 (0x2)
"Lotus Domino Server (ProgramFilesLotusDominodata)"=3 (0x3)
"ccSetMgr"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"ccProxy"=2 (0x2)
"SNDSrvc"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"SAVScan"=3 (0x3)
"ACS"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Bonjour Service"=2 (0x2)
"comHost"=3 (0x3)
"gusvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"LiveUpdate"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"NSCService"=3 (0x3)
"OpenLDAP-slapd"=2 (0x2)
"iPod Service"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Irmon"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Linksys\\Network Storage\\Network Drive Mapping Utility.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 8:18 PM 36880]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [3/7/2006 1:43 PM 14208]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 1:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 6:39 PM 19472]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [3/7/2006 1:43 PM 6016]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [1/1/1980 3:00 AM 14336]
S2 VRDVC10;Sony VRD-VC10 [Video Capture];c:\windows\system32\drivers\VRDVC10X.SYS [11/9/2004 9:02 AM 31104]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\33.tmp --> c:\windows\system32\33.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 4:10 PM 32512]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [3/7/2006 2:08 PM 12288]
S4 Lotus Domino Server (ProgramFilesLotusDominodata);Lotus Domino Server (ProgramFilesLotusDominodata);c:\program files\Lotus\Domino\nservice.exe [12/28/2006 7:14 PM 61440]
S4 MQSeriesServices;IBM MQSeries;c:\program files\IBM\WebSphere MQ\bin\amqsvc.exe [5/18/2005 7:00 PM 69632]
S4 MSSQL$NR2007;SQL Server (NR2007);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 8:29 AM 29178224]
S4 NeatReceipts Database Controller;NeatReceipts Database Controller;c:\program files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe [8/29/2007 3:15 PM 230760]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: accountonline.com\www
FF - ProfilePath - c:\documents and settings\Lakshmi Thumma\Application Data\Mozilla\Firefox\Profiles\h5aprpvb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-TPHOTKEY - c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
AddRemove-QQ BlackJack - c:\program files\Tencent\QQ Games\QQ BlackJack\Uninstall.EXE

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-06 15:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\33.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PCDRSRVC]
"ImagePath"="system32\drivers\PCDRSRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2654753423-1684741367-569257590-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1676)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\windows\System32\QCONSVC.EXE
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2010-02-06 16:06:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-06 21:06

Pre-Run: 13,365,616,640 bytes free
Post-Run: 12,721,340,416 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - 598EAEEEFD9DCD7E62FD3461D0B2E8C9