ComboFix 10-10-05.06 - al 10/06/2010 11:42:41.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3839.3351 [GMT -5:00]
Running from: c:\documents and settings\al\Desktop\virus_et_al\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 101006-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\al\Local Settings\Application Data\{2244FBD6-6812-4F82-9B3A-E7287922071E}
c:\documents and settings\al\Local Settings\Application Data\{2244FBD6-6812-4F82-9B3A-E7287922071E}\chrome.manifest
c:\documents and settings\al\Local Settings\Application Data\{2244FBD6-6812-4F82-9B3A-E7287922071E}\chrome\content\_cfg.js
c:\documents and settings\al\Local Settings\Application Data\{2244FBD6-6812-4F82-9B3A-E7287922071E}\chrome\content\overlay.xul
c:\documents and settings\al\Local Settings\Application Data\{2244FBD6-6812-4F82-9B3A-E7287922071E}\install.rdf
c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate
c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\Flags.dtd
c:\windows\system32\stu2.exe
E:\install.exe
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((( Files Created from 2010-09-06 to 2010-10-06 )))))))))))))))))))))))))))))))
.
2010-10-06 16:23 . 2010-10-06 16:23 388096 ----a-r- c:\documents and settings\al\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-06 16:23 . 2010-10-06 16:23 -------- d-----w- c:\program files\Trend Micro
2010-10-01 17:51 . 2010-10-01 17:51 -------- d-----w- c:\documents and settings\al\Application Data\Malwarebytes
2010-10-01 17:50 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-01 17:50 . 2010-10-01 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-01 17:50 . 2010-10-01 17:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-01 17:50 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-01 11:33 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-10-01 11:33 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-10-01 11:33 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-10-01 11:33 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-10-01 11:33 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-10-01 11:33 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-10-01 11:33 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-10-01 11:33 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2010-10-01 11:33 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-30 11:45 . 2010-09-30 11:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-09-22 15:32 . 2010-09-23 16:48 120 ----a-w- c:\windows\Ddutuyu.dat
2010-09-22 15:32 . 2010-09-23 12:16 0 ----a-w- c:\windows\Plocofaneyafi.bin
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-06 11:59 . 2008-08-01 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-09-30 16:45 . 2008-07-30 16:57 -------- d-----w- c:\program files\Alwil Software
2010-09-29 12:01 . 2008-08-01 19:18 1744 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-25 04:26 . 2008-08-01 19:17 -------- d-----w- c:\program files\Google
2010-09-16 15:29 . 2008-08-08 13:07 -------- d-----w- c:\documents and settings\al\Application Data\CoreFTP
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\al\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-10 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-18 148888]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2006-06-01 1106562]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImage\TimounterMonitor.exe" [2006-06-01 1827640]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-06-01 126976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-10 51984]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"69:UDP"= 69:UDP:TFTPD32
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/1/2010 6:33 AM 114768]
R1 vcdrom;Virtual CD-ROM Device Driver;e:\vs_2008_proj\sp1\VCdRom.sys [12/19/2001 11:45 AM 8576]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/1/2010 6:33 AM 20560]
R2 DriverX;DriverX;c:\windows\system32\drivers\driverx.sys [1/28/2009 8:42 AM 52512]
R3 PslIGvFilter;Prosilica GigE Filter Service;c:\windows\system32\drivers\psligvfilter.sys [7/31/2008 7:19 AM 26752]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 11:03 AM 135664]
.
Contents of the 'Scheduled Tasks' folder
2010-10-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-01 02:36]
2010-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:03]
2010-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:03]
2010-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-630328440-682003330-1003Core.job
- c:\documents and settings\al\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-10 14:58]
2010-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-630328440-682003330-1003UA.job
- c:\documents and settings\al\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-10 14:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/advanced_search?hl=en
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} - hxxps://intranet.argonst.com/org/OrgPubX.cab
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-DriverUpdaterPro - c:\program files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe
HKCU-Run-Csolu - c:\windows\wmfoneg.dll
HKLM-Run-Vhaxigokidonotu - c:\windows\uyocacir.dll
AddRemove-HijackThis - c:\documents and settings\al\Desktop\HijackThis.exe
AddRemove-PowerTCP 4.1 for Visual C++ - e:\vs_200~1\tcp_lib\dart\C__~1\PowerTCP\VC\UNWISE.EXE
AddRemove-RS232 Data Logger_is1 - c:\serial\unins000.exe
AddRemove-Winsock for ActiveX - e:\vs_200~1\tcp_lib\dart\winsock\PowerTCP\WINSOC~1\UNWISE.EXE
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(1172)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\documents and settings\al\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-10-06 11:50:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-06 16:50
Pre-Run: 84,890,726,400 bytes free
Post-Run: 84,845,654,016 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - C8837266A35A43A7F5C7725F493B7343