07-12-2009, 10:30 AM   #3
Everest63
Registered User
Join Date: Feb 2005
Posts: 82
OS: XP Pro


Re: Family laptop hit by virus

ComboFix 09-07-11.02 - Andrew 07/12/2009 11:44.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.756 [GMT -4:00]
Running from: c:\documents and settings\Andrew\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1335 [VPS 090711-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\6d6b7d.msi

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2009-06-12 to 2009-07-12 )))))))))))))))))))))))))))))))
.

2009-07-10 14:38 . 2009-07-10 14:39 152576 ----a-w- c:\documents and settings\Andrew\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-10 00:51 . 2009-07-10 00:51 -------- d-----w- c:\documents and settings\Andrew\Application Data\Malwarebytes
2009-07-10 00:50 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-10 00:50 . 2009-07-10 00:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-10 00:50 . 2009-07-10 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-10 00:50 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-08 01:44 . 2009-07-08 12:30 -------- d-----w- c:\windows\system32\Adobe
2009-07-01 20:30 . 2009-07-01 20:30 -------- d-----w- c:\program files\LWW
2009-06-30 12:17 . 2009-06-30 12:17 42552 ----a-w- c:\documents and settings\Jane\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-28 00:51 . 2009-07-10 01:08 -------- d-----w- c:\program files\Google
2009-06-26 22:57 . 2009-06-26 22:57 -------- d-----w- c:\documents and settings\Ginny\Application Data\acccore
2009-06-26 22:26 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-06-26 22:23 . 2001-08-17 17:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-06-26 22:23 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-06-26 22:23 . 2008-04-14 04:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-06-26 22:23 . 2008-04-14 04:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-06-26 19:06 . 2009-06-26 19:06 -------- d-----w- c:\documents and settings\Ginny\Local Settings\Application Data\AOL OCP
2009-06-26 19:06 . 2009-06-26 19:06 -------- d-----w- c:\documents and settings\Ginny\Local Settings\Application Data\AOL
2009-06-26 18:58 . 2009-06-26 18:58 -------- d-----w- c:\documents and settings\Andrew\Local Settings\Application Data\AOL OCP
2009-06-26 18:58 . 2009-06-26 18:58 -------- d-----w- c:\documents and settings\Andrew\Local Settings\Application Data\AOL
2009-06-26 18:58 . 2009-06-26 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-26 18:58 . 2009-06-26 18:58 -------- d-----w- c:\program files\Viewpoint
2009-06-26 18:58 . 2009-06-26 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-06-26 18:58 . 2009-06-26 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-06-26 18:58 . 2009-06-26 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-06-26 18:58 . 2009-06-26 18:58 -------- d-----w- c:\program files\Common Files\AOL
2009-06-26 18:57 . 2009-06-26 18:58 -------- d-----w- c:\program files\AIM6
2009-06-26 18:32 . 2009-06-26 18:32 -------- d-----w- c:\documents and settings\Sophie\Local Settings\Application Data\Mozilla
2009-06-26 18:31 . 2009-06-26 18:31 -------- d-----w- c:\documents and settings\Jane\Local Settings\Application Data\Mozilla
2009-06-26 18:29 . 2009-06-26 18:29 -------- d-----w- c:\documents and settings\Ginny\Local Settings\Application Data\Mozilla
2009-06-26 18:28 . 2009-06-26 18:28 0 ----a-w- c:\windows\nsreg.dat
2009-06-26 18:28 . 2009-06-26 18:28 -------- d-----w- c:\documents and settings\Andrew\Local Settings\Application Data\Mozilla
2009-06-26 18:24 . 2009-06-26 18:24 -------- d-sh--w- c:\documents and settings\Sophie\IECompatCache
2009-06-26 18:21 . 2009-06-26 18:21 -------- d-----w- c:\documents and settings\Jane\Local Settings\Application Data\Microsoft
2009-06-26 18:18 . 2009-06-26 18:18 -------- d-sh--w- c:\documents and settings\Ginny\IECompatCache
2009-06-26 18:17 . 2009-06-26 18:17 -------- d-sh--w- c:\documents and settings\Ginny\PrivacIE
2009-06-26 18:10 . 2009-06-26 18:10 -------- d-----w- c:\windows\ie8updates
2009-06-26 18:08 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-26 18:08 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-26 18:08 . 2009-04-30 21:22 1985024 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-06-26 18:08 . 2009-04-30 21:22 11064832 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-06-26 17:52 . 2007-04-09 17:23 28040 ----a-w- c:\windows\system32\mdimon.dll
2009-06-26 17:51 . 2009-06-26 17:51 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-26 17:51 . 2009-06-26 17:51 -------- d-----w- c:\windows\SHELLNEW
2009-06-26 17:46 . 2009-06-26 17:46 -------- d--h--r- C:\MSOCache
2009-06-26 17:44 . 2009-06-26 17:44 -------- d-sh--w- c:\documents and settings\Andrew\IECompatCache
2009-06-26 17:44 . 2009-06-26 17:44 -------- d-sh--w- c:\documents and settings\Andrew\PrivacIE
2009-06-26 17:42 . 2009-06-26 17:42 -------- d-sh--w- c:\documents and settings\Andrew\IETldCache
2009-06-26 17:31 . 2009-06-26 17:32 -------- dc-h--w- c:\windows\ie8
2009-06-26 17:11 . 2009-04-29 04:46 81920 -c----w- c:\windows\system32\dllcache\ieencode.dll
2009-06-26 17:11 . 2009-04-29 04:46 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-26 17:10 . 2009-04-15 14:51 585216 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2009-06-26 17:10 . 2009-04-17 12:26 1847168 -c----w- c:\windows\system32\dllcache\win32k.sys
2009-06-26 17:10 . 2009-05-07 15:32 345600 -c----w- c:\windows\system32\dllcache\localspl.dll
2009-06-26 17:08 . 2008-12-20 22:14 1288192 -c----w- c:\windows\system32\dllcache\quartz.dll
2009-06-26 17:08 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-26 17:08 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-06-26 17:08 . 2008-06-17 19:02 8461312 -c----w- c:\windows\system32\dllcache\shell32.dll
2009-06-26 17:07 . 2008-12-05 06:54 144896 -c----w- c:\windows\system32\dllcache\schannel.dll
2009-06-26 17:07 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-06-26 17:05 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-06-26 17:05 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-06-26 16:09 . 2009-06-26 16:09 -------- d-----w- c:\windows\ServicePackFiles
2009-06-26 16:09 . 2008-04-14 09:42 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2009-06-26 15:27 . 2009-01-07 22:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-06-26 15:24 . 2008-10-16 18:09 43544 ----a-w- c:\windows\system32\wups2.dll
2009-06-26 15:23 . 2009-06-26 15:23 -------- d-sh--w- c:\documents and settings\Andrew\UserData
2009-06-26 15:21 . 2003-07-03 19:59 189056 ----a-w- c:\windows\system32\drivers\HSFHWICH.sys
2009-06-26 15:21 . 2003-07-03 19:56 631680 ----a-w- c:\windows\system32\drivers\HSF_CNXT.sys
2009-06-26 15:21 . 2003-07-03 19:55 1063936 ----a-w- c:\windows\system32\drivers\HSF_DP.sys
2009-06-26 15:21 . 2003-04-14 22:53 27765 ----a-w- c:\windows\system32\HSFCI006.dll
2009-06-26 15:21 . 2003-04-09 18:01 90112 ----a-w- c:\windows\system32\mdmxsdk.dll
2009-06-26 15:21 . 2003-04-09 17:48 11043 ----a-w- c:\windows\system32\drivers\mdmxsdk.sys
2009-06-26 15:21 . 2009-06-26 15:21 -------- d-----w- c:\program files\CONEXANT
2009-06-26 15:17 . 2009-06-26 15:17 -------- d-----w- c:\program files\Apoint
2009-06-26 15:17 . 2003-08-21 23:25 94600 ----a-w- c:\windows\system32\drivers\Apfiltr.sys
2009-06-26 15:17 . 2003-07-04 19:00 87805 ----a-w- c:\windows\system32\Vxdif.dll
2009-06-26 15:15 . 2009-06-26 15:15 -------- d--h--w- c:\documents and settings\Andrew\WLANProfiles
2009-06-26 15:14 . 2009-06-26 15:14 14037 ----a-w- c:\windows\system32\drivers\mdc8021x.sys
2009-06-26 15:14 . 2009-06-26 15:14 -------- d-----w- c:\windows\system32\LogFiles
2009-06-26 15:14 . 2003-03-18 01:03 966656 ----a-w- c:\windows\system32\W70MLRES.DLL
2009-06-26 15:14 . 2003-03-18 01:01 966656 ----a-w- c:\windows\system32\W20MLRES.DLL
2009-06-26 15:13 . 2003-06-11 09:06 2477952 ----a-w- c:\windows\system32\drivers\w70n51.sys
2009-06-26 15:13 . 2003-05-06 17:24 315392 ----a-w- c:\windows\system32\W20NCPA.dll
2009-06-26 15:13 . 2003-01-19 20:49 32768 ----a-w- c:\windows\system32\w70n5msg.dll
2009-06-26 15:12 . 2003-05-21 22:47 175360 -c--a-w- c:\windows\system32\dllcache\b57xp32.sys
2009-06-26 15:12 . 2003-05-21 22:47 175360 ----a-r- c:\windows\system32\drivers\b57xp32.sys
2009-06-26 15:12 . 2009-06-26 15:12 -------- d-----w- c:\program files\Broadcom
2009-06-26 15:10 . 2002-11-08 17:13 20579 ----a-w- c:\windows\system32\drivers\ozscr.sys
2009-06-26 15:08 . 2009-06-26 15:08 -------- d-----w- c:\program files\ATI Technologies
2009-06-26 15:05 . 2009-06-26 15:14 -------- d-----w- c:\program files\Intel
2009-06-26 15:01 . 2003-03-06 18:02 666 ----a-w- c:\windows\speed.reg
2009-06-26 15:01 . 2009-06-26 15:01 -------- d-----w- c:\program files\Dell Computer Corporation
2009-06-26 15:01 . 2002-10-09 14:20 53248 ----a-w- c:\windows\system32\DellSys.dll
2009-06-26 15:01 . 2009-06-26 15:01 -------- d-----w- c:\program files\Dell
2009-06-26 15:00 . 2002-01-08 21:00 176128 ----a-w- c:\windows\system32\RcdScan.dll
2009-06-26 15:00 . 2000-03-23 16:50 446464 ----a-r- c:\windows\system32\hhactivex.dll
2009-06-26 15:00 . 1998-06-18 03:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2009-06-26 15:00 . 2009-06-26 15:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-26 15:00 . 2002-10-09 14:20 17153 ----a-w- c:\windows\system32\drivers\omci.sys
2009-06-26 15:00 . 2009-06-26 15:12 -------- d-----w- c:\program files\Common Files\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-26 19:28 . 2009-06-26 19:28 -------- d-----w- c:\program files\Alwil Software
2009-06-26 16:15 . 2009-06-26 14:51 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-26 15:16 . 2009-06-26 15:16 -------- d-----w- c:\program files\SigmaTel
2009-06-26 14:53 . 2009-06-26 14:53 -------- d-----w- c:\program files\microsoft frontpage
2009-06-26 14:48 . 2009-06-26 14:48 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-05-13 05:15 . 2006-03-04 03:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-04 10:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2004-08-04 10:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 10:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 335872]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 86016]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-08-21 151552]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-06-20 11:03 110592 ----a-w- c:\windows\system32\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/26/2009 3:28 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/26/2009 3:28 PM 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/26/2009 2:58 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\3f2dk4km.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZNfox000&fl=0&ptb=Xip6MeZFKcF058iUh8wnjw&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-12 12:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LgNotify.dll

- - - - - - - > 'explorer.exe'(2408)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\S24EvMon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\ZCfgSvc.exe
c:\windows\system32\1XConfig.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\scardsvr.exe
c:\windows\system32\RegSrvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Apoint\ApntEx.exe
.
**************************************************************************
.
Completion time: 2009-07-12 12:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-12 16:27

Pre-Run: 32,989,749,248 bytes free
Post-Run: 33,054,298,112 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

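The log above is worth reading mechanically rather than by eye: the "Files Created" lines carry a fixed created/modified/size/attribute/path layout, the "Drivers/Services" section lists what ComboFix removed (here the MyWebSearch legacy service), and the Supplementary Scan shows the Firefox prefs.js search hijack (keyword.URL pointing at mywebsearch.com, with the URL defanged as hxxp://). The Python below is an added triage example, not code from the post, from ComboFix or from the forum helpers. It embeds a handful of lines excerpted from the log as constructed sample input, parses them, and pulls out the items a responder would check first: removed services, newly created kernel drivers, hidden entries, and URL-valued search prefs whose host is not on a trusted list. The attribute-position decoding (d/c/s/h/a and r/w) is inferred from the values visible in the log and is an assumption, as is the trusted-host list.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional
from urllib.parse import urlparse

# Constructed sample: lines excerpted from the ComboFix log in the post above.
SAMPLE_LOG = """\
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\\Legacy_MYWEBSEARCHSERVICE

((((((((((((((((((((((((( Files Created from 2009-06-12 to 2009-07-12 )))))))))))))))))))))))))))))))
.

2009-07-10 00:50 . 2009-06-17 15:27 38160 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2009-07-10 00:50 . 2009-07-10 00:50 -------- d-----w- c:\\program files\\Malwarebytes' Anti-Malware
2009-06-26 18:24 . 2009-06-26 18:24 -------- d-sh--w- c:\\documents and settings\\Sophie\\IECompatCache
2009-06-26 17:46 . 2009-06-26 17:46 -------- d--h--r- C:\\MSOCache
2009-06-26 15:12 . 2003-05-21 22:47 175360 ----a-r- c:\\windows\\system32\\drivers\\b57xp32.sys

------- Supplementary Scan -------
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZNfox000&fl=0&ptb=Xip6MeZFKcF058iUh8wnjw&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
"""

# created . modified size attrs path   (size is "--------" for directories)
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
PREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<value>.*)$")
REMOVED_SVC_RE = re.compile(r"^-------\\(?P<name>\S+)$")   # "-------\Name" = removed by ComboFix


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]   # None for directories
    attrs: str            # 8-char field, e.g. "d-sh--w-"
    path: str

    # Assumed decoding from the values seen in the log: 0=d(ir), 1=c(ompressed),
    # 2=s(ystem), 3=h(idden), 4=a(rchive), 6=r(ead-only)/w(ritable).
    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return self.attrs[3] == "h"


def parse_file_entries(log: str) -> List[FileEntry]:
    """Every 'Files Created' / 'Find3M' style line in the log, in order."""
    entries: List[FileEntry] = []
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            entries.append(FileEntry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def parse_ff_prefs(log: str) -> Dict[str, str]:
    """Firefox prefs.js values ComboFix prints in the Supplementary Scan."""
    prefs: Dict[str, str] = {}
    for line in log.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m["key"]] = m["value"]
    return prefs


def removed_services(log: str) -> List[str]:
    """Service/driver keys ComboFix reports as deleted."""
    return [m["name"] for line in log.splitlines() if (m := REMOVED_SVC_RE.match(line.strip()))]


def refang(url: str) -> str:
    """Forum logs defang URLs as hxxp://; undo that so urlparse sees a real scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def search_hijack_hosts(prefs: Dict[str, str], trusted_hosts: FrozenSet[str]) -> List[str]:
    """URL-valued search prefs whose host is not on the (assumed) trusted list."""
    flagged = []
    for key, value in prefs.items():
        if not re.match(r"^h(tt|xx)ps?://", value, re.IGNORECASE):
            continue   # names like "MyWebSearch" are not URLs; skip them here
        host = (urlparse(refang(value)).hostname or "").lower()
        if host not in trusted_hosts:
            flagged.append(f"{key} -> {host}")
    return flagged


def driver_files(entries: List[FileEntry]) -> List[str]:
    """Kernel drivers (*.sys) created in the window: review each one's publisher."""
    return [e.path for e in entries if not e.is_dir and "\\drivers\\" in e.path.lower()]


def hidden_entries(entries: List[FileEntry]) -> List[str]:
    """Hidden items are a triage signal only; IECompatCache and MSOCache are legitimate."""
    return [e.path for e in entries if e.hidden]


def triage(log: str, trusted_hosts: FrozenSet[str] = frozenset({"www.google.com", "google.com"})) -> Dict[str, list]:
    entries = parse_file_entries(log)
    return {
        "removed_services": removed_services(log),
        "driver_files": driver_files(entries),
        "hidden_entries": hidden_entries(entries),
        "search_hijack": search_hijack_hosts(parse_ff_prefs(log), trusted_hosts),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section + ":")
        for item in items:
            print("  " + item)
```

Run against the sample, the output lists Legacy_MYWEBSEARCHSERVICE under removed services, the two .sys files (the Malwarebytes driver and the Broadcom NIC driver, both expected here) for publisher review, the two hidden directories as benign XP/Office artifacts, and a single search-hijack hit: keyword.URL resolving to www.mywebsearch.com. The selectedEngine value is deliberately not treated as a URL; the hijack is evidenced by where keyword.URL actually points.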