ComboFix 09-06-07.05 - Owner 06/07/2009 20:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.153 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\documents and settings\QBDataServiceUser\Application Data\twain_32
c:\documents and settings\QBDataServiceUser\Application Data\twain_32\user.ds
c:\windows\system32\bszip.dll
.
((((((((((((((((((((((((( Files Created from 2009-05-08 to 2009-06-08 )))))))))))))))))))))))))))))))
.
2009-06-04 22:52 . 2009-06-04 22:52 -------- d-----w- c:\program files\Trend Micro
2009-06-04 03:33 . 2009-06-04 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-04 03:32 . 2009-06-04 04:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-04 03:32 . 2009-06-04 03:32 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-06-04 03:32 . 2009-06-04 03:32 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-04 03:11 . 2009-06-04 03:11 107912 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-04 03:11 . 2009-06-04 03:11 10520 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-04 03:11 . 2009-06-04 03:11 325640 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-04 03:11 . 2009-06-04 03:11 27656 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-04 03:11 . 2009-06-04 03:11 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-04 03:10 . 2009-06-04 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-04 03:03 . 2009-06-04 03:03 -------- d-----w- c:\windows\ie8updates
2009-06-04 03:02 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-02 05:08 . 2009-06-02 05:08 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2009-06-02 05:07 . 2009-06-02 05:07 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-06-01 18:09 . 2009-06-01 18:09 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-06-01 17:58 . 2009-06-01 17:58 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-01 17:58 . 2009-06-01 17:58 -------- d-----w- c:\program files\MSBuild
2009-06-01 17:57 . 2009-06-01 17:57 -------- d-----w- c:\program files\Reference Assemblies
2009-06-01 17:56 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-01 17:56 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-01 17:56 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-06-01 17:56 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-06-01 17:56 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-01 17:56 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-06-01 17:56 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-06-01 17:56 . 2009-06-01 17:57 -------- d-----w- C:\96002651679834c928efdc7e59d742
2009-06-01 16:55 . 2009-06-01 16:57 -------- dc-h--w- c:\windows\ie8
2009-05-25 03:37 . 2009-05-25 03:37 -------- d-----w- c:\program files\Digital Support
2009-05-23 03:47 . 2009-05-23 03:47 2967799 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-23 03:44 . 2009-05-23 03:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-05-23 03:44 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-23 03:44 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-23 03:44 . 2009-06-04 03:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-23 03:44 . 2009-05-23 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-22 15:28 . 2008-04-14 00:12 82432 -c--a-w- c:\windows\system32\dllcache\ws2_32.dll
2009-05-19 23:05 . 2009-05-19 23:04 861448 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
2009-05-19 23:05 . 2009-05-19 23:04 38664 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2009-05-19 23:05 . 2009-05-19 23:04 34056 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Interop.QBInstanceFinder.dll
2009-05-19 23:05 . 2009-05-19 23:04 192512 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\ICSharpCode.SharpZipLib.dll
2009-05-19 23:01 . 2009-05-19 23:01 869664 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\qbpatch.exe
2009-05-19 23:01 . 2009-05-19 23:01 499712 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\msvcp71.dll
2009-05-19 23:01 . 2009-05-19 23:01 348160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\msvcr71.dll
2009-05-18 14:02 . 2009-06-03 17:15 3363 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2009-05-18 13:47 . 2009-05-18 13:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Intuit
2009-05-18 13:42 . 2009-05-18 13:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Intuit
2009-05-18 13:39 . 2009-05-18 13:39 -------- d-----w- c:\program files\Common Files\supportsoft
2009-05-18 13:38 . 2007-06-28 19:09 1843200 ----a-w- c:\windows\system32\acXMLParser.dll
2009-05-18 13:38 . 2009-01-20 22:33 3833856 ----a-w- c:\windows\system32\cdintf300.dll
2009-05-18 13:20 . 2009-05-18 13:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 10
2009-05-18 13:20 . 2009-05-18 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\COMMON FILES
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 18:12 . 2006-05-12 14:35 113352 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-25 02:19 . 2005-09-16 15:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-25 02:14 . 2005-09-16 15:11 -------- d-----w- c:\documents and settings\Owner\Application Data\Lavasoft
2009-05-25 02:14 . 2005-09-16 15:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-18 13:42 . 2006-05-04 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-05-18 13:31 . 2006-05-04 19:34 -------- d-----w- c:\program files\Common Files\Intuit
2009-04-19 14:36 . 2009-04-19 14:28 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-04-19 14:36 . 2009-04-19 14:28 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-04-19 14:28 . 2009-04-19 14:28 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-04-19 14:28 . 2009-04-19 14:28 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-04-12 22:55 . 2009-04-11 19:18 -------- d-----w- c:\program files\HP
2009-04-12 22:55 . 2009-04-12 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-04-11 20:47 . 2009-04-11 20:47 -------- d-----w- c:\documents and settings\Owner\Application Data\HP
2009-04-11 20:44 . 2009-04-11 20:44 113352 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-11 20:30 . 2009-04-11 19:06 118642 ----a-w- c:\windows\hpoins09.dat
2009-04-11 20:26 . 2009-04-11 20:26 -------- d-----w- c:\documents and settings\LocalService\Application Data\HP
2009-04-11 20:20 . 2009-04-11 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-04-11 20:16 . 2009-04-11 20:04 -------- d-----w- c:\program files\Common Files\HP
2009-04-11 19:42 . 2009-04-11 19:36 -------- d-----w- c:\program files\Hewlett-Packard
2009-04-11 19:26 . 2009-04-11 19:26 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-04-04 11:15 . 2005-09-16 13:28 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
.
------- Sigcheck -------
[7] 2004-08-04 12:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[-] 2008-04-14 00:12 82432 9F4A1642F792DE1035E9FCF698D439F3 c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2008-04-14 00:12 82432 9F4A1642F792DE1035E9FCF698D439F3 c:\windows\system32\ws2_32.dll
[-] 2008-04-14 00:12 82432 9F4A1642F792DE1035E9FCF698D439F3 c:\windows\system32\dllcache\ws2_32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-04 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-09-13 1450096]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 988701]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 118784]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-04 1932568]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-09-16 69632]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-06-04 04:34 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-04 03:11 10520 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/3/2009 10:11 PM 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/3/2009 10:11 PM 107912]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 55024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/3/2009 10:10 PM 298264]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 PciPPorts;PCI ECP Parallel Port;c:\windows\system32\drivers\PciPPorts.sys [4/7/2009 8:44 PM 82432]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 7408]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-06-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
2009-06-08 c:\windows\Tasks\User_Feed_Synchronization-{10559F02-1EAB-40B5-BE0A-3C91E4703269}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-procexp90.Sys
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.spaceweather.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2006\HelpAsyncPluggableProtocol.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-06-07 21:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(744)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
- - - - - - - > 'lsass.exe'(800)
c:\windows\system32\relog_ap.dll
.
Completion time: 2009-06-08 21:02
ComboFix-quarantined-files.txt 2009-06-08 02:02
Pre-Run: 53,401,358,336 bytes free
Post-Run: 53,511,413,760 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
209 --- E O F --- 2009-06-04 23:24