ComboFix 10-09-04.05 - Owner 09/04/2010 20:47:10.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1645 [GMT -5:00]
Running from: c:\documents and settings\Owner.CHRIS\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner.CHRIS\Application Data\Defender
c:\documents and settings\Owner.CHRIS\Local Settings\Application Data\{B144376A-1994-43B8-81BF-CFC63EC801EF}
c:\documents and settings\Owner.CHRIS\Local Settings\Application Data\{B144376A-1994-43B8-81BF-CFC63EC801EF}\chrome.manifest
c:\documents and settings\Owner.CHRIS\Local Settings\Application Data\{B144376A-1994-43B8-81BF-CFC63EC801EF}\chrome\content\_cfg.js
c:\documents and settings\Owner.CHRIS\Local Settings\Application Data\{B144376A-1994-43B8-81BF-CFC63EC801EF}\chrome\content\overlay.xul
c:\documents and settings\Owner.CHRIS\Local Settings\Application Data\{B144376A-1994-43B8-81BF-CFC63EC801EF}\install.rdf
c:\documents and settings\Owner.CHRIS\Local Settings\Application Data\Windows Server
c:\documents and settings\Owner.CHRIS\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Owner.CHRIS\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\Owner.CHRIS\Local Settings\Application Data\Windows Server\uses32.dat
c:\temp\0b9
c:\temp\0b9\tmpTF.log
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\iee
c:\temp\iee\tmpZTF.log
c:\windows\system32\drivers\fad.sys
E:\autorun.inf
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2010-08-05 to 2010-09-05 )))))))))))))))))))))))))))))))
.
2010-08-29 03:00 . 2010-08-29 03:00 -------- d-----w- c:\documents and settings\Owner.CHRIS\Local Settings\Application Data\Safe mirror
2010-08-29 02:59 . 2010-08-29 15:16 -------- d-----w- c:\program files\Cobian Backup 10
2010-08-27 02:24 . 2010-08-27 02:24 -------- d-s---w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData
2010-08-15 15:26 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-15 15:25 . 2010-08-15 15:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-15 15:25 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-15 00:16 . 2010-08-15 00:16 -------- d-----w- c:\documents and settings\Administrator.CHRIS.000\Application Data\Malwarebytes
2010-08-15 00:11 . 2010-08-15 01:23 -------- d-----w- c:\program files\CCleaner
2010-08-14 23:38 . 2010-08-15 19:30 -------- d-----w- c:\documents and settings\Owner.CHRIS\Local Settings\Application Data\cxteqywku
2010-08-14 23:38 . 2010-08-15 19:30 -------- d-----w- c:\documents and settings\Owner.CHRIS\Local Settings\Application Data\tukipstdx
2010-08-10 19:35 . 2010-08-10 19:35 -------- d-----w- c:\windows\system32\wbem\Repository
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-05 01:54 . 2008-09-12 23:07 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000001-00000000-00000004-00001102-00000004-005C1102}.dat
2010-09-05 01:54 . 2008-09-12 23:07 24 ----a-w- c:\windows\system32\DVCState-{00000001-00000000-00000004-00001102-00000004-005C1102}.dat
2010-09-04 18:15 . 2010-02-14 20:54 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-04 03:44 . 2009-02-06 23:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Google Updater
2010-08-27 23:06 . 2008-09-07 06:19 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2010-08-15 15:26 . 2010-02-19 22:44 -------- d-----w- c:\documents and settings\Owner.CHRIS\Application Data\Malwarebytes
2010-08-15 15:25 . 2010-02-19 22:44 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-08-15 14:30 . 2008-09-05 09:24 23696 ----a-w- c:\documents and settings\Owner.CHRIS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-03 02:08 . 2008-09-05 20:56 -------- d-----w- c:\program files\nethack343copy
2010-07-09 02:39 . 2010-07-09 02:39 27630760 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!\YUPDATER\msgup1000_1270_us_u1.exe
2010-07-09 02:38 . 2008-09-07 15:27 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
2010-06-21 21:26 . 2008-10-13 01:59 591 ------w- c:\windows\eReg.dat
2010-06-15 00:23 . 2010-07-09 02:38 607472 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!\YUPDATER\yupdater.exe
2010-06-14 14:30 . 2008-09-05 09:02 743936 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-04-27 22:16 . 2010-05-20 17:56 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
c:\program files\Common Files\Symantec Shared\ccApp .exe
c:\program files\Grisoft\AVG7\avgcc .exe
c:\program files\PC Tools AntiVirus\PCTAV .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-06 39408]
"Lpexadosexas"="c:\windows\cusmsp.dll" [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-05-16 19968]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-02-10 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 19968]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [2001-12-25 191488]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-07-01 1193848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
c:\documents and settings\Owner.CHRIS\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2008-12-21 225280]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 22:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
2006-06-29 21:34 49152 ----a-w- c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2002-07-02 09:56 24576 ----a-w- c:\windows\system32\CTHELPER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link RangeBooster G WDA-2320]
2006-11-16 04:42 1880064 ----a-w- c:\program files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-02-10 15:55 155648 ----a-w- c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 23:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
2001-11-29 05:00 28672 ----a-w- c:\program files\Creative\SBAudigy\Program\ADGJDet.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteCenter]
2002-04-03 05:40 122880 ----a-w- c:\program files\Creative\SBAudigy\RemoteCenter\Rc\RcMan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-08-29 06:40 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-02-06 23:08 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 05:00 90112 ------w- c:\windows\Updreg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
2002-07-02 09:56 24576 ----a-w- c:\windows\system32\CTHELPER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 21:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\D-Link\\RangeBooster G WDA-2320\\AirPlusCFG.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2/21/2010 11:41 AM 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2/21/2010 11:41 AM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2/21/2010 11:41 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2/21/2010 11:41 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [2/21/2010 11:42 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2/21/2010 11:41 AM 141792]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [10/15/2006 10:58 PM 472832]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2/21/2010 11:41 AM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2/21/2010 11:41 AM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2/21/2010 11:41 AM 88480]
S2 gupdate1c988b01715ab4c;Google Update Service (gupdate1c988b01715ab4c);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2009 6:10 PM 133104]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/5/2008 3:58 AM 29744]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2/21/2010 11:41 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2/21/2010 11:41 AM 83496]
--- Other Services/Drivers In Memory ---
*Deregistered* - IPVNMon
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
2010-09-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-05 14:22]
2010-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-06 23:10]
2010-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-06 23:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/&s=PuXduRHjyw8IDJ-zcvOIupezZYk
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: aol.com\free
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Owner.CHRIS\Application Data\Mozilla\Firefox\Profiles\x2yrzm81.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
FF - plugin: c:\documents and settings\Owner.CHRIS\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-klmdb.sys
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-04 20:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?
CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&2????w???w????????\???\???????????U??w???w\???\?????????`??????C@?\???\??????s????\??????s\????&2?A??s?&2??C@?x???`|?w\?????@
Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe?X???????????????????E?@?Disc Detector?A????? ?A?@ ????B?e!@???@???@?? C?????E?@?????????@?B???A????? ?A?? ????B???@?????P?????@?` ?????????w??????????@???????????????????B?????? ??????????????????????????r?B
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\Logi_MwX.Exe
c:\program files\Creative\ShareDLL\MediaDet.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-09-04 21:06:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-05 02:06
Pre-Run: 11,438,010,368 bytes free
Post-Run: 11,397,013,504 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
- - End Of File - - 4E13FEA9944D450979D6350C02A7F1C9
I did about 10 test searches with no redirects, so it seems that something good has happened.