ComboFix log
ComboFix 10-08-15.04 - cwright 08/16/2010 13:17:11.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.183 [GMT -4:00]
Running from: c:\documents and settings\chancock\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\drivers\fad.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MYWEBSEARCHSERVICE
((((((((((((((((((((((((( Files Created from 2010-07-16 to 2010-08-16 )))))))))))))))))))))))))))))))
.
2010-08-10 18:10 . 2010-08-10 18:10 -------- d-sh--w- c:\documents and settings\administrator.ENGLISHCONST\PrivacIE
2010-08-10 18:10 . 2010-08-10 18:10 -------- d-----w- c:\documents and settings\administrator.ENGLISHCONST\Local Settings\Application Data\Google
2010-08-10 15:29 . 2010-08-10 15:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-08-10 15:29 . 2010-08-10 15:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-08-10 15:29 . 2010-08-10 15:29 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-10 15:28 . 2010-08-10 15:28 31304 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-10 15:26 . 2010-08-10 15:26 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-08-10 13:45 . 2010-08-12 15:27 81984 ----a-w- c:\windows\system32\bdod.bin
2010-08-10 13:39 . 2010-08-10 13:40 -------- d-----w- c:\program files\Common Files\Softwin
2010-08-10 13:33 . 2010-08-10 13:33 -------- d-----w- c:\documents and settings\administrator.ENGLISHCONST\Application Data\Malwarebytes
2010-08-10 13:33 . 2010-08-10 13:33 -------- d-----w- c:\documents and settings\administrator.ENGLISHCONST\Application Data\Share-to-Web Upload Folder
2010-08-10 13:32 . 2010-08-10 13:32 -------- d-sh--w- c:\documents and settings\administrator.ENGLISHCONST\IETldCache
2010-08-06 16:11 . 2010-08-06 16:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-06 15:59 . 2010-08-06 15:59 -------- d-----w- c:\documents and settings\chancock\Application Data\Barracuda
2010-08-06 14:28 . 2010-08-06 14:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Barracuda
2010-08-06 14:28 . 2010-05-26 23:30 38352 ----a-w- c:\windows\system32\drivers\bmrtswissarmy.sys
2010-08-06 14:28 . 2010-08-06 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Barracuda
2010-08-06 14:28 . 2010-08-06 14:28 -------- d-----w- c:\program files\Barracuda
2010-08-06 14:26 . 2010-08-06 14:26 -------- d-----w- c:\program files\CCleaner
2010-08-06 14:24 . 2010-08-06 14:24 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-08-06 14:24 . 2010-08-06 14:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-05 20:02 . 2010-08-05 20:02 61440 ----a-w- c:\documents and settings\chancock\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-47e68a3f-n\decora-sse.dll
2010-08-05 20:02 . 2010-08-05 20:02 503808 ----a-w- c:\documents and settings\chancock\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6ca9183d-n\msvcp71.dll
2010-08-05 20:02 . 2010-08-05 20:02 499712 ----a-w- c:\documents and settings\chancock\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6ca9183d-n\jmc.dll
2010-08-05 20:02 . 2010-08-05 20:02 348160 ----a-w- c:\documents and settings\chancock\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6ca9183d-n\msvcr71.dll
2010-08-05 20:02 . 2010-08-05 20:02 12800 ----a-w- c:\documents and settings\chancock\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-47e68a3f-n\decora-d3d.dll
2010-07-08 16:26 . 2010-07-08 16:26 -------- d-----w- c:\documents and settings\chancock\Application Data\GARMIN
2010-06-30 12:31 . 2004-08-04 08:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 08:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 08:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 08:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2004-08-04 08:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 08:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-02 23:59 . 2008-06-20 03:12 161920 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2010-06-02 15:31 . 2005-04-07 13:30 31304 ----a-w- c:\documents and settings\chancock\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-02 15:09 . 2010-06-01 13:22 503808 ------w- c:\windows\Setup1.exe
2010-06-02 15:09 . 2010-06-01 13:22 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-05-27 20:02 . 2010-05-27 20:02 61440 ----a-w- c:\documents and settings\chancock\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-69bdbc46-n\decora-sse.dll
2010-05-27 20:02 . 2010-05-27 20:02 503808 ----a-w- c:\documents and settings\chancock\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-22b078d4-n\msvcp71.dll
2010-05-27 20:02 . 2010-05-27 20:02 499712 ----a-w- c:\documents and settings\chancock\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-22b078d4-n\jmc.dll
2010-05-27 20:02 . 2010-05-27 20:02 348160 ----a-w- c:\documents and settings\chancock\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-22b078d4-n\msvcr71.dll
2010-05-27 20:02 . 2010-05-27 20:02 12800 ----a-w- c:\documents and settings\chancock\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-69bdbc46-n\decora-d3d.dll
2008-11-03 14:56 . 2008-11-03 14:56 190 ----a-w- c:\program files\Common Files\psasetup.log
2007-12-11 21:27 . 2007-12-11 21:27 8 --sh--r- c:\windows\system32\D8A1ECF8E8.sys
2008-10-09 18:30 . 2007-12-11 21:27 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-19 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-03-11 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-03-11 114688]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2004-12-15 98304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-12-18 115560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SimNotify.exe"="c:\program files\Sage\SIM\Client\SimNotify.exe" [2010-04-14 38696]
"Corel Photo Downloader"="c:\program files\CVS\CVS Photo Editor Plus\Corel Photo Downloader.exe" [2007-02-06 478800]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Start Pervasive PSQL Workgroup Engine.lnk - c:\windows\Installer\{0A3238D7-AB32-1030-B717-F3E3F18B4A8C}\WGE.14A03FCD_EA43_4130_A5C0_F02D38895A13.exe [2010-6-1 92854]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1950072679-626140327-4129173426-1268\Scripts\Logon\0\0]
"Script"=c:\windows\SYSVOL\sysvol\englishconst.com\scripts\logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1950072679-626140327-4129173426-500\Scripts\Logon\0\0]
"Script"=c:\windows\SYSVOL\sysvol\englishconst.com\scripts\logon.bat
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=
R2 Sage.LS1.ServiceHost.1.0;Sage Service Host (v1.0);c:\program files\Common Files\Sage\LS1\ServiceHost\1.0\Sage.LS1.ServiceHost.exe [4/7/2010 8:04 PM 107816]
R2 SageInstMgrClient;Sage Installation Manager Client;c:\program files\Sage\SIM\Client\Sage.Sim.Client.WindowsService.exe [4/14/2010 4:01 AM 15144]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/28/2010 8:32 AM 102448]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/18/2008 6:17 PM 23888]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://go.compaq.com/1Q00CDT/0409/bl7.asp
uInternet Settings,ProxyServer = 192.168.0.2:8080
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
TCP: {D5547583-BD46-4A7F-B9EF-21ABCE83F7FE} = 192.168.0.2,192.168.0.4
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus
AddRemove-HijackThis - E:\HijackThis.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-08-16 13:28
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1950072679-626140327-4129173426-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,db,d7,14,ec,8d,72,77,4b,9e,b6,54,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,db,d7,14,ec,8d,72,77,4b,9e,b6,54,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(1012)
c:\program files\Bonjour\mdnsNSP.dll
- - - - - - - > 'explorer.exe'(2336)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PSIService.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-08-16 13:36:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-16 17:36
Pre-Run: 56,997,900,288 bytes free
Post-Run: 56,886,300,672 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 0829ED4A46559AC438D5EB79D5AA2696