That worked — the ComboFix log is below.
ComboFix 09-03-26.03 - John 2009-03-27 15:59:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1633 [GMT -7:00]
Running from: c:\documents and settings\John\Desktop\ComboF.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: ActiveArmor Firewall *enabled*
FW: McAfee Personal Firewall *disabled*
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\test.txt
c:\windows\system32\drivers\UACemxfqptb.sys
c:\windows\system32\lowsec
c:\windows\system32\lsprst7.dll
c:\windows\system32\sdra64.exe
c:\windows\system32\ssprs.dll
c:\windows\system32\UACbwbdmixb.dll
c:\windows\system32\UACdmtkyfwx.dll
c:\windows\system32\UACftobwrtl.log
c:\windows\system32\UACggxuwehq.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACiuplhxmu.log
c:\windows\system32\UACohklvngi.dll
c:\windows\system32\UACorodalig.dll
c:\windows\system32\UACqlrqjkvs.dll
c:\windows\system32\UACujojdyiu.log
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
((((((((((((((((((((((((( Files Created from 2009-02-27 to 2009-03-27 )))))))))))))))))))))))))))))))
.
2009-03-25 14:43 . 2009-03-25 14:43 1,025 --a------ c:\windows\system32\sysprs7.tgz
2009-03-25 14:43 . 2009-03-25 14:43 1,025 --a------ c:\windows\system32\sysprs7.dll
2009-03-25 14:43 . 2009-03-25 14:43 1,025 --a------ c:\windows\system32\clauth2.dll
2009-03-25 14:43 . 2009-03-25 14:43 1,025 --a------ c:\windows\system32\clauth1.dll
2009-03-25 14:43 . 2009-03-25 14:45 351 --a------ c:\windows\system32\lsprst7.tgz
2009-03-25 14:43 . 2009-03-25 14:43 87 --a------ c:\windows\system32\ssprs.tgz
2009-03-25 14:43 . 2009-03-25 14:45 16 ---h----- c:\windows\system32\servdat.slm
2009-03-25 03:15 . 2009-03-25 03:53 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-03-23 16:36 . 2009-03-23 16:36 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-23 16:36 . 2009-03-23 16:36 73,728 --a------ c:\windows\system32\javacpl.cpl
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-27 09:41 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-27 09:40 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-27 09:25 --------- d-----w c:\documents and settings\John\Application Data\U3
2009-03-25 21:45 --------- d-----w c:\program files\SPSS
2009-03-23 23:36 --------- d-----w c:\program files\Java
2009-03-10 09:05 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-05 06:59 --------- d-----w c:\documents and settings\John\Application Data\Audacity
2006-03-29 05:24 19,160 -c--a-w c:\documents and settings\John\Application Data\GDIPFONTCACHEV1.DAT
2008-09-21 02:47 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092020080921\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="e:\program files\Wcescomm.exe" [2006-11-13 1289000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"ASUS Probe"="c:\program files\ASUS\Probe\AsusProb.exe" [2002-12-06 617984]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"nTrayFw"="c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-12-21 270336]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-23 148888]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 c:\windows\KHALMNPR.Exe]
"CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2005-07-23 434176]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-12 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SATARAID5.lnk]
backup=c:\windows\pss\SATARAID5.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpeedUpMyPC.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpeedUpMyPC.lnk.disabled
backup=c:\windows\pss\SpeedUpMyPC.lnk.disabledCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 14:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\kfchickenliver@hotmail.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\kfchickenliver@hotmail.com\\day of defeat\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\kfchickenliver@hotmail.com\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\kfchickenliver@hotmail.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\kfchickenliver@hotmail.com\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\kfchickenliver@hotmail.com\\half-life\\hl.exe"=
"e:\\Program Files\\Warcraft III\\war3.exe"=
"e:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Documents and Settings\\John\\Desktop\\Listchecker\\pickup.listchecker.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"e:\program files\rapimgr.exe"= e:\program files\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"e:\program files\wcescomm.exe"= e:\program files\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"e:\program files\WCESMgr.exe"= e:\program files\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Warcraft III hosting
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [2006-08-11 8192]
S2 0309821230412757mcinstcleanup;McAfee Application Installer Cleanup (0309821230412757);c:\docume~1\John\LOCALS~1\Temp\030982~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\John\LOCALS~1\Temp\030982~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e558379d-fa59-11d9-b0e8-806d6172696f}]
\Shell\AutoRun\command - D:\ASUSACPI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C97751B1-BF63-4867-87FB-49B72502DBCD}]
c:\program files\Microsoft Office\Office10\OfficeXPFirstRun.vbs
.
Contents of the 'Scheduled Tasks' folder
2009-03-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2008-12-27 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]
2008-12-27 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-ErrorRepairPro - c:\program files\Error Repair Professional\autostart.exe
HKCU-Run-Steam - (no file)
HKCU-Run-Aim6 - (no file)
MSConfigStartUp-BitTorrent DNA - c:\program files\DNA\btdna.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title =
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
Trusted Zone: aol.com\free
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\3uvfmm9v.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-27 16:01:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(788)
c:\windows\system32\nvappfilter.dll
.
Completion time: 2009-03-27 16:03:14
ComboFix-quarantined-files.txt 2009-03-27 23:03:02
Pre-Run: 11,766,386,688 bytes free
Post-Run: 12,126,998,528 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
211 --- E O F --- 2009-03-21 02:16:12