ComboFix 10-11-09.01 - user 11/09/2010 13:07:23.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.609 [GMT -5:00]
Running from: e:\antispyware\combo fix\ComboFix5.exe
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Install.exe
c:\program files\Internet Explorer\SET11B.tmp
c:\program files\Internet Explorer\SET11C.tmp
c:\program files\Internet Explorer\SET11D.tmp
.
((((((((((((((((((((((((( Files Created from 2010-10-09 to 2010-11-09 )))))))))))))))))))))))))))))))
.
2010-11-10 04:49 . 2010-09-09 13:38 468480 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-11-10 04:49 . 2010-09-09 13:38 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-11-10 04:49 . 2010-09-09 13:38 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-11-10 04:49 . 2010-09-09 13:38 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2010-11-10 04:49 . 2010-08-31 12:09 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2010-11-10 04:49 . 2010-09-09 13:38 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2010-11-10 04:49 . 2010-02-22 22:04 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2010-11-10 04:49 . 2010-09-09 13:38 6075904 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-11-10 04:42 . 2010-11-10 04:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\McAfee
2010-11-10 04:39 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5D8D5CB2-C817-4A5F-8291-3E6C3C3CBC54}\mpengine.dll
2010-11-10 04:37 . 2010-11-10 05:03 -------- d-----w- c:\windows\LastGood
2010-11-10 04:36 . 2009-06-25 18:20 1446264 ----a-w- c:\program files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
2010-10-26 22:12 . 2008-04-14 09:42 8704 -c--a-w- c:\windows\system32\dllcache\snmptrap.exe
2010-10-26 22:11 . 2008-04-14 09:42 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe
2010-10-26 22:10 . 2008-04-14 09:42 42496 -c--a-w- c:\windows\system32\dllcache\davcdata.exe
2010-10-26 22:06 . 2001-08-23 04:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-10-26 22:06 . 2001-08-23 04:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2010-10-26 21:56 . 2008-04-14 02:05 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2010-10-26 21:53 . 2001-08-23 04:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-10-26 21:53 . 2001-08-23 04:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-10-26 21:53 . 2001-08-23 04:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-10-26 21:53 . 2001-08-23 04:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-10-26 21:52 . 2008-04-14 11:34 16535 ----a-r- c:\windows\SETB7.tmp
2010-10-26 21:52 . 2008-04-14 11:34 1088840 ----a-r- c:\windows\SETAB.tmp
2010-10-26 21:52 . 2008-04-14 11:40 1296669 ----a-r- c:\windows\SETA8.tmp
2010-10-26 21:00 . 2010-11-10 04:40 -------- d-----w- c:\program files\VS Revo Group
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-09 22:52 . 2010-08-25 17:42 6084944 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-09-09 13:38 . 2008-11-08 20:43 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2008-11-08 20:43 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2008-11-08 20:43 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2008-11-08 20:42 17408 ----a-w- c:\windows\system32\corpol.dll
2010-08-31 12:10 . 2008-11-08 20:42 389120 ----a-w- c:\windows\system32\html.iec
.
------- Sigcheck -------
[-] 2008-11-08 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"lxecmon.exe"="c:\program files\Lexmark Pro800-Pro900 Series\lxecmon.exe" [2010-01-18 770728]
"EzPrint"="c:\program files\Lexmark Pro800-Pro900 Series\ezprint.exe" [2010-01-18 139944]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-02-28 44544]
c:\documents and settings\user\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
VPN Client.lnk - c:\windows\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2007-10-25 6144]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\user\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-08-03 09:12 577536 ----a-w- c:\windows\soundman.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 16:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxeccoms.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Whale Communications\\Client Components\\3.1.0\\WhlClnt3.exe"=
R2 IQ.Core.UpdateFoundation.WindowsService;iQmetrix Installation Manager Service;c:\program files\iQmetrix\IQ.Core.UpdateFoundation.WindowsService.exe [10/30/2009 2:19 PM 6656]
R2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]
R2 WinRT;WinRT;c:\windows\system32\drivers\WINRT.SYS [12/17/2007 10:55 AM 99360]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/5/2009 2:00 PM 135664]
S2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [8/25/2010 5:38 PM 98984]
S3 DMService;Whale Component Manager;c:\windows\DOWNLO~1\DMService.exe [8/25/2010 12:37 PM 428184]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [12/17/2007 10:56 AM 42112]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - KLMD24
*Deregistered* - klmd24
.
Contents of the 'Scheduled Tasks' folder
2010-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-05 19:00]
2010-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-05 19:00]
2010-11-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]
2010-11-10 c:\windows\Tasks\User_Feed_Synchronization-{E055F4C0-135C-4037-A6F7-EABA55F0530E}.job
- c:\windows\system32\msfeedssync.exe [2008-11-08 20:43]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-Cmaudio - cmicnfg.cpl
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-09 13:12
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
Completion time: 2010-11-09 13:15:00
ComboFix-quarantined-files.txt 2010-11-09 18:14
Pre-Run: 26,431,782,912 bytes free
Post-Run: 27,109,883,904 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 8E960123D81A8A92CF1A3098032F41FC
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:10 PM, on 11/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17091)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\iQmetrix\IQ.Core.UpdateFoundation.WindowsService.exe
C:\WINDOWS\system32\lxeccoms.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Lexmark Pro800-Pro900 Series\lxecmon.exe
C:\Program Files\Lexmark Pro800-Pro900 Series\ezprint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
E:\antispyware\Hijack this\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [lxecmon.exe] "C:\Program Files\Lexmark Pro800-Pro900 Series\lxecmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark Pro800-Pro900 Series\ezprint.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 3354324546
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://iscportal.sprint.com/InternalSi ... ompMgr.cab
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iQmetrix Installation Manager Service (IQ.Core.UpdateFoundation.WindowsService) - iQmetrix Software Development Corporation - C:\Program Files\iQmetrix\IQ.Core.UpdateFoundation.WindowsService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxecCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxecserv.exe
O23 - Service: lxec_device - - C:\WINDOWS\system32\lxeccoms.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 5966 bytes