ComboFix 09-07-05.04 - Penny 07/06/2009 11:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.658 [GMT -4:00]
Running from: c:\documents and settings\Penny\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\0101120101465749.dat
c:\windows\freddy49.exe
c:\windows\Installer\5085904.msp
c:\windows\ld12.exe
c:\windows\strt_1246751829.exe
c:\windows\strt_1246806780.exe
c:\windows\sysguard.exe
c:\windows\syssvc.exe
c:\windows\system32\bszip.dll
c:\windows\system32\drivers\UACnonfkudufqnhpmonu.sys
c:\windows\system32\iehelper.dll
c:\windows\system32\lsp.dll
c:\windows\system32\UACbbynvqyprsqaaoirr.dll
c:\windows\system32\UACdtteykfwcccwetiuo.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACsedrmaudybrsayrhv.dll
c:\windows\system32\UACwdyprlnmrarstqmoe.dll
c:\windows\system32\UACyvxayvohmxbhotlpb.dll
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.
2009-07-06 16:00 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-06 16:00 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-06 14:34 . 2009-07-06 14:34 -------- d-----w- c:\program files\Trend Micro
2009-07-06 01:15 . 2009-07-06 15:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-06 01:15 . 2009-07-06 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-06 00:24 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-06 00:23 . 2009-07-06 00:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-06 00:23 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-05 22:16 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Penny\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-07-05 22:16 . 2009-07-05 22:16 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-05 22:15 . 2009-07-05 22:15 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-07-05 22:15 . 2009-07-05 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-05 22:15 . 2009-07-05 22:21 -------- d-----w- c:\program files\NOS
2009-07-05 22:05 . 2009-07-05 22:05 1 ---h--w- c:\windows\bf23567.dat
2009-07-05 17:53 . 2009-07-06 13:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 23:48 . 2009-07-04 22:12 18186048 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\msgup900_2162_us_v2.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 14:58 . 2007-01-01 22:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-06 14:52 . 2006-09-25 20:21 -------- d-----w- c:\program files\Java
2009-07-05 18:15 . 2007-09-18 00:11 -------- d-----w- c:\program files\Thinkwell
2009-07-05 16:38 . 2008-10-19 16:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-04 22:45 . 2009-03-19 03:49 117760 ----a-w- c:\documents and settings\Penny\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-04 22:36 . 2005-04-28 00:34 -------- d-----w- c:\documents and settings\Penny\Application Data\AdobeUM
2009-07-01 19:51 . 2008-10-19 16:19 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-01 19:51 . 2008-10-19 16:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-01 19:51 . 2008-10-19 16:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-30 23:56 . 2008-03-18 00:40 -------- d-----w- c:\documents and settings\Penny\Application Data\Move Networks
2009-06-09 23:07 . 2009-05-30 14:21 18184984 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\msgup900_2162_us.exe
2009-05-11 14:18 . 2008-10-19 16:19 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:32 . 2008-04-14 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2008-04-14 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2008-04-14 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-04-14 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2006-04-24 03:52 . 2006-03-30 13:53 900 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-01 1948440]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-01 19:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\StubInstaller.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/19/2008 12:19 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/19/2008 12:19 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/19/2008 12:19 PM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/19/2008 12:19 PM 298776]
S0 cerc6;cerc6; [x]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 tj2knd5;Terayon Cable Modem (NDIS);c:\windows\system32\drivers\tj2knd5.sys [2/14/2006 5:00 PM 17616]
S3 tj2kunic;Terayon Cable Modem (WDM);c:\windows\system32\drivers\tj2kunic.sys [2/14/2006 4:57 PM 69680]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: fccj.edu
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-07-06 12:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1028)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
- - - - - - - > 'explorer.exe'(4088)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-06 12:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-06 16:06
Pre-Run: 59,870,277,632 bytes free
Post-Run: 60,076,064,768 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
166 --- E O F --- 2009-06-12 07:05