ComboFix 10-09-06.04 - Agatha 07-09-2010 21:18:24.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.719 [GMT 2:00]
Running from: c:\documents and settings\Agatha\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Agatha\.COMMgr
c:\documents and settings\Agatha\Application Data\AA3675013B78BD18C0D27F3BA43C5372
c:\documents and settings\Agatha\Application Data\AA3675013B78BD18C0D27F3BA43C5372\enemies-names.txt
c:\documents and settings\Agatha\Application Data\AA3675013B78BD18C0D27F3BA43C5372\local.ini
c:\documents and settings\Agatha\Application Data\AA3675013B78BD18C0D27F3BA43C5372\lsrslt.ini
c:\documents and settings\Agatha\Application Data\AA3675013B78BD18C0D27F3BA43C5372\mediafix70700en02.exe
c:\documents and settings\Agatha\Application Data\dwweaokij
c:\documents and settings\Agatha\Application Data\dwweaokij\cuxfhrlshdw.exe
c:\documents and settings\Agatha\Application Data\ohydy.exe
c:\documents and settings\Agatha\Local Settings\Application Data\dwweaokij
c:\documents and settings\Agatha\Local Settings\Application Data\dwweaokij\cuxfhrlshdw.exe
c:\documents and settings\Agatha\Local Settings\Application Data\Windows Server
c:\documents and settings\Agatha\Local Settings\Application Data\Windows Server\admin.txt
c:\documents and settings\Agatha\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\Agatha\qiuibu.exe
C:\lsass.exe
c:\windows\cfdrive32.exe
c:\windows\Kgotoa.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\driVERs\mypdnuy.sys
c:\windows\system32\regedit.exe
c:\windows\system32\drivers\mypdnuy.sys . . . is infected!!
. . . Failed to find a valid replacement.

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ndis.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS
-------\Legacy_mypdnuy
-------\Service_mypdnuy


((((((((((((((((((((((((( Files Created from 2010-08-07 to 2010-09-07 )))))))))))))))))))))))))))))))
.

2010-12-04 11:33 . 2010-12-04 11:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-09-07 17:16 . 2010-09-07 17:16 -------- d-----w- c:\documents and settings\Agatha\Local Settings\Application Data\yqubdnlsw
2010-09-07 17:15 . 2010-09-07 14:51 18432 ----a-w- c:\documents and settings\Agatha\eumon.exe
2010-09-07 09:59 . 2010-09-07 19:32 779264 ----a-w- c:\windows\system32\drivers\ygkqkuvl.sys
2010-09-07 09:58 . 2010-09-07 09:58 -------- d-----w- c:\documents and settings\Agatha\Local Settings\Application Data\ojipufirb
2010-09-07 08:26 . 2010-09-07 08:26 -------- d-----w- c:\documents and settings\Agatha\Application Data\Malwarebytes
2010-09-07 08:26 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-07 08:25 . 2010-09-07 08:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-07 08:25 . 2010-09-07 08:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-07 08:25 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-06 13:42 . 2010-09-06 13:42 -------- d-----w- c:\program files\Trend Micro
2010-09-04 16:11 . 2010-09-07 09:58 210816 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2010-08-22 16:26 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-16 17:48 . 2010-08-16 17:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-08-16 11:54 . 2010-08-16 11:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-04 16:12 . 2009-04-25 10:44 -------- d-----w- c:\documents and settings\Agatha\Application Data\BitTorrent
2010-09-04 16:12 . 2009-04-25 10:44 -------- d-----w- c:\documents and settings\Agatha\Application Data\DNA
2010-09-04 16:12 . 2005-12-13 11:09 -------- d-----w- c:\documents and settings\Agatha\Application Data\Skype
2010-09-04 13:09 . 2009-04-25 10:44 -------- d-----w- c:\program files\DNA
2010-09-03 11:04 . 2009-10-13 14:25 -------- d-----w- c:\documents and settings\Agatha\Application Data\skypePM
2010-08-16 11:55 . 2005-12-14 13:43 -------- d-----w- c:\program files\Google
2010-07-12 12:32 . 2010-07-12 12:32 -------- d-----w- c:\program files\NCH Software
2010-07-12 12:30 . 2010-07-12 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-07-12 12:30 . 2010-07-12 12:30 -------- d-----w- c:\program files\NCH Swift Sound
2010-07-12 12:30 . 2010-07-12 12:30 -------- d-----w- c:\documents and settings\Agatha\Application Data\NCH Swift Sound
2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2005-11-25 16:20 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-11 09:23 . 2010-06-11 09:23 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-06-11 09:23 . 2010-06-11 09:23 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-06-11 09:23 . 2010-06-11 09:23 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-06-11 09:23 . 2010-06-11 09:23 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-06-11 09:23 . 2010-06-11 09:23 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-06-11 09:23 . 2010-06-11 09:23 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-06-11 09:23 . 2010-06-11 09:23 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-06-11 09:23 . 2010-06-11 09:23 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-06-11 09:23 . 2010-06-11 09:23 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
NewShortcut2.lnk - c:\program files\USB_video_device\Utility\MS_Tool\IRControl.exe [2008-8-7 1277952]
TMMonitor.lnk - c:\program files\ArcSoft\TotalMedia 3.5\TMMonitor.exe [2002-1-1 258048]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 dpFixupService;dp Fixup Service;c:\windows\system32\dpFixupSvc.exe [24-9-2006 11:16 453632]
R3 3xHybrid;Philips SAA713x PCI Card;c:\windows\system32\drivers\3xHybrid.sys [1-1-2002 0:56 1302304]
R3 filter;filter;c:\windows\system32\drivers\filter.sys [5-7-2004 8:20 8832]
S2 gupdate;Google Updateservice (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [16-8-2010 13:53 136176]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3-11-2006 19:19 13592]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
*Deregistered* - ygkqkuvl

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-16 04:26]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-16 04:26]

2010-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1708537768-682003330-1003Core.job
- c:\documents and settings\Agatha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2001-12-31 23:11]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1708537768-682003330-1003UA.job
- c:\documents and settings\Agatha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2001-12-31 23:11]

2010-09-07 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1935655697-1708537768-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 20:09]

2010-09-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1935655697-1708537768-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 20:09]

2010-07-12 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-07-12 12:30]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.nl/
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game03.zylom.com/activex/zylomgamesplayer.cab
DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} - hxxp://asp07.photoprintit.de/microsite/2663/defaults/activex/IPSUploader.cab
FF - ProfilePath - c:\documents and settings\Agatha\Application Data\Mozilla\Firefox\Profiles\saqlh00r.default\
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Agatha\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.
**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc22.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ygkqkuvl]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(784)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3892)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_dut.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2010-09-07 21:38:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-07 19:37

Pre-Run: 3.048.390.656 bytes free
Post-Run: 2.938.376.192 bytes free

- - End Of File - - AAD78FE5E556EE44674A57D347075DA9
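The lines that matter most in a log like this are easy to lose in the noise: three core system binaries (winlogon.exe, explorer.exe, ndis.sys) had to be restored from ServicePackFiles, one driver could not be replaced at all, BootExecute carries an extra entry (SsiEfr.e) after the default "autocheck autochk *", the Windows Firewall standard profile is switched off, Internet Explorer's proxy points at 127.0.0.1:6092 (a local interception proxy, a common way for browser-facing malware to see and rewrite traffic), two drivers were deregistered from memory, and one service's ImagePath lives under c:\windows\TEMP. The script below is an added example, not part of the original log and not ComboFix's own code: it walks a ComboFix log line by line and returns those indicators as structured findings. The category names, the regexes and the SAMPLE_LOG excerpt (lines copied from the log above into a constructed string) are my own; it needs Python 3.8 or later for the assignment expressions.

```python
"""Triage a ComboFix log for the indicators shown in the log above.

Added example (not ComboFix code). Scans the log text and returns
(category, detail) findings for: patched/unrepaired system files, a
ProxyServer aimed at loopback, EnableFirewall=0, non-default BootExecute
entries, deregistered in-memory drivers and a service image under TEMP.
Categories and the sample excerpt are this example's own constructions.
"""
import re
from ipaddress import ip_address

# Constructed excerpt: relevant lines copied from the log above. A real run
# would feed the whole ComboFix.txt to triage() instead.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\mypdnuy.sys . . . is infected!!
. . . Failed to find a valid replacement.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
Infected copy of c:\windows\explorer.exe was found and disinfected
Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
*Deregistered* - mchInjDrv
*Deregistered* - ygkqkuvl
uStart Page = hxxp://www.google.nl/
uInternet Settings,ProxyServer = http=127.0.0.1:6092
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc22.tmp"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
INFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
UNREPAIRED_RE = re.compile(r"^(?P<path>\S.*?) \. \. \. is infected!!")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>\S.*)$")
FIREWALL_RE = re.compile(r'^"EnableFirewall"\s*=\s*(?P<value>\d+)')
BOOTEXEC_RE = re.compile(r"^BootExecute\s+REG_MULTI_SZ\s+(?P<value>.+)$")
DEREG_RE = re.compile(r"^\*Deregistered\*\s*-\s*(?P<name>\S+)$")
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?P<path>[^"]+)"')

DEFAULT_BOOTEXECUTE = "autocheck autochk *"   # the only entry a clean XP box carries


def is_loopback_proxy(value):
    """True if any entry of a ProxyServer value targets localhost, 127/8 or ::1."""
    for entry in value.split(";"):                     # "http=a:1;https=b:2" form
        hostport = entry.split("=", 1)[-1].strip()     # drop the "http=" prefix
        host = hostport.rsplit(":", 1)[0].strip("[]")  # drop port and IPv6 brackets
        if host.lower() == "localhost":
            return True
        try:
            if ip_address(host).is_loopback:
                return True
        except ValueError:
            pass                                       # a hostname, not an address
    return False


def triage(log_text):
    """Return a list of (category, detail) findings from ComboFix log text."""
    findings = []
    current_key = None                                 # last [registry key] header seen
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            current_key = m.group("key")
        elif (m := INFECTED_RE.match(line)):
            findings.append(("patched_system_file", m.group("path")))
        elif (m := UNREPAIRED_RE.match(line)):
            findings.append(("infected_file", m.group("path")))
        elif (m := PROXY_RE.match(line)) and is_loopback_proxy(m.group("value")):
            findings.append(("loopback_proxy", m.group("value")))
        elif (m := FIREWALL_RE.match(line)) and m.group("value") == "0":
            findings.append(("firewall_disabled", current_key))
        elif (m := BOOTEXEC_RE.match(line)):
            # ComboFix prints REG_MULTI_SZ entries separated by a literal "\0"
            for entry in m.group("value").split("\\0"):
                if entry and entry.lower() != DEFAULT_BOOTEXECUTE:
                    findings.append(("bootexecute_extra", entry))
        elif (m := DEREG_RE.match(line)):
            findings.append(("deregistered_driver", m.group("name")))
        elif (m := IMAGEPATH_RE.match(line)) and re.search(r"\\temp\\", m.group("path"), re.I):
            findings.append(("service_image_in_temp", (current_key, m.group("path"))))
    return findings


def categories(findings):
    """Sorted, de-duplicated finding categories for a one-line verdict."""
    return sorted({cat for cat, _ in findings})


if __name__ == "__main__":
    for cat, detail in triage(SAMPLE_LOG):
        print(f"{cat:24} {detail}")
```

Every finding is a prompt to verify rather than a verdict. An ImagePath under TEMP is how madCodeHook's mchInjDrv, which several security tools load from a temporary file, shows up as well, so the deregistered-driver and TEMP-image hits should be checked against what was installed (Trend Micro and Malwarebytes both appear in the created-files list above) before being treated as malicious; the loopback proxy, the disabled firewall profile and the extra BootExecute entry have no such benign explanation on a home machine and are the lines to act on first.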