ComboFix 10-01-04.01 - 06/01/2010 9:21.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.509.280 [GMT 0:00]
Running from: c:\documents and settings\L
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Lucia & Stefan\Application Data\020000008d5a2e7c724C.manifest
c:\documents and settings\Lucia & Stefan\Application Data\020000008d5a2e7c724O.manifest
c:\documents and settings\Lucia & Stefan\Application Data\020000008d5a2e7c724P.manifest
c:\documents and settings\Lucia & Stefan\Application Data\020000008d5a2e7c724S.manifest
c:\documents and settings\Lucia & Stefan\Application Data\Mozilla\Firefox\Profiles\ms9jzg7w.default\extensions\{7a720d48-2029-4e0a-84d1-3123e3a12f50}
c:\documents and settings\Lucia & Stefan\Application Data\Mozilla\Firefox\Profiles\ms9jzg7w.default\extensions\{7a720d48-2029-4e0a-84d1-3123e3a12f50}\chrome.manifest
c:\documents and settings\Lucia & Stefan\Application Data\Mozilla\Firefox\Profiles\ms9jzg7w.default\extensions\{7a720d48-2029-4e0a-84d1-3123e3a12f50}\chrome\xulcache.jar
c:\documents and settings\Lucia & Stefan\Application Data\Mozilla\Firefox\Profiles\ms9jzg7w.default\extensions\{7a720d48-2029-4e0a-84d1-3123e3a12f50}\defaults\preferences\xulcache.js
c:\documents and settings\Lucia & Stefan\Application Data\Mozilla\Firefox\Profiles\ms9jzg7w.default\extensions\{7a720d48-2029-4e0a-84d1-3123e3a12f50}\install.rdf
c:\documents and settings\Lucia & Stefan\Application Data\SystemProc
C:\setup.exe
c:\windows\system32\375098526
c:\windows\system32\CRqBd.vbs
c:\windows\system32\d3d10core.dll
c:\windows\system32\ids2IZ0.vbs
c:\windows\system32\kernel32new.dll
c:\windows\system32\msvcrtnew.dll
c:\windows\system32\unrar.exe
----- BITS: Possible infected sites -----
hxxp://sync.broadband.o2.co.uk:8080
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\system32\winlogon.bak
.
((((((((((((((((((((((((( Files Created from 2009-12-06 to 2010-01-06 )))))))))))))))))))))))))))))))
.
2010-01-01 17:06 . 2010-01-01 17:06 -------- d-----w- c:\program files\Trend Micro
2010-01-01 17:04 . 2010-01-01 17:04 -------- d-----w- c:\documents and settings\Lucia & Stefan\Local Settings\Application Data\AVG Security Toolbar
2010-01-01 14:31 . 2010-01-01 14:31 -------- d-----w- c:\documents and settings\Lucia & Stefan\Application Data\Malwarebytes
2010-01-01 14:31 . 2009-12-30 14:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-01 14:31 . 2010-01-01 14:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-01 14:31 . 2010-01-01 14:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-01 14:31 . 2009-12-30 14:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-01 10:03 . 2010-01-01 10:03 52224 ----a-w- c:\documents and settings\Lucia & Stefan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-01 10:03 . 2010-01-01 10:03 117760 ----a-w- c:\documents and settings\Lucia & Stefan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-01 10:02 . 2010-01-01 10:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-01 10:00 . 2010-01-01 10:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-01 10:00 . 2010-01-01 10:00 -------- d-----w- c:\documents and settings\Lucia & Stefan\Application Data\SUPERAntiSpyware.com
2010-01-01 09:57 . 2010-01-01 09:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-31 12:25 . 2009-12-31 12:25 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-31 09:54 . 2010-01-01 14:42 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2009-12-31 09:51 . 2010-01-01 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-31 09:50 . 2009-12-30 05:36 2033432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-12-30 05:56 . 2009-12-30 05:36 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2009-12-30 05:37 . 2009-12-30 05:37 -------- d-----w- C:\$AVG
2009-12-30 05:37 . 2009-12-30 05:37 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-30 05:37 . 2009-12-30 05:37 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-30 05:37 . 2009-12-30 05:37 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-30 05:37 . 2009-12-30 05:37 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-30 05:36 . 2010-01-05 18:08 -------- d-----w- c:\windows\system32\drivers\Avg
2009-12-30 05:36 . 2009-12-30 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-12-27 15:44 . 2010-01-01 09:36 -------- d-----w- c:\program files\Gabest
2009-12-27 14:29 . 2009-12-27 14:59 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-27 14:22 . 2009-12-28 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-27 14:22 . 2009-12-27 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-27 14:22 . 2009-12-27 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-12-25 13:56 . 2009-12-28 15:40 -------- d-----w- c:\program files\QuickTime
2009-12-24 19:24 . 2009-12-24 19:24 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-22 19:21 . 2009-12-30 05:53 4043544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-22 19:21 . 2009-12-30 05:36 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-12-22 19:21 . 2009-12-19 13:59 294656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglngx.dll
2009-12-22 19:21 . 2009-12-30 05:51 3966744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-19 15:11 . 2009-12-19 15:11 -------- d-----w- c:\documents and settings\Lucia & Stefan\Application Data\Nero
2009-12-19 15:08 . 2009-12-19 15:09 -------- d-----w- c:\program files\Nero
2009-12-19 15:07 . 2009-12-19 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-12-19 15:07 . 2009-12-19 15:10 -------- d-----w- c:\program files\Common Files\Nero
2009-12-19 14:00 . 2009-12-30 05:36 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-06 09:29 . 2009-06-09 07:48 -------- d-----w- c:\program files\DNA
2010-01-06 09:29 . 2009-06-09 07:48 -------- d-----w- c:\documents and settings\Lucia & Stefan\Application Data\DNA
2010-01-06 08:11 . 2009-11-14 09:30 0 ----a-w- c:\documents and settings\Lucia & Stefan\Local Settings\Application Data\prvlcl.dat
2010-01-02 10:07 . 2008-08-20 19:27 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-01 16:53 . 2009-01-17 08:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-01 09:37 . 2009-01-01 10:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-01 09:37 . 2009-01-01 10:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-30 05:44 . 2002-03-28 00:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-28 15:45 . 2009-01-17 08:30 -------- d-----w- c:\documents and settings\Lucia & Stefan\Application Data\LimeWire
2009-12-28 15:45 . 2009-01-17 08:24 -------- d-----w- c:\program files\LimeWire
2009-12-27 17:17 . 2009-11-22 07:30 -------- d-----w- c:\documents and settings\Lucia & Stefan\Application Data\Skype
2009-12-27 16:03 . 2009-11-24 08:02 -------- d-----w- c:\documents and settings\Lucia & Stefan\Application Data\skypePM
2009-12-25 13:56 . 2008-09-27 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-12-24 19:24 . 2008-09-27 14:23 -------- d-----w- c:\program files\DivX
2009-12-09 16:18 . 2009-11-12 06:40 79488 ----a-w- c:\documents and settings\Lucia & Stefan\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-24 08:02 . 2009-11-24 08:02 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-22 06:45 . 2009-11-22 06:43 -------- d-----r- c:\program files\Skype
2009-11-22 06:44 . 2009-11-22 06:44 -------- d-----w- c:\program files\Common Files\Skype
2009-11-22 06:43 . 2009-11-22 06:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-11-15 18:34 . 2009-11-15 18:34 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Trusteer
2009-11-14 11:01 . 2009-11-14 11:01 -------- d-----w- c:\documents and settings\Lucia & Stefan\Application Data\Trusteer
2009-11-14 11:00 . 2009-11-14 11:00 -------- d-----w- c:\program files\Trusteer
2009-11-14 10:59 . 2009-11-14 10:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2009-11-14 10:58 . 2009-11-14 10:58 144616 ----a-w- C:\RapportSetup.exe
2008-03-09 06:25 . 2009-08-15 06:42 236 ----a-w- c:\program files\Common Files\dx.reg
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2002-03-27 323392]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-23 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-31 2033432]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-01 149280]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-30 05:37 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"Wave1"=AntexWAV.DLL
"Midi"=AntexWAV.DLL
"Mixer"=AntexWAV.DLL
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [30/12/2009 05:37 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [30/12/2009 05:37 360584]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [12/11/2009 09:23 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [12/11/2009 09:23 334440]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16:26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 74480]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [30/12/2009 05:36 285392]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [12/11/2009 09:23 972008]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [04/03/2009 15:52 202016]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 7408]
.
Contents of the 'Scheduled Tasks' folder
2009-04-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Search with Wanadoo - c:\progra~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
Trusted Zone: o2.co.uk\*.broadband
FF - ProfilePath - c:\documents and settings\Lucia & Stefan\Application Data\Mozilla\Firefox\Profiles\ms9jzg7w.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
---- FIREFOX POLICIES ----
.
- - - - ORPHANS REMOVED - - - -
BHO-{129D5B77-4E2B-4FE2-810F-77B9DD60D2Ad} - c:\windows\System32\d3dx9_2532.dll
HKCU-Run-DriverUpdaterPro - c:\program files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe
Notify-a469ebf9724 - c:\windows\System32\eappcfg32.dll
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe
AddRemove-2kv4.8.442 - c:\windows\Radeon Omega Drivers v4.8.442
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2010-01-06 09:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(612)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3668)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\program files\Trusteer\Rapport\bin\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Microsoft ActiveSync\WCESCOMM.EXE
.
**************************************************************************
.
Completion time: 2010-01-06 09:34:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-06 09:34
Pre-Run: 25,165,131,776 bytes free
Post-Run: 25,189,146,624 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 749202DE503D4BC0F23A67F6FA547A8B