ComboFix 07-10-02.2 - BJ 2007-10-01 21:17:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.20 [GMT -4:00]
Running from: C:\Documents and Settings\BJ\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\admin\Application Data\FunWebProducts
C:\Documents and Settings\admin\Application Data\FunWebProducts\Data\admin\avatar.dat
C:\Documents and Settings\admin\Application Data\FunWebProducts\Data\admin\register.dat
C:\WINDOWS\winhp32.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\nm
((((((((((((((((((((((((( Files Created from 2007-09-02 to 2007-10-02 )))))))))))))))))))))))))))))))
.
2007-10-01 21:16 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-01 20:51 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-01 20:51 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-01 20:51 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-10-01 20:51 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-10-01 20:50 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-01 20:50 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-10-01 20:50 <DIR> d-------- C:\Documents and Settings\BJ\Application Data\PC Tools
2007-10-01 19:12 <DIR> d-------- C:\Deckard
2007-10-01 18:30 <DIR> d-------- C:\Program Files\Zoned Out
2007-10-01 18:28 <DIR> d-------- C:\ie-spyad_zo
2007-10-01 18:17 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-01 16:43 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-01 11:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-01 11:44 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-01 11:44 <DIR> d-------- C:\Documents and Settings\BJ\Application Data\SUPERAntiSpyware.com
2007-09-30 12:12 <DIR> d-------- C:\Documents and Settings\BJ\Application Data\Lavasoft
2007-09-24 03:54 <DIR> d-------- C:\Documents and Settings\BJ\Application Data\.BitZip
2007-09-23 12:07 112,640 --a------ C:\WINDOWS\lsb_un20.exe
2007-09-23 12:07 <DIR> d-------- C:\Program Files\EasyRename
2007-09-23 11:40 <DIR> d-------- C:\Program Files\PipelineRenamer
2007-09-23 11:29 <DIR> d-------- C:\Program Files\Picture Resize
2007-09-06 01:58 <DIR> d-------- C:\Program Files\WS_FTP
2007-09-04 10:13 9,728 --a------ C:\WINDOWS\system32\dotntlib.dll
2007-09-04 10:13 1,348 --a------ C:\WINDOWS\system32\hglib.dll
2007-09-04 10:04 <DIR> d-------- C:\Program Files\ArticleBot
2007-09-04 09:58 <DIR> d-------- C:\Program Files\Microsoft.Net
2007-09-04 09:38 303,616 --a------ C:\WINDOWS\IsUninst.exe
2007-09-04 09:38 <DIR> d-------- C:\mysql
2007-09-04 09:38 <DIR> d-------- C:\Documents and Settings\BJ\WINDOWS
2007-09-04 02:18 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-09-04 02:16 <DIR> d-------- C:\_abot
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-01 21:32 --------- d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-01 14:45 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-01 14:44 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-30 12:16 --------- d-------- C:\Documents and Settings\admin\Application Data\Lavasoft
2007-09-27 11:20 --------- d-------- C:\Documents and Settings\BJ\Application Data\X-Chat 2
2007-09-24 03:59 --------- d-------- C:\Documents and Settings\BJ\Application Data\.BitZip
2007-08-27 18:08 --------- d-------- C:\Program Files\Speeditup Free
2007-08-21 09:37 --------- d-------- C:\Program Files\GIMP-2.0
2007-08-18 23:25 --------- d-------- C:\Program Files\OpenOffice.org 2.0
2007-08-18 23:17 --------- d-------- C:\Documents and Settings\BJ\Application Data\GeoVid
2007-08-17 20:00 --------- d-------- C:\Documents and Settings\admin\Application Data\X-Chat 2
2007-08-15 12:14 --------- d-------- C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
2007-08-15 11:26 --------- d-------- C:\Documents and Settings\BJ\Application Data\GetRightToGo
2007-08-04 12:02 --------- d-------- C:\Documents and Settings\BJ\Application Data\Uniblue
2007-08-04 11:41 --------- d-------- C:\Documents and Settings\BJ\Application Data\BitTorrent
2007-08-02 19:10 --------- d-------- C:\Documents and Settings\BJ\Application Data\Winamp
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2006-06-10 13:07 271 ---hs---- C:\Program Files\desktop.ini
2006-06-10 13:07 23357 --ah----- C:\Program Files\folder.htt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-14 08:13]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-09-20 15:43]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-01 15:15:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-08-02 15:11:19 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-10-01 21:31:59
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-01 21:35:22 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-01 21:35
.
--- E O F ---
Deckard's System Scanner v20070905.67
Run by BJ on 2007-10-01 21:42:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Percentage of Memory in Use: 82% (more than 75%).
Total Physical Memory: 128 MiB (512 MiB recommended).
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-10-01 21:43:10
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\BJ\Desktop\dss.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () -
http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.microsoft.com/windowsu...?1149976959335
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload.macromedia.com/pub...sh/swflash.cab
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - "C:\Program Files\iPod\bin\iPodService.exe"
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld MySQL
-- Files created between 2007-09-01 and 2007-10-01 -----------------------------
2007-10-01 18:30:16 0 d-------- C:\Program Files\Zoned Out
2007-10-01 18:28:45 0 d-------- C:\ie-spyad_zo
2007-10-01 18:17:33 0 d-------- C:\Program Files\SpywareBlaster
2007-10-01 16:43:55 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-10-01 11:45:51 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-01 11:44:43 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-10-01 11:44:42 0 d-------- C:\Documents and Settings\BJ\Application Data\SUPERAntiSpyware.com
2007-09-30 12:12:45 0 d-------- C:\Documents and Settings\BJ\Application Data\Lavasoft
2007-09-24 03:54:27 0 d-------- C:\Documents and Settings\BJ\Application Data\.BitZip
2007-09-23 12:07:09 112640 --a------ C:\WINDOWS\lsb_un20.exe
2007-09-23 12:07:07 0 d-------- C:\Program Files\EasyRename
2007-09-23 11:40:01 0 d-------- C:\Program Files\PipelineRenamer
2007-09-23 11:29:11 0 d-------- C:\Program Files\Picture Resize
2007-09-06 01:58:50 0 d-------- C:\Program Files\WS_FTP
2007-09-04 10:13:33 9728 --a------ C:\WINDOWS\system32\dotntlib.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-09-04 10:13:32 1348 --a------ C:\WINDOWS\system32\hglib.dll
2007-09-04 10:04:42 0 d-------- C:\Program Files\ArticleBot
2007-09-04 09:58:50 0 d-------- C:\Program Files\Microsoft.Net
2007-09-04 09:38:54 0 d-------- C:\mysql
2007-09-04 09:38:33 303616 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2007-09-04 09:38:31 0 d-------- C:\Documents and Settings\BJ\WINDOWS
2007-09-04 08:15:50 0 d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2007-09-04 02:18:47 0 d-------- C:\WINDOWS\system32\URTTemp
2007-09-04 02:16:40 0 d-------- C:\_abot
-- Find3M Report ---------------------------------------------------------------
2007-10-01 14:45:23 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-27 11:20:11 0 d-------- C:\Documents and Settings\BJ\Application Data\X-Chat 2
2007-08-28 08:58:17 0 d-------- C:\Documents and Settings\BJ\Application Data\Adobe
2007-08-27 18:08:13 0 d-------- C:\Program Files\Speeditup Free
2007-08-21 09:37:54 0 d-------- C:\Program Files\GIMP-2.0
2007-08-18 23:25:06 0 d-------- C:\Program Files\OpenOffice.org 2.0
2007-08-18 23:17:17 0 d-------- C:\Documents and Settings\BJ\Application Data\GeoVid
2007-08-15 11:26:04 0 d-------- C:\Documents and Settings\BJ\Application Data\GetRightToGo
2007-08-15 11:22:35 0 dr------- C:\Program Files\Common Files
2007-08-04 12:02:31 0 d-------- C:\Documents and Settings\BJ\Application Data\Uniblue
2007-08-04 11:41:10 0 d-------- C:\Documents and Settings\BJ\Application Data\BitTorrent
2007-08-02 19:10:14 0 d-------- C:\Documents and Settings\BJ\Application Data\Winamp
2007-07-23 10:01:37 6513 --a------ C:\WINDOWS\mozver.dat
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [09/14/2007 08:13 AM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"