ComboFix 09-10-15.03 - Owner 10/15/2009 21:40.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2592 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Installer\2b9648.msi
c:\windows\Installer\48fd2.msp
c:\windows\system32\tmp.reg
E:\Autorun.inf
E:\install.exe
Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :^)
.
((((((((((((((((((((((((( Files Created from 2009-09-16 to 2009-10-16 )))))))))))))))))))))))))))))))
.
2009-10-13 00:51 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-13 00:51 . 2009-10-13 00:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-13 00:51 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-12 23:29 . 2009-10-12 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-12 23:29 . 2009-10-15 03:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-12 23:29 . 2009-10-12 23:29 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-10-12 23:28 . 2009-10-12 23:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-12 23:25 . 2009-10-12 23:25 -------- d-----w- c:\program files\Trend Micro
2009-10-12 22:36 . 2009-10-12 22:36 -------- d-----w- C:\$AVG
2009-10-12 22:35 . 2009-10-12 22:35 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2009-10-12 22:35 . 2009-10-12 22:35 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-12 22:35 . 2009-10-12 22:35 356616 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-12 22:35 . 2009-10-12 22:35 161672 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-10-12 22:35 . 2009-10-12 22:35 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-12 22:35 . 2009-10-12 22:35 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-12 22:35 . 2009-10-15 21:16 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-12 22:35 . 2009-10-12 22:35 -------- d-----w- c:\program files\AVG
2009-10-12 22:35 . 2009-10-12 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-11 22:21 . 2009-10-11 22:21 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-11 21:38 . 2009-10-11 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8(2)
2009-10-11 19:51 . 2009-10-11 22:18 -------- dc----w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-10-11 19:51 . 2009-10-11 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-09 22:52 . 2009-10-09 22:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-10-09 22:52 . 2009-10-09 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-03 00:11 . 2009-10-03 00:11 3293184 ----a-w- c:\windows\system32\config\systemprofile\NTUSER(2).DAT
2009-09-19 22:07 . 2009-09-19 22:07 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\gctmp
2009-09-19 22:07 . 2009-09-19 22:07 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Xenocode
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-15 03:04 . 2008-11-27 22:10 -------- d-----w- c:\program files\Java
2009-10-11 22:20 . 2008-11-26 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-19 20:27 . 2008-11-28 21:28 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-08-07 23:51 . 2009-08-07 23:51 15308424 ----a-w- c:\windows\system32\xlive.dll
2009-08-07 23:51 . 2009-08-07 23:51 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-08-06 23:24 . 2008-11-26 18:19 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2008-11-26 18:19 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2008-11-26 18:19 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2008-11-26 18:19 35552 ----a-w- c:\windows\system32\wups(2)(2).dll
2009-08-06 23:24 . 2008-10-16 19:09 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2008-10-16 19:09 44768 ----a-w- c:\windows\system32\wups2(2)(2).dll
2009-08-06 23:24 . 2008-11-26 18:19 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-04 10:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2008-11-26 18:19 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2008-11-26 18:19 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:52 . 2009-07-10 16:00 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-07-31 19:23 . 2008-11-28 19:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-19 21:26 . 2008-11-26 20:21 22656 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-06-30 18:44 . 2008-12-04 21:09 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\SUPERAntiSpyware ----
2009-10-15 03:10 . 2009-10-15 01:44 2000112 ----a-w- c:\program files\SUPERAntiSpyware\e0fc707a-1079-4851-b23d-75b94b5e9cec.exe
2009-10-15 01:44 . 2009-10-15 01:44 29863 ----a-w- c:\program files\SUPERAntiSpyware\Language\ARABIC.LNG
2009-10-15 01:44 . 2009-10-15 01:44 35576 ----a-w- c:\program files\SUPERAntiSpyware\Language\BULGARIAN (BG).LNG
2009-10-15 01:44 . 2009-09-15 15:42 1998576 ----a-w- c:\program files\SUPERAntiSpyware\caa73f0e-a377-4e7b-8a12-7099d1f02c89.exe
2009-09-15 15:42 . 2009-09-15 15:42 7408 ----a-r- c:\program files\SUPERAntiSpyware\SASENUM.SYS
2009-09-15 15:42 . 2009-09-15 15:42 9968 ----a-w- c:\program files\SUPERAntiSpyware\sasdifsv.sys
2009-09-15 15:42 . 2009-09-15 15:42 74480 ----a-w- c:\program files\SUPERAntiSpyware\SASKUTIL.SYS
2009-09-15 15:42 . 2009-10-15 01:44 2000112 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
2009-09-15 15:42 . 2009-09-15 15:42 158960 ----a-w- c:\program files\SUPERAntiSpyware\SSUpdate.exe
2009-09-15 14:47 . 2009-09-15 14:47 20608955 ----a-w- c:\program files\SUPERAntiSpyware\PROCESSLIST.DB
2009-09-15 14:46 . 2009-09-15 14:46 1226937 ----a-w- c:\program files\SUPERAntiSpyware\PROCESSLISTRELATED.DB
2009-09-03 19:21 . 2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
2009-09-02 02:56 . 2009-10-15 01:44 37812 ----a-w- c:\program files\SUPERAntiSpyware\Language\DUTCH (NL).LNG
2009-08-05 17:03 . 2009-08-05 17:03 35985 ----a-w- c:\program files\SUPERAntiSpyware\Language\Swedish (SE).lng
2009-08-05 16:26 . 2009-08-05 16:26 32627 ----a-w- c:\program files\SUPERAntiSpyware\Language\Hungarian (HU).lng
2009-08-05 16:24 . 2009-08-05 16:24 34855 ----a-w- c:\program files\SUPERAntiSpyware\Language\Estonian (EST).lng
2009-01-15 15:44 . 2009-01-15 15:44 34251 ----a-w- c:\program files\SUPERAntiSpyware\Language\DANISH (DK).LNG
2009-01-15 15:43 . 2009-01-15 15:43 36425 ----a-w- c:\program files\SUPERAntiSpyware\Language\Norwegian (NO).lng
2009-01-15 15:31 . 2009-01-15 15:31 36581 ----a-w- c:\program files\SUPERAntiSpyware\Language\Polish (PL).lng
2009-01-15 15:28 . 2009-01-15 15:28 40572 ----a-w- c:\program files\SUPERAntiSpyware\Language\Macedonian (MK).lng
2008-11-04 22:37 . 2008-11-04 22:37 39269 ----a-w- c:\program files\SUPERAntiSpyware\Language\Portuguese (BR).lng
2008-11-03 17:49 . 2008-11-03 17:49 47912 ----a-w- c:\program files\SUPERAntiSpyware\RUNSAS.EXE
2008-11-03 17:30 . 2008-11-03 17:30 40888 ----a-w- c:\program files\SUPERAntiSpyware\Language\German (DE).lng
2008-11-03 17:28 . 2008-11-03 17:28 41152 ----a-w- c:\program files\SUPERAntiSpyware\Language\Italian (IT).lng
2008-11-03 15:37 . 2008-11-03 15:37 40562 ----a-w- c:\program files\SUPERAntiSpyware\Language\Spanish (ES).lng
2008-11-03 15:36 . 2008-11-03 15:36 42687 ----a-w- c:\program files\SUPERAntiSpyware\Language\French (FR).lng
2008-10-06 18:20 . 2008-10-06 18:20 35739 ----a-w- c:\program files\SUPERAntiSpyware\Language\English (US).lng
2008-07-28 15:10 . 2008-07-28 15:10 411136 ----a-w- c:\program files\SUPERAntiSpyware\SASREPAIRS.STG
2008-05-13 14:13 . 2008-05-13 14:13 77824 ----a-w- c:\program files\SUPERAntiSpyware\SASSEH.DLL
2008-03-12 15:29 . 2008-03-12 15:29 24576 ----a-r- c:\program files\SUPERAntiSpyware\SASINST.EXE
2007-11-27 17:12 . 2007-11-27 17:12 1088725 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.chm
2007-10-02 18:08 . 2007-10-02 18:08 122168 ----a-r- c:\program files\SUPERAntiSpyware\BootSafe.exe
2007-02-27 16:39 . 2007-02-27 16:39 61440 ----a-w- c:\program files\SUPERAntiSpyware\SASCTXMN.DLL
2006-09-19 19:55 . 2006-09-19 19:55 360448 ----a-r- c:\program files\SUPERAntiSpyware\deupx.dll
2004-06-03 13:24 . 2004-06-03 13:24 69632 ----a-w- c:\program files\SUPERAntiSpyware\Plugins\sab_incr.dll
2004-05-20 17:28 . 2004-05-20 17:28 2048 ----a-w- c:\program files\SUPERAntiSpyware\detect.wav
2004-05-07 19:31 . 2004-05-07 19:31 348160 ----a-w- c:\program files\SUPERAntiSpyware\msvcr71.dll
2004-05-07 19:31 . 2004-05-07 19:31 40960 ----a-w- c:\program files\SUPERAntiSpyware\Plugins\sab_mapi.dll
2004-05-07 19:31 . 2004-05-07 19:31 61440 ----a-w- c:\program files\SUPERAntiSpyware\Plugins\sab_wab.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="e:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-25 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-25 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-06-25 1630208]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-09-21 86016]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-09-21 2807808]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-12 22:35 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"e:\\Program Files\\Firefly Studios\\CivCity Rome\\CivCity Rome.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [10/12/2009 6:35 pm 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [10/12/2009 6:35 pm 161672]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/12/2009 6:35 pm 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/12/2009 6:35 pm 356616]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 am 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 am 74480]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10/12/2009 6:35 pm 906520]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/12/2009 6:35 pm 285392]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [10/12/2009 6:35 pm 5830152]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [10/12/2009 6:35 pm 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [10/12/2009 6:35 pm 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [10/12/2009 6:35 pm 25736]
S3 pfsvgae;pfsvgae;\??\c:\docume~1\Owner\LOCALS~1\Temp\pfsvgae.sys --> c:\docume~1\Owner\LOCALS~1\Temp\pfsvgae.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 am 7408]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} - hxxp://www.intel.com/design/motherbd/boardid/BoardID.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ohark9ju.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: e:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-10-15 21:48
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-117609710-1592454029-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{84EF2146-A462-2D01-9B75-8E8D6E60D380}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"janggkjbgabndcfdaeli"=hex:6a,61,6d,6c,66,6a,63,66,6f,69,62,70,68,61,66,6b,67,
61,65,66,00,f2
"iadgmocoiacmmhbmgp"=hex:6a,61,6d,6c,66,6a,63,66,6f,69,62,70,68,61,66,6b,67,61,
65,66,00,02
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(764)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(3980)
c:\windows\system32\WININET.dll
e:\program files\RocketDock\RocketDock.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\AVG\AVG9\avgam.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-10-16 21:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-16 01:52
Pre-Run: 69,737,598,976 bytes free
Post-Run: 69,972,209,664 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /numproc=2