ComboFix 09-11-18.06 - Administrator 19/11/2009 12:45.9.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.145 [GMT 11:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-10-19 to 2009-11-19 )))))))))))))))))))))))))))))))
.
2009-11-19 01:38 . 2009-11-19 01:40 -------- d-----w- C:\32788R22FWJFW
2009-11-17 10:41 . 2009-11-17 10:41 -------- d-----w- c:\program files\Trend Micro
2009-11-15 06:48 . 2009-11-19 01:44 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2009-11-13 17:13 . 2009-11-09 22:38 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-13 17:13 . 2009-11-09 22:37 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-13 17:13 . 2009-11-09 22:37 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-13 17:13 . 2009-11-09 22:34 3963672 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-13 17:13 . 2009-11-03 06:29 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-13 17:13 . 2009-11-03 06:29 496920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-12 01:41 . 2009-11-12 01:41 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-12 01:32 . 2009-11-12 01:32 -------- d-----w- c:\program files\iPod
2009-11-12 01:31 . 2009-11-12 01:34 -------- d-----w- c:\program files\iTunes
2009-11-12 01:06 . 2009-11-12 01:06 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-09 22:40 . 2009-11-03 06:30 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-09 22:33 . 2009-11-03 06:28 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-09 22:33 . 2009-11-03 06:28 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-09 13:14 . 2009-11-09 13:14 -------- d-----w- c:\documents and settings\Administrator\SmitfraudFix
2009-11-08 21:53 . 2009-11-08 21:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2009-11-07 11:58 . 2009-11-19 00:39 0 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat
2009-11-03 09:29 . 2009-11-03 09:29 -------- d-----w- C:\ST2TEMP
2009-11-03 06:31 . 2009-11-03 06:35 -------- d-----w- C:\$AVG
2009-11-03 06:28 . 2009-11-03 06:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-29 13:28 . 2009-10-29 13:29 -------- d-----w- c:\windows\LMI5F.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-18 10:28 . 2008-04-18 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-14 00:28 . 2009-06-20 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-13 04:03 . 2008-08-06 00:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-12 01:48 . 2009-03-23 22:46 -------- d-----w- c:\program files\Safari
2009-11-12 01:32 . 2009-01-19 15:36 -------- d-----w- c:\program files\Common Files\Apple
2009-11-09 22:37 . 2009-09-20 21:16 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-08 21:53 . 2008-04-13 12:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-08 21:50 . 2008-10-11 05:23 -------- d-----w- c:\program files\IncrediGames
2009-11-08 00:15 . 2008-04-18 16:21 -------- d-----w- c:\program files\Picasa2
2009-11-07 16:00 . 2009-08-26 12:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdwareAlert
2009-11-04 05:21 . 2008-04-13 06:13 80144 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-03 09:55 . 2009-06-20 06:55 -------- d-----w- c:\program files\Microsoft Works
2009-11-03 06:30 . 2009-09-20 21:16 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-03 06:30 . 2009-09-20 21:16 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-03 06:29 . 2009-09-20 21:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-03 06:28 . 2008-05-01 00:29 -------- d-----w- c:\program files\AVG
2009-10-21 04:58 . 2008-12-29 10:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2009-10-19 11:16 . 2008-04-15 22:46 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-18 22:37 . 2008-04-14 04:35 -------- d-----w- c:\program files\IncrediMail
2009-10-18 10:10 . 2008-08-06 01:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-10-18 08:51 . 2009-08-26 11:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\RegistrySmart
2009-10-18 08:51 . 2009-08-26 10:59 -------- d-----w- c:\program files\RegistrySmart
2009-10-18 08:36 . 2009-10-16 23:01 -------- d-----w- c:\program files\AVS4YOU
2009-10-18 08:35 . 2009-10-18 08:35 -------- d-----w- c:\program files\NOS
2009-10-17 02:19 . 2008-07-24 01:19 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-16 23:03 . 2009-10-16 23:01 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-14 23:32 . 2008-10-11 05:23 -------- d-----w- c:\program files\Oberon Media
2009-10-14 03:42 . 2009-10-14 03:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\CLOUDY Demo
2009-10-14 03:24 . 2009-10-14 03:24 -------- d-----w- c:\program files\Ubisoft
2009-10-14 00:18 . 2009-10-14 00:18 64924 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-13 23:13 . 2009-10-13 23:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\HpUpdate
2009-10-13 23:13 . 2009-10-13 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-10-13 23:10 . 2009-02-23 02:19 -------- d-----w- c:\program files\HP
2009-10-13 04:39 . 2009-01-19 15:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-10-11 10:29 . 2009-10-11 10:27 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-11 10:21 . 2009-10-11 10:19 -------- d-----w- c:\program files\QuickTime
2009-10-05 10:44 . 2009-10-05 10:44 80144 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-05 10:43 . 2009-10-05 10:26 117353 ----a-w- c:\windows\hpoins11.dat
2009-10-05 10:40 . 2009-10-05 10:40 -------- d-----w- c:\documents and settings\LocalService\Application Data\HP
2009-10-05 10:36 . 2009-10-05 10:36 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-10-05 10:35 . 2009-10-05 10:33 -------- d-----w- c:\program files\Common Files\HP
2009-10-05 10:30 . 2009-03-31 01:54 -------- d-----w- c:\program files\Hewlett-Packard
2009-10-05 03:41 . 2009-09-20 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-20 21:29 . 2008-04-15 05:24 -------- d-----w- c:\program files\Common Files\Real
2009-09-20 21:29 . 2009-09-20 21:29 -------- d-----w- c:\program files\Common Files\xing shared
2009-09-20 21:28 . 2008-04-15 02:07 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-09-20 21:28 . 2008-04-15 02:07 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-09-20 21:28 . 2009-09-20 21:28 -------- d-----w- c:\program files\real
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-28 08:42 . 2009-06-02 03:05 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 08:42 . 2009-06-02 03:05 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((( SnapShot_2009-11-13_04.23.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-18 23:56 . 2009-11-18 23:56 16384 c:\windows\temp\Perflib_Perfdata_1a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-20 198160]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-03 06:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Hiro-Media Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Hiro-Media Client.lnk
backup=c:\windows\pss\Hiro-Media Client.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Picasa2\\Picasa2.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [21/09/2009 8:16 AM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [21/09/2009 8:16 AM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/11/2009 5:28 PM 285392]
S2 gupdate1c9f40b597695f2;Google Update Service (gupdate1c9f40b597695f2);c:\program files\Google\Update\GoogleUpdate.exe [24/06/2009 1:02 AM 133104]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [4/08/2004 11:00 PM 14336]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/08/2008 11:48 AM 29744]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
*Deregistered* - PROCEXP113
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2009-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 01:34]
2009-11-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-15 07:54]
2009-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-23 13:59]
2009-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-23 13:59]
2009-11-19 c:\windows\Tasks\User_Feed_Synchronization-{6A46A9DC-B188-4BF2-912A-5A886A6CB15A}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wngrx74m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://mystart.incredimail.com/
FF - prefs.js: keyword.URL - hxxp://au.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_au&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-11-19 13:01
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1454471165-343818398-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,7e,8c,23,f6,49,41,4d,89,95,e2,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,01,34,9e,42,12,05,81,43,a5,50,6a,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,7e,8c,23,f6,49,41,4d,89,95,e2,\
[HKEY_USERS\S-1-5-21-1454471165-343818398-682003330-500\Software\SecuROM\License information*]
"datasecu"=hex:33,bc,70,6c,7d,d6,42,83,79,38,b4,00,a7,e0,28,c3,3c,2e,5c,b5,83,
70,12,b0,7e,1c,a3,fe,03,78,80,e8,67,96,db,5a,1d,c3,73,5e,6a,f3,4b,35,9f,17,\
"rkeysecu"=hex:24,bb,10,37,03,c7,2e,54,83,03,89,53,90,f8,97,a5
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,7e,8c,23,f6,49,41,4d,89,95,e2,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,7e,8c,23,f6,49,41,4d,89,95,e2,\
.
Completion time: 2009-11-19 13:08
ComboFix-quarantined-files.txt 2009-11-19 02:06
ComboFix2.txt 2009-11-15 07:13
ComboFix3.txt 2009-11-13 04:30
ComboFix4.txt 2009-10-18 09:47
ComboFix5.txt 2009-11-19 01:40
Pre-Run: 20,329,648,128 bytes free
Post-Run: 20,333,834,240 bytes free
- - End Of File - - CAEF9DF3E5B10C00F69E03037E1AD4BB