ComboFix 10-07-29.04 - Administrator 07/30/2010 13:18:20.4.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.536 [GMT -4:00]
Running from: c:\documents and settings\Greg\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Greg\Desktop\CFScript.txt
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Sunbelt VIPRE *enabled* {FF1CD5B7-1553-4625-A258-1775385CED33}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--------------- FCopy ---------------
c:\windows\system32\dllcache\termsrv.dll --> c:\windows\System32\termsrv.dll
.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-30 )))))))))))))))))))))))))))))))
.
2010-07-30 17:18 . 2008-04-14 10:42 295424 ----a-w- c:\windows\system32\termsrv.dll
2010-07-28 07:40 . 2010-07-28 07:40 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-27 16:31 . 2008-04-14 05:10 36352 -c--a-w- c:\windows\system32\dllcache\disk.sys
2010-07-27 16:31 . 2008-04-14 05:10 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-07-27 05:13 . 2010-07-27 05:13 388096 ----a-r- c:\documents and settings\Greg\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-27 04:48 . 2010-07-27 04:48 -------- d-sh--w- c:\documents and settings\Greg\IECompatCache
2010-07-27 04:33 . 2010-07-27 04:33 -------- d-----w- c:\documents and settings\Greg\Application Data\JAM Software
2010-07-27 04:32 . 2010-07-27 04:32 -------- d-----w- c:\program files\JAM Software
2010-07-27 02:47 . 2010-07-28 05:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-26 16:39 . 2010-07-26 16:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-26 09:27 . 2010-07-26 09:27 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-07-26 09:00 . 2010-05-21 18:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-26 08:27 . 2010-07-28 05:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-26 03:20 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-26 03:20 . 2010-07-26 03:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-26 03:20 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-25 03:14 . 2010-01-04 10:29 69720 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-07-25 03:14 . 2010-01-04 10:29 13400 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2010-07-25 03:08 . 2010-07-25 03:08 -------- d-----w- c:\documents and settings\Greg\Application Data\Sunbelt
2010-07-25 03:08 . 2010-07-25 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2010-07-25 03:06 . 2010-04-28 19:12 86232 ----a-w- c:\windows\system32\drivers\sbhips.sys
2010-07-25 03:06 . 2010-04-28 19:12 204632 ----a-w- c:\windows\system32\drivers\sbtis.sys
2010-07-25 03:05 . 2010-01-14 09:42 67800 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2010-07-25 03:05 . 2010-04-28 19:12 322904 ----a-w- c:\windows\system32\drivers\SbFw.sys
2010-07-23 08:12 . 2010-07-23 08:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sunbelt
2010-07-23 06:01 . 2010-07-23 06:01 -------- d-----w- c:\program files\Sunbelt Software
2010-07-23 05:19 . 2010-07-23 05:19 -------- d-----w- c:\documents and settings\Administrator\PrivacIE
2010-07-23 05:18 . 2010-07-23 05:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-07-23 05:16 . 2010-07-23 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-07-08 09:30 . 2010-07-08 09:30 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-07-08 09:10 . 2010-07-08 09:10 -------- dc----w- c:\windows\system32\DRVSTORE
2010-07-07 03:45 . 2010-07-07 03:45 -------- d-----w- c:\documents and settings\Greg\Local Settings\Application Data\TheWeatherNetwork
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-30 16:40 . 2010-02-10 23:34 -------- d-----w- c:\documents and settings\Greg\Application Data\uTorrent
2010-07-23 05:53 . 2010-07-23 05:53 37760 ----a-w- c:\windows\system32\drivers\amdk7.sys5B84D6EB
2010-07-20 05:20 . 2010-03-22 06:05 -------- d-----w- c:\documents and settings\Greg\Application Data\FileZilla
2010-07-15 02:49 . 2010-02-11 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-11 20:28 . 2010-02-26 06:16 -------- d-----w- c:\documents and settings\Greg\Application Data\vlc
2010-06-26 00:37 . 2010-03-26 15:27 -------- d-----w- c:\program files\CCP
2010-06-26 00:35 . 2010-02-15 02:08 -------- d-----w- c:\program files\DivX
2010-06-25 05:59 . 2010-02-12 22:56 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-24 00:11 . 2010-03-27 13:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-24 00:07 . 2010-06-24 00:07 -------- d-----w- c:\program files\NOS
2010-06-14 14:31 . 2010-02-10 13:45 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-10 04:56 . 2010-02-13 01:25 737280 ----a-w- c:\windows\iun6002.exe
2010-06-10 04:53 . 2010-03-17 04:28 69584 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-10 04:47 . 2010-06-10 04:47 -------- d-----w- c:\program files\Phyxion.net
2010-06-10 04:38 . 2010-02-12 22:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-10 03:23 . 2010-06-10 03:23 -------- d-----w- c:\program files\Radeon Omega Drivers
2010-06-10 02:53 . 2010-03-08 17:22 -------- d-----w- c:\program files\MagicISO
2010-06-10 02:53 . 2010-02-15 02:08 -------- d-----w- c:\program files\Google
2010-06-05 23:26 . 2010-02-11 15:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-03 20:03 . 2010-02-11 00:53 -------- d-----w- c:\program files\TeamSpeak 3 Client
2010-05-06 10:41 . 2008-04-14 04:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2008-04-14 00:00 1851264 ----a-w- c:\windows\system32\win32k.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-04-30 1291600]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus G Configuration Utility.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^Greg^Start Menu^Programs^Startup^MagicDisc.lnk]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2008-02-22 11:30 217544 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 04:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-08-22 22:05 81920 ----a-w- c:\program files\D-Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-03-25 15:06 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 18:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 20:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-02-02 15:41 692316 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2005-02-02 15:42 102492 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-05-27 05:50 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX6000]
2010-01-29 05:04 764784 ----a-w- c:\windows\vVX6000.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [3/9/2010 12:53 AM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [3/9/2010 12:53 AM 5248]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/13/2009 9:02 AM 95024]
R2 SBAMSvc;VIPRE Antivirus Premium;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [4/30/2010 12:31 PM 2730120]
R2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe [4/30/2010 12:30 PM 181584]
S1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [7/24/2010 11:14 PM 13400]
S1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [7/24/2010 11:05 PM 322904]
S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [7/24/2010 11:06 PM 204632]
S2 .vipre_reset;Vipre Trial Reset;c:\program files\Vipre_Reset.exe --> c:\program files\Vipre_Reset.exe [?]
S2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [7/24/2010 11:14 PM 69720]
S3 CALIAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\caliaud.sys [2/17/2004 9:28 AM 292352]
S3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2/17/2004 9:29 AM 273536]
S3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [7/15/2004 9:01 AM 18432]
S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [7/24/2010 11:05 PM 67800]
S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [7/24/2010 11:06 PM 86232]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [1/29/2010 1:04 AM 2074480]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/11/2010 8:51 PM 716272]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9a18gyat.default\
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-07-30 13:26
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,
http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83600AB0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf80e7f28
\Driver\ACPI -> ACPI.sys @ 0xf8034cb8
\Driver\atapi -> 0x83600ab0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(180)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-07-30 13:30:26
ComboFix-quarantined-files.txt 2010-07-30 17:30
ComboFix2.txt 2010-07-27 16:59
Pre-Run: 11,696,455,680 bytes free
Post-Run: 11,685,265,408 bytes free
- - End Of File - - 48CFF07B22EC5365B2348C552EB62D40