ComboFix 09-10-26.01 - marija 27.10.2009 1:41.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.381.1033.18.1015.665 [GMT 1:00]
Running from: c:\documents and settings\marija\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
 * Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\recycler\S-1-5-21-1452673195-2193652651-1684103764-1003
c:\windows\system32\drivers\npf.sys
c:\windows\system32\oem1.inf
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\senekakbawvaxy.dat
c:\windows\system32\senekaysawkwff.dat
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2009-09-27 to 2009-10-27 )))))))))))))))))))))))))))))))
.
2009-10-27 00:37 . 2008-04-14 00:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-26 15:19 . 2009-10-26 16:47 -------- d-----w- c:\program files\Registry Easy
2009-10-26 00:12 . 2009-10-26 00:12 -------- d-----w- c:\program files\Trend Micro
2009-10-25 22:54 . 2009-10-25 22:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-25 22:35 . 2008-03-03 17:21 568 ---ha-w- c:\windows\nod32fixtemdono.reg
2009-10-25 22:35 . 2008-03-03 13:25 5702 ---ha-w- c:\windows\nod32restoretemdono.reg
2009-10-25 22:33 . 2009-10-25 22:33 -------- d-----w- c:\program files\ESET
2009-10-25 22:13 . 2009-10-25 22:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-25 21:46 . 2009-10-25 21:46 -------- d-----w- c:\documents and settings\marija\Application Data\Malwarebytes
2009-10-25 21:46 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-25 21:46 . 2009-10-25 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-25 21:46 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-25 21:46 . 2009-10-25 21:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-25 21:27 . 2009-10-25 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-25 20:16 . 2009-10-27 00:58 -------- d-----w- c:\documents and settings\HelpAssistant.MARIJA.002
2009-10-25 18:53 . 2009-10-25 18:44 30208 ----a-w- c:\documents and settings\HelpAssistant.MARIJA.001\sttray.exe
2009-10-25 18:44 . 2009-10-25 18:44 30208 ----a-w- c:\documents and settings\marija\sttray.exe
2009-10-25 18:33 . 2009-10-25 18:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-25 18:16 . 2009-10-25 18:16 -------- d-----w- c:\documents and settings\marija\Local Settings\Application Data\ESET
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-27 00:37 . 2009-10-09 09:09 -------- d-----w- c:\documents and settings\marija\Application Data\Affinegy
2009-10-26 21:46 . 2009-09-09 19:49 -------- d-----w- c:\documents and settings\marija\Application Data\Skype
2009-10-26 17:57 . 2009-09-09 19:52 -------- d-----w- c:\documents and settings\marija\Application Data\skypePM
2009-10-25 22:54 . 2009-08-26 04:21 -------- d-----w- c:\program files\Java
2009-10-25 20:57 . 2009-08-26 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-10-25 18:44 . 2009-10-25 20:21 30208 ----a-w- c:\documents and settings\HelpAssistant.MARIJA.002\sttray.exe
2009-10-25 01:11 . 2009-10-24 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-10-25 00:39 . 2009-10-25 00:39 -------- d-----w- c:\documents and settings\marija\Application Data\ESET
2009-10-24 18:04 . 2009-09-29 11:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-24 15:02 . 2009-10-15 12:56 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-10-23 23:22 . 2009-08-26 04:21 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-23 14:11 . 2009-08-26 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-10-21 07:32 . 2009-10-01 11:08 -------- d-----w- c:\documents and settings\marija\Application Data\Paltalk
2009-10-19 16:20 . 2009-08-26 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-10-18 06:13 . 2009-08-25 21:06 -------- d-----w- c:\program files\Microsoft
2009-10-18 06:11 . 2009-08-26 04:21 -------- d-----w- c:\program files\Microsoft Works
2009-10-16 23:12 . 2009-10-01 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-16 23:12 . 2009-10-06 09:27 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-15 12:45 . 2009-10-15 12:45 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2009-10-09 09:07 . 2009-10-09 09:06 -------- d-----w- c:\program files\Virgin Broadband Wireless
2009-10-09 09:06 . 2009-10-09 09:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Affinegy
2009-10-06 10:04 . 2009-08-25 21:43 70448 ----a-w- c:\documents and settings\marija\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-06 09:39 . 2009-08-29 22:28 -------- d-----w- c:\program files\MSBuild
2009-10-06 09:33 . 2009-10-06 09:33 -------- d-----w- c:\program files\Microsoft.NET
2009-10-05 20:17 . 2009-10-05 20:17 -------- d-----w- c:\documents and settings\marija\Application Data\Template
2009-10-05 20:17 . 2009-10-05 20:17 0 ----a-w- c:\documents and settings\marija\Application Data\wklnhst.dat
2009-10-03 19:38 . 2009-09-27 19:04 -------- d-----w- c:\documents and settings\marija\Application Data\Windows Live Writer
2009-10-03 12:33 . 2009-09-09 14:12 -------- d-----w- c:\documents and settings\marija\Application Data\BSplayer
2009-09-30 22:11 . 2009-09-30 22:09 31 ----a-w- c:\windows\system32\drivers\adidsl.cfg
2009-09-30 22:09 . 2009-08-26 04:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-30 22:09 . 2009-09-30 22:09 -------- d-----w- c:\program files\SAGEM
2009-09-30 22:09 . 2009-08-26 04:21 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-30 09:27 . 2009-09-30 09:24 -------- d-----w- c:\documents and settings\marija\Application Data\Winamp
2009-09-30 09:26 . 2009-09-07 17:51 -------- d-----w- c:\program files\Winamp
2009-09-09 21:00 . 2009-09-09 20:59 -------- d-----w- c:\program files\Google
2009-09-09 20:58 . 2009-09-09 19:49 -------- d-----r- c:\program files\Skype
2009-09-09 20:58 . 2009-09-09 20:58 -------- d-----w- c:\program files\Common Files\Skype
2009-09-09 20:58 . 2009-09-09 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-09-09 19:52 . 2009-09-09 19:52 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-09-09 14:14 . 2009-09-09 14:14 -------- d-----w- c:\program files\Codec Pack - All In 1
2009-09-09 14:13 . 2009-09-09 14:14 737280 ----a-w- c:\windows\iun6002.exe
2009-09-09 14:13 . 2009-09-09 14:13 -------- d-----w- c:\program files\BS_Player
2009-09-09 14:13 . 2009-09-09 14:13 -------- d-----w- c:\program files\Conduit
2009-09-09 14:12 . 2009-09-09 14:12 -------- d-----w- c:\documents and settings\marija\Application Data\BSplayer Pro
2009-09-09 14:12 . 2009-09-09 14:12 -------- d-----w- c:\program files\Webteh
2009-09-05 22:05 . 2009-09-05 22:04 -------- d-----w- c:\program files\CCleaner
2009-08-29 22:27 . 2009-08-29 22:27 -------- d-----w- c:\program files\Reference Assemblies
2009-08-25 21:42 . 2009-08-25 21:42 259584 --sha-r- C:\BCDEDIT.EXE
2009-08-25 21:42 . 2009-08-25 21:42 259584 ----a-w- c:\windows\system32\bcdedit.exe
2009-08-25 21:42 . 2009-08-25 21:42 102400 --sha-r- C:\bootsect.exe
2009-08-05 21:48 . 2009-08-25 21:12 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-08-05 09:01 . 2009-08-05 09:01 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2009-07-29 04:37 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2009-07-29 04:37 119808 ----a-w- c:\windows\system32\t2embed.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}"= "c:\program files\BS_Player\tbBS_P.dll" [2009-07-02 2215960]

[HKEY_CLASSES_ROOT\clsid\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}]
2009-07-02 09:18 2215960 ----a-w- c:\program files\BS_Player\tbBS_P.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}"= "c:\program files\BS_Player\tbBS_P.dll" [2009-07-02 2215960]

[HKEY_CLASSES_ROOT\clsid\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{FED66DC5-1B74-4A04-8F5C-15C5ACE2B9A5}"= "c:\program files\BS_Player\tbBS_P.dll" [2009-07-02 2215960]

[HKEY_CLASSES_ROOT\clsid\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-09 39408]
"Google Update"="c:\documents and settings\marija\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-28 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-09-11 446556]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-12-03 729088]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1410344]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-25 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"HP Mobile Broadband"="c:\swsetup\HPQWWAN\HPMobileBroadband.exe" [2008-07-08 439600]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Wireless Manager"="c:\program files\Virgin Broadband Wireless\Wireless Manager.exe" [2008-05-26 585728]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"IDTSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2008-09-11 446556]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]
DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2009-9-30 839680]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop

R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [8.2.2009 3:36 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [8.2.2009 3:36 15856]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [24.9.2008 23:09 103792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [20.2.2008 11:11 33800]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [8.2.2009 3:36 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [11.12.2008 23:46 125424]
R2 BOTService;BOTService;c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [25.12.2008 19:28 203248]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [20.2.2008 11:08 472320]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [25.8.2009 22:12 54752]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [8.2.2009 3:20 112128]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [15.4.2008 5:00 3584]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [5.8.2009 22:48 704864]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-27 c:\windows\Tasks\BackOnTrack Instant Restore Idle.job
- c:\program files\Roxio\BackOnTrack\Instant Restore\RstIdle.exe [2008-12-25 18:28]

2009-10-26 c:\windows\Tasks\GOOGLEUPDATETASKUSERS-1-5-21-1540596067-818211378-770439794-1006CORE.JOB
- c:\documents and settings\marija\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-28 15:18]

2009-10-27 c:\windows\Tasks\GOOGLEUPDATETASKUSERS-1-5-21-1540596067-818211378-770439794-1006UA.JOB
- c:\documents and settings\marija\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-28 15:18]

2009-10-27 c:\windows\Tasks\USER_FEED_SYNCHRONIZATION-{B1F49AD2-9F9C-4279-A3B5-B260CFC4E382}.JOB
- c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.rs/
uInternet Connection Wizard,ShellNext = hxxp://renewalcenter.symantec.com/storefront/user/home.jsp?NOS=1wyb0bxAeCkXgA9JWACAhDxag0iDLTiujAFD3hluZoCDgYQGSgKCZEEIKDXVkR%2FC2NovGgJOugdC3CX68J2F7K8WV&SASSERVER=lcsitemain.symantec.com&TRANSID=%2F10097711%2FADWBkUD953994757D159B&GUID=DB42C63691BE11DE849500242BCBF864&SSLT=4096&oslang=iso:ENG&oslocale=iso:GBR&vendid=0&vendtag=&epid={db42c636-91be-11de-8495-00242bcbf864}
IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-GB\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-27 01:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\PerfStringBackup.TMP 527578 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2212)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\idt\wdm\stacsv.exe
c:\program files\Virgin Broadband Wireless\AffinegyService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\wscntfy.exe
c:\combofix\CF3533.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-27 2:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-27 01:05

Pre-Run: 60.586.319.872 bytes free
Post-Run: 60.584.075.264 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - BEF412A4044935635D7191524A9DC539