[HKLM\~\startupfolder\C:^Documents and Settings^PPSO88^Start Menu^Programs^Startup^CorelCENTRAL Alarms.LNK]
backup=c:\windows\pss\CorelCENTRAL Alarms.LNKStartup
[HKLM\~\startupfolder\C:^Documents and Settings^PPSO88^Start Menu^Programs^Startup^Desktop Application Director 9.LNK]
backup=c:\windows\pss\Desktop Application Director 9.LNKStartup
[HKLM\~\startupfolder\C:^Documents and Settings^PPSO88^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^PPSO88^Start Menu^Programs^Startup^map.lnk]
backup=c:\windows\pss\map.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
registrybooster [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2004-09-13 22:33 155648 ----a-w- c:\program files\Apoint\Apoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-05-13 03:00 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2005-09-01 23:24 684032 ----a-w- c:\program files\Dell\QuickSet\quickset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2005-05-31 10:33 122941 ----a-w- c:\windows\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-04-26 14:04 53248 ----a-w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 05:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-06-25 17:09 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 07:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"8614:TCP"= 8614:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"1820:TCP"= 1820:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3819:TCP"= 3819:TCP:Services
"9959:TCP"= 9959:TCP:Services
"4068:TCP"= 4068:TCP:Services
"9505:TCP"= 9505:TCP:Services
"6317:TCP"= 6317:TCP:Services
"8131:TCP"= 8131:TCP:Services
"3131:TCP"= 3131:TCP:Services
"9348:TCP"= 9348:TCP:Services
"8659:TCP"= 8659:TCP:Services
"8660:TCP"= 8660:TCP:Services
"1990:TCP"= 1990:TCP:Services
"2480:TCP"= 2480:TCP:Services
"3427:TCP"= 3427:TCP:Services
"5354:TCP"= 5354:TCP:Services
"9676:TCP"= 9676:TCP:Services
"9677:TCP"= 9677:TCP:Services
"8266:TCP"= 8266:TCP:Services
"8265:TCP"= 8265:TCP:Services
"6710:TCP"= 6710:TCP:Services
"6711:TCP"= 6711:TCP:Services
"5598:TCP"= 5598:TCP:Services
"9696:TCP"= 9696:TCP:Services
"2542:TCP"= 2542:TCP:Services
"3584:TCP"= 3584:TCP:Services
"6302:TCP"= 6302:TCP:Services
"6303:TCP"= 6303:TCP:Services
"6598:TCP"= 6598:TCP:Services
"6599:TCP"= 6599:TCP:Services
"4584:TCP"= 4584:TCP:Services
"7668:TCP"= 7668:TCP:Services
"8099:TCP"= 8099:TCP:Services
"8100:TCP"= 8100:TCP:Services
"4335:TCP"= 4335:TCP:Services
"7170:TCP"= 7170:TCP:Services
"6508:TCP"= 6508:TCP:Services
"6507:TCP"= 6507:TCP:Services
"7984:TCP"= 7984:TCP:Services
"4742:TCP"= 4742:TCP:Services
"9630:TCP"= 9630:TCP:Services
"9631:TCP"= 9631:TCP:Services
"4490:TCP"= 4490:TCP:Services
"7480:TCP"= 7480:TCP:Services
"8913:TCP"= 8913:TCP:Services
"8914:TCP"= 8914:TCP:Services
"3413:TCP"= 3413:TCP:Services
"5326:TCP"= 5326:TCP:Services
"5820:TCP"= 5820:TCP:Services
"5819:TCP"= 5819:TCP:Services
"6975:TCP"= 6975:TCP:Services
"6976:TCP"= 6976:TCP:Services
"7336:TCP"= 7336:TCP:Services
"7335:TCP"= 7335:TCP:Services
"6584:TCP"= 6584:TCP:Services
"6585:TCP"= 6585:TCP:Services
"9974:TCP"= 9974:TCP:Services
"9975:TCP"= 9975:TCP:Services
"9552:TCP"= 9552:TCP:Services
"9553:TCP"= 9553:TCP:Services
"5040:TCP"= 5040:TCP:Services
"8580:TCP"= 8580:TCP:Services
"6318:TCP"= 6318:TCP:Services
"6319:TCP"= 6319:TCP:Services
"7318:TCP"= 7318:TCP:Services
"7319:TCP"= 7319:TCP:Services
"3196:TCP"= 3196:TCP:Services
"2348:TCP"= 2348:TCP:Services
"7912:TCP"= 7912:TCP:Services
"7913:TCP"= 7913:TCP:Services
"4638:TCP"= 4638:TCP:Services
"3069:TCP"= 3069:TCP:Services
"3383:TCP"= 3383:TCP:Services
"5266:TCP"= 5266:TCP:Services
"8644:TCP"= 8644:TCP:Services
"8645:TCP"= 8645:TCP:Services
"7629:TCP"= 7629:TCP:Services
"7630:TCP"= 7630:TCP:Services
"6566:TCP"= 6566:TCP:Services
"6567:TCP"= 6567:TCP:Services
"3444:TCP"= 3444:TCP:Services
"5388:TCP"= 5388:TCP:Services
"9741:TCP"= 9741:TCP:Services
"9742:TCP"= 9742:TCP:Services
"6757:TCP"= 6757:TCP:Services
"6758:TCP"= 6758:TCP:Services
"8069:TCP"= 8069:TCP:Services
"8070:TCP"= 8070:TCP:Services
"2888:TCP"= 2888:TCP:Services
"2194:TCP"= 2194:TCP:Services
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/5/2010 2:02 AM 135336]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [10/19/2009 5:04 PM 110984]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [11/23/2005 7:23 PM 80384]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 MotDev;Motorola Inc. USB Device; [x]
S3 XIRLINK;Veo PC Camera;c:\windows\system32\drivers\ucdnt.sys [3/24/2008 5:58 PM 899884]
.
Contents of the 'Scheduled Tasks' folder
2010-07-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3473567101-1286528376-471160672-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
2010-07-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3473567101-1286528376-471160672-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
2010-07-20 c:\windows\Tasks\User_Feed_Synchronization-{31E80B77-D5EB-4B02-AE6A-0B4BF5752994}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\PPSO88\Application Data\Mozilla\Firefox\Profiles\nc6b34uq.default\
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-MPFExe - c:\program files\mcafee.com\personal firewall\MPfTray.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-07-19 22:13
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,
http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x863EF78A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75dff28
\Driver\ACPI -> ACPI.sys @ 0xf7472cb8
\Driver\atapi -> ntkrnlpa.exe @ 0x8057c2df
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
NDIS: Intel(R) PRO/Wireless 2915ABG Network Connection -> SendCompleteHandler -> 0x86455b60
PacketIndicateHandler -> NDIS.sys @ 0xf72d6a21
SendHandler -> NDIS.sys @ 0xf72b487b
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1348)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2010-07-19 22:19:00
ComboFix-quarantined-files.txt 2010-07-20 03:18
ComboFix2.txt 2010-02-26 07:57
ComboFix3.txt 2010-02-26 05:04
ComboFix4.txt 2007-09-17 05:08
Pre-Run: 26,605,989,888 bytes free
Post-Run: 26,635,599,872 bytes free
- - End Of File - - 510974A13C937A3385C96B7178D80095