ComboFix 10-01-02.05 - Tessa 01/03/2010 15:53:38.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.706 [GMT -5:00]
Running from: g:\georgio\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\LocalService\ntuser.dll
c:\documents and settings\NetworkService\ntuser.dll
c:\documents and settings\Tessa\Desktop\Windows Police Pro.lnk
c:\documents and settings\Tessa\ntuser.dll
c:\documents and settings\Tessa\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\Tessa\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Tessa\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\Tessa\Start Menu\Programs\Windows Police Pro
c:\documents and settings\Tessa\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
C:\pmyro.exe
c:\program files\Active Security
c:\program files\Active Security\asecurity.exe
c:\program files\Active Security\core.cga
c:\program files\Active Security\coreext.dll
c:\program files\Active Security\help.ico
c:\program files\Active Security\uninstall.exe
c:\program files\SafetyCenter
c:\program files\SafetyCenter\main.ico
c:\program files\SafetyCenter\new.exe
c:\program files\SafetyCenter\protector.exe
c:\program files\SafetyCenter\sound.wav
c:\program files\SafetyCenter\start.exe
c:\program files\SafetyCenter\uninstall.exe
c:\windows\f49f4daa.dat
c:\windows\fmark2.dat
c:\windows\Install.txt
c:\windows\system32\bafoline.dll
c:\windows\system32\bepepono.dll
c:\windows\system32\certstore.dat
c:\windows\system32\config\systemprofile\Desktop\Windows Police Pro.lnk
c:\windows\system32\config\systemprofile\ntuser.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk
c:\windows\system32\dahurawa.dll
c:\windows\system32\degenize.exe
c:\windows\system32\dimuboja.dll
c:\windows\system32\drivers\hjgruibqwhowfl.sys
c:\windows\system32\drivers\UACwrqxewcdjn.sys
c:\windows\system32\FastNetSrv.exe
c:\windows\system32\feyiloto.dll
c:\windows\system32\FInstall.sys
c:\windows\system32\fogebota.dll
c:\windows\system32\gifekuwe.dll
c:\windows\system32\gilumuju.exe
c:\windows\system32\hjgruidkrwvwxr.dll
c:\windows\system32\hjgruietqfubcg.dat
c:\windows\system32\hjgruioevbrgms.dat
c:\windows\system32\hjgruirqhbonbm.dll
c:\windows\system32\hjgruivbdmttpu.dll
c:\windows\system32\hjgruiwewilalb.dll
c:\windows\system32\hjgruixvuiqhjs.dll
c:\windows\system32\hjgruiylqjklyx.dll
c:\windows\system32\hukibopa.dll
c:\windows\system32\hzG6g5p.dll
c:\windows\system32\Iasv32.dll
c:\windows\system32\Install.txt
c:\windows\system32\isasdk.sys
c:\windows\system32\jowuhese.exe
c:\windows\system32\kuredise.dll
c:\windows\system32\kuweyohi.dll
c:\windows\system32\lajogilo.dll
c:\windows\system32\lasobemo.dll
c:\windows\system32\lolajeyo.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lubizupe.dll
c:\windows\system32\mupitera.dll
c:\windows\system32\onhelp.htm
c:\windows\system32\pufupode.dll
c:\windows\system32\ririzaki.exe
c:\windows\system32\rudajeki.dll
c:\windows\system32\schtml
c:\windows\system32\schtml\dbsinit.exe
c:\windows\system32\schtml\images\i1.gif
c:\windows\system32\schtml\images\i2.gif
c:\windows\system32\schtml\images\i3.gif
c:\windows\system32\schtml\images\j1.gif
c:\windows\system32\schtml\images\j2.gif
c:\windows\system32\schtml\images\j3.gif
c:\windows\system32\schtml\images\jj1.gif
c:\windows\system32\schtml\images\jj2.gif
c:\windows\system32\schtml\images\jj3.gif
c:\windows\system32\schtml\images\l1.gif
c:\windows\system32\schtml\images\l2.gif
c:\windows\system32\schtml\images\l3.gif
c:\windows\system32\schtml\images\pix.gif
c:\windows\system32\schtml\images\t1.gif
c:\windows\system32\schtml\images\t2.gif
c:\windows\system32\schtml\images\up1.gif
c:\windows\system32\schtml\images\up2.gif
c:\windows\system32\schtml\images\w1.gif
c:\windows\system32\schtml\images\w11.gif
c:\windows\system32\schtml\images\w2.gif
c:\windows\system32\schtml\images\w3.gif
c:\windows\system32\schtml\images\w3.jpg
c:\windows\system32\schtml\images\word.doc
c:\windows\system32\schtml\images\wt1.gif
c:\windows\system32\schtml\images\wt2.gif
c:\windows\system32\schtml\images\wt3.gif
c:\windows\system32\schtml\wispex.html
c:\windows\system32\sibogaya.exe
c:\windows\system32\siremase.exe
c:\windows\system32\temp.exe
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkvpxmywpqf.dll
c:\windows\system32\UACltofxhkdqq.dat
c:\windows\system32\UACpfulbbowkn.dll
c:\windows\system32\UACqaihhrpbpj.dll
c:\windows\system32\UACuthwbdqudb.dll
c:\windows\system32\UACxhorplfmnp.log
c:\windows\system32\vewihene.dll
c:\windows\system32\wiwow64.exe
c:\windows\system32\wmdtc.exe
c:\windows\system32\wohobiye.exe
c:\windows\system32\wuwiyewe.dll
c:\windows\system32\ygsuhdf83id.dll
c:\windows\system32\yigekote.dll
c:\windows\system32\yubiwojo.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_hjgruiqlxmjamt
-------\Legacy_hjgruiqlxmjamt
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_6TO4
-------\Legacy_ACPI32
-------\Legacy_ANTIPPRO2009_12
-------\Legacy_BTWSRV
-------\Legacy_FASTNETSRV
-------\Legacy_FIPS32CUP
-------\Legacy_I386SI
-------\Legacy_ISASDK
-------\Legacy_NICSK32
-------\Legacy_SECURENTM
-------\Legacy_SYSTEMNTMI
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_6to4
-------\Service_acpi32
-------\Service_AntipPro2009_12
-------\Service_BtwSrv
-------\Service_fastnetsrv
-------\Service_fips32cup
-------\Service_i386si
-------\Service_isasdk
-------\Service_new_drv
-------\Service_nicsk32
-------\Service_securentm
-------\Service_systemntmi
((((((((((((((((((((((((( Files Created from 2009-12-03 to 2010-01-03 )))))))))))))))))))))))))))))))
.
2010-01-03 15:34 . 2010-01-03 15:34 46056 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-01 19:27 . 2010-01-01 19:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-03 22:04 . 2009-05-05 20:38 -------- d-----w- c:\program files\DNA
2010-01-03 22:04 . 2009-05-05 20:38 -------- d-----w- c:\documents and settings\Tessa\Application Data\DNA
2010-01-03 22:04 . 2008-06-05 22:11 -------- d-----w- c:\documents and settings\Tessa\Application Data\Skype
2010-01-03 21:03 . 2008-06-05 22:12 -------- d-----w- c:\documents and settings\Tessa\Application Data\skypePM
2010-01-03 16:14 . 2008-12-24 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-01-03 16:06 . 2009-07-20 19:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-03 15:16 . 2009-10-05 20:42 0 ----a-r- c:\windows\win32k.sys
2010-01-01 18:57 . 2008-12-09 23:46 -------- d-----w- c:\documents and settings\Tessa\Application Data\U3
2009-10-13 20:56 . 2009-10-13 19:53 58 ----a-w- c:\windows\wp4.dat
2009-10-13 20:56 . 2009-10-13 19:53 4 ----a-w- c:\windows\wp3.dat
2009-07-28 07:29 . 2009-04-28 07:29 190976 --sha-w- c:\windows\system32\buvoyaki.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-06-03 21718312]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2010-01-03 323392]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-02-13 2356088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_06\bin\jusched.exe" [2004-09-29 32881]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"lsdefrag"="C:\wqtneupy.exe" [2009-10-05 25126]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-17 01:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/24/2008 11:10 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/24/2008 11:09 AM 108552]
R2 ISWKL;ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [4/17/2009 3:11 AM 21136]
R2 IswSvc;ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [4/17/2009 3:11 AM 394632]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/18/2008 6:24 PM 24652]
S2 amd64si;amd64si;\??\c:\windows\system32\drivers\amd64si.sys --> c:\windows\system32\drivers\amd64si.sys [?]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 WDefend;WDefend;c:\windows\svohost.exe --> c:\windows\svohost.exe [?]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [4/17/2009 3:11 AM 54928]
S3 mfsdisk;mfsdisk;c:\windows\system32\mfsdisk.sys [8/4/2004 7:00 AM 2304]
.
Contents of the 'Scheduled Tasks' folder
2008-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Tessa\Application Data\Mozilla\Firefox\Profiles\9tht6p64.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJPI142_06.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - hidden: XUL Cache: {7901316A-562B-4652-AD28-50E10D51765C} - c:\documents and settings\Tessa\Local Settings\Application Data\{7901316A-562B-4652-AD28-50E10D51765C}
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -
BHO-{0d431961-3f1f-4098-8bdb-24eed9a9cd2e} - dimuboja.dll
HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
HKLM-Run-Rqiqigaxe - c:\windows\ogejililun.dll
HKLM-Run-CPMef0dd71b - c:\windows\system32\mupapupe.dll
HKLM-Run-batuhegese - vewihene.dll
HKU-Default-Run-minix32 - c:\windows\system32\minix32.exe
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
SharedTaskScheduler-{A249BC15-23F2-42AD-F4E4-00AAC39C0004} - (no file)
AddRemove-Active Security - c:\program files\Active Security\Uninstall.exe
AddRemove-Win Antivirus Pro - c:\program files\Windows Antivirus Pro\AntiSpyware_Uninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-01-03 16:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\P*& 5*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3252)
c:\windows\system32\shdoclc.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\stsystra.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2010-01-03 17:08:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-03 22:08
Pre-Run: 15,725,277,184 bytes free
Post-Run: 16,780,689,408 bytes free
Current=1 Default=1 Failed=4 LastKnownGood=2 Sets=1,2,3,4
- - End Of File - - 7C4BB66920DFC0D11D5514E59209483B
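The deletion list, the Drivers/Services list and the Run-key dump above are what a responder reads first, and the names in them follow a handful of shapes: eight-letter pseudo-random lowercase names under system32 (bafoline.dll, degenize.exe), the UAC and hjgrui prefixes on both files and services, the At1.job to At24.job series, scandisk.dll dropped into Startup folders, and a Run value (lsdefrag) pointing at an executable in the drive root. The script below is an added example for this page, not ComboFix output and not part of the original log: it splits a ComboFix log on its banner lines and sorts those three sections into buckets by exactly those naming shapes. SAMPLE_LOG is a constructed excerpt of lines copied from the log above; the regexes, the tag names and the triage() / classify_deletion() functions are this example's own and not any ComboFix interface.

```python
"""Sort a ComboFix log into triage buckets by the naming patterns seen above.

Added example for this page; not ComboFix code. The section titles are the
banner strings ComboFix prints; everything else (regexes, tags, function
names) is this example's own.
"""
import re
from collections import defaultdict

BANNER = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")               # ((((( Title )))))
DISINFECTED = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
SERVICE_LINE = re.compile(r"^-+\\(?:Service|Legacy)_(.+)$")     # -------\Service_name
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"')                 # "name"="path" [date size]

# Name shapes observed in this log. They are prefilters, not verdicts.
RANDOM8 = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")                # bafoline.dll, degenize.exe
ROOTKIT_PREFIX = re.compile(r"^(?:UAC|hjgrui)")                 # UACwrqxewcdjn.sys, hjgrui*.dll
AT_JOB = re.compile(r"^At\d{1,2}\.job$", re.IGNORECASE)         # At1.job .. At24.job
DRIVE_ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.IGNORECASE)  # C:\pmyro.exe
STARTUP_DIR = "\\start menu\\programs\\startup\\"

# Constructed sample: a short excerpt of lines copied from the log above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Tessa\Start Menu\Programs\Startup\scandisk.dll
C:\pmyro.exe
c:\windows\system32\bafoline.dll
c:\windows\system32\degenize.exe
c:\windows\system32\drivers\UACwrqxewcdjn.sys
c:\windows\system32\FastNetSrv.exe
c:\windows\system32\hjgruidkrwvwxr.dll
c:\windows\system32\uacinit.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At24.job
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_hjgruiqlxmjamt
-------\Legacy_hjgruiqlxmjamt
-------\Service_UACd.sys
-------\Service_fips32cup
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"lsdefrag"="C:\wqtneupy.exe" [2009-10-05 25126]
"""


def split_sections(text):
    """Map each banner title to the non-empty lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line not in ("", "."):
            sections[current].append(line)
    return sections


def basename(path):
    return path.rsplit("\\", 1)[-1]


def classify_deletion(path):
    """Tag one deleted path, or return None when nothing about its name stands out."""
    name, low = basename(path), path.lower()
    if ROOTKIT_PREFIX.match(name):
        return "prefixed"
    if STARTUP_DIR in low:
        return "startup"
    if low.startswith("c:\\windows\\system32\\") and RANDOM8.match(name):
        return "random8"
    if AT_JOB.match(name):
        return "at_job"
    if DRIVE_ROOT_EXE.match(path):
        return "drive_root_exe"
    return None


def triage(log_text):
    """Return {tag: [entries]} for the three sections a responder reads first."""
    sections = split_sections(log_text)
    report = defaultdict(list)
    for line in sections.get("Other Deletions", []):
        m = DISINFECTED.match(line)
        if m:
            report["disinfected"].append(m.group(1))
        elif not line.startswith("Restored copy from"):
            report[classify_deletion(line) or "unflagged"].append(line)
    seen = set()  # Service_ and Legacy_ lines name the same object once each
    for line in sections.get("Drivers/Services", []):
        m = SERVICE_LINE.match(line)
        if m and ROOTKIT_PREFIX.match(m.group(1)) and m.group(1) not in seen:
            seen.add(m.group(1))
            report["services"].append(m.group(1))
    for line in sections.get("Reg Loading Points", []):
        m = RUN_VALUE.match(line)
        if m and DRIVE_ROOT_EXE.match(m.group(2)):
            report["run_entries"].append((m.group(1), m.group(2)))
    return dict(report)


if __name__ == "__main__":
    for tag, items in triage(SAMPLE_LOG).items():
        print(tag)
        for item in items:
            print("   ", item)
```

The buckets are for sorting, not for deciding. The eight-letter rule also matches the legitimate igfxtray.exe that sits in the same Run key, uacinit.dll slips past the case-sensitive UAC prefix, and the prefixes themselves are just what this one log happens to show; anything tagged here still wants its hash or quarantine copy checked before it is called malware.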