ComboFix 10-06-06.01 - Andrew Bullard 06/06/2010 23:19:40.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.497 [GMT -4:00]
Running from: D:\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew Bullard\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"c:\windows\system32\labelw.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\labelw.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NORMANDY
-------\Service_Normandy
((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
.
2010-06-06 01:20 . 2010-06-06 01:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-03 22:09 . 2010-06-03 22:09 -------- d-----w- c:\documents and settings\Andrew Bullard\Application Data\Malwarebytes
2010-06-03 22:09 . 2010-06-03 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-03 22:09 . 2010-06-06 01:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-03 17:58 . 2010-06-03 17:58 -------- d-----w- c:\documents and settings\Andrew Bullard\Application Data\SUPERAntiSpyware.com
2010-06-03 17:58 . 2010-06-03 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-01 23:29 . 2010-06-01 23:29 -------- d-----w- c:\documents and settings\Guest\Application Data\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
2010-05-29 17:38 . 2010-05-29 17:38 -------- d-sh--w- c:\documents and settings\Guest\PrivacIE
2010-05-29 17:38 . 2010-05-29 17:38 -------- d-----w- c:\documents and settings\Guest\Application Data\Yahoo!
2010-05-29 17:36 . 2010-05-29 17:36 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Google
2010-05-27 22:43 . 2010-05-27 22:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-27 03:09 . 2010-05-27 03:09 -------- d-sh--w- c:\documents and settings\3A3B\PrivacIE
2010-05-27 03:09 . 2010-05-27 03:09 -------- d-----w- c:\documents and settings\3A3B\Application Data\Yahoo!
2010-05-27 03:04 . 2010-05-27 03:04 -------- d-----w- c:\documents and settings\3A3B\Application Data\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
2010-05-27 02:57 . 2010-05-27 02:57 -------- d-----w- c:\documents and settings\3A3B\Local Settings\Application Data\Google
2010-05-27 02:23 . 2010-05-27 02:23 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-05-27 02:17 . 2010-05-27 02:17 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-05-09 01:48 . 2010-05-09 01:48 -------- d-----w- C:\$AVG
2010-05-09 01:40 . 2010-05-09 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-09 01:39 . 2010-05-09 01:59 -------- d-----w- c:\windows\SxsCaPendDel
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-06 03:11 . 2010-05-07 19:36 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-04 14:24 . 2010-05-07 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-06-02 14:01 . 2010-06-02 14:01 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-06-02 14:01 . 2010-06-02 14:01 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-06-02 14:01 . 2009-01-30 21:14 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-02 14:01 . 2009-01-30 21:14 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-06-02 06:16 . 2009-07-01 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-05-09 01:47 . 2009-01-30 21:14 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-09 01:47 . 2009-01-30 21:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-09 01:41 . 2009-01-30 21:14 -------- d-----w- c:\program files\AVG
2010-05-08 22:18 . 2008-08-15 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-08 22:17 . 2008-08-15 18:09 -------- d-----w- c:\program files\McAfee
2010-05-07 19:36 . 2010-05-07 19:36 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-22 20:22 . 2009-10-12 23:24 1 ----a-w- c:\documents and settings\Andrew Bullard\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-21 17:51 . 2010-04-21 17:51 -------- d-----w- c:\program files\7-Zip
2010-04-09 04:30 . 2009-08-03 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-03-18 23:05 . 2009-01-30 00:44 64840 ----a-w- c:\documents and settings\Andrew Bullard\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( SnapShot@2010-06-06_18.32.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-07 03:29 . 2010-06-07 03:29 16384 c:\windows\Temp\Perflib_Perfdata_d0.dat
+ 2010-06-07 03:31 . 2010-06-07 03:31 16384 c:\windows\Temp\Perflib_Perfdata_c8c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 14:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-10 68856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-15 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-01-10 24064]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
c:\documents and settings\Andrew Bullard\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-4 114688]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-05-09 01:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bradford Networks\\Persistent Agent\\bndaemon.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/30/2009 5:14 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/30/2009 5:14 PM 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [5/8/2010 9:43 PM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/8/2010 9:43 PM 308064]
R2 BNPagent;Bradford Persistent Agent Service;c:\program files\Bradford Networks\Persistent Agent\bndaemon.exe [11/1/2009 2:23 PM 3026656]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [5/7/2010 3:36 PM 15944]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ANDREW~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\ANDREW~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\ANDREW~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\docume~1\ANDREW~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2010 5:08 PM 135664]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [5/8/2010 9:46 PM 430152]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/9/2009 8:53 PM 24064]
S3 SASENUM;SASENUM;\??\c:\docume~1\ANDREW~1\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\docume~1\ANDREW~1\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - HITMANPRO35
.
Contents of the 'Scheduled Tasks' folder
2010-06-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 21:07]
2010-06-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 21:07]
2010-06-07 c:\windows\Tasks\User_Feed_Synchronization-{479C7E99-7F92-404A-A968-D4AB250DDB21}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-06-06 23:30
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3536)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Hitman Pro 3.5\HitmanPro35[1].exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\windows\system32\igfxext.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\docume~1\ANDREW~1\LOCALS~1\Temp\RtkBtMnt.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-06-06 23:39:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-07 03:39
ComboFix2.txt 2010-06-06 18:49
ComboFix3.txt 2010-06-06 18:34
Pre-Run: 137,089,372,160 bytes free
Post-Run: 136,971,653,120 bytes free
- - End Of File - - 5DEC81EF98D48ECF36876C36EDA740E0
And the internet works now.