Results from combofix.txt.....
ComboFix 09-12-06.09 - Randy Pierce 12/06/2009 21:24.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.151 [GMT -5:00]
Running from: c:\documents and settings\Randy Pierce\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk
c:\program files\Shared
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
c:\windows\system32\drivers\geyekrtlesspuc.sys
c:\windows\system32\geyekrvpfhlvts.dat
c:\windows\system32\geyekrxurxqphp.dat
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_geyekrijlnralk
-------\Service_geyekrijlnralk
((((((((((((((((((((((((( Files Created from 2009-11-07 to 2009-12-07 )))))))))))))))))))))))))))))))
.
2009-12-06 23:22 . 2009-12-06 23:22 4096 ----a-w- c:\windows\d3dx.dat
2009-12-05 23:39 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-05 23:39 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-04 02:53 . 2009-12-04 02:53 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-04 02:31 . 2009-12-04 02:31 -------- d-----w- c:\program files\Trend Micro
2009-12-03 00:02 . 2009-12-03 00:02 -------- d-----w- c:\documents and settings\Randy Pierce\Application Data\Malwarebytes
2009-12-03 00:01 . 2009-12-03 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-03 00:01 . 2009-12-05 23:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-02 03:24 . 2009-12-02 03:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Zylom
2009-12-02 03:15 . 2009-12-02 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SpinTop Games
2009-11-25 23:27 . 2009-11-25 23:27 152576 ----a-w- c:\documents and settings\Randy Pierce\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-25 23:27 . 2009-11-25 23:27 79488 ----a-w- c:\documents and settings\Randy Pierce\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-07 02:05 . 2009-11-01 04:51 -------- d-----w- c:\program files\RealArcade
2009-12-07 02:04 . 2007-05-08 01:43 -------- d-----w- c:\program files\Java
2009-12-05 13:00 . 2007-05-14 13:27 -------- d-----w- c:\documents and settings\Randy Pierce\Application Data\AdobeUM
2009-12-04 06:33 . 2009-03-26 00:06 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-22 01:13 . 2009-08-03 02:59 -------- d-----w- c:\program files\McAfee
2009-11-03 01:42 . 2009-10-03 01:48 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 23:08 . 2009-10-29 23:08 152576 ----a-w- c:\documents and settings\Randy Pierce\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-20 19:01 . 2009-10-09 01:23 -------- d-----w- c:\program files\PackLedgerME
2009-10-17 00:13 . 2009-07-15 00:53 -------- d-----w- c:\documents and settings\Randy Pierce\Application Data\U3
2009-10-11 09:17 . 2009-02-07 00:48 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-10 23:41 . 2007-05-08 12:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-27 02:19 . 2009-09-27 02:19 152576 ----a-w- c:\documents and settings\Randy Pierce\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-24 03:52 . 2007-05-08 00:44 79432 ----a-w- c:\documents and settings\Randy Pierce\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-24 03:49 . 2009-09-24 03:49 2272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-16 14:22 . 2009-08-03 03:03 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2009-08-03 03:03 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2009-08-03 03:03 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2009-08-03 03:03 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2009-08-03 02:50 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:33 . 2009-03-26 00:06 133632 ----a-w- c:\windows\system32\msv1_0.dll
2006-11-30 20:35 . 2007-05-12 10:59 1259960 ----a-w- c:\program files\winzip8.0.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe" [2009-03-19 460216]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-09 77824]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-06 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-06 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-06 77824]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat.exe [2007-5-8 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-10 98304]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
.
------- Supplementary Scan -------
.
uStart Page =
hxxp://us.mc388.mail.yahoo.com/mc/welcome?.gx=1&.tm=1256799833&.rand=6g4f8q2dljokp
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: facebook.com\www
DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} -
hxxp://www3.authentium.com/cssrelease/bin/wizard.exe
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} -
hxxp://141.238.49.9/activex/AMC.cab
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Nero PhotoShow Media Manager - c:\progra~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
HKLM-Run-NWEReboot - (no file)
Notify-dimsntfy - (no file)
AddRemove-airportmania - c:\program files\RealArcade\Installer\bin\gameinstaller.exe c:\program files\RealArcade\Installer\installerMain.clf
AddRemove-alicesmagicalmahjong - c:\program files\RealArcade\Installer\bin\gameinstaller.exe c:\program files\RealArcade\Installer\installerMain.clf
AddRemove-ancienttrijong - c:\program files\RealArcade\Installer\bin\gameinstaller.exe c:\program files\RealArcade\Installer\installerMain.clf
AddRemove-Broadcom 802.11b Network Adapter - c:\program files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe verbose
AddRemove-RealArcade - c:\program files\RealArcade\Installer\bin\gameinstaller.exe c:\program files\RealArcade\Installer\installerMain.clf
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-12-06 21:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(540)
c:\windows\System32\BCMLogon.dll
- - - - - - - > 'explorer.exe'(3348)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\bcmwltry.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-12-06 21:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-07 02:43
Pre-Run: 43,339,423,744 bytes free
Post-Run: 43,307,859,968 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 340A40BD4B4B0BE2891D5BD4E0E0F6B1