ComboFix 12-01-04.03 - Administrator 01/05/2012 0:00.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1624 [GMT -5:00]
Running from: e:\virus removal tools\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\$NtUninstallKB19203$
c:\windows\$NtUninstallKB19203$\1932015659\@
c:\windows\$NtUninstallKB19203$\1932015659\bckfg.tmp
c:\windows\$NtUninstallKB19203$\1932015659\cfg.ini
c:\windows\$NtUninstallKB19203$\1932015659\Desktop.ini
c:\windows\$NtUninstallKB19203$\1932015659\keywords
c:\windows\$NtUninstallKB19203$\1932015659\kwrd.dll
c:\windows\$NtUninstallKB19203$\1932015659\L\iahonoel
c:\windows\$NtUninstallKB19203$\1932015659\lsflt7.ver
c:\windows\$NtUninstallKB19203$\1932015659\U\00000001.@
c:\windows\$NtUninstallKB19203$\1932015659\U\00000002.@
c:\windows\$NtUninstallKB19203$\1932015659\U\00000004.@
c:\windows\$NtUninstallKB19203$\1932015659\U\80000000.@
c:\windows\$NtUninstallKB19203$\1932015659\U\80000004.@
c:\windows\$NtUninstallKB19203$\1932015659\U\80000032.@
c:\windows\$NtUninstallKB19203$\4095787169
c:\windows\system32\SET234.tmp
c:\windows\system32\winsrc.dll.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Service_6to4
.
.
((((((((((((((((((((((((( Files Created from 2011-12-05 to 2012-01-05 )))))))))))))))))))))))))))))))
.
.
2012-01-05 04:16 . 2012-01-05 04:16 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-05 03:06 . 2012-01-05 03:06 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-05 02:48 . 2012-01-05 02:48 -------- d-sh--w- c:\documents and settings\administrator.LCMDDS.000\IECompatCache
2012-01-05 02:47 . 2012-01-05 02:47 -------- d-sh--w- c:\documents and settings\administrator.LCMDDS.000\PrivacIE
2012-01-05 02:46 . 2012-01-05 02:46 -------- d-----w- c:\documents and settings\administrator.LCMDDS.000\Application Data\Malwarebytes
2012-01-05 02:46 . 2012-01-05 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-05 02:46 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-05 02:46 . 2012-01-05 02:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-05 02:46 . 2012-01-05 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-01-05 02:37 . 2012-01-05 02:35 8704 ----a-w- c:\windows\system32\drivers\drkrgcqmxwim.sys
2012-01-05 02:28 . 2012-01-05 04:36 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-01-05 02:27 . 2012-01-05 02:27 -------- d-----w- c:\documents and settings\administrator.LCMDDS.000\Application Data\FLEXnet
2012-01-05 02:27 . 2005-09-20 19:31 135168 ----a-w- c:\windows\system32\igfxres.dll
2012-01-05 02:23 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-01-05 02:23 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2012-01-02 19:14 . 2012-01-02 19:14 -------- d-sh--w- c:\documents and settings\NetworkService\UserData
2012-01-02 15:38 . 2012-01-02 15:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-05 03:01 . 2004-08-11 21:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-12-16 13:33 . 2010-05-04 20:16 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-12-16 13:33 . 2010-05-04 20:16 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2011-12-16 13:33 . 2010-05-04 20:16 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-12-16 13:33 . 2010-05-04 20:16 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-11-23 13:25 . 2004-08-11 21:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2004-08-11 21:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-11 21:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-11 21:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-11 21:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-11 21:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-11 21:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2004-08-11 21:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 02:59 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-11 21:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2004-08-11 21:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-01 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-03-20 213936]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"KDISBridge"="c:\tw\KDISBridge.exe" [2006-01-30 483840]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"DLPSP"="c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2007-07-25 393944]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
DataLink.LNK - \\Fs1\PDATA\DataLink\DataLink.exe [N/A]
PA Manager.lnk - c:\program files\Dentrix\PAMgr.exe [2009-1-28 857872]
WebSync Reminder.lnk - c:\program files\Dentrix\WebSyncReminder.exe [2009-1-28 91408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-12-16 13:33 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1291385962-4088891128-34703830-1115\Scripts\Logon\0\0]
"Script"=startup.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1291385962-4088891128-34703830-1121\Scripts\Logon\0\0]
"Script"=startup.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1291385962-4088891128-34703830-1122\Scripts\Logon\0\0]
"Script"=startup.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1291385962-4088891128-34703830-1123\Scripts\Logon\0\0]
"Script"=startup.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1291385962-4088891128-34703830-1124\Scripts\Logon\0\0]
"Script"=startup.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1291385962-4088891128-34703830-1125\Scripts\Logon\0\0]
"Script"=startup.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1291385962-4088891128-34703830-1127\Scripts\Logon\0\0]
"Script"=startup.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1291385962-4088891128-34703830-1129\Scripts\Logon\0\0]
"Script"=startup.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1291385962-4088891128-34703830-1130\Scripts\Logon\0\0]
"Script"=startup.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1291385962-4088891128-34703830-1141\Scripts\Logon\0\0]
"Script"=startup.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1291385962-4088891128-34703830-1142\Scripts\Logon\0\0]
"Script"=startup.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1291385962-4088891128-34703830-1143\Scripts\Logon\0\0]
"Script"=startup.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1291385962-4088891128-34703830-500\Scripts\Logon\0\0]
"Script"=startup.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4155129212-1082037474-2456316276-1114\Scripts\Logon\0\0]
"Script"=mappeddrives.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4155129212-1082037474-2456316276-1115\Scripts\Logon\0\0]
"Script"=mappeddrives.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4155129212-1082037474-2456316276-500\Scripts\Logon\0\0]
"Script"=mappeddrives.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59152:UDP"= 59152:UDP:SonicWALL Compliance 59152
"59153:UDP"= 59153:UDP:SonicWALL Compliance 59153
.
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [1/26/2007 1:24 PM 58048]
R2 APCPBEAgent;APC PBE Agent;c:\progra~1\APC\POWERC~1\agent\pbeagent.exe [7/8/2011 12:32 PM 34168]
R2 APCPBEServer;APC PBE Server;c:\progra~1\APC\POWERC~1\server\PBESER~1.EXE [7/8/2011 12:37 PM 54728]
R2 DLSDB;Dell Printer Status Database;c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe [7/31/2008 10:41 AM 140184]
R2 GuruLELicensing;Guru Limited Edition Licensing;c:\program files\Guru Limited Edition Server\GuruLEService.exe [4/28/2008 6:53 PM 60416]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/6/2010 10:38 AM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
R2 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [5/4/2010 3:18 PM 1590216]
S0 13947153;13947153;c:\windows\system32\DRIVERS\13947153.sys --> c:\windows\system32\DRIVERS\13947153.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\asapp\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\asapp\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\asapp\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\docume~1\asapp\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S2 NecUsb;USB Service;c:\windows\System32\svchost.exe -k NecUsbSevice [8/11/2004 4:00 PM 14336]
S3 GKUPRO2D;GKUPRO2D;c:\windows\system32\drivers\GKUPRO2D.sys [5/9/2006 9:42 AM 62048]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/4/2012 11:16 PM 40776]
S3 net2860_usb;net2860_usb;c:\windows\system32\drivers\net2860_usb.sys [4/26/2007 11:50 AM 29184]
S3 SASENUM;SASENUM;\??\c:\docume~1\asapp\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\docume~1\asapp\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [9/7/2010 10:58 AM 11520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
NecUsbSevice REG_MULTI_SZ NecUsb
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-05 c:\windows\Tasks\User_Feed_Synchronization-{A58A6BF6-5896-4558-9006-AFE49615062D}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ShStatEXE - c:\program files\Network Associates\VirusScan\SHSTAT.EXE
Notify-USB3Nw32 - USB3Nw32.dll
SafeBoot-02944266.sys
SafeBoot-72153963.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-05 08:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4155129212-1082037474-2456316276-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,8e,6f,5a,4f,b1,39,4a,ba,d9,e4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,8e,6f,5a,4f,b1,39,4a,ba,d9,e4,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(2552)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
c:\program files\Windows Media Player\WMPNetwk.exe
.
**************************************************************************
.
Completion time: 2012-01-05 08:23:53 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-05 13:23
.
Pre-Run: 26,937,942,016 bytes free
Post-Run: 28,775,337,984 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - F2D1D0E0F5A0AAF8A41F879AB4C424A3