ComboFix again
ComboFix 10-03-08.01 - Janet Duross 03/09/2010 1:17.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.546 [GMT -5:00]
Running from: c:\documents and settings\Janet Duross\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2010-02-09 to 2010-03-09 )))))))))))))))))))))))))))))))
.
2010-03-07 04:39 . 2010-03-07 04:39 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-06 06:07 . 2010-03-06 06:07 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-06 06:02 . 2010-03-06 06:02 61440 ----a-w- c:\documents and settings\Janet Duross\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-69e74856-n\decora-sse.dll
2010-03-06 06:02 . 2010-03-06 06:02 503808 ----a-w- c:\documents and settings\Janet Duross\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-55f08ee6-n\msvcp71.dll
2010-03-06 06:02 . 2010-03-06 06:02 499712 ----a-w- c:\documents and settings\Janet Duross\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-55f08ee6-n\jmc.dll
2010-03-06 06:02 . 2010-03-06 06:02 348160 ----a-w- c:\documents and settings\Janet Duross\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-55f08ee6-n\msvcr71.dll
2010-03-06 06:02 . 2010-03-06 06:02 12800 ----a-w- c:\documents and settings\Janet Duross\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-69e74856-n\decora-d3d.dll
2010-03-06 06:02 . 2010-03-06 06:02 -------- d-----w- c:\program files\Java
2010-02-10 00:32 . 2010-02-10 00:32 -------- d-----w- c:\windows\system32\wbem\Repository
2010-02-09 22:55 . 2010-02-10 00:29 -------- d-----w- c:\windows\system32\autorun
2010-02-09 22:42 . 2010-02-10 00:29 -------- dc----w- c:\windows\ie8
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-08 17:28 . 2009-11-03 17:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-06 06:02 . 2008-10-29 01:22 -------- d-----w- c:\program files\Common Files\Java
2010-03-06 06:02 . 2009-08-21 17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-09 22:57 . 2008-10-29 01:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-07 21:07 . 2009-11-03 17:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-11-03 17:08 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2007-08-14 02:54 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2008-04-14 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2008-04-14 22:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2008-04-14 22:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-18 07:24 . 2008-10-29 01:04 1024 ---h--r- c:\windows\system32\NTIMP3.dll
2009-12-16 18:43 . 2008-04-14 22:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-04-14 22:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-25 8491008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\Client\\Agentsvc.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\BackupSvc.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\SchedulerSvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"5394:TCP"= 5394:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"9083:TCP"= 9083:TCP:Services
"3246:TCP"= 3246:TCP:Services
"5318:TCP"= 5318:TCP:Services
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [3/3/2008 4:11 PM 16384]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [4/7/2008 1:42 AM 50424]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [4/4/2008 6:03 AM 131072]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.yahoo.com/
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=0&o=xph&d=0809&m=el1200-06w
uInternet Connection Wizard,ShellNext = iexplore
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-09 01:19
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(128)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-03-09 01:20:34
ComboFix-quarantined-files.txt 2010-03-09 06:20
ComboFix2.txt 2010-03-09 06:05
ComboFix3.txt 2010-03-07 21:33
Pre-Run: 60,029,521,920 bytes free
Post-Run: 60,050,149,376 bytes free
- - End Of File - - C5D756CEA4CAC3EA6C2A50F5DB5B9E4F