Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1370 [GMT 10:00]
Running from: c:\documents and settings\Renaissance\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\install.exe
c:\windows\system32\AutoRun.inf
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-04-29 )))))))))))))))))))))))))))))))
.
2009-04-29 12:03 . 2009-04-29 12:06 -------- d-----w C:\Rooter$
2009-04-29 05:08 . 2009-04-29 05:43 -------- d-----w c:\windows\system32\NtmsData
2009-04-25 22:40 . 2009-04-25 22:40 -------- d-----w C:\rsit
2009-04-22 21:29 . 2009-03-10 12:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-22 21:29 . 2009-03-10 12:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-22 21:29 . 2009-04-22 21:29 -------- d-----w c:\windows\system32\KB905474
2009-04-20 12:54 . 2009-04-20 12:54 -------- d-sh--w c:\documents and settings\Renaissance\PrivacIE
2009-04-20 12:52 . 2009-04-20 12:52 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-20 12:51 . 2009-04-20 12:51 -------- d-sh--w c:\documents and settings\Renaissance\IETldCache
2009-04-20 12:40 . 2009-04-20 12:40 -------- d-----w c:\windows\ie8updates
2009-04-20 12:39 . 2009-04-20 12:39 -------- dc-h--w c:\windows\ie8
2009-04-20 12:36 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-04-17 08:34 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 08:34 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-17 08:34 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 08:34 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 08:34 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 08:34 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 08:34 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 08:34 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 08:34 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 08:34 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 02:57 . 2009-04-16 02:57 -------- d-----w c:\program files\WinPcap
2009-04-16 02:57 . 2009-04-29 02:48 -------- d-----w c:\program files\00 EQ Item Collector
2009-04-15 00:40 . 2004-08-04 04:00 114688 -c--a-w c:\windows\system32\dllcache\calc.exe
2009-04-15 00:40 . 2004-08-04 04:00 114688 ----a-w c:\windows\system32\calc.exe
2009-04-15 00:34 . 2009-04-15 00:34 -------- d-----w c:\documents and settings\administrator2\Local Settings\Application Data\Identities
2009-04-15 00:33 . 2007-09-13 06:22 -------- d-----w c:\documents and settings\administrator2\Local Settings\Application Data\Adobe
2009-04-04 03:14 . 2009-04-04 03:14 -------- d-----w c:\program files\Trend Micro
2009-04-04 02:41 . 2009-04-04 02:41 -------- d-----w c:\documents and settings\Renaissance\Application Data\Malwarebytes
2009-04-04 02:41 . 2009-04-06 05:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-04 02:41 . 2009-04-06 05:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-04 02:41 . 2009-04-04 02:41 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-04 02:36 . 2009-04-04 02:41 -------- d-----w c:\program files\00 VIRUS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 22:12 . 2008-03-25 23:44 -------- d-----w c:\program files\00 Sony
2009-04-15 00:34 . 2009-04-15 00:34 150952 ------w c:\documents and settings\administrator2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-14 23:27 . 2008-08-11 07:21 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-14 23:27 . 2008-08-11 07:21 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-03 21:27 . 2007-11-30 13:19 -------- d-----w c:\program files\Yahoo!
2009-03-20 20:36 . 2009-03-20 20:36 -------- d-----w c:\program files\Windows Desktop Search
2009-03-19 00:10 . 2007-12-02 01:27 -------- d-----w c:\program files\00 Picasa2
2009-03-18 00:32 . 2008-05-30 19:01 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-03-17 14:16 . 2009-03-17 14:16 -------- d-----w c:\program files\Microsoft
2009-03-17 14:16 . 2009-03-17 14:16 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-17 14:15 . 2008-03-19 10:30 -------- d-----w c:\program files\Windows Live
2009-03-17 14:13 . 2009-03-17 14:13 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-07 18:34 . 2007-09-12 22:56 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-07 18:34 . 2007-09-12 22:56 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-07 18:33 . 2007-09-12 22:56 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-07 18:33 . 2007-09-12 22:56 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-07 18:32 . 2007-09-12 22:56 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-07 18:32 . 2007-09-12 22:56 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-07 18:31 . 2007-09-12 22:56 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-07 18:31 . 2007-09-12 22:56 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-07 18:31 . 2007-09-12 22:56 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-07 18:22 . 2007-09-12 22:56 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2007-09-12 22:56 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-09 12:10 . 2007-09-12 22:56 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2007-09-12 22:56 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2007-09-12 22:56 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2007-09-12 22:56 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2007-09-12 22:56 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 04:15 . 2009-02-08 03:56 148006 ----a-w c:\windows\hpoins21.dat
2009-02-06 11:11 . 2007-09-12 22:56 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-03 23:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2007-09-12 22:56 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 07:52 . 2009-02-06 07:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-03 19:59 . 2007-09-12 22:56 56832 ----a-w c:\windows\system32\secur32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-03 06:03 2854912 ----a-w c:\program files\Protector Suite QL\farchns.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-03 06:03 2854912 ----a-w c:\program files\Protector Suite QL\farchns.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\00 Picasa2\PicasaMediaDetector" [X]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="launchapp" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-04 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-04 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-04 138008]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-04 860160]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2007-06-14 1773568]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-03-06 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-03-06 970752]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-05-21 413696]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-12-03 49168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"SsAAD.exe"="c:\progra~1\00SONI~1\SsAAD.exe" [2006-01-06 16:36 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-14 1932568]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-05-10 16342528]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]
"NDSTray.exe"="NDSTray.exe" [BU]
"CFSServ.exe"="CFSServ.exe" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-23 437160]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-5-22 2756608]
RICOH Gate La.lnk - c:\program files\00 Caplio Software\RGateLXP.exe [2008-3-24 360448]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-03 05:50 90112 ----a-w c:\windows\system32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-14 23:27 10520 ----a-w c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\00 Caplio Software\\RGateLXP.exe"=
"c:\\Program Files\\00 Sony\\LaunchPad.exe"=
"c:\\Program Files\\00 Blue Tooth\\BlueSoleil.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\00 Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\00 Sony\\EverQuest\\eqgame.exe"=
"c:\\Program Files\\00 Sony\\EverQuest II\\EverQuest2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-12-17 29181272]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-14 325640]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-14 298264]
S2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\DRIVERS\tdudf.sys [2007-03-26 105856]
S2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\DRIVERS\trudf.sys [2007-02-19 134016]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-04-27 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 06:04]
2009-04-29 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 06:04]
2009-04-29 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 12:18]
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.houseofmaktub.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/ ... ontrol.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 22:27
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1516)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\gdiplus.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
- - - - - - - > 'lsass.exe'(1572)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
- - - - - - - > 'explorer.exe'(3052)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\searchindexer.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\program files\Toshiba\TOSHIBA Direct Disc Writer\DDWMon.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\windows\system32\igfxext.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\windows\system32\TPSBattM.exe
.
**************************************************************************
.
Completion time: 2009-04-29 22:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 12:31
Pre-Run: 161,335,660,544 bytes free
Post-Run: 161,659,072,512 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
--- E O F --- 2009-04-22 21:29