ComboFix 10-11-01.05 - Mark 11/02/2010 11:38:46.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.261 [GMT -4:00]
Running from: c:\documents and settings\Mark\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SSHNAS
((((((((((((((((((((((((( Files Created from 2010-10-02 to 2010-11-02 )))))))))))))))))))))))))))))))
.
2010-11-02 12:56 . 2010-11-02 12:56 -------- d-----w- c:\documents and settings\Mark\Application Data\Malwarebytes
2010-11-02 12:56 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-02 12:55 . 2010-11-02 12:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-02 12:55 . 2010-11-02 12:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-02 12:55 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-02 12:34 . 2010-11-02 12:34 -------- d-----w- C:\_OTL
2010-10-31 02:48 . 2010-10-31 02:48 -------- d-----w- c:\program files\Crawler
2010-10-31 02:47 . 2010-10-31 02:47 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2010-10-31 02:47 . 2010-11-02 10:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2010-10-31 02:47 . 2010-11-02 04:01 -------- d-----w- c:\documents and settings\Mark\Application Data\Spyware Terminator
2010-10-31 02:47 . 2010-11-02 04:00 -------- d-----w- c:\program files\Spyware Terminator
2010-10-29 11:12 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-29 11:12 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-29 11:10 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-28 21:17 . 2010-05-08 19:52 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-09-18 16:23 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 10:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 10:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 14:16 . 2006-03-04 03:33 667136 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 14:16 . 2004-08-04 10:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-09-09 14:16 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-09-08 16:49 . 2004-08-04 10:00 369664 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51 . 2004-08-04 10:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-04 10:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 10:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-04 10:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-06-21 11:31 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-04 10:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-04 10:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
2010-06-28 20:59 153184 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-27 135664]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2010-10-31 3055616]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-21 198160]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"dleamon.exe"="c:\program files\Dell V310-V510 Series\dleamon.exe" [2010-01-18 770728]
"EzPrint"="c:\program files\Dell V310-V510 Series\ezprint.exe" [2010-01-18 139944]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1312848]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2010-10-31 2174464]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe" [2010-07-25 231888]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-01-29 21:17 64592 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\dleacoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/28/2010 5:08 PM 312912]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/1/2009 9:31 PM 165456]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [10/30/2010 10:47 PM 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/1/2009 9:31 PM 17744]
R2 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe -service --> c:\windows\system32\dleacoms.exe -service [?]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [6/21/2009 8:43 PM 10384]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [6/3/2009 10:24 PM 88192]
S2 dleaCATSCustConnectService;dleaCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dleaserv.exe [3/7/2010 11:41 AM 98984]
S3 Ptserli;PCTEL Serial Device Driver for INTEL;c:\windows\system32\drivers\ptserli.sys [6/3/2009 10:30 PM 128286]
.
Contents of the 'Scheduled Tasks' folder
2010-10-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2010-10-31 c:\windows\Tasks\File Helper.job
- c:\program files\File Helper\1.1.0.4\FileHelper.exe [2009-11-20 18:49]
2010-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-688789844-839522115-1003Core.job
- c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-27 13:29]
2010-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-688789844-839522115-1003UA.job
- c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-27 13:29]
2010-11-02 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\lshiwz9l.default\
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - prefs.js: browser.search.selectedEngine - Mp3Rocket
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-02 11:53
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(880)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\windows\System32\BCMLogon.dll
- - - - - - - > 'explorer.exe'(2036)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\windows\system32\basfipm.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\dleacoms.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\pctspk.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-11-02 11:58:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-02 15:58
Pre-Run: 43,232,358,400 bytes free
Post-Run: 43,154,591,744 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 99B2D2A033885F263F0F578494F2A741