ComboFix 10-03-04.02 - Michelle Dunaway 03/04/2010 19:46:59.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1373 [GMT -5:00]
Running from: c:\documents and settings\Michelle Dunaway\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michelle Dunaway\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\AVG
c:\program files\AVG\AVG8\avg.snu
c:\program files\AVG\AVG8\avgatend.stp
c:\program files\AVG\AVG8\avgatupd.stp
c:\program files\AVG\AVG8\avgchk.exe
c:\program files\AVG\AVG8\avgchk.exe0
c:\program files\AVG\AVG8\avginet.dll
c:\program files\AVG\AVG8\avgiproxy.exe
c:\program files\AVG\AVG8\avgmwdef_us.mht
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgupd.dll
c:\program files\AVG\AVG8\avgupd.exe
c:\program files\AVG\AVG8\cf.dat
c:\program files\AVG\AVG8\commonpriv.log
c:\program files\AVG\AVG8\commonpriv.log.lock
c:\program files\AVG\AVG8\dbghelp.dll
c:\program files\AVG\AVG8\fixfp.exe
c:\program files\AVG\AVG8\Icons\background_middle_gray.gif
c:\program files\AVG\AVG8\Icons\background_middle_green.gif
c:\program files\AVG\AVG8\Icons\background_middle_orange.gif
c:\program files\AVG\AVG8\Icons\background_middle_red.gif
c:\program files\AVG\AVG8\Icons\background_middle_yellow.gif
c:\program files\AVG\AVG8\Icons\background_top_gray.gif
c:\program files\AVG\AVG8\Icons\background_top_green.gif
c:\program files\AVG\AVG8\Icons\background_top_orange.gif
c:\program files\AVG\AVG8\Icons\background_top_red.gif
c:\program files\AVG\AVG8\Icons\background_top_yellow.gif
c:\program files\AVG\AVG8\Icons\block-doc.gif
c:\program files\AVG\AVG8\Icons\blocked.gif
c:\program files\AVG\AVG8\Icons\border_bottom_gray.gif
c:\program files\AVG\AVG8\Icons\border_bottom_green.gif
c:\program files\AVG\AVG8\Icons\border_bottom_orange.gif
c:\program files\AVG\AVG8\Icons\border_bottom_red.gif
c:\program files\AVG\AVG8\Icons\border_bottom_yellow.gif
c:\program files\AVG\AVG8\Icons\border_top_gray.gif
c:\program files\AVG\AVG8\Icons\border_top_green.gif
c:\program files\AVG\AVG8\Icons\border_top_orange.gif
c:\program files\AVG\AVG8\Icons\border_top_red.gif
c:\program files\AVG\AVG8\Icons\border_top_yellow.gif
c:\program files\AVG\AVG8\Icons\box_bottom_red.gif
c:\program files\AVG\AVG8\Icons\box_top_red.gif
c:\program files\AVG\AVG8\Icons\caution.gif
c:\program files\AVG\AVG8\Icons\click_here_gray.gif
c:\program files\AVG\AVG8\Icons\click_here_green.gif
c:\program files\AVG\AVG8\Icons\click_here_orange.gif
c:\program files\AVG\AVG8\Icons\click_here_red.gif
c:\program files\AVG\AVG8\Icons\click_here_yellow.gif
c:\program files\AVG\AVG8\Icons\clock.gif
c:\program files\AVG\AVG8\Icons\close.gif
c:\program files\AVG\AVG8\Icons\icons_blocked.gif
c:\program files\AVG\AVG8\Icons\icons_caution.gif
c:\program files\AVG\AVG8\Icons\icons_close.gif
c:\program files\AVG\AVG8\Icons\icons_safe.gif
c:\program files\AVG\AVG8\Icons\icons_unknown.gif
c:\program files\AVG\AVG8\Icons\icons_warning.gif
c:\program files\AVG\AVG8\Icons\LS_Logo_Results.gif
c:\program files\AVG\AVG8\Icons\safe.gif
c:\program files\AVG\AVG8\Icons\unknown.gif
c:\program files\AVG\AVG8\Icons\warning.gif
c:\program files\AVG\AVG8\license_us.txt
c:\program files\AVG\AVG8\Notification\cmp2008_App_Free_8_fr.html
c:\program files\AVG\AVG8\Notification\cmp2008_App_Free_8_it.html
c:\program files\AVG\AVG8\Notification\cmp2008_App_Free_8_nl.html
c:\program files\AVG\AVG8\Notification\cmp2008_App_Free_8_pt.html
c:\program files\AVG\AVG8\Notification\cmp2008_App_Free_8_sp.html
c:\program files\AVG\AVG8\Notification\cmp2008_App_Free_8_us.html
c:\program files\AVG\AVG8\Notification\cmp2008_App_Paid_8_fr.html
c:\program files\AVG\AVG8\Notification\cmp2008_App_Paid_8_it.html
c:\program files\AVG\AVG8\Notification\cmp2008_App_Paid_8_nl.html
c:\program files\AVG\AVG8\Notification\cmp2008_App_Paid_8_pt.html
c:\program files\AVG\AVG8\Notification\cmp2008_App_Paid_8_sp.html
c:\program files\AVG\AVG8\Notification\cmp2008_App_Paid_8_us.html
c:\program files\AVG\AVG8\Notification\icon_bulb.gif
c:\program files\AVG\AVG8\Notification\logo_avg8.gif
c:\program files\AVG\AVG8\Notification\style.css
c:\program files\AVG\AVG8\ph.dat
c:\program files\AVG\AVG8\sb.dat
c:\program files\AVG\AVG8\sb.dat.xcd
c:\program files\AVG\AVG8\sb2.dat
c:\program files\AVG\AVG8\sc.dat
c:\program files\AVG\AVG8\sc.dat.xcd
c:\program files\AVG\AVG8\updatecomps.cfg
.
((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
.
2010-03-02 02:37 . 2010-03-02 02:37 -------- d-----w- c:\documents and settings\Michelle Dunaway\Application Data\Malwarebytes
2010-03-02 02:37 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-02 02:37 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-02 00:26 . 2010-03-02 00:26 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-02-28 20:29 . 2010-02-28 20:29 -------- d-----w- c:\documents and settings\Michelle Dunaway\Local Settings\Application Data\Threat Expert
2010-02-28 20:24 . 2010-03-01 00:28 -------- d-----w- c:\program files\Spyware Doctor
2010-02-28 16:23 . 2010-02-28 16:23 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2010-02-28 15:44 . 2008-04-13 19:40 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-02-28 15:44 . 2008-04-13 19:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-02-28 15:44 . 2008-04-13 19:41 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-02-28 15:44 . 2008-04-13 19:41 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-02-28 15:44 . 2008-04-13 19:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-02-28 15:44 . 2008-04-13 19:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-02-28 02:36 . 2010-02-28 02:46 2110728 ----a-w- c:\documents and settings\Michelle Dunaway\Application Data\Facebook\Install_Facebook_Plug-In_1.0.3.exe
2010-02-26 06:41 . 2010-02-26 06:41 5582848 ----a-w- c:\documents and settings\Michelle Dunaway\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-20 20:52 . 2010-02-20 20:52 -------- d-----w- c:\program files\LyricsSeeker
2010-02-08 00:28 . 2010-02-08 00:28 50354 ----a-w- c:\documents and settings\Michelle Dunaway\Application Data\Facebook\uninstall.exe
2010-02-08 00:28 . 2010-02-28 02:46 -------- d-----w- c:\documents and settings\Michelle Dunaway\Application Data\Facebook
2010-02-05 00:44 . 2010-02-05 00:44 -------- d-----w- c:\program files\iPod
2010-02-05 00:44 . 2010-03-04 22:15 -------- d-----w- c:\program files\iTunes
2010-02-05 00:37 . 2010-02-05 00:37 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 00:53 . 2009-12-21 20:10 -------- d-----w- c:\program files\Common Files\Akamai
2010-03-04 23:06 . 2008-09-19 11:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-03-04 22:15 . 2009-11-26 18:12 -------- d-----w- c:\program files\QuickTime
2010-03-04 22:15 . 2010-01-28 23:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-02 03:13 . 2009-11-10 12:00 79488 ----a-w- c:\documents and settings\Michelle Dunaway\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-02 00:57 . 2009-03-16 22:20 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-28 21:01 . 2009-03-16 22:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-28 16:29 . 2008-09-20 21:17 -------- d-----w- c:\program files\Safari
2010-02-26 00:04 . 2008-09-28 21:47 -------- d-----w- c:\documents and settings\Michelle Dunaway\Application Data\gtk-2.0
2010-02-24 11:37 . 2007-02-12 19:36 312344 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-02-24 02:44 . 2008-09-19 11:23 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-05 00:44 . 2008-09-19 21:29 -------- d-----w- c:\program files\Common Files\Apple
2010-02-04 18:08 . 2008-09-19 11:24 -------- d-----w- c:\program files\Google
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\Michelle Dunaway\Application Data\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Michelle Dunaway\Application Data\Facebook\npfbplugin_1_0_1.dll
2010-01-29 01:52 . 2010-01-29 01:52 -------- d-----w- c:\documents and settings\Michelle Dunaway\Application Data\Office Genuine Advantage
2010-01-28 23:07 . 2010-01-28 23:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-28 23:07 . 2010-01-28 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-22 21:01 . 2009-03-16 23:33 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-12 22:57 . 2008-06-20 04:12 162048 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2010-01-07 00:12 . 2009-12-25 19:29 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2010-01-02 20:19 . 2009-12-25 19:27 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-12-31 16:50 . 2004-08-04 10:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-27 22:39 . 2008-09-20 21:41 86760 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-25 19:31 . 2009-12-25 19:31 49152 ----a-r- c:\documents and settings\Michelle Dunaway\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
2009-12-25 19:31 . 2009-12-25 19:31 335872 ----a-r- c:\documents and settings\Michelle Dunaway\Application Data\Microsoft\Installer\{237CD223-1B9D-47E8-A76C-E478B83CCEA2}\ARPPRODUCTICON.exe
2009-12-25 19:30 . 2009-12-25 19:30 57344 ----a-r- c:\documents and settings\Michelle Dunaway\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
2009-12-24 22:35 . 2008-09-19 22:47 189992 ----a-w- c:\documents and settings\Michelle Dunaway\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 19:14 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2008-09-17 03:42 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2005-03-30 01:21 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2005-03-30 01:01 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2008-09-17 12:41 . 2008-09-17 12:41 76 --sh--r- c:\windows\CT4CET.bin
.
<pre>
c:\program files\Common Files\Symantec Shared\ccapp .exe
</pre>
((((((((((((((((((((((((((((( SnapShot@2010-03-04_03.36.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-05 00:53 . 2010-03-05 00:53 16384 c:\windows\Temp\Perflib_Perfdata_3e4.dat
+ 2010-03-05 00:53 . 2010-03-05 00:53 16384 c:\windows\Temp\Perflib_Perfdata_36c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]
c:\documents and settings\Michelle Dunaway\Start Menu\Programs\Startup\
Talking Owl Gadget.lnk - c:\program files\Talking Owl Gadget\Talking Owl Gadget.exe [2010-1-2 95232]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\program files\PrintMaster Silver 17\Remind.exe [2006-2-22 344064]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
c:\progra~1\AVG\AVG8\avgtray.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-02-28 18:10 55808 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"enablefirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"1033:TCP"= 1033:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 5:00 AM 14336]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/30/2009 8:54 PM 102448]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [9/17/2008 7:47 AM 105984]
S2 gupdate1c9d65c8e7f4cd4;Google Update Service (gupdate1c9d65c8e7f4cd4);c:\program files\Google\Update\GoogleUpdate.exe [5/16/2009 2:28 PM 133104]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\a5agu.sys [9/16/2008 11:03 PM 347648]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\coh_mon.sys [1/12/2008 5:32 PM 23888]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
2010-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2010-03-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-19 23:44]
2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-16 19:28]
2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-16 19:28]
2010-03-05 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie8-nickelback.com/start/
uInternet Settings,ProxyOverride = *.local
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxps://lowes.2020.net/Core/Player/2020PlayerAX_Win32.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-04 19:59
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1344)
c:\windows\System32\BCMLogon.dll
- - - - - - - > 'explorer.exe'(3360)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\SigmaTel\C-Major Audio\DellXPM_5515v133\WDM\STacSV.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
.
**************************************************************************
.
Completion time: 2010-03-04 19:59:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-05 00:59
ComboFix2.txt 2010-03-04 22:27
ComboFix3.txt 2010-03-04 03:42
Pre-Run: 106,909,802,496 bytes free
Post-Run: 107,017,216,000 bytes free
- - End Of File - - 5DBAAE0650E9E1A509CB87FB2904ED78