I have a problem from WIN32/ALUREON.A



majekho
2011-06-20, 23:36
Please help me!!!! Thank you!!!!

Here's the combofix log:

ComboFix 11-06-17.04 - Bonny & Karen 06/20/2011 16:28:06.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.645 [GMT -4:00]
Running from: c:\documents and settings\Bonny & Karen\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\_000023_.tmp.dll
c:\windows\system32\_000024_.tmp.dll
c:\windows\system32\_000025_.tmp.dll
c:\windows\system32\_000026_.tmp.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_INPUT_MANAGER
-------\Legacy_LOCAL_ACCOUNT_AUTHORITY_SERVICE
-------\Legacy_MOUSEDRIVER
-------\Legacy_NWSAPAGENT
-------\Legacy_PLUG_MANAGER
-------\Service_Nwsapagent
.
.
((((((((((((((((((((((((( Files Created from 2011-05-20 to 2011-06-20 )))))))))))))))))))))))))))))))
.
.
2011-06-20 20:42 . 2011-06-20 20:42 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7C9C0B34-3CFD-4DBB-9C22-85E1153B7BAC}\MpKsl9513f534.sys
2011-06-20 17:22 . 2011-06-20 17:22 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7C9C0B34-3CFD-4DBB-9C22-85E1153B7BAC}\MpKsldd3742d3.sys
2011-06-20 17:06 . 2011-05-09 17:46 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-06-20 17:06 . 2011-05-09 17:46 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7C9C0B34-3CFD-4DBB-9C22-85E1153B7BAC}\mpengine.dll
2011-06-20 13:12 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-20 13:11 . 2011-06-20 13:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-20 13:11 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-20 12:52 . 2011-06-20 12:52 -------- d-----w- c:\documents and settings\Bonny & Karen\Local Settings\Application Data\PCHealth
2011-06-20 02:43 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-06-20 02:29 . 2011-06-20 02:30 -------- d-----w- c:\program files\Microsoft Security Client
2011-06-20 01:50 . 2011-06-20 01:50 -------- d-----w- C:\9823707c8a43499f45
2011-06-18 11:00 . 2011-06-18 11:00 -------- d-----w- c:\windows\system32\NtmsData
2011-06-15 03:53 . 2011-06-15 03:53 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-06-15 03:52 . 2011-06-15 03:53 -------- d-----w- c:\windows\ShellNew
2011-06-15 01:58 . 2011-06-15 01:59 -------- d-----w- c:\documents and settings\Bonny & Karen\Application Data\vlc
2011-06-15 01:57 . 2011-06-15 01:57 -------- d-----w- c:\program files\VideoLAN
2011-06-11 21:56 . 2011-06-11 21:57 -------- d-----w- c:\documents and settings\Bonny & Karen\Application Data\Apple Computer
2011-06-11 21:55 . 2011-06-11 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-06-11 21:54 . 2011-06-11 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2011-06-11 21:54 . 2011-06-11 21:54 -------- d-----w- c:\documents and settings\Bonny & Karen\Local Settings\Application Data\Apple
2011-06-11 21:54 . 2011-06-11 21:54 -------- d-----w- c:\program files\Apple Software Update
2011-06-11 21:54 . 2011-05-10 12:06 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-06-11 21:54 . 2011-05-10 12:06 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-06-11 21:54 . 2011-06-11 21:54 -------- d-----w- c:\program files\Bonjour
2011-06-11 21:53 . 2011-06-11 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2011-06-11 21:53 . 2011-06-11 21:55 -------- d-----w- c:\program files\Common Files\Apple
2011-06-11 21:53 . 2011-06-11 21:56 -------- d-----w- c:\documents and settings\Bonny & Karen\Local Settings\Application Data\Apple Computer
2011-06-10 03:58 . 2011-06-10 03:58 -------- d-----w- c:\documents and settings\Bonny & Karen\Application Data\Malwarebytes
2011-06-10 03:58 . 2011-06-10 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-10 03:50 . 2011-06-10 03:52 -------- d-----w- c:\documents and settings\Administrator
2011-06-10 02:03 . 2011-06-10 02:03 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-09 03:49 . 2011-06-09 03:49 -------- d-----w- c:\documents and settings\Default User\Tracing
2011-06-09 03:47 . 2011-06-09 03:47 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-06-09 03:35 . 2011-06-09 03:35 188 ----a-w- c:\documents and settings\Bonny & Karen\Local Settings\Application Data\cW0MbqTy.bat
2011-06-09 03:34 . 2011-06-09 03:34 190 ----a-w- c:\documents and settings\Bonny & Karen\Application Data\26oO9ItR.bat
2011-06-09 03:34 . 2011-06-09 03:34 188 ----a-w- c:\documents and settings\Bonny & Karen\Local Settings\Application Data\9PrIJEnU.bat
2011-06-09 03:34 . 2011-06-09 03:34 148 ----a-w- c:\documents and settings\Bonny & Karen\Application Data\nftmgpxl.bat
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-17 02:18 . 2011-05-17 02:18 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-02 15:31 . 2009-11-07 17:55 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-30 03:58 . 2010-06-23 18:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-04-30 03:58 . 2010-06-23 18:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-04-29 16:19 . 2009-11-07 17:35 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2009-11-07 17:35 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2009-11-07 17:35 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2009-11-07 17:35 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2009-11-07 17:35 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2009-11-07 17:35 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-04-30 273544]
"NortonOnlineBackupReminder"="c:\program files\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-07-25 588648]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
c:\documents and settings\NetworkService\Start Menu\Programs\Startup\
Launch WhiteSmoke.lnk - c:\program files\WhiteSmoke\WSEnrichment.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 02:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"winmgmt"=2 (0x2)
"Updater Service"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\EyeSpyFX\\MyWebcamBroadcasterSetup\\MyWebcamBroadcaster.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [3/23/2011 9:30 PM 13496]
R1 MpKsl9513f534;MpKsl9513f534;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7C9C0B34-3CFD-4DBB-9C22-85E1153B7BAC}\MpKsl9513f534.sys [6/20/2011 4:42 PM 28752]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [11/7/2009 1:36 PM 38912]
S1 MpKslcdf58676;MpKslcdf58676;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7C9C0B34-3CFD-4DBB-9C22-85E1153B7BAC}\MpKslcdf58676.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7C9C0B34-3CFD-4DBB-9C22-85E1153B7BAC}\MpKslcdf58676.sys [?]
S1 MpKsldd3742d3;MpKsldd3742d3;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7C9C0B34-3CFD-4DBB-9C22-85E1153B7BAC}\MpKsldd3742d3.sys [6/20/2011 1:22 PM 28752]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [11/7/2009 4:19 PM 1684736]
S3 CAM1690;USB PC Camera;c:\windows\system32\drivers\cam1690.sys [11/21/2007 5:37 PM 181888]
S3 CXFALCON;TD3101_3104 Video/Audio Card;c:\windows\system32\drivers\TD3101_3104AV.sys [1/18/2011 12:52 PM 78592]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [11/7/2009 4:14 PM 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [11/7/2009 1:35 PM 14336]
S4 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [11/7/2009 4:38 PM 240160]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL9513F534
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-26 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2010-08-24 15:08]
.
2011-06-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 16:26]
.
2011-06-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-06-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2647865256-3477723857-56604596-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-06-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-06-20 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2647865256-3477723857-56604596-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://finance.yahoo.com/
mStart Page = hxxp://home.sweetim.com
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
HKU-Default-Run-msnmsgr - ~c:\program files\Windows Live\Messenger\msnmsgr.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-20 16:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,41,5a,d6,2a,fe,49,2d,44,8e,aa,c6,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,41,5a,d6,2a,fe,49,2d,44,8e,aa,c6,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(812)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3544)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\StkASv2K.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2011-06-20 16:48:52 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-20 20:48
.
Pre-Run: 136,526,577,664 bytes free
Post-Run: 136,677,707,776 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 3E1ECFFF10142289F7980881EEF70EE8

tashi
2011-06-21, 00:38
Hello majekho,

Please DO NOT RUN ComboFix without being asked (http://forums.spybot.info/showthread.php?t=16806) :eek:

In case you missed it, please see the FAQ, which also includes guidelines for this forum and instructions in post #2 on how to provide the preliminary "DDS" logs used for analysis:
"BEFORE You POST" (Please read this procedure before requesting assistance) (http://forums.spybot.info/showthread.php?t=288)

Then start a new topic providing the logs with a link back to this thread please. :)

Best regards.