Re: After a virus attack, Windows does not update and IE does not work
ComboFix 10-04-21.01 — Sve 04/23/2010 11:28:41.1.2 — x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.660 [GMT 3:00]
Running from: c:documents and settingsSveDesktopComboFix.exe
Command switches used :: c:documents and settingsSveDesktopWindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Doctor Web Anti-Virus *On-access scanning enabled* (Updated) {3454C8F1-ECBC-4180-A6F4-04632FBA762B}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:documents and settingsSveApplication DataMicrosoftInternet ExplorerqiPSearchbar.dll
c:documents and settingsSveLocal SettingsTemporary Internet Files8Y0naa.jpg
c:documents and settingsSveLocal SettingsTemporary Internet Filesanlmam6n.jpg
c:documents and settingsSveLocal SettingsTemporary Internet Filesk8bn1.jpg
c:documents and settingsSveLocal SettingsTemporary Internet Filesy4M776k.jpg
.
((((((((((((((((((((((((( Files Created from 2010-03-23 to 2010-04-23 )))))))))))))))))))))))))))))))
.
2010-04-21 23:04 . 2010-04-23 08:22 2352 —-a-w- c:documents and settingsLocalServiceLocal SettingsApplication DataFontCache3.0.0.0.dat
2010-04-21 21:59 . 2010-04-21 21:59 d w- c:documents and settingsSveApplication DataSony Creative Software
2010-04-21 20:43 . 2004-03-29 14:23 90112 —-a-w- c:windowsunvise32.exe
2010-04-21 20:43 . 2010-04-21 20:43 d w- c:program filesLooksBuilderSE
2010-04-21 20:41 . 2010-04-21 20:41 29926 —-a-r- c:documents and settingsSveApplication DataMicrosoftInstaller{6DE721A5-5E89-4D74-994C-652BB3C0672E}ARPPRODUCTICON.exe
2010-04-21 20:41 . 2005-09-23 19:18 171520 —-a-w- c:windowssystem32driversMarvinBus.sys
2010-04-21 20:41 . 2010-04-21 20:41 d w- c:program filesCommon FilesPinnacle
2010-04-21 20:40 . 2010-04-21 20:40 d w- c:documents and settingsSveLocal SettingsApplication DataDownloaded Installations
2010-04-21 20:40 . 2010-04-21 20:53 d w- c:documents and settingsSveLocal SettingsApplication DataPinnacle
2010-04-21 20:40 . 2010-04-21 20:40 d w- c:documents and settingsAll UsersApplication DataPinnacle Studio Ultimate Collection
2010-04-21 20:33 . 2010-04-21 20:33 d w- c:program filesCommon FilesPegasus Imaging
2010-04-21 20:33 . 2010-04-21 20:33 d w- c:program filesCommon FilesYahoo!
2010-04-21 20:33 . 2010-04-21 20:33 d w- c:documents and settingsAll UsersApplication DataStudio 14
2010-04-21 20:33 . 2010-04-21 20:33 d w- c:documents and settingsAll UsersApplication DataPinnacle Studio Plus
2010-04-21 20:14 . 2010-04-21 20:42 d w- c:program filesPinnacle
2010-04-21 20:08 . 2010-04-21 20:39 d w- c:documents and settingsAll UsersApplication DataPinnacle
2010-04-21 19:05 . 2010-04-21 19:05 d w- c:documents and settingsAll UsersApplication DataSony
2010-04-21 17:25 . 2010-04-21 17:25 d w- c:documents and settingsAll UsersApplication DataPhotodex
2010-04-19 17:05 . 2010-04-21 19:12 d w- c:documents and settingsSveLocal SettingsApplication DataSony
2010-03-28 20:53 . 2010-03-28 20:53 d w- c:program filestrend micro
2010-03-28 20:53 . 2010-03-28 20:53 d w- C:rsit
2010-03-28 16:37 . 2010-03-28 16:37 10 —-a-w- c:windowspopcinfo.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-23 08:17 . 2009-10-26 11:54 d w- c:documents and settingsSveApplication DataSkype
2010-04-22 05:15 . 2009-06-03 09:28 d w- c:documents and settingsSveApplication DataskypePM
2010-04-21 20:48 . 2009-06-04 16:15 99752 -c—a-w- c:documents and settingsSveLocal SettingsApplication DataGDIPFONTCACHEV1.DAT
2010-04-21 20:04 . 2009-09-20 20:48 d w- c:documents and settingsSveApplication DatauTorrent
2010-04-21 19:17 . 2009-07-24 03:40 d w- c:documents and settingsSveApplication DataSony
2010-04-20 19:16 . 2010-03-06 23:38 238 —-a-w- c:documents and settingsSveApplication DataCCleanupcompind.bat
2010-04-19 17:21 . 2009-07-24 03:42 d w- c:program filesVSTplugins
2010-04-17 18:50 . 2009-09-20 20:47 d w- c:program filesuTorrent
2010-04-15 05:58 . 2008-10-15 23:46 d w- c:documents and settingsAll UsersApplication DataMicrosoft Help
2010-04-04 19:50 . 2009-07-16 16:49 d w- c:program filesICQ6.5
2010-03-26 16:50 . 2009-07-01 13:06 d w- c:documents and settingsSveApplication DataU3
2010-03-20 21:47 . 2008-10-15 21:59 218624 —-a-w- c:windowssystem32uxtheme.dll
2010-03-16 20:42 . 2010-03-16 20:42 d w- c:program filesMSECache
2010-03-14 15:56 . 2009-12-17 18:02 d w- c:documents and settingsAll UsersApplication DataApple Computer
2010-03-14 15:47 . 2010-02-28 21:34 d w- c:program filesiPod
2010-03-14 08:13 . 2010-03-14 08:13 d w- c:documents and settingsSveApplication DataQipGuard
2010-03-14 08:12 . 2009-10-26 20:56 d w- c:program filesQIP Infium
2010-03-12 12:20 . 2010-03-14 08:13 280440 —-a-w- c:documents and settingsSveApplication DataQipGuardsqlite3.dll
2010-03-12 12:20 . 2010-03-14 08:13 184272 —-a-w- c:documents and settingsSveApplication DataQipGuardQipGuard.exe
2010-03-12 12:20 . 2010-03-14 08:12 127440 —-a-w- c:documents and settingsSveApplication DataMozillaFirefoxProfiles3oniyzmm.defaultextensions{32a1fd71-835e-4b11-8e54-886fda0b4c89}componentsqippipe.dll
2010-03-12 12:20 . 2010-03-14 08:13 20944 —-a-w- c:documents and settingsSveApplication DataQipGuardchrome.dll
2010-03-10 06:15 . 2008-10-15 21:59 420352 —-a-w- c:windowssystem32vbscript.dll
2010-03-08 20:04 . 2010-03-08 20:04 d w- c:program filesAvira
2010-03-08 20:04 . 2010-03-08 20:04 d w- c:documents and settingsAll UsersApplication DataAvira
2010-03-08 19:47 . 2009-07-01 18:02 d w- c:program filesCommon FilesYandex
2010-03-08 13:07 . 2009-07-28 01:48 d w- c:program filesPivim Multibar
2010-03-08 12:38 . 2010-03-08 12:38 d w- c:documents and settingsAll UsersApplication DataIObit
2010-03-08 12:38 . 2010-03-08 12:38 d w- c:program filesIObit
2010-03-08 12:36 . 2010-02-11 19:40 d w- c:program filesElectronic Arts
2010-03-07 17:55 . 2010-03-07 17:55 d w- c:documents and settingsAll UsersApplication DataMalwarebytes
2010-03-07 15:58 . 2010-03-06 10:57 d w- c:documents and settingsAll UsersApplication DataDoctor Web
2010-03-07 15:57 . 2009-06-03 09:27 d w- c:program filesGoogle
2010-03-07 15:55 . 2010-03-07 15:55 d w- c:program filesAlwil Software
2010-03-07 15:55 . 2010-03-07 15:55 d w- c:documents and settingsAll UsersApplication DataAlwil Software
2010-03-07 12:25 . 2009-11-08 13:32 d w- c:documents and settingsAll UsersApplication DataFLEXnet
2010-03-06 23:38 . 2010-03-06 23:30 d w- c:documents and settingsSveApplication DataCCleanup
2010-03-06 23:30 . 2010-03-06 23:29 d w- c:program filesComplete Cleanup Trial
2010-03-05 23:33 . 2009-06-03 09:03 d w- c:program filesSymantec
2010-03-05 23:33 . 2009-06-03 09:03 d w- c:program filesCommon FilesSymantec Shared
2010-02-28 21:34 . 2009-12-17 17:59 d w- c:program filesCommon FilesApple
2010-02-28 11:04 . 2008-10-15 22:58
d—h—w- c:program filesInstallShield Installation Information
2010-02-25 06:24 . 2008-10-15 21:59 916480 —-a-w- c:windowssystem32wininet.dll
2010-02-24 13:11 . 2008-10-15 21:59 455680 —-a-w- c:windowssystem32driversmrxsmb.sys
2010-02-16 14:08 . 2008-04-14 00:54 2146304 —-a-w- c:windowssystem32ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 —-a-w- c:windowssystem32ntkrnlpa.exe
2010-02-15 17:12 . 2010-02-15 17:12 38784 —-a-w- c:documents and settingsSveApplication DataMacromediaFlash Playerwww.macromedia.combinairappinstallerairappinstaller.exe
2010-02-12 04:33 . 2008-10-15 21:59 100864 —-a-w- c:windowssystem326to4svc.dll
2010-02-11 19:54 . 2010-02-11 19:54 10134 —-a-r- c:documents and settingsSveApplication DataMicrosoftInstaller{E3E71D07-CD27-46CB-8448-16D4FB29AA13}ARPPRODUCTICON.exe
2010-02-11 12:02 . 2008-10-15 21:59 226880 —-a-w- c:windowssystem32driverstcpip6.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«swg»=»c:program filesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe» [2009-06-03 39408]
«PC Suite Tray»=»c:program filesNokiaNokia PC Suite 7PCSuite.exe» [2009-06-25 1414144]
«Skype»=»c:program filesSkypePhoneSkype.exe» [2009-06-02 24264488]
«DAEMON Tools Lite»=»c:program filesDAEMON Tools Litedaemon.exe» [2009-04-23 691656]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«IgfxTray»=»c:windowssystem32igfxtray.exe» [2007-12-19 135168]
«HotKeysCmds»=»c:windowssystem32hkcmd.exe» [2007-12-19 159744]
«Persistence»=»c:windowssystem32igfxpers.exe» [2007-12-19 131072]
«RTHDCPL»=»RTHDCPL.EXE» [2008-05-08 16862208]
«MGSysCtrl»=»c:program filesSystem Control ManagerMGSysCtrl.exe» [2008-07-29 684032]
«ITSecMng»=»c:program filesTOSHIBABluetooth Toshiba StackItSecMng.exe» [2007-09-28 75136]
«GrooveMonitor»=»c:program filesMicrosoft OfficeOffice12GrooveMonitor.exe» [2008-10-25 31072]
«AdobeCS4ServiceManager»=»c:program filesCommon FilesAdobeCS4ServiceManagerCS4ServiceManager.exe» [2008-08-14 611712]
«IObit Security 360″=»c:program filesIObitIObit Security 360IS360tray.exe» [2009-12-24 1280272]
«avgnt»=»c:program filesAviraAntiVir Desktopavgnt.exe» [2009-03-02 209153]
«USBToolTip»=»c:progra~1PinnacleSHARED~1ProgramsUSBTipUSBTip.exe» [2007-02-20 199752]

c:documents and settingsAll UsersStart MenuProgramsStartup
Bluetooth Manager.lnk — c:program filesToshibaBluetooth Toshiba StackTosBtMng.exe [2008-2-22 2938184]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWdf01000.sys]
@=»Driver»

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
«AntiVirusOverride»=dword:00000001
«FirewallOverride»=dword:00000001

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
«EnableFirewall»= 0 (0x0)
«DisableNotifications»= 1 (0x1)

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«%windir%\system32\sessmgr.exe»=
«c:\Program Files\ICQ6.5\ICQ.exe»=
«c:\Program Files\uTorrent\utorrent.exe»=
«c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE»=
«c:\Program Files\Microsoft Office\Office12\GROOVE.EXE»=
«c:\Program Files\Microsoft Office\Office12\ONENOTE.EXE»=
«c:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe»=
«c:\Program Files\Bonjour\mDNSResponder.exe»=
«c:\Program Files\Pinnacle\Studio 14\Programs\RM.exe»=
«c:\Program Files\Pinnacle\Studio 14\Programs\Studio.exe»=
«c:\Program Files\Pinnacle\Studio 14\Programs\umi.exe»=
«c:\Program Files\Skype\Phone\Skype.exe»=

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«5353:TCP»= 5353:TCP:Adobe CSI CS4

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:program filesAviraAntiVir Desktopsched.exe [3/8/2010 11:04 PM 108289]
R2 IS360service;IS360service;c:program filesIObitIObit Security 360is360srv.exe [3/8/2010 3:38 PM 311568]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:windowssystem32driversRTS5121.sys [10/16/2008 2:00 AM 156160]
S0 sptd;sptd;c:windowssystem32driverssptd.sys [7/1/2009 8:59 PM 691696]
S2 gupdate;Google Update Service (gupdate);c:program filesGoogleUpdateGoogleUpdate.exe [3/7/2010 6:56 PM 133104]
S2 Micro Star SCM;Micro Star SCM;c:program filesSystem Control ManagerMSIService.exe [10/16/2008 2:12 AM 159744]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:windowssystem32driversnmwcdnsu.sys [7/12/2009 7:01 AM 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:windowssystem32driversnmwcdnsuc.sys [7/12/2009 7:01 AM 8320]
S3 RT80x86;Ralink 802.11n Wireless Driver;c:windowssystem32driversrt2860.sys [10/16/2008 4:40 AM 625792]
.
Contents of the ‘Scheduled Tasks’ folder

2010-04-20 c:windowsTasksAppleSoftwareUpdate.job
— c:program filesApple Software UpdateSoftwareUpdate.exe [2008-07-30 10:34]

2010-04-23 c:windowsTasksGoogleUpdateTaskMachineCore.job
— c:program filesGoogleUpdateGoogleUpdate.exe [2010-03-07 15:56]

2010-04-23 c:windowsTasksGoogleUpdateTaskMachineUA.job
— c:program filesGoogleUpdateGoogleUpdate.exe [2010-03-07 15:56]

2010-04-23 c:windowsTasksUser_Feed_Synchronization-{0C0802E1-F828-45F9-9F7A-3E0597A78443}.job
— c:windowssystem32msfeedssync.exe [2009-03-08 02:31]
.
.
Supplementary Scan
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://search.qip.ru
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
uSearchAssistant = hxxp://search.qip.ru/ie
IE: Add to Google Photos Screensa&ver — c:windowssystem32GPhotos.scr/200
IE: E&xport to Microsoft Excel — c:progra~1MICROS~2Office12EXCEL.EXE/3000
FF — ProfilePath — c:documents and settingsSveApplication DataMozillaFirefoxProfiles3oniyzmm.default
FF — prefs.js: browser.search.selectedEngine — Google
FF — prefs.js: browser.startup.homepage — hxxp://ru.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:ru:official
FF — prefs.js: keyword.URL — hxxp://search.qip.ru/search?from=FF&query=
FF — component: c:documents and settingsSveApplication DataMozillaFirefoxProfiles3oniyzmm.defaultextensions{32a1fd71-835e-4b11-8e54-886fda0b4c89}componentsqippipe.dll
FF — component: c:documents and settingsSveApplication DataMozillaFirefoxProfiles3oniyzmm.defaultextensions{a298ed31-d405-40e2-880f-b7511948e582}componentsFFExternalAlert.dll
FF — component: c:documents and settingsSveApplication DataMozillaFirefoxProfiles3oniyzmm.defaultextensions{a298ed31-d405-40e2-880f-b7511948e582}componentsRadioWMPCore.dll
FF — plugin: c:program filesGooglePicasa3npPicasa3.dll
FF — plugin: c:program filesGoogleUpdate1.2.183.23npGoogleOneClick8.dll
FF — HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} — c:windowsMicrosoft.NETFrameworkv3.5Windows Presentation FoundationDotNetAssistantExtension
.
— — — — ORPHANS REMOVED — — — —

HKCU-Run-WeatherClock — c:program filesWeather ClockWeatherClock.exe
HKCU-Run-AdobeBridge — (no file)
HKCU-Run-EA Core — c:program filesElectronic ArtsEADMCore.exe
AddRemove-HijackThis — c:docume~1SveLOCALS~1TempRar$EX00.343HijackThis.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-23 11:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0

**************************************************************************
.
DLLs Loaded Under Running Processes
— — — — — — — > ‘winlogon.exe'(872)
c:program filesCommon FilesAdobeAdobe Drive CS4AdobeDriveCS4_NP.dll
c:windowssystem32igfxdev.dll
.
Completion time: 2010-04-23 11:36:17
ComboFix-quarantined-files.txt 2010-04-23 08:36

Pre-Run: 4,770,406,400 bytes free
Post-Run: 4,754,415,616 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)WINDOWS
[operating systems]
c:cmdconsBOOTSECT.DAT=»Microsoft Windows Recovery Console» /cmdcons
multi(0)disk(0)rdisk(0)partition(2)WINDOWS=»Microsoft Windows XP Home Edition» /noexecute=optin /fastdetect

— — End Of File — — DE2E6CB4BFD49B5B2EEBC9BF494A9E95

