Combofix log
ComboFix 09-05-18.02 - default 05/18/2009 21:25.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.243 [GMT -4:00]
Running from: c:\documents and settings\default\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\default\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\messenger\msmsgs.exe
.
((((((((((((((((((((((((( Files Created from 2009-04-19 to 2009-05-19 )))))))))))))))))))))))))))))))
.
2009-05-17 15:37 . 2009-05-17 15:37 -------- d-----w c:\windows\Sun
2009-05-17 03:28 . 2009-05-17 03:28 -------- d-----w c:\documents and settings\Guest\Local Settings\Application Data\Google
2009-05-17 02:55 . 2009-05-17 02:54 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-16 18:00 . 2009-05-16 18:00 -------- d-----w c:\program files\EsetOnlineScanner
2009-05-14 21:10 . 2009-05-14 21:10 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-14 21:08 . 2009-05-14 21:08 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-05-14 02:18 . 2009-05-14 02:18 74352 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-12 03:59 . 2009-05-12 03:59 -------- d-----w c:\program files\Trend Micro
2009-05-12 03:19 . 2009-05-12 03:19 -------- d-----w c:\documents and settings\default\Application Data\Malwarebytes
2009-05-12 03:19 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-12 03:19 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-12 03:19 . 2009-05-12 03:19 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-12 03:19 . 2009-05-12 03:19 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-12 01:22 . 2009-05-12 01:22 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-12 01:22 . 2009-05-12 01:22 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-12 01:22 . 2009-05-12 01:22 -------- d-----w c:\documents and settings\default\Application Data\SUPERAntiSpyware.com
2009-05-11 18:24 . 2009-05-11 18:24 -------- d-----w c:\program files\CCleaner
2009-05-09 20:46 . 2009-05-09 20:46 -------- d-----w c:\documents and settings\default\Apps
2009-05-09 19:35 . 2009-05-09 19:35 -------- d-----w c:\documents and settings\All Users\Application Data\WEBREG
2009-05-09 18:51 . 2009-05-09 18:51 -------- d-----w c:\documents and settings\default\Application Data\HP
2009-05-09 18:49 . 2008-01-24 21:29 16496 ----a-r c:\windows\system32\drivers\HPZipr12.sys
2009-05-09 18:49 . 2008-01-24 21:29 49920 ----a-r c:\windows\system32\drivers\HPZid412.sys
2009-05-09 18:49 . 2009-05-09 18:49 -------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-05-09 18:49 . 2008-01-24 21:31 271704 ----a-r c:\windows\system32\hpzids01.dll
2009-05-09 18:49 . 2007-10-20 22:25 118272 ----a-w c:\windows\system32\hpz3l5mu.dll
2009-05-09 18:48 . 2008-01-24 21:30 309760 ----a-r c:\windows\system32\difxapi.dll
2009-05-09 18:48 . 2008-01-24 21:30 372736 ----a-r c:\windows\system32\hppldcoi.dll
2009-05-09 18:48 . 2008-01-24 21:30 21568 ----a-r c:\windows\system32\drivers\HPZius12.sys
2009-05-09 18:41 . 2009-05-09 18:41 -------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-05-09 18:39 . 2009-05-09 18:39 -------- d-----w c:\windows\system32\DRVSTORE
2009-05-09 18:38 . 2009-05-09 18:38 -------- d-----w c:\program files\HP
2009-05-09 18:38 . 2004-08-04 05:01 25856 ----a-w c:\windows\system32\dllcache\usbprint.sys
2009-05-09 18:38 . 2004-08-04 05:01 25856 ----a-w c:\windows\system32\drivers\usbprint.sys
2009-05-09 18:38 . 2004-08-04 05:08 31616 ----a-w c:\windows\system32\dllcache\usbccgp.sys
2009-05-09 18:38 . 2004-08-04 05:08 31616 ----a-w c:\windows\system32\drivers\usbccgp.sys
2009-05-09 01:29 . 2009-05-09 01:29 -------- d-----w c:\program files\Common Files\AOLSHARE
2009-05-07 15:07 . 2009-03-06 14:44 283648 ------w c:\windows\system32\dllcache\pdh.dll
2009-05-07 15:07 . 2005-07-26 04:39 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-05-07 15:07 . 2009-02-09 10:20 399360 ------w c:\windows\system32\dllcache\rpcss.dll
2009-05-07 15:07 . 2009-02-06 17:14 110592 ------w c:\windows\system32\dllcache\services.exe
2009-05-07 15:07 . 2009-02-09 10:20 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-05-07 15:07 . 2009-02-06 16:39 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-07 15:07 . 2009-02-09 10:20 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-07 15:07 . 2009-02-09 10:20 616960 ------w c:\windows\system32\dllcache\advapi32.dll
2009-05-07 15:07 . 2009-02-09 10:20 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-05-07 15:05 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-05-07 00:44 . 2009-05-07 00:44 -------- d-----w c:\program files\RegistryRepair
2009-05-04 14:28 . 2009-05-04 14:28 -------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-05-04 14:28 . 2009-05-04 14:28 -------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-05-04 14:28 . 2009-05-04 14:28 -------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-05-04 14:28 . 2009-05-04 14:28 -------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-05-04 14:21 . 2009-05-04 14:21 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-04 14:21 . 2009-05-04 14:21 -------- d-----w c:\program files\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-19 01:23 . 2006-12-03 15:33 74352 ----a-w c:\documents and settings\default\Application Data\GDIPFONTCACHEV1.DAT
2009-05-17 14:25 . 2008-05-15 15:17 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-17 14:25 . 2008-05-15 15:17 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-17 14:25 . 2008-05-15 15:17 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-17 03:32 . 2006-12-02 17:58 17015 ----a-w c:\windows\system32\nvModes.dat
2009-05-15 04:29 . 2006-12-01 14:49 90112 ----a-w c:\windows\DUMP88cc.tmp
2009-03-23 21:48 . 2009-03-23 21:48 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-06 14:44 . 2006-12-02 19:01 283648 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:14 . 2006-06-23 15:33 668160 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:14 . 2004-08-04 06:56 81920 ------w c:\windows\system32\ieencode.dll
2000-10-13 20:56 . 2000-10-13 20:56 271 --sh--w c:\program files\desktop.ini
2000-10-13 20:56 . 2000-10-13 20:56 23357 ---h--w c:\program files\folder.htt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2000-07-19 176183]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2001-10-08 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2001-10-08 401408]
"DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-06-24 4800512]
"AS00_Gear511"="c:\program files\NETGEAR\WG511SCU\Utility\Gear511.exe" [2006-01-20 1122412]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-17 1947928]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-05-07 68592]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2003-06-24 323584]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2000-07-19 176183]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-17 14:25 11952 ----a-w c:\windows\SYSTEM32\avgrsstx.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\MESSENGER\MSMSGS.EXE" /background
"Mirabilis ICQ"=c:\program files\ICQ\NDetect.exe
"Weather"=c:\program files\AWS\WEATHERBUG\WEATHER.EXE 1
"Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe
"Yahoo! Pager"=c:\program files\Yahoo!\Messenger\ypager.exe -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MMTray"=c:\program files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
"LapLink Scheduler"="c:\program files\Common Files\LapLink\Scheduler\LLSCHED.EXE"
"SynTPLpr"=c:\program files\Synaptics\SynTP\SynTPLpr.exe
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
"WorksFUD"=c:\program files\Microsoft Works\wkfud.exe
"Microsoft Works Portfolio"=c:\program files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe
"seticlient"=c:\program files\SETI@home\
[email protected] -min
"TkBellExe"=c:\program files\Common Files\Real\Update_OB\realsched.exe -osboot
"QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime
"AOLDialer"=c:\program files\Common Files\AOL\ACS\AOLDial.exe
"DadApp"=c:\program files\DELL\AccessDirect\dadapp.exe
"BayMgr"=DockApp.exe
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
"HostManager"=c:\program files\Common Files\AOL\1106251464\EE\AOLHostManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Promon.exe"=Promon.exe
"CPortPatch"=c:\windows\Quick Install\CPPatch.exe
"PRPCMonitor"=PRPCUI.exe
"LoadQM"=loadqm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SchedulingAgent"=mstask.exe
"AolAcsDaemon1"="c:\program files\COMMON FILES\AOL\ACS\AOLACSD.EXE"
"AOL TopSpeedMonitor"=c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
"NVSvc"=c:\windows\SYSTEM32\NVSVC.EXE -runservice
"KB891711"=c:\windows\SYSTEM\KB891711\KB891711.EXE
"MSNIA"=c:\progra~1\MSN\MSNIA\MSNIASVC.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/15/2008 11:17 AM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/15/2008 11:17 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/19/2009 1:43 PM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/19/2009 1:43 PM 298776]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [12/1/2006 12:30 PM 28672]
R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\SYSTEM32\AWINDIS5.SYS [12/3/2006 1:40 PM 16194]
R3 maestro;ESS Maestro Audio Driver (WDM);c:\windows\SYSTEM32\DRIVERS\es198xdl.sys [6/20/2002 5:53 PM 414400]
R3 Msikbd2k;DellTouch;c:\windows\SYSTEM32\DRIVERS\Msikbd2k.sys [12/1/2006 12:30 PM 6942]
R3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;c:\windows\SYSTEM32\DRIVERS\wg511nd5.sys [12/3/2006 1:39 PM 449888]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA]
rundll rnasetup.dll,installoptionalcomponent rna
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
c:\windows\SYSTEM32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
mLocal Page = c:\windows\SYSTEM\blank.htm
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://cf.icq.com/cf/2000/lost_password.html
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
Trusted Zone: aol.com\free
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-05-18 21:32
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(456)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
c:\program files\AVG\AVG8\AVGWDSVC.EXE
c:\windows\SYSTEM32\NVSVC32.EXE
c:\windows\SYSTEM32\WDFMGR.EXE
c:\program files\AVG\AVG8\AVGRSX.EXE
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Netropa\OSD.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-19 21:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-19 01:36
Pre-Run: 10,996,350,976 bytes free
Post-Run: 11,031,134,208 bytes free
244 --- E O F --- 2009-05-15 06:00