ComboFix 10-07-24.03 - Stephan and Melesia 07/25/2010 13:08:15.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.233 [GMT -4:00]
Running from: c:\documents and settings\Stephan and Melesia\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Stephan and Melesia\Desktop\CFScript.txt
.
((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.
2010-07-25 14:46 . 2010-07-25 14:46 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-25 14:41 . 2010-07-25 15:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-25 14:18 . 2010-07-25 14:18 -------- d-----w- c:\program files\Sun
2010-07-25 14:18 . 2010-07-25 14:18 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-25 00:01 . 2010-07-25 00:01 -------- d-----w- c:\documents and settings\Stephan and Melesia\Application Data\Malwarebytes
2010-07-24 23:35 . 2010-07-24 23:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-07-24 23:03 . 2010-07-24 23:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-24 23:03 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 23:03 . 2010-07-24 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-24 23:03 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-24 23:03 . 2010-07-24 23:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-24 22:53 . 2010-07-24 22:53 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-07-24 22:53 . 2010-07-24 22:53 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-24 10:35 . 2010-07-25 15:19 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-24 01:26 . 2010-07-24 23:59 -------- d-----w- c:\documents and settings\Stephan and Melesia\Local Settings\Application Data\yubsgksid
2010-07-15 22:58 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-30 09:55 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 15:26 . 2005-08-16 08:18 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-07-25 14:58 . 2006-05-20 13:01 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-25 14:41 . 2010-07-25 14:41 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-07-25 14:30 . 2006-05-11 02:17 -------- d-----w- c:\program files\Java
2010-07-25 14:19 . 2006-05-11 02:17 -------- d-----w- c:\program files\Common Files\Java
2010-07-11 00:50 . 2006-05-15 20:39 32104 -c--a-w- c:\documents and settings\Stephan and Melesia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-05 21:30 . 2006-05-22 22:59 -------- d-----w- c:\program files\Microsoft Money
2010-06-28 20:57 . 2009-03-28 15:34 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2009-03-28 15:34 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2009-03-28 15:34 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2009-03-28 15:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2009-03-28 15:34 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2009-03-28 15:34 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2009-03-28 15:34 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2009-03-28 15:34 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-20 16:29 . 2010-06-20 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Playrix Entertainment
2010-06-20 16:28 . 2010-06-20 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2010-06-20 16:27 . 2010-06-20 16:27 -------- d-----w- c:\program files\Yahoo! Games
2010-06-19 00:57 . 2009-04-12 01:42 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-06 23:00 . 2006-06-25 03:19 12496 -c--a-w- c:\windows\MSPuzzle.dat
2010-06-06 14:57 . 2009-11-01 23:36 -------- d-----w- c:\program files\Common Files\Intuit
2010-06-06 13:29 . 2010-06-06 13:29 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-06 13:27 . 2009-04-10 17:57 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-06 13:24 . 2009-04-10 17:09 -------- d-----w- c:\program files\Lavasoft
2010-06-06 13:23 . 2010-06-06 13:23 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-06 13:11 . 2006-09-26 03:01 1327 -c--a-w- c:\windows\EntPack.dat
2010-06-05 02:25 . 2008-08-23 13:38 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-06 10:41 . 2005-08-16 08:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2005-08-16 08:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2009-03-14 17:02 . 2009-03-14 17:02 251 -c--a-w- c:\program files\wt3d.ini
2004-10-01 19:00 . 2007-04-21 08:46 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-08-25 18:49 . 2009-08-25 18:44 88 -csh--r- c:\windows\system32\A3DE2715B2.sys
2009-01-25 00:36 . 2006-05-19 22:38 56 -csh--r- c:\windows\system32\B21527DEA3.sys
2009-08-25 18:49 . 2006-05-19 22:37 5018 -csha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-02-17 5244216]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-11 98304]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-06-19 864112]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-10 24576]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\urvpndrv.sys [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-06-06 64288]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-07-01 1352832]
.
Contents of the 'Scheduled Tasks' folder
2010-07-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 00:56]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {E63543CB-2073-4AA5-874C-BC7A28248DE1} - hxxp://www.amphire.com/assets/datacontrol/Data_Manager.CAB
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-07-25 13:26
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(440)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\windows\system32\dllhost.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-07-25 13:45:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-25 17:44
ComboFix2.txt 2010-07-25 16:14
Pre-Run: 53,375,098,880 bytes free
Post-Run: 53,254,119,424 bytes free
- - End Of File - - 7F4591DE1E9A35353DA2691EE331CC9F
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4345
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
7/25/2010 9:21:35 PM
mbam-log-2010-07-25 (21-21-35).txt
Scan type: Full scan (C:\|)
Objects scanned: 212867
Time elapsed: 59 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e596df5f-4239-4d40-8367-ebadf0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)