the first time i tried to run Combofix it wouldn't run
two errors
1 windows can't find NIRKMD
2 Error opening C:\32788R22fwjfw\per.3xe
second try on Combofix
ComboFix 12-02-11.02 - Mike 02/11/2012 16:12:31.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2074 [GMT -6:00]
Running from: c:\documents and settings\Mike\My Documents\Downloads\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 111201-0] *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: COMODO Antivirus *Enabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
C:\RECYCLER(2)
c:\recycler(2)\S-1-5-21-789336058-879983540-839522115-1004(2)\INFO2
.
.
((((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-11 21:34 . 2006-02-28 12:00 146432 ------w- c:\windows\regedit.exe
2012-02-04 17:07 . 2011-08-23 04:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-17 21:00 . 2011-12-20 00:59 494968 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-12-24 17:37 . 2010-05-18 00:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-12-24 17:37 . 2010-05-10 21:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-20 00:59 . 2011-12-20 00:59 97760 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-12-20 00:59 . 2011-12-20 00:59 31704 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-20 00:59 . 2011-12-20 00:59 18056 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-20 00:58 . 2011-12-20 00:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-20 00:58 . 2011-12-20 00:58 301224 ----a-w- c:\windows\system32\guard32.dll
2011-12-10 21:24 . 2011-04-05 20:45 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-28 17:53 . 2011-12-09 16:44 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-25 21:57 . 2006-02-28 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2006-02-28 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-21 10:47 . 2011-12-27 14:02 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{52FA2CCC-8BB3-4FAA-9392-50696E01FD34}\mpengine.dll
2011-11-21 10:47 . 2011-04-06 18:17 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-11-19 17:52 . 2011-12-06 01:34 17280 ----a-w- c:\windows\system32\roboot.exe
2011-11-18 12:35 . 2006-02-28 12:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2006-02-28 12:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2006-02-28 12:00 152064 ----a-w- c:\windows\system32\schannel.dll
2012-02-11 00:32 . 2012-02-10 18:35 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-11_19.38.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-11 21:34 . 2012-02-11 21:34 16384 c:\windows\Temp\Perflib_Perfdata_1f0.dat
+ 2011-12-30 00:15 . 2012-02-11 22:13 1132880 c:\windows\system32\drivers\sfi.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"PCTools FGuard"="c:\program files\PC Tools Security\BDT\FGuard.exe" [2011-01-07 108496]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2011-02-25 1770400]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-12-21 6676808]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311T Smart Wizard.lnk - c:\program files\NETGEAR\WG311T\wlancfg5.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-10-29 20:06 5915480 ----a-w- c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 18:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-07-17 17:12 288080 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-05-28 13:27 570664 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-10-22 18:22 7700480 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-10-22 18:22 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-10-13 15:27 17351304 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 22:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
"8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
"8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
"8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
"8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
"8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
"8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)
"8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)
"8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)
"8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)
"5070:UDP"= 5070:UDP:Express Talk Sip Incoming Calls (UDP)
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [12/19/2011 6:59 PM 494968]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [10/4/2011 6:51 PM 247760]
S1 aswSP;avast! Self Protection; [x]
S1 efbDisk;efbDisk; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys --> c:\windows\system32\DRIVERS\aswFsBlk.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2011 1:06 PM 136176]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 5:19 PM 13592]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2011 1:06 PM 136176]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507; [x]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [2/28/2006 6:00 AM 14336]
S3 NTIOLib_1_0_4;NTIOLib_1_0_4; [x]
S3 SetupNTGLM7X;SetupNTGLM7X; [x]
S4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-11 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-12-06 17:21]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-24 19:06]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-24 19:06]
.
2008-07-27 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 19:01]
.
2012-02-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-789336058-879983540-839522115-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-08 22:14]
.
2012-02-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-789336058-879983540-839522115-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-08 22:14]
.
2012-02-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-789336058-879983540-839522115-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-08 22:14]
.
2012-02-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-789336058-879983540-839522115-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-08 22:14]
.
2012-02-11 c:\windows\Tasks\User_Feed_Synchronization-{68D9A955-D50C-4AFB-84CF-8323DA46781E}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) =
hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 208.139.139.5 208.139.139.4
TCP: Interfaces\{A1BBAC8E-EAA0-4277-BBDB-9355D50BFA06}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{E8DC04C1-ACAA-459D-8D2A-1BF4057B28BA}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{F139F404-3852-493D-89A9-D8062FC4DEE2}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\4ntswr22.default\
FF - prefs.js: browser.search.defaulturl -
hxxp://www.bing.com/search?FORM=BABTDF&PC=BBLN&q=FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: network.proxy.type - 0
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - us.mc305.mail.yahoo.com hillbillyreport.org mail.google.com hardblogger.msnbc.msn.com support.mozilla.com us.mg1.mail.yahoo.com
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2012-02-11 16:22
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\.amdk7]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(752)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'csrss.exe'(668)
c:\windows\system32\cmdcsr.dll
.
Completion time: 2012-02-11 16:25:10
ComboFix-quarantined-files.txt 2012-02-11 22:25
ComboFix2.txt 2012-02-11 19:42
ComboFix3.txt 2011-12-16 18:29
ComboFix4.txt 2011-04-06 01:52
.
Pre-Run: 33,665,822,720 bytes free
Post-Run: 33,629,163,520 bytes free
.
- - End Of File - - 15376359FED3607C89A3B9C483101F1B