WiredWX Christian Hobby Weather Tools
Re: Packed Monder help please
ComboFix 09-11-26.02 - Default 27/11/2009 13:06.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1540 [GMT 11:00]
Running from: c:\documents and settings\Default\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Default\My Documents\svchost.exe
c:\windows\system32\pwdmon.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-27 to 2009-11-27 )))))))))))))))))))))))))))))))
.

2009-11-26 07:46 . 2009-09-10 03:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 07:46 . 2009-09-10 03:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-25 23:03 . 2009-11-14 09:47 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-25 23:03 . 2009-11-14 09:47 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-25 23:02 . 2009-11-14 09:46 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-25 23:02 . 2009-11-14 09:46 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-25 09:29 . 2009-10-16 01:13 1115392 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-11-25 09:27 . 2009-11-25 09:27 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-25 09:26 . 2009-11-25 09:26 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-25 09:26 . 2009-11-25 09:26 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-25 09:26 . 2009-11-26 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-11-25 08:34 . 2009-11-25 08:34 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-25 07:49 . 2009-11-25 07:49 -------- d-----w- C:\$AVG8.VAULT$
2009-11-25 07:38 . 2009-11-25 07:49 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8(2)
2009-11-23 07:10 . 2009-11-23 07:10 -------- d-----w- c:\documents and settings\Default\Application Data\Malwarebytes
2009-11-23 07:10 . 2009-11-23 07:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-23 07:10 . 2009-11-26 07:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-20 22:06 . 2009-11-20 22:06 -------- d-----w- c:\program files\Trend Micro
2009-11-14 09:47 . 2009-11-14 09:49 -------- d-----w- C:\$AVG
2009-11-14 09:46 . 2009-11-25 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-14 09:46 . 2009-11-14 09:49 -------- d-----w- c:\windows\SxsCaPendDel
2009-11-08 07:36 . 2001-08-17 11:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-08 07:36 . 2008-04-13 18:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-11-08 07:36 . 2008-04-13 13:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-11-08 07:36 . 2008-04-13 13:15 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-14 09:47 . 2009-08-18 21:54 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-14 09:46 . 2009-08-18 21:53 -------- d-----w- c:\program files\AVG
2009-10-19 03:04 . 2009-10-19 03:04 -------- d-----w- c:\documents and settings\Default\Application Data\Leadertech
2009-09-13 02:30 . 2009-09-13 02:30 13592 ----a-w- c:\documents and settings\Default\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 14:18 . 1980-01-01 07:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 1980-01-01 07:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 1980-01-01 07:00 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 01:13 1115392 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 442368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-08 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-08 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 897024]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-04-04 94208]
"ControlCenter"="c:\program files\IBM fingerprint software\ctlcntr.exe" [2005-04-12 286821]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-03-23 217088]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-11 344064]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-03-07 122939]
"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-08-06 442368]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2005-04-27 90112]
"QCTRAY"="c:\program files\ThinkPad\ConnectUtilities\QCTRAY.EXE" [2005-03-18 745472]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-04-13 139264]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-13 208896]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-25 2020120]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-04-05 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2004-11-12 40960]
"Run StartupMonitor"="StartupMonitor.exe" - c:\windows\StartupMonitor.exe [2000-05-20 86016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2005-5-25 565309]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-8-9 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-04-12 23:39 110179 ----a-w- c:\program files\IBM fingerprint software\psfus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-14 09:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 10:07 262144 ----a-w- c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-13 03:11 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"110:TCP"= 110:TCP:svchost

R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [09/08/2009 04:46 14208]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [25/11/2009 20:26 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [25/11/2009 20:27 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [25/11/2009 20:25 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [25/11/2009 20:25 285392]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [28/04/2005 04:27 63616]
R2 SmiHlp;SMI helper driver;c:\program files\IBM fingerprint software\smihlp.sys [13/04/2005 10:31 3328]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [09/08/2009 04:46 6016]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [01/01/1980 18:00 14336]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [09/08/2009 05:12 12288]
.
Contents of the 'Scheduled Tasks' folder

2009-11-27 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-08-08 08:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.eureferendum.blogspot.com/
IE: Send To &Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
.
- - - - ORPHANS REMOVED - - - -

AddRemove-{91810AFC-A4F8-4EBA-A5AA-B198BBC81144} - c:\program files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe REMOVEALL



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-27 13:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A10FE07]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0fcf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9ef3852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: Intel(R) PRO/Wireless 2915ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9deabb0
PacketIndicateHandler -> NDIS.sys @ 0xb9dd9a0d
SendHandler -> NDIS.sys @ 0xb9dedb40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\IBM fingerprint software\psfus.dll
c:\program files\Common Files\Virtual Token\psutil.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(1040)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3328)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Virtual Token\vtserver.exe
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\windows\System32\QCONSVC.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-27 13:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-27 02:26

Pre-Run: 62,368,104,448 bytes free
Post-Run: 63,112,433,664 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - 6810A77837EBF1E16B22CE6357D7622B

Re: Packed Monder help please
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Packed Monder help please
AVG now shows no virus present and I have no blocked websites.

However, I now have a new problem unfortunately. When viewing websites, one or more small grey windows appear saying "can't find http:// (lots of weird symbols...) Make sure the path or internet address is correct." On clicking the top right hand X button they close and open my homepage. Task Manager processes show an iexplore.exe reference for each new grey window. I'm not sure how to get a screenshot as an image, so I used my camera instead to take the image and have attached it as follows:

https://i.servimg.com/u/f98/14/58/86/97/syd_0511.jpg

Re: Packed Monder help please
Bump

Further information: the above problem stopped for a couple of days and has now restarted.

Re: Packed Monder help please
Not too sure what that's about. Are you using Internet Explorer?

Re: Packed Monder help please
Understood. I am using IE; I might try a different browser and see if that stops the problem.

Re: Packed Monder help please
I would recommend Firefox.
www.getfirefox.com.
