ComboFix 10-07-24.06 - Owner 07/26/2010 7:52.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.524 [GMT -7:00]
Running from: c:\documents and settings\Owner.Pooch\desktop\commy.exe
Command switches used :: /stepdel
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Outpost Firewall *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\tmp.reg
D:\Autorun.inf
c:\windows\system32\eventtriggers.exe . . . is infected!!
Infected copy of c:\windows\system32\netdde.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\netdde.exe
Infected copy of c:\windows\system32\sessmgr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\sessmgr.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))
.
2010-07-24 06:12 . 2010-07-24 06:12 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2010-07-24 06:09 . 2010-07-24 06:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-07-22 21:25 . 2010-07-24 18:23 -------- d-----w- c:\documents and settings\Owner.Pooch\Application Data\Bitrix Security
2010-07-22 21:25 . 2010-07-22 21:25 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Bitrix Security
2010-07-22 07:03 . 2010-07-24 07:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-22 03:28 . 2010-07-22 03:28 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-21 19:34 . 2010-07-21 19:34 -------- d-----w- c:\program files\CCleaner
2010-07-21 19:17 . 2009-04-06 18:37 704384 ----a-w- c:\windows\system32\drivers\SandBox.sys
2010-07-21 19:17 . 2009-02-10 23:15 257432 ----a-w- c:\windows\system32\drivers\afwcore.sys
2010-07-21 19:15 . 2009-02-19 00:30 31128 ----a-w- c:\windows\system32\drivers\afw.sys
2010-07-21 19:14 . 2010-07-21 19:14 -------- d-----w- c:\program files\Agnitum
2010-07-21 19:13 . 2010-07-21 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Agnitum
2010-07-21 15:39 . 2010-07-21 15:39 -------- d-----w- c:\documents and settings\Owner.Pooch\Application Data\SUPERAntiSpyware.com
2010-07-21 15:39 . 2010-07-21 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-21 15:38 . 2010-07-24 18:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-21 06:20 . 2010-07-21 06:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-07-21 04:48 . 2010-07-21 04:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-20 20:22 . 2010-07-20 20:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-20 17:46 . 2010-07-20 17:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-20 17:46 . 2010-07-20 17:46 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-20 09:26 . 2010-07-20 09:26 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-19 18:24 . 2010-07-19 18:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-07-19 15:32 . 2010-07-19 15:34 -------- dc-h--w- c:\windows\ie8
2010-07-14 04:11 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 23:11 . 2009-07-25 03:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-22 21:25 . 2010-07-22 21:25 51712 ----a-w- c:\documents and settings\NetworkService\Application Data\Bitrix Security\depto.dll
2010-07-22 03:47 . 2008-12-10 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-22 03:40 . 2010-07-22 03:40 388096 ----a-r- c:\documents and settings\Owner.Pooch\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-22 03:33 . 2007-11-25 21:05 -------- d-----w- c:\program files\Java
2010-07-22 03:30 . 2007-11-25 21:05 -------- d-----w- c:\program files\Common Files\Java
2010-07-22 03:30 . 2010-07-22 03:30 503808 ----a-w- c:\documents and settings\Owner.Pooch\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-413f9ec8-n\msvcp71.dll
2010-07-22 03:30 . 2010-07-22 03:30 499712 ----a-w- c:\documents and settings\Owner.Pooch\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-413f9ec8-n\jmc.dll
2010-07-22 03:30 . 2010-07-22 03:30 348160 ----a-w- c:\documents and settings\Owner.Pooch\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-413f9ec8-n\msvcr71.dll
2010-07-22 03:30 . 2010-07-22 03:30 12800 ----a-w- c:\documents and settings\Owner.Pooch\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-40924d4f-n\decora-d3d.dll
2010-07-22 03:30 . 2010-07-22 03:30 61440 ----a-w- c:\documents and settings\Owner.Pooch\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-40924d4f-n\decora-sse.dll
2010-07-22 00:22 . 2010-07-21 15:40 63488 ----a-w- c:\documents and settings\Owner.Pooch\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-22 00:22 . 2010-07-21 15:40 117760 ----a-w- c:\documents and settings\Owner.Pooch\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-21 19:22 . 2007-11-25 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-07-21 15:40 . 2010-07-21 15:40 52224 ----a-w- c:\documents and settings\Owner.Pooch\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-13 01:00 . 2010-07-21 04:48 177886 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-06-24 17:27 . 2010-06-24 17:27 -------- d-----w- c:\program files\Trend Micro
2010-06-14 14:31 . 2007-11-25 19:12 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-10 10:18 . 2010-02-15 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-06 20:59 . 2008-12-17 08:51 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2008-12-17 08:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2008-12-17 08:52 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2008-12-17 08:52 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:33 . 2008-12-17 08:52 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-06 20:33 . 2008-12-17 08:52 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-06 20:33 . 2008-12-17 08:52 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-06 20:33 . 2008-12-17 08:52 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-06 10:41 . 2007-11-25 19:17 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2007-11-25 19:17 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2009-07-25 03:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2009-07-25 03:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 15:33 . 2010-04-29 15:33 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-24 2403568]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-25 169984]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 344064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-15 2374464]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-15 428032]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-07 8720384]
c:\documents and settings\Owner.Pooch\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/17/2008 1:52 AM 164048]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [7/21/2010 12:17 PM 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [7/21/2010 12:14 PM 1195008]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/17/2008 1:52 AM 19024]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [7/21/2010 12:15 PM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [7/21/2010 12:17 PM 257432]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [11/25/2007 12:41 PM 200576]
S3 AMBAWEBCAM;Sony Webcam;c:\windows\system32\drivers\AmbaWebcam.sys [8/7/2009 10:46 AM 33024]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [11/25/2007 12:37 PM 69692]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{760B8973-48F7-40B2-B360-F7ABD8785E50}]
2010-07-22 21:25 51712 ----a-w- c:\documents and settings\NetworkService\Application Data\Bitrix Security\depto.dll
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
2010-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
2007-11-25 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2007-11-25 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-07-26 08:07
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1288)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
- - - - - - - > 'explorer.exe'(2424)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\WLTRAY.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\fxssvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-26 08:13:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-26 15:13
Pre-Run: 64,559,091,712 bytes free
Post-Run: 64,853,934,080 bytes free
- - End Of File - - D6DEC917EA9EAD62E89BB780F792898A