ComboFix 09-11-23.02 - Administrator 3/2009 Mon 21:10.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.959.747 [GMT -8:00]
Running from: F:\commy.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Local Settings\Application Data\phdmyv
c:\documents and settings\Administrator\Local Settings\Application Data\phdmyv\npmxsysguard.exe
c:\recycler\S-1-5-21-2572252725-2454939083-2014481005-500
c:\windows\system32\AutoRun.inf
.
((((((((((((((((((((((((( Files Created from 2009-10-24 to 2009-11-24 )))))))))))))))))))))))))))))))
.
2009-11-23 23:15 . 2007-10-23 17:27 110592 ----a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
2009-11-23 23:14 . 2009-11-23 23:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-23 23:14 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-23 23:14 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-23 23:13 . 2009-11-23 23:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-23 23:13 . 2009-11-23 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-23 23:11 . 2008-05-02 18:41 3493888 ---ha-w- c:\documents and settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe
2009-11-11 19:33 . 2009-11-11 19:33 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{A6CCAEF5-F141-4BBE-A6DA-EA8A8362C7A6}\MapleStory.exe1_A6CCAEF5F1414BBEA6DAEA8A8362C7A6.exe
2009-11-11 19:33 . 2009-11-11 19:33 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{A6CCAEF5-F141-4BBE-A6DA-EA8A8362C7A6}\MapleStory.exe_A6CCAEF5F1414BBEA6DAEA8A8362C7A6.exe
2009-11-11 19:33 . 2009-11-11 19:33 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{A6CCAEF5-F141-4BBE-A6DA-EA8A8362C7A6}\ARPPRODUCTICON.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-24 04:57 . 2009-06-03 03:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-11-23 22:39 . 2004-08-09 20:32 87340 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-11 17:13 . 2009-02-14 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-11-11 05:06 . 2009-02-14 21:18 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-11 05:05 . 2009-02-14 21:18 38208 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-31 20:26 . 2009-02-14 03:48 -------- d-----w- c:\program files\OGPlanet
2009-10-31 17:59 . 2009-07-31 23:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\yoclient
2009-10-15 02:16 . 2009-10-15 02:16 -------- d-----w- c:\program files\Softnyx
2009-10-10 22:22 . 2009-02-13 20:31 49520 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-10 22:07 . 2009-10-10 22:07 -------- d-----w- c:\program files\Zemi Interactive
2009-10-10 21:15 . 2009-05-23 18:45 -------- d-----w- c:\program files\Neffy
2009-10-10 02:23 . 2009-10-10 02:23 4 --sh--r- c:\documents and settings\All Users\Application Data\sysqcl1129139270.dat
2009-10-10 02:19 . 2009-10-10 02:19 -------- d-----w- c:\program files\plasq
2009-10-10 02:18 . 2009-10-10 02:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-11 14:33 . 2004-08-04 07:56 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-05 00:44 . 2009-10-10 22:18 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-05 00:44 . 2009-10-10 22:18 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-05 00:44 . 2009-10-10 22:18 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-05 00:29 . 2009-10-10 22:18 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-05 00:29 . 2009-10-10 22:18 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-05 00:29 . 2009-10-10 22:18 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-05 00:29 . 2009-10-10 22:18 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-05 00:29 . 2009-10-10 22:18 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-04 20:45 . 2004-08-04 07:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 20:35 . 2009-02-13 18:30 135396 ----a-w- c:\windows\hpoins14.dat
2009-08-29 08:08 . 2004-08-04 07:56 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:16 . 2004-08-04 07:56 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-02-20 03:12 . 2009-02-20 03:12 650 ----a-w- c:\program files\Xfire.lnk
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
"{C3E3DDD5-BAD5-4717-AA77-14E141548B83}"= "c:\program files\Gaia Online Toolbar\Helper.dll" [2009-04-24 220160]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_CLASSES_ROOT\clsid\{c3e3ddd5-bad5-4717-aa77-14e141548b83}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{FA834AC5-EA67-4F99-AE0E-530CD812B0F8}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1BE275B-78BF-4A33-81AB-380699CFF329}]
2009-04-24 01:56 1276416 ----a-w- c:\program files\Gaia Online Toolbar\Toolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= "c:\program files\Gaia Online Toolbar\Toolbar.dll" [2009-04-24 1276416]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB000000108.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{CFE0ACDC-01EE-4A58-8666-94BD82E32403}]
[HKEY_CLASSES_ROOT\FCTB000000108.IEToolbar]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= "c:\program files\Gaia Online Toolbar\Toolbar.dll" [2009-04-24 1276416]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB000000108.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{CFE0ACDC-01EE-4A58-8666-94BD82E32403}]
[HKEY_CLASSES_ROOT\FCTB000000108.IEToolbar]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-14 39408]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-05 4363504]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2009-11-11 2923192]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2003-06-06 167936]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"CPQEASYACC"="c:\program files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 32768]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]
"mMouse"="MouPter.exe" - c:\windows\MouPter.exe [2003-02-14 5720064]
"SetMou"="SetMou.exe" - c:\windows\SetMou.exe [2003-01-22 244736]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-6 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-15 17:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"c:\\Program Files\\OGPlanet\\LostSaga\\autoupgrade.exe"=
"c:\\Program Files\\OGPlanet\\LostSaga\\lostsaga.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57075:TCP"= 57075:TCP:Pando Media Booster
"57075:UDP"= 57075:UDP:Pando Media Booster
"56174:TCP"= 56174:TCP:Pando Media Booster
"56174:UDP"= 56174:UDP:Pando Media Booster
"56112:TCP"= 56112:TCP:Pando Media Booster
"56112:UDP"= 56112:UDP:Pando Media Booster
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"57696:TCP"= 57696:TCP:Pando Media Booster
"57696:UDP"= 57696:UDP:Pando Media Booster
"58226:TCP"= 58226:TCP:Pando Media Booster
"58226:UDP"= 58226:UDP:Pando Media Booster
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/2/2009 4:20 PM 108552]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/2/2009 4:20 PM 335240]
S3 XDva269;XDva269;\??\c:\windows\system32\XDva269.sys --> c:\windows\system32\XDva269.sys [?]
S3 XDva277;XDva277;\??\c:\windows\system32\XDva277.sys --> c:\windows\system32\XDva277.sys [?]
S3 XDva296;XDva296;\??\c:\windows\system32\XDva296.sys --> c:\windows\system32\XDva296.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2009-11-24 c:\windows\Tasks\User_Feed_Synchronization-{22962BC4-8CA1-4884-8D98-C68F3A89843B}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://m.www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} - hxxp://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
DPF: {87A638DE-396F-40FD-A2F8-01B56072F553} - hxxp://download.gemfighter.com/launcher/gemx2.cab
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab
DPF: {B8339132-E751-452B-87F5-5F3D4365638B} - hxxp://gf.wemade.com/comsso/weGameLauncher.cab
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-*{C3E3DDD5-BAD5-4717-AA77-14E141548B83} - (no file)
BHO-{A6E9BAAF-53CD-4575-967B-2AF710A7D21F} - c:\program files\Iminent\IMBooster\Iminent.LinkToContent.dll
HKCU-Run-swrmmpaq - c:\documents and settings\Administrator\Local Settings\Application Data\phdmyv\npmxsysguard.exe
HKLM-Run-swrmmpaq - c:\documents and settings\Administrator\Local Settings\Application Data\phdmyv\npmxsysguard.exe
AddRemove-{91810AFC-A4F8-4EBA-A5AA-B198BBC81144} - c:\program files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe REMOVEALL
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-23 21:30
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-880551183-3791756921-3090966982-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,78,52,86,14,7a,73,b1,41,95,00,c9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,78,52,86,14,7a,73,b1,41,95,00,c9,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,78,52,86,14,7a,73,b1,41,95,00,c9,\
.
Completion time: 2009-11-23 21:39
ComboFix-quarantined-files.txt 2009-11-24 05:38
Pre-Run: 12,050,800,640 bytes free
Post-Run: 15,471,132,672 bytes free
- - End Of File - - F98897316CD543BD0971602FFE7DA115