Combofix.txt content:
ComboFix 12-03-18.02 - Tar2 20/03/2012 7:58.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.280 [GMT 2:00]
Running from: c:\documents and settings\Tar2\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\1331036250.bdinstall.bin
c:\documents and settings\All Users\Application Data\1331036304.bdinstall.bin
c:\documents and settings\Tar2\ogkyuu6grr.exe
c:\windows\system32\drivers\c7c5c34a22269974.sys
c:\windows\system32\SET43.tmp
c:\windows\system32\SET4F.tmp
c:\windows\system32\SET58.tmp
c:\windows\system32\SET59.tmp
c:\windows\system32\SET5A.tmp
c:\windows\system32\SET5D.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_c7c5c34a22269974
-------\Service_c7c5c34a22269974
.
.
((((((((((((((((((((((((( Files Created from 2012-02-20 to 2012-03-20 )))))))))))))))))))))))))))))))
.
.
2012-03-19 08:17 . 2012-03-19 08:17 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-03-19 08:17 . 2012-03-19 08:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-16 06:07 . 2012-03-16 06:07 -------- d-----w- c:\documents and settings\Tar2\Application Data\Malwarebytes
2012-03-16 06:07 . 2012-03-16 06:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-16 06:07 . 2012-03-16 06:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-16 06:07 . 2011-12-10 13:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-15 09:46 . 2012-03-13 04:39 97208 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2012-03-15 09:46 . 2012-03-13 04:39 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-15 09:46 . 2012-03-13 04:39 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-14 13:43 . 2012-03-14 13:43 -------- d-----w- c:\documents and settings\Tar2\Local Settings\Application Data\Yahoo
2012-03-14 06:27 . 2012-03-14 06:27 -------- d-----w- c:\documents and settings\Tar2\Application Data\vlc
2012-03-14 06:26 . 2012-03-14 06:26 -------- d-----w- c:\program files\VideoLAN
2012-03-14 06:21 . 2012-03-14 06:21 -------- d-----w- c:\program files\Winamp Detect
2012-03-14 06:20 . 2012-03-15 09:46 -------- d-----w- c:\documents and settings\Tar2\Application Data\Winamp
2012-03-14 06:20 . 2012-03-14 06:21 -------- d-----w- c:\program files\Winamp
2012-03-13 10:11 . 2012-03-13 10:11 -------- d-----w- c:\documents and settings\Tar2\Application Data\SUPERAntiSpyware.com
2012-03-13 10:10 . 2012-03-16 06:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-12 06:02 . 2012-03-12 06:02 -------- d-----w- c:\documents and settings\Tar2\Application Data\Avira
2012-03-12 06:00 . 2012-03-12 06:08 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-03-12 06:00 . 2012-03-12 06:08 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-03-12 06:00 . 2009-05-11 09:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2012-03-12 06:00 . 2009-05-11 09:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2012-03-12 06:00 . 2012-03-12 06:00 -------- d-----w- c:\program files\Avira
2012-03-12 06:00 . 2012-03-12 06:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2012-03-08 05:54 . 2012-03-08 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\CPA_VA
2012-03-07 13:25 . 2012-03-07 13:25 1060864 ----a-w- c:\windows\system32\mfc71.dll
2012-03-07 13:25 . 2012-03-07 13:25 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-03-07 09:41 . 2012-03-07 09:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-03-07 09:28 . 2012-03-07 12:55 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-03-06 12:13 . 2012-03-06 12:13 -------- d-----w- c:\program files\Common Files\Bitdefender
2012-03-06 12:05 . 2012-03-07 07:36 -------- d-----w- c:\documents and settings\Tar2\Application Data\QuickScan
2012-03-06 09:51 . 2012-03-06 09:51 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-03-06 09:49 . 2012-03-07 09:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-03-06 09:46 . 2012-03-07 09:17 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-02-29 10:23 . 2012-03-06 12:27 -------- d-----w- c:\documents and settings\Tar2\Application Data\Okoh
2012-02-29 10:23 . 2012-03-06 10:06 -------- d-----w- c:\documents and settings\Tar2\Application Data\Cihabo
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-19 08:17 . 2009-04-03 05:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-21 05:56 . 2011-05-19 04:53 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-13 04:39 . 2012-03-15 09:46 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2011-08-21 6276408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-03-12 281768]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-12-09 74752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\documents and settings\Tar2\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-19 4742184]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, IbduyrIjporc.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23529:UDP"= 23529:UDP:UDP 23529
"20164:TCP"= 20164:TCP:TCP 20164
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 18:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 23:55 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 01:38 116608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/03/2012 08:00 136360]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [16/03/2012 08:07 652360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [16/03/2012 08:07 20464]
S2 0160541239178217mcinstcleanup;McAfee Application Installer Cleanup (0160541239178217);c:\docume~1\Tar2\LOCALS~1\Temp\016054~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\Tar2\LOCALS~1\Temp\016054~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\Tar2\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\Tar2\LOCALS~1\Temp\CFcatchme.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AVGIO
*NewlyCreated* - AVGNTFLT
*NewlyCreated* - AVIPBB
*NewlyCreated* - MBAMPROTECTOR
*NewlyCreated* - SSMDRV
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1691087186-1609294726-3216254438-1005Core.job
- c:\documents and settings\Tar2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-31 09:31]
.
2012-03-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1691087186-1609294726-3216254438-1005UA.job
- c:\documents and settings\Tar2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-31 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ro/
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Tar2\Application Data\Mozilla\Firefox\Profiles\v8hmye8v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ro
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-ogkyuu6grr - c:\documents and settings\Tar2\ogkyuu6grr.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-20 08:07
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(460)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2012-03-20 08:12:25 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-20 06:12
ComboFix2.txt 2009-04-08 08:27
.
Pre-Run: 56.647.983.104 bytes free
Post-Run: 56.530.759.680 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 34A7C1D35EA41BA8852BA4B2486D3902