ComboFix 09-04-29.01 - Cody 04/29/2009 19:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.652 [GMT -4:00]
Running from: F:\Combo-Fix.exe
AV: avast! antivirus 4.8.1335 [VPS 090428-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Cody\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\ovfsthxmdthbwbw.dat
c:\windows\system32\ovfsthxqllrnswe.dll
c:\windows\system32\ovfsthxttilrlxb.dat
c:\windows\system32\setup.ini
c:\windows\system32\test.ttt
c:\windows\wiaserviv.log
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.
2009-04-29 20:46 . 2009-04-29 20:47 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-04-29 20:35 . 2009-04-29 20:35 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-29 20:35 . 2009-04-29 20:35 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Downloaded Installations
2009-04-29 19:43 . 2009-04-29 19:43 -------- d-----w c:\program files\Alwil Software
2009-04-29 16:41 . 2009-04-29 16:41 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-29 16:40 . 2009-04-29 16:40 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-29 16:40 . 2009-04-29 16:40 -------- d-----w c:\documents and settings\Cody\Application Data\SUPERAntiSpyware.com
2009-04-29 14:14 . 2009-04-29 14:14 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-29 13:21 . 2009-04-29 13:21 61440 ----a-w c:\windows\system32\drivers\ismbrn.sys
2009-04-28 17:10 . 2009-04-28 17:10 61440 ----a-w c:\windows\system32\drivers\tvpn(2).sys
2009-04-28 17:10 . 2009-04-28 17:10 61440 ----a-w c:\windows\system32\drivers\tvpn.sys
2009-04-28 05:22 . 2009-04-28 05:22 -------- d-----w c:\documents and settings\Cody\Application Data\Malwarebytes
2009-04-28 05:22 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-28 05:22 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-28 05:22 . 2009-04-28 05:22 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-28 05:22 . 2009-04-28 05:22 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-28 04:44 . 2009-04-28 04:44 -------- d-----w c:\program files\Trend Micro
2009-04-21 16:36 . 2005-05-26 19:34 2297552 ----a-w c:\windows\system32\d3dx9_26.dll
2009-04-21 16:35 . 2009-04-21 16:35 -------- d-----w c:\temp\MTGOInstall
2009-04-21 16:35 . 2009-04-21 16:35 -------- d-----w C:\Temp
2009-04-21 16:22 . 2009-04-21 16:47 -------- d-----w c:\documents and settings\Cody\Application Data\Wizards of the Coast
2009-04-21 04:14 . 2009-04-21 16:47 -------- d-----w c:\program files\Wizards of the Coast
2009-04-15 02:50 . 1998-02-07 02:37 299520 ----a-w c:\windows\uninst.exe
2009-04-15 02:50 . 2009-04-15 02:50 -------- d-----w c:\documents and settings\Cody\WINDOWS
2009-04-15 01:37 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 01:37 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 01:37 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 01:37 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 01:37 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 01:37 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 01:37 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 01:37 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 01:37 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 01:37 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 01:37 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 01:37 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 02:24 . 2009-04-14 02:24 -------- d-----w c:\documents and settings\Cody\Local Settings\Application Data\Blizzard Entertainment
2009-04-08 02:20 . 2009-04-08 02:20 86528 ----a-w c:\windows\bnetunin.exe
2009-04-08 02:20 . 2009-04-08 02:20 61440 ----a-w c:\windows\diabswun.exe
2009-04-08 02:20 . 2009-04-08 02:20 -------- d-----w C:\Diablo
2009-04-01 02:21 . 2009-04-01 02:21 -------- d-----w c:\program files\iPod
2009-04-01 02:20 . 2009-04-01 02:21 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-04-01 02:20 . 2009-04-01 02:21 -------- d-----w c:\program files\iTunes
2009-04-01 02:18 . 2009-04-01 02:19 -------- d-----w c:\program files\QuickTime
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 16:40 . 2008-10-10 01:52 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-23 10:03 . 2009-02-15 06:14 -------- d-----w c:\program files\World of Warcraft Trial
2009-04-23 10:01 . 2007-11-28 23:22 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-06 04:38 . 2008-03-26 02:46 42008 ----a-w c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-04-01 02:20 . 2008-06-13 04:07 -------- d-----w c:\program files\Common Files\Apple
2009-03-19 05:30 . 2009-03-19 05:22 3 ----a-w c:\windows\sbacknt.bin
2009-03-19 05:21 . 2009-03-19 05:21 152904 ----a-w c:\windows\system32\vghd.scr
2009-03-16 17:20 . 2007-12-13 15:15 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-06 14:22 . 2005-08-16 10:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2005-08-16 10:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2005-08-16 10:18 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2005-08-16 10:18 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-08-16 10:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-08-16 10:18 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-08-16 10:18 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-08-16 10:18 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2005-08-16 10:18 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-08-16 10:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-08-16 10:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 04:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2005-08-16 10:18 56832 ----a-w c:\windows\system32\secur32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Cody^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Cody\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\theone524\\half-life\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\theone524\\team fortress classic\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\theone524\\opposing force\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\theone524\\half-life blue shift\\hl.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\World of Warcraft Trial\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft Trial\\BackgroundDownloader.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft Trial\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S1 aswSP;avast! Self Protection; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe [2008-04-14 14336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a40364b-94e9-11dd-b450-00188ba535c1}]
\Shell\AutoRun\command - E:\autorun2.exe /autorun
\Shell\goodies\command - e:\goodies\ar505enu.exe
\Shell\log\command - e:\goodies\machine\machine.exe -l
\Shell\machine\command - e:\goodies\machine\machine.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2009-04-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]
.
- - - - ORPHANS REMOVED - - - -
SSODL-CDBurn-{fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wikipedia.org/
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
IE: {{FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-04-29 19:22
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1024)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-04-29 19:24
ComboFix-quarantined-files.txt 2009-04-29 23:24
Pre-Run: 64,835,780,608 bytes free
Post-Run: 64,862,449,664 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
--- E O F --- 2009-04-15 07:08