ComboFix 09-10-14.09 - Owner 10/15/2009 7:07.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.1089 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\CA Yahoo Antispy.lnk
c:\windows\system32\bgrcqgrx.ini
c:\windows\system32\bphlbvxb.ini
c:\windows\system32\breqmfyx.ini
c:\windows\system32\buwhihdr.ini
c:\windows\system32\ctfmon .exe
c:\windows\system32\dkpentil.ini
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\jayrwump.ini
c:\windows\system32\kcwphlip.ini
c:\windows\system32\mqewyhsq.ini
c:\windows\system32\nnepxayq.ini
c:\windows\system32\okfomtvd.ini
c:\windows\system32\pcixqvul.ini
c:\windows\system32\ps2.bat
c:\windows\system32\vvvlulqx.ini
c:\windows\system32\wcpvegkj.ini
c:\windows\system32\yapvlrom.ini
.
((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))
.
2009-10-05 18:23 . 2009-10-15 04:34 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-10-05 18:22 . 2009-10-05 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-05 18:22 . 2009-10-05 18:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-05 18:22 . 2009-10-05 18:22 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-10-05 18:20 . 2009-10-05 18:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-04 22:07 . 2009-10-04 22:07 -------- d-----w- c:\program files\Trend Micro
2009-10-04 22:04 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-04 22:04 . 2009-10-04 22:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-04 22:04 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-04 20:03 . 2009-10-13 22:21 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2009-10-04 19:45 . 2009-10-04 19:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-26 07:46 . 2009-09-30 21:54 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-15 16:48 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-11 16:48 . 2008-11-01 22:19 -------- d-----w- c:\program files\Cake Poker
2009-09-24 20:55 . 2009-09-12 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2009-09-16 19:43 . 2009-09-14 22:25 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-14 22:31 . 2009-09-12 13:37 -------- d-----w- c:\program files\PCPitstop
2009-09-14 22:26 . 2005-11-03 14:47 45920 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-14 22:24 . 2009-09-14 22:21 -------- d-----w- c:\program files\Windows Live
2009-09-14 22:24 . 2009-09-14 22:24 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-09-14 22:23 . 2009-09-14 22:23 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-09-14 22:21 . 2009-09-14 22:21 -------- d-----w- c:\program files\Microsoft
2009-09-14 22:21 . 2009-09-14 22:21 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-14 22:15 . 2009-09-14 22:15 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-13 13:10 . 2009-09-12 15:03 -------- d-----w- c:\documents and settings\Owner\Application Data\FreshDiagnose
2009-09-12 15:31 . 2009-09-12 14:15 -------- d-----w- c:\program files\FreshDevices
2009-09-12 14:32 . 2008-02-06 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-11 14:18 . 2005-04-14 21:54 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2005-04-14 20:59 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 14:33 . 2009-08-29 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2009-08-29 13:35 . 2009-08-18 01:43 -------- d-----w- c:\documents and settings\Owner\Application Data\TweakNow RegCleaner
2009-08-29 13:34 . 2009-08-17 23:59 -------- d-----w- c:\program files\HP
2009-08-29 08:08 . 2005-04-27 14:54 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2005-04-14 21:55 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-23 23:37 . 2009-06-20 21:30 -------- d-----w- c:\documents and settings\Owner\Application Data\IObit
2009-08-23 23:06 . 2003-04-10 06:26 -------- d-----w- c:\program files\Hewlett-Packard
2009-08-23 13:44 . 2003-04-10 07:06 -------- d-----w- c:\program files\HP Instant Support
2009-08-23 13:35 . 2009-08-08 15:58 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-08-18 00:24 . 2009-08-18 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2009-08-18 00:23 . 2009-08-17 23:54 166356 ----a-w- c:\windows\hpoins29.dat
2009-08-18 00:22 . 2009-08-18 00:22 -------- d-----w- c:\documents and settings\Owner\Application Data\HP
2009-08-18 00:10 . 2009-08-18 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-08-18 00:10 . 2009-08-18 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-08-18 00:09 . 2009-08-18 00:09 -------- d-----w- c:\program files\Common Files\HP
2009-08-18 00:09 . 2009-08-18 00:09 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-08-17 23:59 . 2009-08-17 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-08-07 21:58 . 2009-06-20 21:00 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-06 02:48 . 2009-09-14 22:24 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-08-05 09:01 . 2002-12-12 14:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2002-08-29 08:04 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2002-08-29 08:04 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-26 20:44 . 2009-07-26 20:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-17 19:01 . 2005-04-14 20:58 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 16:22 . 2005-04-14 21:55 1435648 ----a-w- c:\windows\system32\query.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"omniserv"=2 (0x2)
"MpfService"=2 (0x2)
"McShield"=2 (0x2)
"aolavupd"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"NISUM"=2 (0x2)
"ccPxySvc"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"helpsvc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\windows\system32\wlynhkoj.exe"= c:\windows\system32\wly
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/20/2009 5:00 PM 108289]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [9/14/2009 6:24 PM 54752]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [8/22/2009 11:01 AM 309008]
S3 FileObjInfo;STFileDriver;\??\c:\documents and settings\All Users\Application Data\Spyware Terminator\FileObjInfo.sys --> c:\documents and settings\All Users\Application Data\Spyware Terminator\FileObjInfo.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-10-04 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2009-07-05 15:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://srch-us8.hpwis.com/
uInternet Settings,ProxyOverride = localhost
IE: {{08C0CB8B-D5A3-48A7-805E-DDE1D4F00490}
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/Nirvana/ ... D3Ctrl.dll
DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} - hxxp://utilities.pcpitstop.com/Nirvana/ ... iVirus.dll
.
- - - - ORPHANS REMOVED - - - -
ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)
Notify-opnkkji - opnkkji.dll
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-15 07:11
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,65,03,da,70,d6,89,89,4f,83,fc,f1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,65,03,da,70,d6,89,89,4f,83,fc,f1,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(492)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(2272)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-15 7:13
ComboFix-quarantined-files.txt 2009-10-15 11:13
Pre-Run: 66,160,664,576 bytes free
Post-Run: 66,123,825,152 bytes free
212 --- E O F --- 2009-10-13 23:14