ComboFix 10-03-01.04 - dad 03/02/2010 13:33:10.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.205 [GMT -6:00]
Running from: c:\documents and settings\dad\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\SIntf16.dll
c:\windows\system32\spdwnwxp.exe
.
((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.
2010-03-01 18:24 . 2010-03-01 18:24 77312 ----a-w- C:\mbr.exe
2010-03-01 18:18 . 2010-03-01 18:18 -------- d-----w- c:\documents and settings\dad\Application Data\Malwarebytes
2010-03-01 18:18 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-01 18:18 . 2010-03-01 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-01 18:18 . 2010-03-01 18:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-01 18:18 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-28 00:27 . 2010-02-28 00:29 -------- d-----w- C:\rsit
2010-02-28 00:15 . 2010-02-27 23:53 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-02-28 00:15 . 2010-02-27 23:53 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-02-27 23:54 . 2010-02-27 23:56 -------- d-----w- C:\$AVG
2010-02-27 23:53 . 2010-02-27 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-22 01:59 . 2010-02-22 01:59 -------- d-----w- c:\program files\JRE
2010-02-20 21:37 . 2008-04-14 00:11 81920 ------w- c:\windows\system32\ieencode.dll
2010-02-20 21:19 . 2010-02-20 21:19 -------- d-sh--w- c:\documents and settings\dad\IECompatCache
2010-02-20 20:56 . 2010-03-02 17:05 -------- d-----w- c:\windows\system32\NtmsData
2010-02-20 20:15 . 2010-02-20 20:18 -------- dc-h--w- c:\windows\ie8
2010-02-20 19:53 . 2010-02-20 19:53 -------- d-----w- c:\windows\system32\msmq
2010-02-10 04:33 . 2009-12-14 07:08 33280 -c----w- c:\windows\system32\dllcache\csrsrv.dll
2010-02-10 04:33 . 2009-12-08 09:23 474112 -c----w- c:\windows\system32\dllcache\shlwapi.dll
2010-02-10 04:33 . 2009-11-27 16:07 11264 -c----w- c:\windows\system32\dllcache\msrle32.dll
2010-02-10 04:32 . 2009-12-16 18:43 343040 -c----w- c:\windows\system32\dllcache\mspaint.exe
2010-02-04 16:25 . 2009-03-08 10:33 18944 -c--a-w- c:\windows\system32\dllcache\corpol.dll
2010-02-04 03:14 . 2010-02-04 03:14 503808 ----a-w- c:\documents and settings\dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-52271643-n\msvcp71.dll
2010-02-04 03:14 . 2010-02-04 03:14 499712 ----a-w- c:\documents and settings\dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-52271643-n\jmc.dll
2010-02-04 03:14 . 2010-02-04 03:14 348160 ----a-w- c:\documents and settings\dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-52271643-n\msvcr71.dll
2010-02-04 03:14 . 2010-02-04 03:14 61440 ----a-w- c:\documents and settings\dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-448217c7-n\decora-sse.dll
2010-02-04 03:14 . 2010-02-04 03:14 12800 ----a-w- c:\documents and settings\dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-448217c7-n\decora-d3d.dll
2010-02-03 02:23 . 2010-02-03 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-02-03 01:32 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-02-03 01:32 . 2009-10-13 10:30 270336 -c----w- c:\windows\system32\dllcache\oakley.dll
2010-02-03 01:32 . 2009-10-12 13:38 149504 -c----w- c:\windows\system32\dllcache\rastls.dll
2010-02-03 01:32 . 2009-10-12 13:38 79872 -c----w- c:\windows\system32\dllcache\raschap.dll
2010-02-02 21:32 . 2010-02-02 21:32 -------- d-----w- c:\program files\Trend Micro
2010-02-02 19:25 . 2010-02-02 19:25 -------- d-----w- c:\program files\QuickTime
2010-02-02 19:25 . 2010-02-02 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-02-02 19:24 . 2010-02-02 19:24 -------- d-----w- c:\program files\Common Files\Apple
2010-02-02 19:24 . 2010-02-02 19:24 -------- d-----w- c:\documents and settings\dad\Local Settings\Application Data\Apple
2010-02-02 19:24 . 2010-02-02 19:24 -------- d-----w- c:\program files\Apple Software Update
2010-02-02 19:24 . 2010-02-02 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-02-02 19:24 . 2010-02-02 19:24 -------- d-----w- c:\documents and settings\dad\Local Settings\Application Data\Apple Computer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-02 19:38 . 2009-09-21 15:56 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-03-02 19:38 . 2009-08-27 19:00 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-03-01 18:04 . 2009-04-16 16:18 1 ----a-w- c:\documents and settings\dad\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-02-27 23:53 . 2009-04-13 01:55 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-27 23:53 . 2009-04-13 01:55 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-27 23:53 . 2009-04-13 01:55 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-27 23:53 . 2009-04-13 01:55 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-27 23:53 . 2009-04-13 00:46 -------- d-----w- c:\program files\AVG
2010-02-22 01:59 . 2009-04-16 05:31 -------- d-----w- c:\program files\OpenOffice.org 3
2010-02-21 00:36 . 2009-04-16 05:30 -------- d-----w- c:\program files\Common Files\Java
2010-02-21 00:36 . 2009-04-16 05:08 -------- d-----w- c:\program files\Java
2010-02-20 22:27 . 2009-04-16 05:09 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-20 21:59 . 2009-04-11 05:30 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-02 23:28 . 2009-07-23 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-02 22:31 . 2009-12-07 22:48 -------- d-----w- c:\program files\ordrumbox
2010-02-01 17:01 . 2009-09-17 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-12 21:25 . 2010-01-13 02:53 52224 ----a-w- c:\documents and settings\dad\Application Data\Mozilla\Firefox\Profiles\qvrol8yx.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
2010-01-12 21:25 . 2010-01-13 02:53 101376 ----a-w- c:\documents and settings\dad\Application Data\Mozilla\Firefox\Profiles\qvrol8yx.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
2010-01-07 02:49 . 2009-04-13 00:24 22352 ----a-w- c:\documents and settings\dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-07 00:16 . 2009-08-27 22:38 -------- d-----w- c:\documents and settings\dad\Application Data\Skype
2010-01-06 23:50 . 2009-08-27 22:41 -------- d-----w- c:\documents and settings\dad\Application Data\skypePM
2010-01-05 16:09 . 2010-01-05 16:09 -------- d-----w- c:\program files\NCH Software
2010-01-05 16:05 . 2010-01-05 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-01-05 16:04 . 2010-01-05 16:04 -------- d-----w- c:\program files\NCH Swift Sound
2010-01-05 16:04 . 2010-01-05 16:04 -------- d-----w- c:\documents and settings\dad\Application Data\NCH Swift Sound
2010-01-04 22:37 . 2010-01-04 22:21 -------- d-----w- c:\documents and settings\dad\Application Data\MP3Rocket
2009-12-31 16:50 . 2007-06-24 07:40 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2007-06-24 07:40 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2009-04-11 05:26 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-03 23:56 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2007-06-24 07:39 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2007-02-28 07:15 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2007-06-24 07:39 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe 7" [X]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime"="c:\documents and settings\All Users\common\dll\netdr\msdtc.exe" [2007-12-27 466944]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-27 23:53 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^dad^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\dad\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 10:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-09-09 15:58 133104 ----atw- c:\documents and settings\dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2009-06-02 13:59 5451536 ----a-w- c:\program files\Logitech\Logitech Vid\Vid.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-05-08 15:35 2780432 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime]
2007-12-27 23:17 466944 ----a-w- c:\documents and settings\All Users\common\dll\netdr\msdtc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-07-16 18:20 25604904 ----a-r- c:\program files\Skype\Phone\Skype.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Diablo II\\Game.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"3383:TCP"= 3383:TCP:Services
"7477:TCP"= 7477:TCP:Services
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/12/2009 7:55 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/12/2009 7:55 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/27/2010 5:53 PM 285392]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [5/23/2007 4:15 AM 547744]
.
Contents of the 'Scheduled Tasks' folder
2010-03-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-1060284298-682003330-1003Core.job
- c:\documents and settings\dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-09 15:58]
2010-03-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-1060284298-682003330-1003UA.job
- c:\documents and settings\dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-09 15:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\dad\Application Data\Mozilla\Firefox\Profiles\qvrol8yx.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\dad\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 13:39
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3068)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\LTMSG.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG9\avgnsx.exe
.
**************************************************************************
.
Completion time: 2010-03-02 13:43:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-02 19:42
Pre-Run: 41,178,247,168 bytes free
Post-Run: 41,140,432,896 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - FFCE073D23176E003C7AEECC3954F068