Downloaded, renamed and ran Combo-Fix as instructed, and the Combofix.txt contents are listed further below. ** Please note, per my previous post(s), the apparent loss of a personal data folder. I don't know whether this happened after running OTL or Malwarebytes; however, the data folder in question somehow moved on its own under a separate, randomly generated folder (which folder has a self-generated cryptic alphanumeric name and the file names listed in my last post).
When I right-click and select 'Properties' on the data folder, it shows "0 files" and "0 bytes", and when I attempt to open the folder by double-clicking on it I receive the error message "[Path\filename] is not accessible. Access is denied." I had hoped upon hope that this folder might be recovered after running Combo-Fix, but nothing has changed. Am I out of luck recovering this data?
Combofix.txt contents:
ComboFix 11-03-05.01 - Rick 03/05/2011 23:32:19.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.522 [GMT -8:00]
Running from: c:\documents and settings\Rick\Desktop\Combo-Fix.exe
AV: Trend Micro Titanium Internet Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Rick\g2mdlhlpx.exe
c:\documents and settings\Rick\GoToAssistDownloadHelper.exe
C:\LOG1.tmp
C:\LOG10DB.tmp
C:\LOG1CE.tmp
C:\LOG1E8.tmp
C:\LOG256.tmp
C:\LOG257.tmp
C:\LOG274.tmp
C:\LOG2C2.tmp
C:\LOG2D7.tmp
C:\LOG2E4.tmp
C:\LOG2F1.tmp
C:\LOG2F8.tmp
C:\LOG304.tmp
C:\LOG310.tmp
C:\LOG343.tmp
C:\LOG344.tmp
C:\LOG352.tmp
C:\LOG35B.tmp
C:\LOG36.tmp
C:\LOG367.tmp
C:\LOG39F.tmp
C:\LOG3C3.tmp
C:\LOG3CD.tmp
C:\LOG3D1.tmp
C:\LOG3E0.tmp
C:\LOG3F3.tmp
C:\LOG409.tmp
C:\LOG427.tmp
C:\LOG447.tmp
C:\LOG44C.tmp
C:\LOG468.tmp
C:\LOG4BD.tmp
C:\LOG58D.tmp
C:\LOG6A.tmp
C:\LOG6C.tmp
C:\LOG7B.tmp
C:\LOG90F.tmp
C:\LOG934E.tmp
C:\LOG94F4.tmp
C:\LOGB4.tmp
C:\LOGCF.tmp
c:\windows\Downloaded Program Files\ODCTOOLS
.
.
((((((((((((((((((((((((( Files Created from 2011-02-06 to 2011-03-06 )))))))))))))))))))))))))))))))
.
.
2011-03-04 22:00 . 2011-03-06 06:28 -------- d-----w- C:\USPS-temp
2011-03-04 18:24 . 2011-03-06 06:28 -------- d-----w- C:\Business Facilitating
2011-03-04 02:27 . 2011-03-04 02:27 -------- d-----w- c:\documents and settings\Rick\Application Data\Malwarebytes
2011-02-27 04:20 . 2011-02-27 04:20 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2011-02-27 04:20 . 2011-02-27 04:20 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2011-02-27 04:19 . 2011-02-27 04:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
2011-02-26 23:14 . 2011-02-26 23:14 -------- d-----w- c:\documents and settings\Administrator\ContentWatch
2011-02-26 22:56 . 2011-02-26 22:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-02-26 22:56 . 2010-12-21 02:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-26 22:56 . 2011-02-26 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-26 22:56 . 2011-03-04 02:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-26 22:56 . 2010-12-21 02:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-26 22:55 . 2011-02-26 22:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2011-02-26 21:15 . 2011-02-26 21:15 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-02-26 19:03 . 2011-02-26 19:03 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\Threat Expert
2011-02-26 18:49 . 2011-03-06 07:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-02-26 18:49 . 2011-03-06 07:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 17:04 . 2008-08-13 14:09 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 17:04 . 2011-02-02 17:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-21 14:44 . 2004-08-11 23:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-11 23:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-10-14 02:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-11 23:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-11 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-08-11 23:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2004-08-11 23:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2008-10-14 02:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-11 23:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2008-10-14 02:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2008-10-14 02:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 2008-10-14 02:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2008-10-14 02:00 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"Google Update"="c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-08-27 136176]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-16 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-16 1831936]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-07-30 202256]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2010-11-23 112632]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2010-11-23 1062224]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-14 217193]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2009-12-18 40368]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2009-12-18 738776]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-3-9 221295]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Radmin\\radmin.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Rick\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [11/22/2010 9:21 PM 196320]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [11/22/2010 9:24 PM 64080]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/16/2010 11:24 AM 136176]
S2 r_server;Remote Administrator Service;"c:\windows\system32\r_server.exe" /service --> c:\windows\system32\r_server.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-16 19:24]
.
2011-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-16 19:24]
.
2011-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2783445133-3881002321-2059250095-1006Core.job
- c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-27 03:37]
.
2011-03-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2783445133-3881002321-2059250095-1006UA.job
- c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-27 03:37]
.
2011-03-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2783445133-3881002321-2059250095-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]
.
2011-03-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2783445133-3881002321-2059250095-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://lds.org/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
Trusted Zone: ameritrade.com
Trusted Zone: stamps.com
Trusted Zone: tdameritrade.com
Trusted Zone: unishippers.com
DPF: Web-Based Email Tools - hxxp://email04.secureserver.net/Download.CAB
FF - ProfilePath - c:\documents and settings\Rick\Application Data\Mozilla\Firefox\Profiles\bg6oqru0.default\
FF - prefs.js: browser.startup.homepage - hxxp://lds.org/ldsorg/v/index.jsp?vgnextoid=e419fb40e21cef00VgnVCM1000001f5e340aRCRD
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Trend Micro NSC Firefox Extension: {22C7F6C6-8D67-4534-92B5-529A0EC09405} - c:\program files\Trend Micro\AMSP\Module\20004\1.5.1381\6.5.1234\firefoxextension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-CRLEventnet - c:\documents and settings\Rick\Local Settings\Application Data\eapMouseaudio\CRLEventnet.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-05 23:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6V080E0 rev.VA131610 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0xF74C6864
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2783445133-3881002321-2059250095-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2644)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Trend Micro\AMSP\coreFrameworkHost.exe
c:\program files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
.
**************************************************************************
.
Completion time: 2011-03-06 00:14:31 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-06 08:13
.
Pre-Run: 49,032,679,424 bytes free
Post-Run: 49,425,539,072 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - BF51F3AC0B8FFC0253466D0B5082C3C5