ComboFix 09-05-20.A1 - cthibault 05/21/2009 10:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.646 [GMT -4:00]
Running from: c:\documents and settings\cthibault\My Documents\Downloads\Programs\123.exe
AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning enabled* (Updated) {79208F2E-17BB-4A29-A108-0DBB7581C371}
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {79208F2E-17BB-4A29-A108-0DBB7581C371}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\UACtaqlnkpufynkelt.sys
c:\windows\system32\UACdjesxlicrrslmnd.log
c:\windows\system32\UACeoiasvogaeowyjd.dll
c:\windows\system32\UACfreafkindwvuvni.dll
c:\windows\system32\UACgkkkraieyfrqdyq.dat
c:\windows\system32\UACikvynwijnpsppkl.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACiyejbogpxtjntsa.dll
c:\windows\system32\UACmecfivxsqrwkvgi.log
c:\windows\system32\UACmtumtqtyepspqhv.dll
c:\windows\system32\UACvuunkgrmasrioba.dll
c:\windows\system32\x64
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.
2009-05-21 13:32 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-21 13:32 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-21 13:32 . 2009-05-21 13:32 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-21 13:32 . 2009-05-21 13:32 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-21 13:11 . 2009-05-21 13:11 -------- d-----w c:\documents and settings\cthibault\Application Data\Yahoo!
2009-05-21 13:11 . 2009-05-21 13:11 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-21 13:11 . 2009-05-21 13:11 -------- d-----w c:\program files\Yahoo!
2009-05-21 13:11 . 2009-05-21 13:11 -------- d-----w c:\program files\CCleaner
2009-05-21 12:03 . 2009-05-21 12:03 -------- d-----w c:\program files\Windows Live Safety Center
2009-05-20 18:07 . 2009-05-20 18:29 13 ----a-w c:\windows\popcinfo.dat
2009-05-20 17:47 . 2009-05-20 17:51 21 ----a-w c:\windows\raptinfo.dat
2009-05-20 17:47 . 2009-05-20 17:47 -------- d-----w c:\program files\Raptisoft
2009-04-29 11:34 . 2009-04-29 11:34 -------- d-----w c:\program files\iPod
2009-04-29 11:34 . 2009-04-29 11:34 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-29 11:34 . 2009-04-29 11:34 -------- d-----w c:\program files\iTunes
2009-04-28 12:08 . 2009-05-04 16:48 -------- d-----w c:\documents and settings\cthibault\Application Data\IDM
2009-04-28 12:08 . 2009-04-28 12:09 -------- d-----w c:\program files\Internet Download Manager
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-21 11:52 . 2009-03-09 16:38 -------- d-----w c:\program files\Porrasturvat - Stair Dismount
2009-05-20 18:22 . 2008-10-29 16:10 -------- d-----w c:\program files\PopCap Games
2009-05-20 18:18 . 2008-10-29 16:10 33 ----a-w c:\windows\popcinfot.dat
2009-04-29 11:34 . 2008-04-17 13:19 -------- d-----w c:\program files\Common Files\Apple
2009-03-26 15:35 . 2009-03-30 08:51 210352 ----a-w c:\windows\system32\idmmbc.dll
2009-03-19 20:32 . 2008-01-29 16:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:22 . 2004-08-11 23:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:59 . 2008-09-10 16:36 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2008-04-17 13:20 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 00:18 . 2004-08-11 23:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-11 23:00 78336 ----a-w c:\windows\system32\ieencode.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-04-28 2790832]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-08 136600]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2004-01-23 20530]
"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2004-01-23 24626]
"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2004-01-23 45106]
"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2004-01-23 20480]
"Client Access PC5250 Sound"="c:\program files\IBM\Client Access\Emulator\pcssnd.exe" [2004-01-23 40960]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2008-05-14 394952]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-06-14 16132608]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-6-12 25214]
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2007-10-31 7168]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-31 49152]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-4-15 106560]
ZDWLan Utility.lnk - c:\program files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [2009-2-23 475136]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\Client Server Security Agent\tmxpflt.sys [5/14/2008 4:53 PM 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [5/14/2008 4:53 PM 36368]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2/23/2009 1:51 PM 20608]
.
Contents of the 'Scheduled Tasks' folder
2009-04-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {1EFDA478-664E-41A6-8C2F-852344CC7F64} - hxxps://cnc.mcbcnet.com/CNCPrintAttachment.ocx
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-05-21 10:05
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1ff82aef-997e-48f1-8a9e-818f390d8d64}]
@Denied: (Full) (Everyone)
"Model"=dword:00000066
"Therad"=dword:00000014
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):e1,0d,88,e9,7d,f5,6a,4e,41,e0,55,c6,db,4c,49,f7,ec,70,c5,7f,1d,
33,4f,05,8b,73,c9,8b,16,18,3f,2b,3a,a3,c9,70,fd,7b,50,a6,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(780)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-05-21 10:06
ComboFix-quarantined-files.txt 2009-05-21 14:06
Pre-Run: 141,632,634,880 bytes free
Post-Run: 141,698,514,944 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
176 --- E O F --- 2009-05-13 19:51