ComboFix 10-07-06.05 - Judy 07/07/2010 17:17:59.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.62 [GMT -5:00]
Running from: c:\documents and settings\Judy\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Thumbs.db
c:\windows\system32\2617176621.dat
c:\windows\system32\Thumbs.db
c:\windows\system32\tmp.reg
c:\windows\xpsp1hfm.log

Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_EHSCHEDNETDDE
-------\Legacy_RASAUTOWSCSVC
-------\Service_ehSchedNetDDE
-------\Service_RasAutowscsvc

((((((((((((((((((((((((( Files Created from 2010-06-08 to 2010-07-08 )))))))))))))))))))))))))))))))
.
2010-07-07 23:23 . 2010-07-07 23:23 -------- d-----w- c:\windows\LastGood
2010-07-07 22:38 . 2010-07-07 22:38 32 ----a-w- c:\windows\system32\2617176621.dat
2010-07-07 18:25 . 2010-07-07 18:25 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-06-30 14:38 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-30 14:38 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-30 14:35 . 2010-06-30 14:35 -------- d-----w- c:\program files\ERUNT
2010-06-22 13:55 . 2010-06-22 13:55 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-14 16:00 . 2010-06-14 16:00 -------- d-----w- c:\documents and settings\Judy\Application Data\SUPERAntiSpyware.com
2010-06-11 14:00 . 2010-06-11 14:00 -------- d-----w- c:\documents and settings\Judy\Local Settings\Application Data\PCHealth
2010-06-10 23:56 . 2010-06-10 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2010-06-10 23:47 . 2010-06-10 23:47 -------- d-----w- c:\program files\Citrix
2010-06-10 23:46 . 2010-06-10 23:46 -------- d-----w- c:\documents and settings\Judy\Local Settings\Application Data\Citrix
2010-06-10 22:27 . 2010-06-10 22:28 -------- d-----w- c:\program files\McAfeeMOBK
2010-06-10 22:25 . 2010-02-06 02:13 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2010-06-10 22:23 . 2010-06-10 22:25 -------- d-----w- c:\program files\McAfee Online Backup
2010-06-09 22:41 . 2010-06-11 13:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-09 22:41 . 2010-06-11 13:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-09 19:56 . 2010-06-09 19:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee
2010-06-09 18:26 . 2010-06-09 18:26 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-06-09 16:45 . 2010-06-09 16:45 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-09 06:58 . 2010-06-09 06:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2010-06-09 02:15 . 2010-06-09 21:10 -------- d-----w- c:\documents and settings\Judy\Local Settings\Application Data\ncsawcan
2010-06-09 01:53 . 2010-05-21 19:14 221568 ------w- c:\windows\system32\MpSigStub.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-07 18:24 . 2006-02-25 07:02 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-30 14:38 . 2010-05-14 19:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-16 15:25 . 2010-06-14 16:01 63488 ----a-w- c:\documents and settings\Judy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-16 15:25 . 2010-06-14 16:01 117760 ----a-w- c:\documents and settings\Judy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-14 16:01 . 2010-06-14 16:01 52224 ----a-w- c:\documents and settings\Judy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-11 13:13 . 2007-10-01 20:44 -------- d-----w- c:\program files\Windows Live Safety Center
2010-06-10 23:25 . 2010-06-10 23:25 300384 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Supportability\Content\MVT\XMLFiles\detect.dll
2010-06-10 23:25 . 2009-11-14 18:09 300384 ----a-w- c:\documents and settings\Judy\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2010-06-10 23:07 . 2010-06-10 23:07 49152 ----a-r- c:\documents and settings\Judy\Application Data\Microsoft\Installer\{8F1A20DC-251D-47B0-91B7-DCA2523EE6C9}\Icon49FA793C.exe
2010-06-09 20:04 . 2008-08-18 13:32 -------- d-----w- c:\program files\PhoTags Express
2010-05-22 04:40 . 2009-09-15 16:12 -------- d-----w- c:\program files\McAfee
2010-05-22 04:40 . 2009-11-14 03:41 -------- d-----w- c:\documents and settings\Judy\Application Data\McAfee
2010-05-21 00:57 . 2010-01-30 15:42 -------- d-----w- c:\documents and settings\Judy\Application Data\Skype
2010-05-21 00:44 . 2010-01-30 15:45 -------- d-----w- c:\documents and settings\Judy\Application Data\skypePM
2010-05-14 19:05 . 2010-05-14 19:05 -------- d-----w- c:\documents and settings\Judy\Application Data\Malwarebytes
2010-05-14 19:04 . 2010-05-14 19:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-14 18:10 . 2009-11-16 22:53 -------- d-----w- c:\program files\McAfee.com
2010-05-14 15:52 . 2009-09-15 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-14 15:50 . 2009-11-16 22:53 -------- d-----w- c:\program files\Common Files\McAfee
2010-05-14 14:43 . 2010-05-14 14:43 75264 ----a-w- c:\windows\system32\drivers\xudfvziu.sys
2010-05-09 21:39 . 2008-09-28 03:20 256 ----a-w- c:\windows\system32\pool.bin
2010-05-09 20:25 . 2010-05-09 20:25 53248 ----a-r- c:\documents and settings\Judy\Application Data\Microsoft\Installer\{070B059B-F742-4532-B9D1-11E1E3887C6C}\ARPPRODUCTICON.exe
2010-04-27 22:16 . 2010-05-14 15:43 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-27 22:16 . 2010-05-14 15:43 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-27 22:16 . 2010-05-14 15:43 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-27 22:16 . 2010-05-14 15:43 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-27 22:16 . 2010-05-14 15:43 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-27 22:16 . 2010-05-14 15:43 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 22:16 . 2010-05-14 15:43 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-27 22:16 . 2009-11-16 22:55 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-27 22:16 . 2009-11-16 22:55 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-27 22:16 . 2009-11-16 22:55 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-11 23:12 . 2010-04-11 23:12 249856 ------w- c:\windows\Setup1.exe
2010-04-11 23:11 . 2010-04-11 23:11 73216 ----a-w- c:\windows\ST6UNST.EXE
2006-08-30 02:27 . 2006-08-30 02:27 251 ----a-w- c:\program files\wt3d.ini
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-02-06 02:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-02-06 02:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-02-06 02:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-11-07 95536]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-11-07 54576]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"V0500Mon.exe"="c:\windows\V0500Mon.exe" [2007-11-03 32768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-05 202256]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-21 1193336]
"McPvTray"="c:\program files\McAfee\Anti-Theft\McPvTray.exe" [2009-11-17 670312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Nigel's Laptop\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Metamail Trust Manager.lnk - c:\program files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe [2006-6-5 329472]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 21:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2008-02-15 17:46 135168 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2006-08-02 05:32 696320 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2006-08-02 05:38 802816 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2005-04-27 00:13 122880 ----a-w- c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-12-16 08:32 761945 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2005-12-16 08:34 82009 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TDispVol]
2005-03-11 23:03 73728 ----a-w- c:\windows\system32\TDispVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THotkey]
2006-01-05 22:02 352256 ----a-w- c:\program files\TOSHIBA\TOSHIBA Applet\THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
2004-12-30 08:32 65536 ----a-w- c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
2005-06-01 05:00 282624 ----a-w- c:\windows\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
2005-11-30 20:25 73728 ----a-w- c:\program files\TOSHIBA\Tvs\TvsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [5/14/2010 10:43 AM 82952]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [6/10/2010 5:25 PM 54776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/16/2009 6:00 PM 210216]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/14/2010 10:42 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [5/14/2010 10:42 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [5/14/2010 10:43 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [5/14/2010 10:43 AM 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [2/5/2010 9:14 PM 229688]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 6:31 AM 92008]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [5/14/2010 10:43 AM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [5/14/2010 10:43 AM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [5/14/2010 10:43 AM 88480]
S2 McAfeeMcProxy;McAfee SiteAdvisor Service McAfeeMcProxy;c:\windows\system32\aaaamony.exe srv --> c:\windows\system32\aaaamony.exe srv [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [5/14/2010 10:43 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [5/14/2010 10:43 AM 83496]
S3 V0500Dev;Dynex 1.3MP Webcam Driver;c:\windows\system32\drivers\V0500Vid.sys [1/29/2010 11:32 PM 251264]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-06-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-07-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2102392488-2322073675-3800741003-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-06-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2102392488-2322073675-3800741003-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:1055
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
Trusted Zone: internet
Trusted Zone: mcafee.com
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-Exetender - c:\program files\Verizon Games on Demand Player\GPlayer.exe
MSConfigStartUp-TFncKy - TFncKy.exe


**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-07 19:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2102392488-2322073675-3800741003-1006\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-2102392488-2322073675-3800741003-1006\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:00000003

[HKEY_USERS\S-1-5-21-2102392488-2322073675-3800741003-1006\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:00000003

[HKEY_USERS\S-1-5-21-2102392488-2322073675-3800741003-1006\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:00000007

[HKEY_USERS\S-1-5-21-2102392488-2322073675-3800741003-1006\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000020

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2884)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\dllhost.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\progra~1\METAMA~1\METAMA~1\METAMA~2.EXE
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-07 19:44:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-08 00:44

Pre-Run: 84,102,803,456 bytes free
Post-Run: 84,130,480,128 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - C9020545FE74662B4B3FB447F40C1808