ComboFix 10-06-22.02 - Sally 06/22/2010 16:52:21.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1291 [GMT -4:00]
Running from: c:\documents and settings\Sally\Desktop\ComboFix.exe
AV: AVG Internet Security 3-pack *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Sally\GoToAssistDownloadHelper.exe
c:\documents and settings\Sally\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Sally\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\Downloaded Program Files\CpnMgr.dll
c:\windows\xpsp1hfm.log
C:\xcrashdump.dat
.
((((((((((((((((((((((((( Files Created from 2010-05-22 to 2010-06-22 )))))))))))))))))))))))))))))))
.
2010-06-14 12:39 . 2010-06-14 12:38 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-11 12:39 . 2010-06-11 12:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-06-11 00:31 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-11 00:31 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-11 00:31 . 2010-06-11 00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-09 06:24 . 2010-06-09 23:47 -------- d-----w- c:\documents and settings\Sally\Local Settings\Application Data\hrjvway
2010-05-31 11:22 . 2010-05-31 11:22 501872 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb2704.tmp.exe
2010-05-29 11:15 . 2010-05-29 11:15 501872 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb1C42.tmp.exe
2010-05-28 13:30 . 2010-05-28 13:30 501872 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb1410.tmp.exe
2010-05-27 14:50 . 2010-05-27 14:50 -------- d-----w- c:\documents and settings\Sally\Application Data\VirtualStore
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-22 19:07 . 2008-08-14 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-22 16:56 . 2008-04-08 23:38 -------- d-----w- c:\program files\Common Files\Java
2010-06-22 14:44 . 2004-08-04 03:59 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys
2010-06-19 14:53 . 2009-04-06 15:36 2829 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2010-06-18 12:20 . 2008-04-27 14:08 -------- d-----w- c:\documents and settings\Sally\Application Data\U3
2010-06-18 09:53 . 2008-04-20 19:24 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-17 14:33 . 2008-04-08 23:47 -------- d-----w- c:\program files\Google
2010-06-15 20:32 . 2008-04-08 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-14 12:38 . 2008-04-08 23:38 -------- d-----w- c:\program files\Java
2010-06-12 12:52 . 2008-04-10 21:31 73600 ----a-w- c:\documents and settings\Sally\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-11 00:23 . 2010-04-29 23:56 -------- d-----w- c:\program files\NCH Software
2010-06-11 00:21 . 2010-04-29 23:56 -------- d-----w- c:\documents and settings\Sally\Application Data\NCH Software
2010-05-30 15:15 . 2008-05-24 02:02 -------- d-----w- c:\program files\Coupons
2010-05-26 22:33 . 2008-04-08 23:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-26 22:33 . 2009-04-09 12:34 -------- d-----w- c:\documents and settings\Sally\Application Data\Cogniview
2010-05-26 22:33 . 2009-04-09 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Cogniview
2010-05-26 22:32 . 2008-04-08 23:47 -------- d-----w- c:\program files\Dell
2010-05-26 22:30 . 2010-04-29 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2010-05-23 07:33 . 2010-05-23 07:33 61440 ----a-w- c:\documents and settings\Sally\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-63693c37-n\decora-sse.dll
2010-05-23 07:33 . 2010-05-23 07:33 503808 ----a-w- c:\documents and settings\Sally\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-32bde041-n\msvcp71.dll
2010-05-23 07:33 . 2010-05-23 07:33 499712 ----a-w- c:\documents and settings\Sally\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-32bde041-n\jmc.dll
2010-05-23 07:33 . 2010-05-23 07:33 348160 ----a-w- c:\documents and settings\Sally\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-32bde041-n\msvcr71.dll
2010-05-23 07:33 . 2010-05-23 07:33 12800 ----a-w- c:\documents and settings\Sally\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-63693c37-n\decora-d3d.dll
2010-05-09 16:55 . 2010-05-09 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\muvee Technologies
2010-04-06 11:16 . 2009-04-12 18:46 211720 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2010-04-06 11:16 . 2009-04-12 18:46 1352968 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-08 68856]
"Upromise Update"="c:\program files\Upromise\dca-ua.exe" [2009-07-01 81920]
"Upromise Tray"="c:\program files\Upromise\UpromiseTray.exe" [2009-07-01 167936]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-14 16384]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-17 2046816]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-12-22 1092872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-05-01 185640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"BellSouthReportingAgent"="c:\program files\Common Files\Motive\McciBootStrapper.exe" [2004-06-25 204800]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-4-8 24576]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-4-6 147456]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-2-2 984352]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-30 13:49 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\HPZipm12.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/19/2009 8:11 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/19/2009 8:11 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/19/2009 8:11 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/24/2009 8:53 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/19/2009 8:11 PM 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [4/24/2009 8:53 AM 1370488]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [5/1/2009 2:35 PM 181544]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [1/19/2009 8:10 PM 29208]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/20/2009 7:55 PM 135664]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [1/19/2009 8:10 PM 29208]
.
Contents of the 'Scheduled Tasks' folder
2010-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2008-07-13 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p officejet 6100 series5E771253C1676EBED677BF361FDFC537825E15B8207863851.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 04:52]
2010-06-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-08 11:46]
2010-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-20 23:54]
2010-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-20 23:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wsbtv.com/index.html
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_AE31856476A4FE41.dll/cmsidewiki.html
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Sally\Application Data\Mozilla\Firefox\Profiles\kdlp4qhg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wsbtv.com/index.html
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-wrqxhrehbmqpqx - c:\documents and settings\sally\local settings\application data\hrjvway\lfjhcwu.exe
HKLM-Run-wrqxhrehbmqpqx - c:\documents and settings\sally\local settings\application data\hrjvway\lfjhcwu.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-klmdb.sys
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-06-22 17:03
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3308)
c:\windows\system32\WININET.dll
c:\program files\Google\Google Desktop Search\GoogleDesktopCommon.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-06-22 17:07:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-22 21:07
Pre-Run: 466,297,982,976 bytes free
Post-Run: 466,799,267,840 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - DFE20729B6819DC6981B66FF16E48078