combofix log
ComboFix 12-03-29.02 - Administrator 03/29/2012 23:51:19.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.778 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Guest.JAII\WINDOWS
c:\documents and settings\Guest\WINDOWS
c:\program files\Internet Explorer\SET10F.tmp
c:\program files\Internet Explorer\SET114.tmp
c:\program files\Internet Explorer\SET1B1.tmp
c:\program files\Internet Explorer\SET1B2.tmp
c:\program files\Internet Explorer\SET1B4.tmp
c:\program files\Internet Explorer\SET1BC.tmp
c:\program files\Internet Explorer\SET1BD.tmp
c:\program files\Internet Explorer\SET1BF.tmp
c:\program files\Internet Explorer\SET1DD.tmp
c:\program files\Internet Explorer\SET1E2.tmp
c:\program files\Internet Explorer\SET1E3.tmp
c:\program files\Internet Explorer\SET1E4.tmp
c:\program files\Internet Explorer\SET1E5.tmp
c:\program files\Internet Explorer\SET26C.tmp
c:\program files\Internet Explorer\SET26D.tmp
c:\program files\Internet Explorer\SET26F.tmp
c:\program files\Internet Explorer\SET30B.tmp
c:\program files\Internet Explorer\SET310.tmp
c:\program files\Internet Explorer\SETAB.tmp
c:\program files\Internet Explorer\SETB0.tmp
c:\windows\HPCPCUninstaller-6.3.2.116-9972322.exe
c:\windows\kb913800.exe
c:\windows\SET6A1.tmp
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\ndassvc.dll
c:\windows\system32\pdfcreatormessages.dll
c:\windows\system32\ps2.bat
c:\windows\system32\raspti.dll
D:\Autorun.inf
.
Infected copy of c:\windows\system32\drivers\mqac.sys was found and disinfected
Restored copy from - The cat found it
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-30 )))))))))))))))))))))))))))))))
.
.
2012-03-30 02:13 . 2012-03-30 02:13 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-30 01:23 . 2012-03-30 01:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-30 01:23 . 2011-12-10 19:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-29 23:10 . 2012-03-29 23:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Tific
2012-03-29 23:10 . 2012-03-29 23:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2012-03-29 04:26 . 2012-03-29 04:26 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2012-03-29 02:03 . 2012-03-29 02:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2012-03-29 02:03 . 2012-03-29 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-03-28 22:20 . 2012-03-28 22:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-03-28 22:20 . 2012-03-28 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-28 22:13 . 2012-03-28 22:13 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-03-28 22:12 . 2012-03-28 22:12 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-03-28 22:05 . 2012-03-28 22:05 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-03-28 03:22 . 2012-03-28 03:22 35752 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2012-03-27 01:20 . 2012-03-27 01:20 -------- d-----w- c:\documents and settings\All Users\CrypKey
2012-03-27 00:37 . 2012-03-27 00:37 -------- d-----w- C:\Log
2012-03-27 00:37 . 2008-05-07 23:29 122880 ----a-w- c:\windows\system32\Crypserv.exe
2012-03-27 00:37 . 2008-03-17 16:45 19584 ----a-w- c:\windows\system32\Ckldrv.sys
2012-03-27 00:37 . 1999-06-18 20:49 165888 ----a-w- c:\windows\Ckconfig.exe
2012-03-27 00:37 . 1996-05-03 16:21 27648 ----a-r- c:\windows\Setup_ck.exe
2012-03-27 00:37 . 1996-05-03 14:36 18432 ----a-w- c:\windows\Setup_ck.dll
2012-03-27 00:37 . 1995-07-04 17:33 11776 ----a-w- c:\windows\Ckrfresh.exe
2012-03-27 00:37 . 2006-04-17 15:56 1207808 ----a-w- c:\windows\system32\PhoenixDll.dll
2012-03-27 00:37 . 2004-10-17 01:46 178176 ----a-w- c:\windows\system32\StellarProfile.dll
2012-03-27 00:37 . 2012-03-27 02:46 -------- d-----w- c:\program files\Stellar Phoenix Windows Data Recovery
2012-03-26 14:31 . 1998-06-18 04:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2012-03-23 00:36 . 2012-03-23 00:44 -------- d-----w- c:\documents and settings\Guest.JAII\Application Data\HPAppData
2012-03-13 23:52 . 2012-03-13 23:52 -------- d-----w- c:\documents and settings\Guest.JAII\Local Settings\Application Data\Temp
2012-03-13 23:52 . 2012-03-13 23:52 -------- d-----w- c:\documents and settings\Guest.JAII\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-30 02:14 . 2004-08-10 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-27 00:02 . 2012-02-27 00:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-27 00:02 . 2011-05-10 01:30 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-03 09:22 . 2004-08-10 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 06:30 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2004-08-10 12:00 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-11 180269]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-11-10 36903]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-10 27136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502000.00D\symds.sys [2/7/2012 6:31 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502000.00D\symefa.sys [2/7/2012 6:31 PM 744568]
S0 ujpcjh;ujpcjh;c:\windows\system32\drivers\ggav.sys --> c:\windows\system32\drivers\ggav.sys [?]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20120317.002\BHDrvx86.sys [3/19/2012 8:53 PM 820856]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502000.00D\ironx86.sys [2/7/2012 6:31 PM 136312]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/29/2012 9:23 PM 652360]
S2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\5.2.0.13\ccsvchst.exe [2/7/2012 6:31 PM 130008]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/3/2012 10:43 PM 106104]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20120327.002\IDSXpx86.sys [3/27/2012 10:24 PM 356280]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/29/2012 9:23 PM 20464]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Messenger
Netman
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
Rasman
acedrv05
lxrsge10s
vproeventmonitor
enodpl
se45bus
acrsch2svc
pensup
tphdexlgsvc
rasirda
anydvd
nimdbgk
WINFLASH
citrixwmiservice
rt2500usb
cnxtdiag
avfilter
portio
SQTECH905C
Usb20Scan
bthmodem
SE2Emdfl
elaunidr
CTSYN
s217nd5
Ncrc710
PPPoEWin
qkbfiltr
zppinger
mfcom
wlankeeper
CA561
RSAFAL
Blfp
WUSB54GCSVC
https-nassry
riomsc
sentinel
w810mgmt
rrrspy
de_serv
rslinxng
sbservice
pdlndtdl
DfwWebAgent
ifxtcs
IBM_LLC2
pdlndqll
arrayssl_vpn_service3,0,1,9
spbbcsvc
procmon10
AppnApi
SWUMX51
irsir
toscosrv
mfesmfk
rpcnet
mfebopk
sqlagent$pinnaclesys
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
TrkWks
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
MHN
BITS
wuauserv
ShellHWDetection
helpsvc
WmdmPmSN
napagent
hkmsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: trymedia.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-PCDrProfiler - (no file)
HKLM-Run-hpqSRMon - (no file)
HKLM-RunOnce-Malwarebytes Anti-Malware (cleanup) - c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll
SafeBoot-24836039.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-30 00:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\5.2.0.13\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\5.2.0.13\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1461445284-2792725786-2666702911-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fc,4d,27,63,c7,94,51,46,ac,68,9e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fc,4d,27,63,c7,94,51,46,ac,68,9e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(472)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-03-30 00:01:47
ComboFix-quarantined-files.txt 2012-03-30 04:01
.
Pre-Run: 163,065,720,832 bytes free
Post-Run: 164,189,040,640 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - D9E97C3394B6BC831683831DD27C4CBA
ComboFix 12-03-29.02 - Administrator 03/29/2012 23:51:19.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.778 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Guest.JAII\WINDOWS
c:\documents and settings\Guest\WINDOWS
c:\program files\Internet Explorer\SET10F.tmp
c:\program files\Internet Explorer\SET114.tmp
c:\program files\Internet Explorer\SET1B1.tmp
c:\program files\Internet Explorer\SET1B2.tmp
c:\program files\Internet Explorer\SET1B4.tmp
c:\program files\Internet Explorer\SET1BC.tmp
c:\program files\Internet Explorer\SET1BD.tmp
c:\program files\Internet Explorer\SET1BF.tmp
c:\program files\Internet Explorer\SET1DD.tmp
c:\program files\Internet Explorer\SET1E2.tmp
c:\program files\Internet Explorer\SET1E3.tmp
c:\program files\Internet Explorer\SET1E4.tmp
c:\program files\Internet Explorer\SET1E5.tmp
c:\program files\Internet Explorer\SET26C.tmp
c:\program files\Internet Explorer\SET26D.tmp
c:\program files\Internet Explorer\SET26F.tmp
c:\program files\Internet Explorer\SET30B.tmp
c:\program files\Internet Explorer\SET310.tmp
c:\program files\Internet Explorer\SETAB.tmp
c:\program files\Internet Explorer\SETB0.tmp
c:\windows\HPCPCUninstaller-6.3.2.116-9972322.exe
c:\windows\kb913800.exe
c:\windows\SET6A1.tmp
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\ndassvc.dll
c:\windows\system32\pdfcreatormessages.dll
c:\windows\system32\ps2.bat
c:\windows\system32\raspti.dll
D:\Autorun.inf
.
Infected copy of c:\windows\system32\drivers\mqac.sys was found and disinfected
Restored copy from - The cat found it
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-30 )))))))))))))))))))))))))))))))
.
.
2012-03-30 02:13 . 2012-03-30 02:13 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-30 01:23 . 2012-03-30 01:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-30 01:23 . 2011-12-10 19:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-29 23:10 . 2012-03-29 23:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Tific
2012-03-29 23:10 . 2012-03-29 23:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2012-03-29 04:26 . 2012-03-29 04:26 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2012-03-29 02:03 . 2012-03-29 02:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2012-03-29 02:03 . 2012-03-29 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-03-28 22:20 . 2012-03-28 22:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-03-28 22:20 . 2012-03-28 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-28 22:13 . 2012-03-28 22:13 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-03-28 22:12 . 2012-03-28 22:12 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-03-28 22:05 . 2012-03-28 22:05 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-03-28 03:22 . 2012-03-28 03:22 35752 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2012-03-27 01:20 . 2012-03-27 01:20 -------- d-----w- c:\documents and settings\All Users\CrypKey
2012-03-27 00:37 . 2012-03-27 00:37 -------- d-----w- C:\Log
2012-03-27 00:37 . 2008-05-07 23:29 122880 ----a-w- c:\windows\system32\Crypserv.exe
2012-03-27 00:37 . 2008-03-17 16:45 19584 ----a-w- c:\windows\system32\Ckldrv.sys
2012-03-27 00:37 . 1999-06-18 20:49 165888 ----a-w- c:\windows\Ckconfig.exe
2012-03-27 00:37 . 1996-05-03 16:21 27648 ----a-r- c:\windows\Setup_ck.exe
2012-03-27 00:37 . 1996-05-03 14:36 18432 ----a-w- c:\windows\Setup_ck.dll
2012-03-27 00:37 . 1995-07-04 17:33 11776 ----a-w- c:\windows\Ckrfresh.exe
2012-03-27 00:37 . 2006-04-17 15:56 1207808 ----a-w- c:\windows\system32\PhoenixDll.dll
2012-03-27 00:37 . 2004-10-17 01:46 178176 ----a-w- c:\windows\system32\StellarProfile.dll
2012-03-27 00:37 . 2012-03-27 02:46 -------- d-----w- c:\program files\Stellar Phoenix Windows Data Recovery
2012-03-26 14:31 . 1998-06-18 04:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2012-03-23 00:36 . 2012-03-23 00:44 -------- d-----w- c:\documents and settings\Guest.JAII\Application Data\HPAppData
2012-03-13 23:52 . 2012-03-13 23:52 -------- d-----w- c:\documents and settings\Guest.JAII\Local Settings\Application Data\Temp
2012-03-13 23:52 . 2012-03-13 23:52 -------- d-----w- c:\documents and settings\Guest.JAII\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-30 02:14 . 2004-08-10 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-27 00:02 . 2012-02-27 00:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-27 00:02 . 2011-05-10 01:30 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-03 09:22 . 2004-08-10 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 06:30 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2004-08-10 12:00 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-11 180269]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-11-10 36903]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-10 27136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502000.00D\symds.sys [2/7/2012 6:31 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502000.00D\symefa.sys [2/7/2012 6:31 PM 744568]
S0 ujpcjh;ujpcjh;c:\windows\system32\drivers\ggav.sys --> c:\windows\system32\drivers\ggav.sys [?]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20120317.002\BHDrvx86.sys [3/19/2012 8:53 PM 820856]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502000.00D\ironx86.sys [2/7/2012 6:31 PM 136312]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/29/2012 9:23 PM 652360]
S2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\5.2.0.13\ccsvchst.exe [2/7/2012 6:31 PM 130008]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/3/2012 10:43 PM 106104]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20120327.002\IDSXpx86.sys [3/27/2012 10:24 PM 356280]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/29/2012 9:23 PM 20464]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Messenger
Netman
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
Rasman
acedrv05
lxrsge10s
vproeventmonitor
enodpl
se45bus
acrsch2svc
pensup
tphdexlgsvc
rasirda
anydvd
nimdbgk
WINFLASH
citrixwmiservice
rt2500usb
cnxtdiag
avfilter
portio
SQTECH905C
Usb20Scan
bthmodem
SE2Emdfl
elaunidr
CTSYN
s217nd5
Ncrc710
PPPoEWin
qkbfiltr
zppinger
mfcom
wlankeeper
CA561
RSAFAL
Blfp
WUSB54GCSVC
https-nassry
riomsc
sentinel
w810mgmt
rrrspy
de_serv
rslinxng
sbservice
pdlndtdl
DfwWebAgent
ifxtcs
IBM_LLC2
pdlndqll
arrayssl_vpn_service3,0,1,9
spbbcsvc
procmon10
AppnApi
SWUMX51
irsir
toscosrv
mfesmfk
rpcnet
mfebopk
sqlagent$pinnaclesys
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
TrkWks
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
MHN
BITS
wuauserv
ShellHWDetection
helpsvc
WmdmPmSN
napagent
hkmsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: trymedia.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-PCDrProfiler - (no file)
HKLM-Run-hpqSRMon - (no file)
HKLM-RunOnce-Malwarebytes Anti-Malware (cleanup) - c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll
SafeBoot-24836039.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-30 00:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\5.2.0.13\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\5.2.0.13\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1461445284-2792725786-2666702911-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fc,4d,27,63,c7,94,51,46,ac,68,9e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fc,4d,27,63,c7,94,51,46,ac,68,9e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(472)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-03-30 00:01:47
ComboFix-quarantined-files.txt 2012-03-30 04:01
.
Pre-Run: 163,065,720,832 bytes free
Post-Run: 164,189,040,640 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - D9E97C3394B6BC831683831DD27C4CBA