ComboFix 09-06-15.04 - USER1 06/19/2009 12:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.895.476 [GMT -4:00]
Running from: C:\Combo-Fix.exe
AV: eTrust ITM *On-access scanning enabled* (Updated) {33EA71EA-56CF-40B5-A06B-BD3A27397C44}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\SKYNETpwmdtgbw.sys
c:\windows\system32\drivers\UACcmcrjipmbmoobvc.sys
c:\windows\system32\UACksvjelemovbsswu.dat
c:\windows\system32\UAClfamdturatnsesx.dll
c:\windows\system32\drivers\SKYNETpwmdtgbw.sys
c:\windows\system32\drivers\UACcmcrjipmbmoobvc.sys
c:\windows\system32\SKYNETaieabbpf.dll
c:\windows\system32\SKYNETjupaordb.dll
c:\windows\system32\SKYNETnjgrneos.dll
c:\windows\system32\SKYNETorenemui.dll
c:\windows\system32\SKYNETpofyabdw.dat
c:\windows\system32\SKYNETtyubmhil.dat
c:\windows\system32\tmp.reg
c:\windows\system32\UAClfamdturatnsesx.dll
c:\windows\system32\uactmp.db
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
-------\Service_SKYNETjbgsilxt
.
((((((((((((((((((((((((( Files Created from 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))
.
2009-06-18 20:34 . 2009-06-15 22:49 3027283 ----a-r- C:\Combo-Fix.exe
2009-06-17 12:26 . 2009-06-17 12:26 -------- d-----w- c:\documents and settings\USER1\Application Data\Malwarebytes
2009-06-15 19:09 . 2009-06-15 19:17 -------- d-----w- C:\SmitfraudFix
2009-06-15 19:09 . 2009-06-15 19:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-15 16:24 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 16:24 . 2009-06-15 16:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 16:24 . 2009-06-15 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-15 16:24 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 20:11 . 2009-06-12 20:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-06-12 17:09 . 2009-06-12 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\10501094
2009-06-11 16:41 . 2009-06-11 16:41 676224 ----a-w- c:\windows\system32\ogacheckcontrol.dll
2009-06-11 14:43 . 2009-06-11 14:43 -------- d-----w- c:\windows\system32\wbem\Repository
2009-05-29 17:59 . 2009-05-29 17:59 845800 ----a-w- c:\documents and settings\USER1\Application Data\MSNInstaller\msnauins.exe
2009-05-29 17:59 . 2009-05-29 17:59 -------- d-----w- c:\documents and settings\USER1\Application Data\MSNInstaller
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 14:18 . 2007-09-29 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2007-05-22 1459992]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-14 52832]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Realtime Monitor"="c:\program files\CA\eTrustITM\realmon.exe" [2008-02-08 407368]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2007-08-03 53248]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]
c:\documents and settings\USER1\Start Menu\Programs\Startup\
Outlook Express.lnk - c:\program files\Outlook Express\msimn.exe [2004-8-4 60416]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2008-5-22 262144]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer Empowering Technology.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acer Empowering Technology.lnk
backup=c:\windows\pss\Acer Empowering Technology.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\OLRSubmission\\OLRSubmission.exe"=
"c:\\Program Files\\CA\\eTrustITM\\InoRpc.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Realmon.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Shellscn.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [4/14/2006 1:07 PM 28933976]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [10/3/2006 2:03 PM 18072]
R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [5/30/2007 6:30 PM 14616]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-installnet.exe - c:\acer\LANScope Agent\Installnet.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.kbctools.com/can/main.cfm
uInternet Connection Wizard,ShellNext = hxxp://en.ca.acer.yahoo.com/
uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {BCED07BB-62BB-4239-B92A-9380A4066C90} = 204.50.251.17,201.107.254.9
TCP: {CFA6B775-0E90-4FFF-BC04-A6B99288DB53} = 204.50.251.17,201.107.254.9
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-19 12:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3364)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\acer\LANScope Agent\awServ.exe
c:\program files\CA\SharedComponents\iTechnology\igateway.exe
c:\program files\CA\eTrustITM\InoRPC.exe
c:\program files\CA\eTrustITM\InoRT.exe
c:\program files\CA\eTrustITM\InoTask.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\LANScope Agent\lockkm.exe
c:\windows\system32\wscntfy.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-06-19 12:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-19 16:45
Pre-Run: 28,853,694,464 bytes free
Post-Run: 29,002,002,432 bytes free