Hi Dan,
ComboFix Log:
ComboFix 09-03-01.01 - Dukkipati 2009-03-01 20:16:54.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.702.240 [GMT -5:00]
Running from: c:\documents and settings\Dukkipati\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dukkipati\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
FW: Symantec Client Firewall *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\rsit
c:\rsit\info.txt
c:\rsit\log.txt
.
((((((((((((((((((((((((( Files Created from 2009-02-02 to 2009-03-02 )))))))))))))))))))))))))))))))
.
2009-02-28 08:21 . 2009-03-01 10:36 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-02-24 12:47 . 2009-02-24 12:47 250 --a------ c:\windows\gmer.ini
2009-02-21 10:50 . 2009-02-21 10:50 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-21 10:50 . 2009-02-21 10:50 <DIR> d-------- c:\documents and settings\Dukkipati\Application Data\SUPERAntiSpyware.com
2009-02-21 10:50 . 2009-02-21 10:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-21 10:49 . 2009-02-21 10:49 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-21 00:53 . 2009-02-21 00:42 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-21 00:42 . 2009-02-21 00:42 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-02-21 00:42 . 2009-02-21 00:41 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-21 00:36 . 2009-02-21 00:36 <DIR> d-------- c:\program files\Lavasoft
2009-02-21 00:36 . 2009-02-21 00:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-21 00:36 . 2009-02-21 00:36 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-20 23:53 . 2009-02-20 23:53 <DIR> d-------- c:\program files\Trend Micro
2009-02-15 15:49 . 2009-02-15 15:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-15 15:34 . 2005-08-09 17:00 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2009-02-15 15:34 . 2005-08-09 17:47 <DIR> d-------- c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver
2009-02-15 15:34 . 2005-08-09 17:07 <DIR> d-------- c:\documents and settings\Administrator\Application Data\toshiba
2009-02-15 15:34 . 2005-08-09 17:38 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intuit
2009-02-15 15:34 . 2005-08-09 17:39 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InterTrust
2009-02-15 15:34 . 2006-09-03 11:04 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AOL
2009-02-15 15:34 . 2009-02-15 15:34 <DIR> d-------- c:\documents and settings\Administrator
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-02 01:08 --------- d-----w c:\program files\Java
2009-02-21 01:02 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-05 04:17 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-01 03:40 --------- d-----w c:\documents and settings\Dukkipati\Application Data\Move Networks
2009-01-14 21:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 21:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-10 01:38 --------- d-----w c:\documents and settings\Dukkipati\Application Data\Malwarebytes
2009-01-10 01:38 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-09 16:28 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-09 14:26 --------- d-----w c:\documents and settings\All Users\Application Data\1633183763
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2009-01-03 16:28 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-03 16:28 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-03 16:28 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-03 16:28 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-03 16:28 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800} ----
2009-02-21 00:37 496 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.dat
2009-02-21 00:36 9027 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.par
2009-02-21 00:36 90 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\instance.dat
2009-02-21 00:36 9 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.lan
2009-01-18 16:43 578782 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\mia.lib
2009-01-18 16:43 569856 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.msi
2009-01-18 16:43 5113482 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.res
2009-01-18 16:43 2892112 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.exe
((((((((((((((((((((((((((((( SnapShot@2009-02-28_ 8.24.39.73 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 344064]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552]
"CgaHelper"="c:\progra~1\CYBERG~1\cgahelp.exe" [2003-05-20 73790]
"CgaViewer"="c:\progra~1\CYBERG~1\cgav.exe" [2003-05-20 65592]
"TOA_Runs"="c:\windows\RVpnc.exe" [2003-08-15 124069]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-09 98304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2007-06-06 125632]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2005-10-18 1261568]
"Notebook Maximizer"="c:\program files\Notebook Maximizer\maximizer_startup.exe" [2004-05-25 28672]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-21 509784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-09 136600]
"NDSTray.exe"="NDSTray.exe" [BU]
"CFSServ.exe"="CFSServ.exe" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-08-09 155648]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.X264"= x264vfw.dll
"aux"= c:\windows\system32\..\feve.fvq
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 02:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a------ 2004-09-07 16:03 1077301 c:\program files\Toshiba\Touch and Launch\PadExe.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2005-04-26 18:13 122880 c:\program files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Nortel Networks\\Extranet.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 0 (0x0)
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-21 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 CGAgent;CyberGatekeeper Agent;c:\progra~1\CYBERG~1\cgasvc.exe [2006-08-23 73788]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2006-08-23 11113]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-10-25 99376]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-03-31 211200]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2006-08-23 216459]
S3 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [2007-06-06 116928]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - RSVP
.
Contents of the 'Scheduled Tasks' folder
2009-02-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-21 00:41]
2009-02-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com/
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\Dukkipati\Application Data\Mozilla\Firefox\Profiles\p19jtx1y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox? ... S:official
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-01 20:18:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1128)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-03-01 20:20:42
ComboFix-quarantined-files.txt 2009-03-02 01:20:15
ComboFix2.txt 2009-02-28 13:26:44
Pre-Run: 33,545,707,520 bytes free
Post-Run: 33,594,191,872 bytes free
211 --- E O F --- 2009-02-27 07:33:44
Malwarebytes Scan:
Malwarebytes' Anti-Malware 1.34
Database version: 1814
Windows 5.1.2600 Service Pack 2
3/1/2009 9:07:02 PM
mbam-log-2009-03-01 (21-07-02).txt
Scan type: Full Scan (C:\|)
Objects scanned: 134956
Time elapsed: 23 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
********************************************************
Kaspersky Scan:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, March 1, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, March 02, 2009 00:25:54
Records in database: 1860751
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
Scan statistics:
Files scanned: 66162
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:43:18
File name / Threat name / Threats count
C:\Documents and Settings\Dukkipati\Application Data\Sun\Java\Deployment\cache\6.0\25\650d0659-2f1cb252 Infected: Exploit.Java.Gimsh.a 1
The selected area was scanned.