ComboFix 09-11-30.02 - rmac 11/30/2009 18:46.5.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.246 [GMT -8:00]
Running from: c:\documents and settings\rmac\Desktop\Combo-Fix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
((((((((((((((((((((((((( Files Created from 2009-11-01 to 2009-12-01 )))))))))))))))))))))))))))))))
.
2010-04-28 21:44 . 2006-05-24 00:01 -------- d-----w- c:\documents and settings\itc\Application Data\Apple Computer
2010-04-28 21:43 . 2006-05-24 00:01 -------- d-----w- c:\documents and settings\itc\Local Settings\Application Data\Apple Computer
2009-11-29 02:16 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-29 02:16 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-29 01:57 . 2006-03-28 23:28 10880 ----a-r- c:\windows\system32\drivers\vmscsi_2.sys
2009-11-28 16:35 . 2009-11-28 16:50 -------- d-----w- c:\documents and settings\rmac\Local Settings\Application Data\jxrtsg
2009-11-26 19:15 . 2009-11-28 00:31 -------- d-----w- c:\documents and settings\rmac\Local Settings\Application Data\khgaul
2009-11-21 00:02 . 2009-11-21 00:02 -------- d-----w- c:\documents and settings\rmac\Local Settings\Application Data\Microsoft Help
2009-11-21 00:01 . 2009-11-25 06:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-20 23:39 . 2009-11-21 18:44 -------- d-----w- c:\documents and settings\rmac\Local Settings\Application Data\Amos 17.0
2009-11-20 23:36 . 2009-11-20 23:36 -------- d-----w- c:\program files\SPSSIncOEM
2009-11-20 23:25 . 2009-11-20 23:25 -------- d-----w- c:\program files\Common Files\Data Dynamics
2009-11-20 21:49 . 2009-11-20 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SPSS
2009-11-20 21:49 . 2009-11-20 21:49 -------- d-----w- c:\program files\Common Files\SPSS
2009-11-20 21:27 . 2009-11-20 21:27 -------- d-----w- c:\documents and settings\rmac\.spss
2009-11-20 19:36 . 2009-11-20 23:24 -------- d-----w- c:\program files\SPSSInc
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-29 15:57 . 2009-07-02 02:33 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-11-29 03:41 . 2006-04-27 23:55 -------- d-----w- c:\program files\Java
2009-11-29 02:19 . 2008-06-30 22:19 -------- d-----w- c:\program files\Replay Music
2009-11-26 19:22 . 2007-01-01 05:46 80768 ----a-w- c:\documents and settings\rmac\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-25 06:09 . 2006-04-27 22:19 -------- d-----w- c:\program files\Microsoft Works
2009-11-22 22:15 . 2007-01-11 17:49 -------- d-----w- c:\documents and settings\rmac\Application Data\Image Zone Express
2009-11-20 19:29 . 2006-09-12 15:18 -------- d-----w- c:\program files\SPSS
2009-10-29 03:50 . 2009-10-29 03:50 -------- d-----w- c:\program files\MSBuild
2009-10-29 03:50 . 2009-10-29 03:50 -------- d-----w- c:\program files\Reference Assemblies
2009-10-28 15:06 . 2008-04-02 19:05 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 14:18 . 2004-08-04 00:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 22:54 . 2009-07-02 21:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 22:53 . 2009-07-02 21:27 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-04 00:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2001-05-24 20:59 . 2007-01-16 16:45 162304 ----a-w- c:\program files\UNWISE.EXE
2008-04-01 03:31 . 2008-04-01 03:30 80 --sha-r- c:\windows\system32\64B6FEA206.dll
2005-07-14 19:31 . 2006-05-24 17:37 27648 --sha-w- c:\windows\system32\AVSredirect.dll
.
((((((((((((((((((((((((((((( SnapShot_2009-11-29_02.39.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2003-06-19 10:35 . 2009-11-29 02:40 72480 c:\windows\system32\perfc009.dat
+ 2003-06-19 10:35 . 2009-12-01 02:36 72480 c:\windows\system32\perfc009.dat
+ 2003-06-19 10:35 . 2009-12-01 02:36 445942 c:\windows\system32\perfh009.dat
- 2003-06-19 10:35 . 2009-11-29 02:40 445942 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-27 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2006-05-18 684032]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2003-01-31 196608]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2003-01-31 311296]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-05 461584]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-08-16 271672]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"Malwarebytes Anti-Malware (reboot)"="c:\hold\Malwarebytes' Anti-Malware2\mbam.exe" [2009-09-10 1312080]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-06-17 414992]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2005-05-03 64512]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-10-6 1524776]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2001-04-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=APTRRNTm.dll
"wave"=APTRRNTm.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SAS\\SAS 9.1\\sas.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microtek\\ScanWizard Pro\\LANServer.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=
"c:\\Program Files\\SPSSInc\\Statistics17\\paswstat.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\paswstat.com"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [8/30/2006 3:56 PM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [8/30/2006 3:56 PM 5248]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [4/27/2006 9:53 AM 10880]
R3 vmmemctl;VMware server memory controller;c:\windows\system32\drivers\vmmemctl.sys [3/28/2006 3:28 PM 5500]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/2/2009 1:27 PM 195856]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [1/30/2003 5:55 PM 18864]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/2/2009 1:27 PM 19160]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 1:10 PM 32512]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [4/27/2006 9:52 AM 4608]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [4/27/2006 9:52 AM 15744]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [4/27/2006 9:53 AM 22528]
--- Other Services/Drivers In Memory ---
*Deregistered* - kfncqpow
.
Contents of the 'Scheduled Tasks' folder
2009-11-28 c:\windows\Tasks\Malwarebytes' Scheduled Update for rmac.job
- c:\hold\Malwarebytes' Anti-Malware2\mbam.exe [2009-11-26 22:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.myway.com/index/id/top%7Cap.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\rmac\Application Data\Mozilla\Firefox\Profiles\h8u0shrj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://news.myway.com/index.html
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.14); user_pref(general.useragent.extra.zencast, Creative ZENcast v2.00.14);user_pref(general.useragent.extra.zencast, c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-30 18:57
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x83209B38]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf87bcf28
\Driver\ACPI -> ACPI.sys @ 0xf8689cb8
\Driver\atapi -> 0x83209b38
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Linksys Wireless-G PCI Network Adapter with SpeedBooster -> SendCompleteHandler -> NDIS.sys @ 0xf84b7bb0
PacketIndicateHandler -> NDIS.sys @ 0xf84c4a21
SendHandler -> NDIS.sys @ 0xf84a287b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(584)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-11-30 19:00
ComboFix-quarantined-files.txt 2009-12-01 03:00
ComboFix2.txt 2009-11-29 03:21
ComboFix3.txt 2009-11-29 02:52
ComboFix4.txt 2009-07-03 20:59
ComboFix5.txt 2009-12-01 02:45
Pre-Run: 9,514,438,656 bytes free
Post-Run: 9,463,459,840 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 6A2CF295925BD54A5FB80367ECF1C7D7