ComboFix 09-02-15.01 - 6 million dollar ba 02/15/2009 14:43:16.1 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1918.1400 [GMT -8:00]
Running from: c:\users\honor student\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
.
((((((((((((((((((((((((( Files Created from 2009-01-15 to 2009-02-15 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-15 22:36 --------- d-----w c:\program files\Avira
2009-02-15 22:36 --------- d-----w c:\progra~2\Avira
2009-02-15 22:30 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-15 22:30 --------- d-----w c:\program files\Avira GmbH
2009-02-15 22:11 174 --sha-w c:\program files\desktop.ini
2009-02-15 22:05 --------- d-----w c:\program files\Windows Sidebar
2009-02-15 22:05 --------- d-----w c:\program files\Windows Mail
2009-02-15 22:01 --------- d-----w c:\program files\COMODO
2009-02-15 06:37 712,192 ----a-w c:\windows\System32\WindowsCodecs.dll
2009-02-15 06:37 425,472 ----a-w c:\windows\System32\PhotoMetadataHandler.dll
2009-02-15 06:37 347,136 ----a-w c:\windows\System32\WindowsCodecsExt.dll
2009-02-15 06:36 --------- d-----w c:\progra~2\Microsoft Help
2009-02-15 06:35 704,000 ----a-w c:\windows\System32\PhotoScreensaver.scr
2009-02-15 06:33 441,856 ----a-w c:\windows\System32\win32spl.dll
2009-02-15 06:33 37,376 ----a-w c:\windows\System32\printcom.dll
2009-02-15 06:31 14,848 ----a-w c:\windows\System32\wshrm.dll
2009-02-15 06:31 113,664 ----a-w c:\windows\system32\drivers\rmcast.sys
2009-02-15 06:27 11,776 ----a-w c:\windows\System32\sbunattend.exe
2009-02-15 06:25 558,080 ----a-w c:\windows\System32\oleaut32.dll
2009-02-15 06:24 290,304 ----a-w c:\windows\system32\drivers\srv.sys
2009-02-15 06:23 84,480 ----a-w c:\windows\System32\dnsrslvr.dll
2009-02-15 06:23 24,576 ----a-w c:\windows\System32\dnscacheugc.exe
2009-02-15 06:17 97,800 ----a-w c:\windows\System32\infocardapi.dll
2009-02-15 06:17 781,344 ----a-w c:\windows\System32\PresentationNative_v0300.dll
2009-02-15 06:17 622,080 ----a-w c:\windows\System32\icardagt.exe
2009-02-15 06:17 43,544 ----a-w c:\windows\System32\PresentationHostProxy.dll
2009-02-15 06:17 326,160 ----a-w c:\windows\System32\PresentationHost.exe
2009-02-15 06:17 11,264 ----a-w c:\windows\System32\icardres.dll
2009-02-15 06:17 105,016 ----a-w c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-02-15 06:13 --------- d-----w c:\users\6MILLI~1\AppData\Roaming\PeerNetworking
2009-02-15 06:13 --------- d-----w c:\users\6 million dollar ba\AppData\Roaming\PeerNetworking
2009-02-15 05:51 --------- d-----w c:\program files\CCleaner
2009-02-15 05:48 96,760 ----a-w c:\windows\System32\dfshim.dll
2009-02-15 05:48 83,968 ----a-w c:\windows\System32\mscories.dll
2009-02-15 05:48 41,984 ----a-w c:\windows\System32\netfxperf.dll
2009-02-15 05:48 282,112 ----a-w c:\windows\System32\mscoree.dll
2009-02-15 05:48 158,720 ----a-w c:\windows\System32\mscorier.dll
2009-02-15 05:30 996,352 ----a-w c:\windows\System32\WMNetMgr.dll
2009-02-15 05:30 98,816 ----a-w c:\windows\System32\mfps.dll
2009-02-15 05:30 94,720 ----a-w c:\windows\System32\logagent.exe
2009-02-15 05:30 84,992 ----a-w c:\windows\system32\drivers\srvnet.sys
2009-02-15 05:30 58,368 ----a-w c:\windows\system32\drivers\mrxsmb20.sys
2009-02-15 05:30 52,736 ----a-w c:\windows\System32\rrinstaller.exe
2009-02-15 05:30 24,576 ----a-w c:\windows\System32\mfpmp.exe
2009-02-15 05:30 2,855,424 ----a-w c:\windows\System32\mf.dll
2009-02-15 05:30 2,048 ----a-w c:\windows\System32\mferror.dll
2009-02-15 05:30 130,048 ----a-w c:\windows\system32\drivers\srv2.sys
2009-02-15 05:30 101,888 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2009-02-15 05:29 84,480 ----a-w c:\windows\System32\INETRES.dll
2009-02-15 05:29 788,992 ----a-w c:\windows\System32\rpcrt4.dll
2009-02-15 05:29 737,792 ----a-w c:\windows\System32\inetcomm.dll
2009-02-15 05:29 1,645,568 ----a-w c:\windows\System32\connect.dll
2009-02-15 05:28 5,120 ----a-w c:\windows\System32\wmi.dll
2009-02-15 05:28 152,576 ----a-w c:\windows\System32\imagehlp.dll
2009-02-15 05:28 12,800 ----a-w c:\windows\system32\drivers\fs_rec.sys
2009-02-15 05:28 1,327,104 ----a-w c:\windows\System32\quartz.dll
2009-02-15 05:27 99,840 ----a-w c:\windows\System32\poqexec.exe
2009-02-15 05:27 --------- d-----w c:\program files\MSXML 4.0
2009-02-15 05:26 633,856 ----a-w c:\windows\System32\user32.dll
2009-02-15 05:26 3,505,208 ----a-w c:\windows\System32\ntkrnlpa.exe
2009-02-15 05:26 3,470,904 ----a-w c:\windows\System32\ntoskrnl.exe
2009-02-15 05:26 2,048 ----a-w c:\windows\System32\msxml6r.dll
2009-02-15 05:26 2,026,496 ----a-w c:\windows\System32\win32k.sys
2009-02-15 05:26 1,341,440 ----a-w c:\windows\System32\msxml6.dll
2009-02-15 05:24 750,080 ----a-w c:\windows\System32\qmgr.dll
2009-02-15 04:51 --------- d-----w c:\program files\Microsoft Works
2009-02-15 04:50 --------- d-----w c:\program files\Microsoft.NET
2009-02-15 04:34 --------- d-----w c:\program files\a-squared Anti-Malware
2009-02-15 02:36 --------- d-----w c:\users\6MILLI~1\AppData\Roaming\SUPERAntiSpyware.com
2009-02-15 02:36 --------- d-----w c:\users\6 million dollar ba\AppData\Roaming\SUPERAntiSpyware.com
2009-02-15 02:36 --------- d-----w c:\program files\SUPERAntiSpyware
2009-02-15 02:36 --------- d-----w c:\progra~2\SUPERAntiSpyware.com
2009-02-15 02:34 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-15 02:30 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-15 02:20 51,224 ----a-w c:\windows\System32\wuauclt.exe
2009-02-15 02:20 43,544 ----a-w c:\windows\System32\wups2.dll
2009-02-15 02:20 1,809,944 ----a-w c:\windows\System32\wuaueng.dll
2009-02-15 02:20 1,524,736 ----a-w c:\windows\System32\wucltux.dll
2009-02-15 02:18 31,232 ----a-w c:\windows\System32\wuapp.exe
2009-02-15 02:18 162,064 ----a-w c:\windows\System32\wuwebv.dll
2009-02-15 01:59 --------- d-----w c:\program files\PhoTags Express
2009-02-15 01:59 --------- d-----w c:\program files\Lexmark 3400 Series
2009-02-15 01:33 --------- d---a-w c:\progra~2\TEMP
2009-02-14 23:26 --------- d-----w c:\users\6MILLI~1\AppData\Roaming\Malwarebytes
2009-02-14 23:26 --------- d-----w c:\users\6 million dollar ba\AppData\Roaming\Malwarebytes
2009-02-14 23:25 --------- d-----w c:\progra~2\Malwarebytes
2009-02-14 22:04 --------- d-----w c:\users\6MILLI~1\AppData\Roaming\FaxCtr
2009-02-14 22:04 --------- d-----w c:\users\6 million dollar ba\AppData\Roaming\FaxCtr
2009-02-14 21:51 --------- d-----w c:\program files\lx_cats
2009-02-14 21:47 --------- d-----w c:\program files\Lexmark Fax Solutions
2009-02-14 21:46 --------- d-----w c:\progra~2\FaxCtr
2009-02-14 21:46 --------- d-----w c:\progra~2\Ezprint
2009-02-14 20:58 --------- d-----w c:\users\6MILLI~1\AppData\Roaming\Yahoo!
2009-02-14 20:58 --------- d-----w c:\users\6 million dollar ba\AppData\Roaming\Yahoo!
2009-02-14 20:47 --------- d-----w c:\program files\AVG
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-09 06:47 1,840 --sha-r c:\windows\system32\drivers\103C_HP_CPC_GC660AA-ABA SR5123WM_YC_0Pres_QCNX719_E73NAv3PrA1_49_INettle2_SECS_V1.0_B5.07_T070404_WUH0_L409_M1918_J320_7AMD_8Athlon 64 X2 Dual Core_92.1_#090209_N10DE03EF_Z14F12F20_G10DE03D0.MRK
2009-02-09 06:46 --------- d-----w c:\progra~2\Symantec
2009-02-09 06:37 --------- d-----w c:\program files\Yahoo!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [01/15/2009 04:17 PM 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [02/15/2007 02:59 AM 118784]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [06/25/2007 06:34 AM 291504]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [06/25/2007 06:34 AM 82608]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [06/25/2007 06:35 AM 295600]
"LXCYCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [11/21/2006 09:27 AM 106496]
"a-squared"="c:\program files\A-SQUARED ANTI-MALWARE\a2guard.exe" [01/27/2009 04:59 PM 2784912]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [06/12/2008 01:28 PM 266497]
"RtHDVCpl"="RtHDVCpl.exe" [03/01/2007 07:38 AM 4390912 c:\windows\RtHDVCpl.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Launcher"="c:\windows\SMINST\launcher.exe" [03/07/2007 11:09 AM 44168]
c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Photags AutoDetect.lnk - c:\program files\PhoTags Express\Photags AutoDetect.exe [2009-02-14 368640]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [05/13/2008 09:13 AM 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
12/22/2008 11:05 AM 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 02/16/2005 11:11 PM 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 09/28/2006 05:42 AM 65536 c:\hp\support\hpsysdrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 12/08/2006 08:16 AM 65536 c:\hp\KBD\KbdStub.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{DC399BF8-60D8-415C-BF74-695430E0E0E0}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{CF22E581-BA08-4FC0-B3FB-F0DD5F0396FB}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{916F5CAF-D35B-415D-A6BC-EB8E7E5EF2BC}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{674E56AB-8A7E-4B3A-B78F-9C741335C7A3}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4C0486D4-2A49-4597-8AD2-E6E813B28600}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{5F5EC396-B89E-45F7-8CBF-1C2FF4871992}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A055C9FD-0E7D-4171-A392-9ACA1F1518C9}"= UDP:c:\windows\System32\lxcycoms.exe:Lexmark Communications System
"{579B7918-4172-4B44-984F-C5EF3D1584AD}"= TCP:c:\windows\System32\lxcycoms.exe:Lexmark Communications System
"{CDF8AED5-EEF3-4FEA-8341-FAC824AA3256}"= UDP:c:\program files\Lexmark 3400 Series\lxcymon.exe:Device Monitor
"{669F3DDC-5842-40FC-A09D-34121D0FF86B}"= TCP:c:\program files\Lexmark 3400 Series\lxcymon.exe:Device Monitor
"{0F21E16B-C9FF-4D60-8101-7632B7AE7360}"= UDP:c:\program files\Lexmark 3400 Series\lxcyaiox.exe:All In One Center
"{6375A8B3-818F-4ADD-937E-59654A8C1727}"= TCP:c:\program files\Lexmark 3400 Series\lxcyaiox.exe:All In One Center
"{02D0F23E-396E-4067-8229-82344C541A00}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{4CD39D56-F49B-4786-AF4E-A03BD16A0C5D}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
R3 netr73;Amigo RT73 Wireless Driver for Vista;c:\windows\System32\drivers\netr73.sys [2009-02-08 255488]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
S2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ECACHE
*Deregistered* - AvgTdiX
.
- - - - ORPHANS REMOVED - - - -
HKLM-RunOnce-<NO NAME> - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Presario&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-15 14:45:35
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 02/15/2009 14:47:07
ComboFix-quarantined-files.txt 2009-02-15 22:47:05
Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 279,124,406,272 bytes free
Ran ComboFix also to try and find the problem.
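A triage script for a log like the one above, added here as an example and not part of the original post or of ComboFix itself. It pulls out the "Reg Loading Points" Run values, the Security Center `DisableMonitoring` overrides, the service lines, and any hidden autostart entries the embedded catchme scan reports, then returns the items a responder would check first. The sample text is constructed from lines copied out of the posted log, not the full log. The review rules (a Run value that points at a DLL, `DisableMonitoring=1`, a service line ending in `[?]`, any catchme hidden entry) are this example's own heuristics, and the reading of `[?]` as "ComboFix could not show file date/size" is an assumption; none of these flags means the entry is malicious, only that it should be verified on disk.

```python
import re

# Constructed sample: lines copied from the posted ComboFix log (not the whole log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [01/15/2009 04:17 PM 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCYCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [11/21/2006 09:27 AM 106496]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [06/12/2008 01:28 PM 266497]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A055C9FD-0E7D-4171-A392-9ACA1F1518C9}"= UDP:c:\windows\System32\lxcycoms.exe:Lexmark Communications System
S2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
scanning hidden files ...
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                       # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')     # "name"=data
IMAGE_RE = re.compile(r'^"(?P<path>[^"]*)"\s*(?:\[(?P<info>[^\]]*)\])?')  # "path" [date size]
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")
HIDDEN_RE = re.compile(r"^(?P<name>\S+)\s+=\s+(?P<command>.+)$")     # catchme: name = command


def parse(log_text):
    """Split a ComboFix log into the autostart-related records we want to review."""
    out = {"run_entries": [], "monitoring_overrides": [], "services": [], "hidden_autostarts": []}
    current_key = None
    in_hidden = False      # inside catchme's "scanning hidden autostart entries" block
    hidden_key = None      # catchme prints the registry key on its own line, entries below it
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("scanning hidden autostart entries"):
            in_hidden = True
            continue
        if in_hidden and line.startswith("scanning hidden files"):
            in_hidden = False
            continue
        if in_hidden:
            m = HIDDEN_RE.match(line)
            if m:
                out["hidden_autostarts"].append(
                    {"key": hidden_key, "name": m.group("name"), "command": m.group("command")})
            else:
                hidden_key = line
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = SERVICE_RE.match(line)
        if m:
            image = m.group("image").rstrip()
            out["services"].append({"start": m.group("start"), "name": m.group("name"),
                                    "image": image,
                                    # assumption: "[?]" = ComboFix could not show file date/size
                                    "unverified": image.endswith("[?]")})
            continue
        m = VALUE_RE.match(line)
        if not (m and current_key):
            continue
        name, data, key_l = m.group("name"), m.group("data").strip(), current_key.lower()
        if "security center\\monitoring" in key_l and name.lower() == "disablemonitoring":
            value = int(data.split(":", 1)[1], 16) if data.lower().startswith("dword:") else None
            if value == 1:
                out["monitoring_overrides"].append({"key": current_key, "value": value})
        elif key_l.endswith("\\run") or key_l.endswith("\\runonce"):
            im = IMAGE_RE.match(data)
            path = im.group("path") if im else data
            out["run_entries"].append({"key": current_key, "name": name, "path": path,
                                       "info": im.group("info") if im else None})
    return out


def triage(parsed):
    """Apply the review heuristics and return one finding per item worth checking."""
    findings = []
    for e in parsed["monitoring_overrides"]:
        findings.append({"kind": "security_center_monitoring_disabled", "where": e["key"],
                         "note": "Security Center will not warn about this product's state"})
    for e in parsed["run_entries"]:
        if e["path"].lower().endswith(".dll"):
            findings.append({"kind": "run_value_is_dll", "where": e["name"],
                             "note": "Run value loads a DLL (via rundll32); verify the file on disk"})
    for s in parsed["services"]:
        if s["unverified"]:
            findings.append({"kind": "service_image_unverified", "where": s["name"],
                             "note": "no file date/size shown; confirm the image exists and is signed"})
    for h in parsed["hidden_autostarts"]:
        findings.append({"kind": "hidden_autostart", "where": h["name"],
                         "note": "entry hidden from the normal registry view: " + h["command"]})
    return findings


if __name__ == "__main__":
    for f in triage(parse(SAMPLE_LOG)):
        print(f["kind"], "|", f["where"], "|", f["note"])
```

The hidden-entry finding for LXCYCATS and the visible Run value for the same DLL should be compared: both name the same path, and whether the DLL is the Lexmark file it claims to be is settled by checking the file's signature and hash, not by the log alone.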