ComboFix 11-02-19.01 - Administrator 02/19/2011 15:30:31.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1728 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\cGlAlIb13400
c:\documents and settings\All Users\Application Data\cGlAlIb13400\cGlAlIb13400
c:\documents and settings\All Users\Application Data\cGlAlIb13400\cGlAlIb13400.exe
c:\windows\system32\winlogon.bak
.
((((((((((((((((((((((((( Files Created from 2011-01-19 to 2011-02-19 )))))))))))))))))))))))))))))))
.
2011-02-19 23:23 . 2011-02-19 23:23 -------- d-----w- c:\documents and settings\Satellite\Application Data\Malwarebytes
2011-02-19 23:10 . 2010-12-21 02:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-19 23:10 . 2011-02-19 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-19 23:10 . 2011-02-19 23:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-19 23:10 . 2010-12-21 02:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-19 21:14 . 2011-02-19 21:14 -------- d-----w- C:\_OTL
2011-02-19 21:03 . 2011-02-19 21:04 -------- d-----w- c:\documents and settings\Administrator
2011-02-19 08:01 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C5D74726-44C2-44F2-8C23-A872F212AE1B}\mpengine.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-13 09:41 . 2010-12-02 04:43 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2008-04-14 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2008-04-14 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2008-04-14 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
------- Sigcheck -------
[-] 2010-10-08 . 679A7259741F6A09994F02CE261B5F2E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-07 88363]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
Contents of the 'Scheduled Tasks' folder
2011-02-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 04:40]
2011-02-19 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-12-23 06:18]
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-19 15:34
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-861567501-1425521274-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ff,d7,ab,d9,16,08,e0,40,b1,1d,d2,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ff,d7,ab,d9,16,08,e0,40,b1,1d,d2,\
.
Completion time: 2011-02-19 15:35:39
ComboFix-quarantined-files.txt 2011-02-19 23:35
Pre-Run: 69,112,373,248 bytes free
Post-Run: 70,388,232,192 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 098470CD780F8970C3F8FDC1D1468F35