ComboFix scan
ComboFix 11-09-24.04 - Owner 25/09/2011 8:10.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.417 [GMT 1:00]
Running from: d:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\apps
d:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
d:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory
.
.
((((((((((((((((((((((((( Files Created from 2011-08-25 to 2011-09-25 )))))))))))))))))))))))))))))))
.
.
2011-09-25 05:55 . 2011-09-25 05:55 -------- d-----w- d:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-09-25 05:45 . 2011-09-25 05:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-15 22:01 . 2011-09-15 22:01 -------- d-----w- c:\program files\ESET
2011-09-15 21:36 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-09-15 21:35 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2011-09-09 17:03 . 2011-09-09 17:03 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-09-09 09:12 . 2011-09-09 09:12 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-09-04 22:17 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-04 22:17 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-04 19:59 . 2011-09-06 20:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-09-04 19:59 . 2011-09-06 20:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-09-04 19:59 . 2011-09-06 20:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-09-04 19:59 . 2011-09-06 20:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-04 19:59 . 2011-09-06 20:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-09-04 19:59 . 2011-09-06 20:36 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-09-04 19:59 . 2011-09-06 20:36 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-09-04 19:59 . 2011-09-06 20:33 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-09-04 19:59 . 2011-09-06 20:45 41184 ----a-w- c:\windows\avastSS.scr
2011-09-04 19:59 . 2011-09-06 20:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-09-04 19:59 . 2011-09-04 19:59 -------- d-----w- d:\documents and settings\All Users\Application Data\AVAST Software
2011-09-04 19:59 . 2011-09-04 19:59 -------- d-----w- c:\program files\AVAST Software
2011-09-04 19:32 . 2011-09-04 19:32 -------- d-----w- d:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-09-04 15:36 . 2011-09-04 15:37 -------- d-----w- d:\documents and settings\Owner\Local Settings\Application Data\Facebook
2011-09-03 15:20 . 2011-09-04 22:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-02 15:50 . 2009-06-15 04:11 3866528 ----a-w- c:\windows\system32\Flash10b.ocx
2011-09-02 15:50 . 2011-09-02 15:50 -------- d-----w- c:\program files\BRC
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2004-09-10 13:56 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2004-09-10 13:57 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-09-10 13:57 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]
"NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2010-02-24 385928]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-01 39408]
"Facebook Update"="d:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2011-09-04 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SMSERIAL"="sm56hlpr.exe" [2005-10-18 557056]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-27 7573504]
"nwiz"="nwiz.exe" [2006-04-27 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-04-27 86016]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 15691264]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-08-10 26112]
"Vade Retro Outlook Express"="c:\progra~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe" [2004-10-04 310272]
"DetectorApp"="c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe" [2005-10-20 102400]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVMV0gtR0JZUzQtOU5USEQtUUE3WEQtQzJRSEgtTkZGS0o&inst=NzctNjg4NjgxMTE5LVZJUCsxLVNQMSsxLUZMMTArMS1YTzEwKzExLVRVRyszLUREVCsxNjE1MC1MU0QrMi1ERDEwRisxLVNUMTBGQVBQKzE&prod=90&ver=10.0.1392" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [04/09/2011 20:59 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [04/09/2011 20:59 320856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [04/09/2011 20:59 20568]
R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [04/05/2010 13:07 503080]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [10/08/2006 13:47 825600]
R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [10/08/2006 13:47 7040]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/04/2011 11:29 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [01/04/2011 11:29 135664]
S3 KKSJF;KKSJF;d:\docume~1\Owner\LOCALS~1\Temp\KKSJF.exe --> d:\docume~1\Owner\LOCALS~1\Temp\KKSJF.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-18 c:\windows\Tasks\doxillionShakeIcon.job
- c:\program files\NCH Software\Doxillion\doxillion.exe [2011-05-02 18:10]
.
2011-09-24 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2768898766-1709843061-3480073571-1005Core.job
- d:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-09-04 15:36]
.
2011-09-25 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2768898766-1709843061-3480073571-1005UA.job
- d:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-09-04 15:36]
.
2011-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-01 10:28]
.
2011-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-01 10:28]
.
2011-09-24 c:\windows\Tasks\User_Feed_Synchronization-{7ABDF7C0-AAD1-4552-9F1F-BDAF6DC4EAF8}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
.
2011-05-02 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2011-04-24 11:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://bt.yahoo.com/start?.pd=l%3Danthonygodfrey11@btinternet.com%26c%3DK1gXhD2p2e7uH.80E1C6CGax
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*
http://uk.search.yahoo.com/
TCP: DhcpNameServer = 192.168.0.1
DPF: {E7DA7F8D-27AB-4EE9-8FC0-3FEC9ECFE758} - hxxps://xchecker.reed.co.uk/Scanning/DynamicWebTwain.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2011-09-25 08:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(600)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(1768)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-09-25 08:26:00
ComboFix-quarantined-files.txt 2011-09-25 07:25
.
Pre-Run: 18,054,897,664 bytes free
Post-Run: 18,058,801,152 bytes free
.
- - End Of File - - BB91B1C95E8C95908984C7150EDF7759