ComboFix 11-09-17.03 - Doug 09/17/2011 22:18:40.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.509.159 [GMT -5:00]
Running from: c:\documents and settings\Doug\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\egsc.exe
c:\documents and settings\All Users\Application Data\hmal.exe
c:\documents and settings\All Users\Application Data\qkao.exe
c:\documents and settings\All Users\Application Data\sebl.exe
c:\documents and settings\Doug\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Doug\Local Settings\Application Data\ApplicationHistory\ehshell.exe.a87fcbb.ini
c:\documents and settings\Doug\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.4f02aeeb.ini
c:\documents and settings\Doug\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.84b1751b.ini
c:\documents and settings\Doug\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Doug\Local Settings\Application Data\ApplicationHistory\SL1.tmp.e2c7eea.ini
c:\documents and settings\Doug\Local Settings\Application Data\cbuw.exe
c:\documents and settings\Doug\Local Settings\Application Data\cdpt.exe
c:\documents and settings\Doug\Local Settings\Application Data\lpbf.exe
c:\documents and settings\Doug\Local Settings\Application Data\tsds.exe
c:\documents and settings\Doug\Templates\mfwd.exe
c:\documents and settings\Doug\Templates\mlvx.exe
c:\documents and settings\Doug\Templates\npfj.exe
c:\documents and settings\Doug\Templates\vfnv.exe
c:\documents and settings\Doug\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2011-08-18 to 2011-09-18 )))))))))))))))))))))))))))))))
.
.
2011-09-16 21:29 . 2011-09-16 21:29 388096 ----a-r- c:\documents and settings\Doug\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-16 21:29 . 2011-09-16 21:29 -------- d-----w- c:\program files\Trend Micro
2011-09-15 19:33 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-09-15 19:33 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-09-15 14:39 . 2011-09-15 14:39 -------- d-----w- c:\program files\ESET
2011-09-15 07:56 . 2011-09-15 07:56 -------- d--h--w- c:\windows\PIF
2011-09-15 07:09 . 2011-09-15 07:09 -------- d-----w- c:\program files\Common Files\Java
2011-09-15 01:07 . 2011-09-15 08:01 -------- d-----w- C:\VritualRoot
2011-09-14 23:43 . 2011-09-14 23:43 -------- d-----w- c:\program files\COMODO
2011-09-14 23:39 . 2011-09-15 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2011-09-14 23:19 . 2011-09-14 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2011-09-14 04:07 . 2011-09-14 04:07 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-13 09:17 . 2011-09-13 09:18 -------- d-----w- c:\documents and settings\Administrator.CLINTSCOMPUTER
2011-09-11 20:00 . 2011-09-11 20:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-09-09 09:12 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-08-26 19:39 . 2011-08-26 19:39 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2006-03-15 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 22:00 . 2010-08-28 04:40 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-19 10:05 . 2010-09-06 21:58 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-19 07:40 . 2010-09-06 21:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-15 13:29 . 2006-03-15 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2006-03-15 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 21:32 . 2011-02-16 00:51 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-07-06 21:32 . 2011-02-16 00:51 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2011-07-06 21:32 . 2011-02-16 00:51 29568 ----a-w- c:\windows\system32\LMIport.dll
2011-07-06 21:32 . 2011-02-16 00:51 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-06-30 14:38 . 2011-06-30 14:38 97504 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-06-30 14:38 . 2011-06-30 14:38 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-06-30 14:38 . 2011-06-30 14:38 242600 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-06-30 14:38 . 2011-06-30 14:38 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-06-30 14:37 . 2011-06-30 14:37 285256 ----a-w- c:\windows\system32\guard32.dll
2011-06-24 14:10 . 2010-08-27 05:51 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2006-03-15 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2006-03-15 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2006-03-15 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2006-03-15 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2006-03-15 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 1591808]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"nwiz"="nwiz.exe" [2003-04-02 323584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-04-02 4616192]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-02 421160]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-06-30 2554696]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-09-10 2338656]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYAMwBaAEMAOQAtAEUASwBBAFIAUwAtADYAUgBXAEcAQQAtAEEAQQBUAEMAVQAtAFYAUAA5AEYATgA&inst=NwA3AC0AMwA5ADcANQAxADkAMwAxADUALQBUAEIAOQArADIALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AC0ARgA5AE0AMQAwAEIAKwAxAA&prod=90&ver=9.0.872" [?]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\Anti-Virus & Spyware\SUPERAntispyware\SASSEH.DLL" [2011-09-13 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\Anti-Virus & Spyware\SUPERAntispyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-07-06 21:32 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 4:48 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [12/8/2010 5:12 AM 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/12/2010 2:19 PM 297168]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [6/30/2011 9:38 AM 242600]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/30/2011 9:38 AM 29400]
R1 SASDIFSV;SASDIFSV;c:\program files\Anti-Virus & Spyware\SUPERAntispyware\SASDIFSV.SYS [2/17/2010 1:25 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\Anti-Virus & Spyware\SUPERAntispyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\Anti-Virus & Spyware\SUPERAntispyware\SASCORE.EXE [6/29/2010 12:48 PM 116608]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 2:11 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 4:40 PM 12856]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/3/2010 4:23 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/3/2010 4:23 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/3/2010 4:23 PM 27216]
S?2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [8/18/2011 1:33 AM 7390560]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/27/2010 11:40 PM 22216]
S3 s3m;s3m;c:\windows\system32\drivers\s3m.sys [2/3/2011 4:46 PM 166720]
S4 MBAMService;MBAMService;c:\program files\Anti-Virus & Spyware\Malwarebytes' Anti-Malware\mbamservice.exe [8/27/2010 11:40 PM 366152]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.100
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2011-09-17 22:40
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(832)
c:\program files\Anti-Virus & Spyware\SUPERAntispyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(892)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(608)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AVG\AVG10\avgui.exe
.
**************************************************************************
.
Completion time: 2011-09-17 22:54:05 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-18 03:54
.
Pre-Run: 53,877,645,312 bytes free
Post-Run: 54,454,915,072 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 1B9999AA23A6246969E2C73A94763F5A