ComboFix 13-02-26.01 - Administrator 03/01/2013 8:47.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.319 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\_default.pif
c:\windows\system32\Cache
c:\windows\system32\win.ini
c:\windows\system32\winhelp.exe
.
c:\windows\system32\drivers\intelppm.sys . . . is missing!!
.
.
.
((((((((((((((((((((((((( Files Created from 2013-02-01 to 2013-03-01 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-08-31 02:04 . 2010-04-05 11:49 123904 ----a-w- c:\program files\Common Files\DUAgent.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-06-19 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2009-02-08 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll
.
[-] 2009-02-05 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
.
[-] 2008-07-07 04:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
.
[-] 2009-03-21 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
.
[-] 2009-10-28 . 8B48737260C273C9B0DACA84EA1CCDBD . 3602432 . . [7.00.6000.21148] . . c:\windows\system32\mshtml.dll
.
[-] 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\mswsock.dll
.
[-] 2009-10-28 . CA5CB4F174592090FBECFEAD9B51BB90 . 841216 . . [7.00.6000.21148] . . c:\windows\system32\wininet.dll
.
[-] 2009-02-08 . B0913005EE3FC15D7F72472D0B8A30EB . 715264 . . [5.1.2600.5755] . . c:\windows\system32\ntdll.dll
.
[-] 2009-08-03 . 3DAA3F0C27EAD19BD302E791796A3D9A . 2145280 . . [5.1.2600.5857] . . c:\windows\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-06-22 98304]
"RDC"="c:\program files\RemoteDisplayControl\RunRDC.exe" [2011-11-28 49152]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launch MagicInfo-i Client.lnk - c:\program files\MagicInfo-i Premium\Client\MpWatcher.exe [2011-12-6 212992]
Launch UltraVNC.lnk - c:\program files\MagicInfo-i Premium\Client\UltraVNC\winvnc.exe [2011-12-6 1757184]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages	REG_MULTI_SZ   	msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter Undelete"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\MagicInfo-i Premium\\Client\\MpTicker.exe"=
"c:\\Program Files\\MagicInfo-i Premium\\Client\\MpUpdater.exe"=
"c:\\Program Files\\MagicInfo-i Premium\\Client\\LFD_FlashUpdate.exe"=
"c:\\Program Files\\MagicInfo-i Premium\\Client\\MpVirtualKeybd.exe"=
"c:\\Program Files\\MagicInfo-i Premium\\Client\\MpWatcher.exe"=
"c:\\Program Files\\MagicInfo-i Premium\\Client\\MpFileTransfer.exe"=
"c:\\Program Files\\MagicInfo-i Premium\\Client\\MpAgent.exe"=
"c:\\Program Files\\MagicInfo-i Premium\\Client\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\MagicInfo-i Premium\\Client\\MpPlayer.exe"=
"c:\\Program Files\\RemoteDisplayControl\\RemoteDisplayControl.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"5902:TCP"= 5902:TCP:WinSEVnc_Port
"5900:TCP"= 5900:TCP:WinVNC_Port
"5800:TCP"= 5800:TCP:WinVNC_Port
"5500:TCP"= 5500:TCP:WinVNC_Port
"6100:TCP"= 6100:TCP:Synchronize Port
"6101:TCP"= 6101:TCP:Synchronize Port
"6200:TCP"= 6200:TCP:Synchronize Port
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimeStampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)
.
R0 eltorito;Windows XP Embedded Eltorito CDROM Boot Driver;c:\windows\system32\drivers\eltorito.sys [4/5/2010 11:48 AM 17152]
R0 EWF;EWF;c:\windows\system32\drivers\ewf.sys [4/5/2010 11:48 AM 47616]
R0 FBWF;File-Based Write Filter;c:\windows\system32\drivers\fbwf.sys [4/5/2010 11:48 AM 75496]
R1 RegFilter;Registry Filter Driver;c:\windows\system32\drivers\regflt.sys [4/5/2010 11:48 AM 23168]
R3 Ramdisk;Windows RAM Disk Driver;c:\windows\system32\drivers\ramdisk.sys [4/5/2010 11:48 AM 20736]
S3 AtmElan;ATM Emulated LAN;c:\windows\system32\drivers\atmlane.sys [4/5/2010 11:48 AM 55808]
S3 ATMEPVCM;Microsoft Ethernet PVC;c:\windows\system32\drivers\atmepvc.sys [4/5/2010 11:48 AM 31360]
S3 ATMEPVCP;Microsoft Ethernet PVC - RFC2684;c:\windows\system32\drivers\atmepvc.sys [4/5/2010 11:48 AM 31360]
S3 AtmLane;ATM LAN Emulation;c:\windows\system32\drivers\atmlane.sys [4/5/2010 11:48 AM 55808]
S3 BTHprint;Microsoft Bluetooth Printer Class;c:\windows\system32\drivers\BTHPRINT.SYS [4/5/2010 11:48 AM 36480]
S3 eyeonedp;eye-one display;c:\windows\system32\drivers\eyeonedp.sys [4/6/2010 3:58 AM 44344]
S3 MSFSIO;Microsoft Streaming File System I/O;c:\windows\system32\drivers\MSFSIO.sys [4/5/2010 11:48 AM 6016]
S3 MSRIFFWV;Microsoft Streaming RIFF Wave File Parser;c:\windows\system32\drivers\MSRIFFWV.sys [4/5/2010 11:48 AM 12416]
S3 scsiprnt;Microsoft SCSI/1394 Generic Printer Class;c:\windows\system32\drivers\scsiprnt.sys [4/5/2010 11:48 AM 11648]
S3 TDASYNC;TDASYNC;c:\windows\system32\drivers\tdasync.sys [4/5/2010 11:48 AM 13192]
S3 TDIPX;TDIPX;c:\windows\system32\drivers\tdipx.sys [4/5/2010 11:48 AM 21896]
S3 TDSPX;TDSPX;c:\windows\system32\drivers\tdspx.sys [4/5/2010 11:48 AM 19464]
S3 Tssdis;Terminal Services Session Directory;c:\windows\System32\tssdis.exe --> c:\windows\System32\tssdis.exe [?]
S4 AODService;AODService;c:\program files\AMD\OverDrive\AODAssist.exe [10/22/2009 2:49 AM 136544]
S4 DUAgent;Device Update Agent;c:\program files\Common Files\DUAgent.exe [4/5/2010 11:49 AM 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
PCHealth	REG_MULTI_SZ   	HelpSvc UploadMgr
p2psvc	REG_MULTI_SZ   	p2psvc p2pimsvc p2pgasvc PNRPSvc
termsvcs	REG_SZ   	TermService
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.samsung.com
TCP: DhcpNameServer = 172.17.4.36 172.17.10.36 172.17.4.30
.
- - - - ORPHANS REMOVED - - - -
.
Notify-SSOExec - c:\windows\temp\sso\ssoexec.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-01 08:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
@Denied: (A 2) (Everyone)
@="FlashProp Class"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\flash.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10p.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10p.ocx, 1"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10p.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10p.ocx, 1"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\CMILoadedHive-{270A7486-0743-4B09-8AE0-401E7DE7984F}\Microsoft\Windows NT\CurrentVersion\Windows]
@Denied: (Full) (Everyone)
@Denied: (Full) (Everyone)
@="mnmsrvc"
"swapdisk"=""
"Spooler"="yes"
"USERProcessHandleQuota"=dword:00002710
"TransmissionRetryTimeout"="90"
"GDIProcessHandleQuota"=dword:00002710
"DeviceNotSelectedTimeout"="15"
"RequireSignedAppInit_DLLs"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\EmbdTrst.DLL
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2013-03-01 08:49:17
ComboFix-quarantined-files.txt 2013-03-01 08:49
.
Pre-Run: 6,368,288,768 bytes free
Post-Run: 6,735,237,120 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows Embedded Standard" /fastdetect /noexecute=AlwaysOff /usepmtimer
.
- - End Of File - - 91FC3512CC3FCA5C6D18A172395C3A8B