ComboFix 09-04-28.02 - Wilson 04/28/2009 22:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.535 [GMT -5:00]
Running from: c:\documents and settings\Wilson\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\DRIVERS\beep.sys
c:\windows\setup.exe
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.
2009-04-29 02:35 . 2009-04-29 02:35 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-29 02:35 . 2009-04-29 02:35 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-29 02:34 . 2009-04-29 02:34 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-29 02:34 . 2009-04-29 02:37 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-29 02:34 . 2009-04-29 02:34 -------- d-----w c:\program files\AVG
2009-04-29 02:34 . 2009-04-29 02:34 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-29 02:06 . 2009-04-29 02:06 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-29 01:02 . 2009-04-29 01:02 -------- d-----w c:\program files\VS Revo Group
2009-04-29 00:58 . 2009-04-29 00:58 0 ----a-w c:\windows\nsreg.dat
2009-04-29 00:58 . 2009-04-29 00:58 -------- d-----w c:\documents and settings\Wilson\Local Settings\Application Data\Mozilla
2009-04-29 00:08 . 2009-04-29 00:08 -------- d-----w c:\program files\CCleaner
2009-04-29 00:02 . 2009-04-29 00:02 -------- d-----w c:\program files\CleanUp!
2009-04-28 23:46 . 2009-04-28 23:46 -------- d-----w c:\program files\MSConfig CleanUp
2009-04-28 03:29 . 2009-04-29 02:25 -------- d-----w c:\windows\system32\796525
2009-04-24 09:14 . 2009-04-24 09:14 -------- d-----w c:\documents and settings\NetworkService\Application Data\Webroot
2009-04-24 09:00 . 2009-04-24 09:06 -------- d-----w c:\program files\SmitFraudFixPro
2009-04-24 08:34 . 2009-04-24 08:34 -------- d-----w c:\documents and settings\Wilson\Application Data\Webroot
2009-04-24 08:34 . 2009-04-24 08:34 -------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2009-04-24 08:34 . 2009-04-24 08:34 -------- d-----w c:\program files\Webroot
2009-04-24 08:34 . 2009-04-24 08:34 -------- d-----w c:\documents and settings\LocalService\Application Data\Webroot
2009-04-24 08:33 . 2009-04-24 08:33 -------- d-----w c:\program files\Sony Pictures Games
2009-04-24 08:33 . 2009-04-24 08:33 -------- d-----w c:\documents and settings\Wilson\Local Settings\Application Data\Kodak EasyShare Gallery Software
2009-04-24 02:02 . 2009-04-24 02:02 -------- d-----w c:\documents and settings\All Users\Application Data\K7 Computing
2009-04-24 02:02 . 2009-04-24 08:36 -------- d-----w c:\program files\K7 Computing
2009-04-23 21:32 . 2009-04-24 08:35 -------- d-----w c:\program files\Microsoft Windows OneCare Live
2009-04-23 20:52 . 2009-04-29 02:56 -------- d-----w c:\windows\system32\179223
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 02:01 . 2006-03-07 14:59 -------- d-----w c:\program files\Trend Micro
2009-04-28 23:39 . 2007-02-03 06:32 -------- d-----w c:\program files\Yahoo!
2009-04-28 23:35 . 2006-12-01 01:10 -------- d-----w c:\program files\LimeWire
2009-04-24 08:34 . 2006-07-22 17:57 -------- d-----w c:\program files\IrfanView
2009-04-24 07:57 . 2007-05-22 02:03 -------- d-----w c:\program files\MSN Games
2009-04-24 07:48 . 2006-03-07 14:46 -------- d-----w c:\program files\Common Files\AOL
2009-04-16 18:51 . 2006-07-22 17:57 -------- d-----w c:\program files\Google
2009-04-06 20:32 . 2008-11-26 02:22 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2008-11-26 02:22 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-24 03:16 . 2008-11-24 03:16 12345 ----a-w c:\program files\Common Files\ovihyryhel._dl
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-29 1932568]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-29 02:35 10520 ----a-w c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 01:42 73728 ----a-w c:\windows\system32\VESWinlogon.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R2 fkesccbm;Remote Access NDIS WAN Helper;c:\windows\System32\svchost.exe [2004-08-04 14336]
R3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE [2002-12-18 311872]
S0 SSFS041A;Spy Sweeper File System Filer Driver: 041A;c:\windows\SYSTEM32\Drivers\SSFS041A.SYS [2006-07-07 13824]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-29 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-29 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-29 298264]
S2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [2002-12-18 7520337]
S2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe [2004-08-04 14336]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - AVG8WD
*NewlyCreated* - AVGLDX86
*NewlyCreated* - AVGMFX86
*NewlyCreated* - AVGTDIX
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fkesccbm
.
Contents of the 'Scheduled Tasks' folder
2008-07-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*
Yahoo!
FF - ProfilePath - c:\documents and settings\Wilson\Application Data\Mozilla\Firefox\Profiles\nqymfcp3.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-04-28 22:07
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\VESWinlogon.dll
c:\windows\system32\WRLogonNTF.dll
.
Completion time: 2009-04-29 22:08
ComboFix-quarantined-files.txt 2009-04-29 03:08
Pre-Run: 54,411,776,000 bytes free
Post-Run: 54,447,980,544 bytes free
139 --- E O F --- 2008-11-24 03:39