ontheright
TROPIC LIGHTNING GO 25th
I ran combofix due to the fact that the internet was slowing down and the fan was running (especially when using a flash program). I have run this before with no problems. This time it came up with
"You are infected with a rootkit...rootkit.0access. This is a particularly hard rootkit to remove"
Proceeded to reboot as instructed and let combo fix finish. Rebooted again and all seems fine. Attached is log file. Would someone mind checking to see if there is anything I need to remove manually or do further?
TIA
RIck
ComboFix 12-07-27.03 - Family 07/27/2012 8:09.9.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1151.767 [GMT -4:00]
Running from: c:\documents and settings\Family\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
.
.
((((((((((((((((((((((((( Files Created from 2012-06-27 to 2012-07-27 )))))))))))))))))))))))))))))))
.
.
2012-07-13 02:40 . 2012-07-13 02:40 -------- d-----w- c:\windows\system32\DB4E~1
2012-07-06 15:19 . 2012-07-06 15:19 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\Sun
2012-07-04 21:33 . 2012-07-04 21:33 -------- d-----w- c:\program files\Common Files\Java
2012-07-04 21:32 . 2012-07-04 21:32 -------- d-----w- c:\program files\Oracle
2012-07-04 21:31 . 2012-07-04 21:31 -------- d-----w- c:\documents and settings\Family\Application Data\Oracle
2012-07-04 21:31 . 2012-05-04 23:29 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-04 17:49 . 2012-07-04 17:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-26 23:26 . 2012-03-28 23:56 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-26 23:26 . 2011-06-15 10:42 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 17:46 . 2011-05-05 11:03 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-18 15:06 . 2012-06-18 15:06 12984 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2012-06-13 13:19 . 2011-05-02 06:50 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2011-05-02 22:22 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2011-05-02 06:49 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2011-05-02 06:50 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 19:19 . 2009-08-06 23:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2011-05-02 06:50 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2011-05-02 06:50 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2011-05-02 06:50 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2009-08-06 23:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2011-05-02 06:50 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2011-05-02 06:50 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2011-05-02 06:47 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2009-08-06 23:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2009-08-06 23:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2009-08-06 23:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2011-05-02 06:50 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2011-05-02 06:50 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 19:18 . 2011-05-03 20:57 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18 . 2011-05-03 20:57 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 19:18 . 2009-08-06 23:23 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2011-05-02 06:47 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-24 22:10 . 2011-06-05 12:44 230808 ----a-r- c:\windows\system32\cpnprt2.cid
2012-05-16 15:08 . 2011-05-02 06:50 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 10:18 . 2012-03-13 15:46 883008 ----a-w- c:\windows\system32\nvgenco32.dll
2012-05-15 10:18 . 2012-03-13 15:46 1000768 ----a-w- c:\windows\system32\nvdispco32.dll
2012-05-15 10:18 . 2011-05-04 23:25 65536 ----a-w- c:\windows\system32\OpenCL.dll
2012-05-15 10:18 . 2011-05-04 23:24 6012928 ----a-w- c:\windows\system32\nvcuda.dll
2012-05-15 10:18 . 2011-05-04 23:24 2530624 ----a-w- c:\windows\system32\nvcuvid.dll
2012-05-15 10:18 . 2011-05-04 23:24 2445120 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-05-15 10:18 . 2011-05-04 23:24 18771968 ----a-w- c:\windows\system32\nvoglnt.dll
2012-05-15 10:18 . 2011-05-04 23:24 2359808 ----a-w- c:\windows\system32\nvapi.dll
2012-05-15 10:18 . 2011-05-04 23:24 17543168 ----a-w- c:\windows\system32\nvcompiler.dll
2012-05-15 10:18 . 2011-05-02 06:52 4373248 ----a-w- c:\windows\system32\nv4_disp.dll
2012-05-15 10:18 . 2011-05-02 06:52 14014656 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2012-05-15 09:40 . 2011-04-08 02:15 54272 ----a-w- c:\windows\system32\nvwddi.dll
2012-05-15 09:40 . 2011-04-08 02:15 15504192 ----a-w- c:\windows\system32\nvcpl.dll
2012-05-15 09:40 . 2011-04-08 02:15 143680 ----a-w- c:\windows\system32\nvcolor.exe
2012-05-15 09:40 . 2011-04-08 02:15 108352 ----a-w- c:\windows\system32\nvmctray.dll
2012-05-15 09:40 . 2011-04-08 02:15 164160 ----a-w- c:\windows\system32\nvsvc32.exe
2012-05-11 14:42 . 2011-05-02 06:49 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2011-05-02 06:48 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2011-05-02 06:48 385024 ----a-w- c:\windows\system32\html.iec
2012-05-06 22:28 . 2012-04-07 19:46 14664 ----a-w- c:\windows\stinger.sys
2012-05-04 23:29 . 2012-04-07 13:42 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-04 23:29 . 2011-05-05 01:08 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-04 13:12 . 2011-05-02 06:49 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2011-05-02 06:52 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2011-05-02 06:50 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-18 13:08 . 2012-05-12 17:01 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 18:01 . 2011-05-04 11:14 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 14820864]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-22 1318816]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-11-12 268640]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-05-15 15504192]
"NvMediaCenter"="NvMCTray.dll" [2012-05-15 108352]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-05-15 1634112]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2011-5-2 813584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^Family^Start Menu^Programs^Startup^Epson all-in-one Registration.lnk]
path=c:\documents and settings\Family\Start Menu\Programs\Startup\Epson all-in-one Registration.lnk
backup=c:\windows\pss\Epson all-in-one Registration.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Family^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
path=c:\documents and settings\Family\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
backup=c:\windows\pss\OpenOffice.org 3.3.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Nikon\\Wireless Camera Setup Utility\\NkWirelessSetup.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_DUPA30.EXE"=
"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool10\\ENEasyApp.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27177:TCP"= 27177:TCP:stb
"27178:TCP"= 27178:TCP:audio
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [5/2/2011 5:07 PM 89792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [5/2/2011 5:07 PM 57600]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [5/2/2011 5:07 PM 340920]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [5/2/2011 5:07 PM 83856]
R3 VBus;Virtual Bus;c:\windows\system32\drivers\NkVBus.sys [6/17/2005 11:11 AM 17664]
S3 AR9271;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [5/29/2011 11:34 AM 1723840]
S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [12/25/2011 11:11 AM 33792]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [5/2/2011 5:07 PM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [5/2/2011 5:07 PM 87656]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [6/18/2012 11:06 AM 12984]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-28 23:26]
.
2011-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.2.1 192.168.1.254
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\x7c92z51.default\
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/p/1.html
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-27 08:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(964)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2012-07-27 08:22:40
ComboFix-quarantined-files.txt 2012-07-27 12:22
.
Pre-Run: 134,316,539,904 bytes free
Post-Run: 134,455,676,928 bytes free
.
- - End Of File - - 552EA0778321CB60EAC1829F3B1F0625
"You are infected with a rootkit...rootkit.0access. This is a particularly hard rootkit to remove"
Proceeded to reboot as instructed and let combo fix finish. Rebooted again and all seems fine. Attached is log file. Would someone mind checking to see if there is anything I need to remove manually or do further?
TIA
RIck
ComboFix 12-07-27.03 - Family 07/27/2012 8:09.9.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1151.767 [GMT -4:00]
Running from: c:\documents and settings\Family\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
.
.
((((((((((((((((((((((((( Files Created from 2012-06-27 to 2012-07-27 )))))))))))))))))))))))))))))))
.
.
2012-07-13 02:40 . 2012-07-13 02:40 -------- d-----w- c:\windows\system32\DB4E~1
2012-07-06 15:19 . 2012-07-06 15:19 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\Sun
2012-07-04 21:33 . 2012-07-04 21:33 -------- d-----w- c:\program files\Common Files\Java
2012-07-04 21:32 . 2012-07-04 21:32 -------- d-----w- c:\program files\Oracle
2012-07-04 21:31 . 2012-07-04 21:31 -------- d-----w- c:\documents and settings\Family\Application Data\Oracle
2012-07-04 21:31 . 2012-05-04 23:29 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-04 17:49 . 2012-07-04 17:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-26 23:26 . 2012-03-28 23:56 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-26 23:26 . 2011-06-15 10:42 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 17:46 . 2011-05-05 11:03 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-18 15:06 . 2012-06-18 15:06 12984 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2012-06-13 13:19 . 2011-05-02 06:50 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2011-05-02 22:22 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2011-05-02 06:49 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2011-05-02 06:50 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 19:19 . 2009-08-06 23:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2011-05-02 06:50 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2011-05-02 06:50 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2011-05-02 06:50 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2009-08-06 23:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2011-05-02 06:50 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2011-05-02 06:50 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2011-05-02 06:47 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2009-08-06 23:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2009-08-06 23:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2009-08-06 23:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2011-05-02 06:50 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2011-05-02 06:50 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 19:18 . 2011-05-03 20:57 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18 . 2011-05-03 20:57 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 19:18 . 2009-08-06 23:23 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2011-05-02 06:47 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-24 22:10 . 2011-06-05 12:44 230808 ----a-r- c:\windows\system32\cpnprt2.cid
2012-05-16 15:08 . 2011-05-02 06:50 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 10:18 . 2012-03-13 15:46 883008 ----a-w- c:\windows\system32\nvgenco32.dll
2012-05-15 10:18 . 2012-03-13 15:46 1000768 ----a-w- c:\windows\system32\nvdispco32.dll
2012-05-15 10:18 . 2011-05-04 23:25 65536 ----a-w- c:\windows\system32\OpenCL.dll
2012-05-15 10:18 . 2011-05-04 23:24 6012928 ----a-w- c:\windows\system32\nvcuda.dll
2012-05-15 10:18 . 2011-05-04 23:24 2530624 ----a-w- c:\windows\system32\nvcuvid.dll
2012-05-15 10:18 . 2011-05-04 23:24 2445120 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-05-15 10:18 . 2011-05-04 23:24 18771968 ----a-w- c:\windows\system32\nvoglnt.dll
2012-05-15 10:18 . 2011-05-04 23:24 2359808 ----a-w- c:\windows\system32\nvapi.dll
2012-05-15 10:18 . 2011-05-04 23:24 17543168 ----a-w- c:\windows\system32\nvcompiler.dll
2012-05-15 10:18 . 2011-05-02 06:52 4373248 ----a-w- c:\windows\system32\nv4_disp.dll
2012-05-15 10:18 . 2011-05-02 06:52 14014656 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2012-05-15 09:40 . 2011-04-08 02:15 54272 ----a-w- c:\windows\system32\nvwddi.dll
2012-05-15 09:40 . 2011-04-08 02:15 15504192 ----a-w- c:\windows\system32\nvcpl.dll
2012-05-15 09:40 . 2011-04-08 02:15 143680 ----a-w- c:\windows\system32\nvcolor.exe
2012-05-15 09:40 . 2011-04-08 02:15 108352 ----a-w- c:\windows\system32\nvmctray.dll
2012-05-15 09:40 . 2011-04-08 02:15 164160 ----a-w- c:\windows\system32\nvsvc32.exe
2012-05-11 14:42 . 2011-05-02 06:49 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2011-05-02 06:48 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2011-05-02 06:48 385024 ----a-w- c:\windows\system32\html.iec
2012-05-06 22:28 . 2012-04-07 19:46 14664 ----a-w- c:\windows\stinger.sys
2012-05-04 23:29 . 2012-04-07 13:42 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-04 23:29 . 2011-05-05 01:08 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-04 13:12 . 2011-05-02 06:49 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2011-05-02 06:52 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2011-05-02 06:50 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-18 13:08 . 2012-05-12 17:01 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 18:01 . 2011-05-04 11:14 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 14820864]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-22 1318816]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-11-12 268640]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-05-15 15504192]
"NvMediaCenter"="NvMCTray.dll" [2012-05-15 108352]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-05-15 1634112]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2011-5-2 813584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^Family^Start Menu^Programs^Startup^Epson all-in-one Registration.lnk]
path=c:\documents and settings\Family\Start Menu\Programs\Startup\Epson all-in-one Registration.lnk
backup=c:\windows\pss\Epson all-in-one Registration.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Family^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
path=c:\documents and settings\Family\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
backup=c:\windows\pss\OpenOffice.org 3.3.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Nikon\\Wireless Camera Setup Utility\\NkWirelessSetup.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_DUPA30.EXE"=
"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool10\\ENEasyApp.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27177:TCP"= 27177:TCP:stb
"27178:TCP"= 27178:TCP:audio
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [5/2/2011 5:07 PM 89792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [5/2/2011 5:07 PM 57600]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [5/2/2011 5:07 PM 340920]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [5/2/2011 5:07 PM 83856]
R3 VBus;Virtual Bus;c:\windows\system32\drivers\NkVBus.sys [6/17/2005 11:11 AM 17664]
S3 AR9271;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [5/29/2011 11:34 AM 1723840]
S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [12/25/2011 11:11 AM 33792]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [5/2/2011 5:07 PM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [5/2/2011 5:07 PM 87656]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [6/18/2012 11:06 AM 12984]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-28 23:26]
.
2011-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.2.1 192.168.1.254
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\x7c92z51.default\
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/p/1.html
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-27 08:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(964)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2012-07-27 08:22:40
ComboFix-quarantined-files.txt 2012-07-27 12:22
.
Pre-Run: 134,316,539,904 bytes free
Post-Run: 134,455,676,928 bytes free
.
- - End Of File - - 552EA0778321CB60EAC1829F3B1F0625