ComboFix 09-05-08.03 - Canucklehead 05/10/2009 12:20.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.584 [GMT -4:00]
Running from: c:\documents and settings\Canucklehead\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Canucklehead\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Bitdefender Antivirus *On-access scanning enabled* (Outdated)
FILE ::
c:\windows\system32\drivers\antispyware.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Vuze
c:\program files\Vuze\plugins\azemp\azemp_2.0.32.jar
c:\program files\Vuze\plugins\azemp\azemp_2.0.32.zip
c:\program files\Vuze\plugins\azemp\azemp_2.0.34.jar
c:\program files\Vuze\plugins\azemp\azemp_2.0.34.zip
c:\program files\Vuze\plugins\azemp\azemp_2.1.02.jar
c:\program files\Vuze\plugins\azemp\azemp_2.1.02.zip
c:\program files\Vuze\plugins\azemp\azmplay.exe.bak
c:\program files\Vuze\plugins\azemp\cp1250-a.raw.bak
c:\program files\Vuze\plugins\azemp\cp1250-b.raw.bak
c:\program files\Vuze\plugins\azemp\font.desc.bak
c:\program files\Vuze\plugins\azemp\mplayer\config
c:\program files\Vuze\plugins\azemp\osd-mplayer-a.raw.bak
c:\program files\Vuze\plugins\azemp\osd-mplayer-b.raw.bak
c:\program files\Vuze\plugins\azemp\plugin.properties_2.0.32
c:\program files\Vuze\plugins\azemp\plugin.properties_2.0.34
c:\program files\Vuze\plugins\azemp\plugin.properties_2.1.02
c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.17.jar
c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.17.zip
c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.5.jar
c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.5.zip
c:\program files\Vuze\plugins\azupnpav\plugin.properties_0.2.17
c:\program files\Vuze\plugins\azupnpav\plugin.properties_0.2.5
c:\windows\system32\drivers\antispyware.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ANTISPYWARE
-------\Legacy_NPF
-------\Service_antispyware
((((((((((((((((((((((((( Files Created from 2009-04-10 to 2009-05-10 )))))))))))))))))))))))))))))))
.
2009-05-09 15:41 . 2009-05-09 15:42 -------- d-----w c:\program files\ERUNT
2009-04-29 08:32 . 2009-04-29 08:35 -------- d-----w c:\program files\fishsim2
2009-04-13 18:59 . 2009-04-13 19:00 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-13 18:31 . 2009-04-13 18:31 -------- dc----w c:\documents and settings\Canucklehead\Tracing
2009-04-13 17:39 . 2009-04-13 17:39 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-13 17:38 . 2009-02-06 22:08 55152 ----a-w c:\windows\system32\drivers\fssfltr_tdi.sys
2009-04-13 17:38 . 2009-04-13 17:38 -------- d-----w c:\program files\Microsoft Sync Framework
2009-04-13 17:37 . 2006-11-29 17:06 3426072 ----a-w c:\windows\system32\d3dx9_32.dll
2009-04-13 17:37 . 2009-04-13 17:37 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-04-13 17:35 . 2009-04-13 17:35 -------- d-----w c:\program files\Microsoft
2009-04-13 17:35 . 2009-04-13 17:35 -------- d-----w c:\program files\Windows Live SkyDrive
2009-04-13 17:34 . 2009-04-13 17:38 -------- d-----w c:\program files\Windows Live
2009-04-13 17:29 . 2009-04-13 17:29 -------- d-----w c:\program files\Common Files\Windows Live
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 08:13 . 2006-09-13 07:55 -------- d-----w c:\program files\xnews
2009-05-02 12:02 . 2009-03-18 13:27 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-02 12:02 . 2009-03-18 13:27 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-02 12:02 . 2009-03-18 13:27 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-21 23:53 . 2008-04-06 23:01 -------- d-----w c:\program files\cLog Reader
2009-04-13 18:23 . 2008-08-31 09:55 39696 -c--a-w c:\documents and settings\Canucklehead\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-15 08:57 . 2008-07-08 18:25 -------- d-----w c:\program files\Spybot - Search & Destroy
2006-10-04 16:23 . 2006-10-04 16:23 1446442 -c--a-w c:\program files\moviecodec.zip
2006-09-13 07:54 . 2006-09-13 07:48 713503 ----a-w c:\program files\xnews.zip
2001-10-29 03:56 . 2001-10-29 03:56 10098 -c--a-w c:\program files\readme.txt
2005-07-14 19:31 . 2006-05-24 17:37 27648 -csha-w c:\windows\system32\AVSredirect.dll
2005-06-26 22:32 . 2006-05-08 18:07 616448 -csha-r c:\windows\system32\cygwin1.dll
2005-06-22 05:37 . 2006-05-24 17:37 45568 -csha-r c:\windows\system32\cygz.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-22 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ioloDelayModule"="c:\program files\iolo\System Mechanic Professional 6\delay.exe" [2005-06-09 96256]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-02 1947928]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-05-17 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2009-01-09 22:39 46392 ----a-w c:\program files\Citrix\GoToAssist Express Customer\136\g2ax_winlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-02 12:02 11952 ----a-w c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\windows\system32
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\WM Recorder 10\\WMR90.exe"=
"c:\\Program Files\\WM Recorder 10\\WMR.exe"=
"c:\\Program Files\\WM Recorder 10\\RMR.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Pro Home 2007\\sandra.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Pro Home 2007\\RpcSandraSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Pro Home 2007\\Win32\\RpcDataSrv.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:@xpsp2res.dll,-22005
"137:UDP"= 137:UDP:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:@xpsp2res.dll,-22002
"1087:UDP"= 1087:UDP:Windows Media Format SDK (iexplore.exe)
"1086:UDP"= 1086:UDP:Windows Media Format SDK (iexplore.exe)
"1089:UDP"= 1089:UDP:Windows Media Format SDK (iexplore.exe)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"RemoteAddresses"= *
"Enabled"= 1 (0x1)
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/18/2009 9:27 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/18/2009 9:27 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/18/2009 9:27 AM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/18/2009 9:27 AM 298776]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [4/13/2009 1:38 PM 55152]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [1/14/2009 5:53 PM 226656]
S2 gupdate1c98c18bb6bdaa2;Google Update Service (gupdate1c98c18bb6bdaa2);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2009 3:17 AM 133104]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\136\g2ax_service.exe [1/9/2009 6:39 PM 46392]
S3 PentaxUsb;PENTAX Optio E10 on USB;c:\windows\system32\drivers\CoachUsb.sys [5/2/2007 6:04 PM 50976]
S3 PentaxVc;PENTAX Optio E10 Video Capture;c:\windows\system32\drivers\CoachVc.sys [5/2/2007 6:04 PM 44256]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder
2009-05-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-06 15:51]
2009-05-10 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 07:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,
uInternet Settings,ProxyServer = socks=
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-10 12:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(384)
c:\program files\Citrix\GoToAssist Express Customer\136\g2ax_winlogon.dll
- - - - - - - > 'explorer.exe'(1880)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2009-05-10 12:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-10 16:27
ComboFix2.txt 2009-05-10 10:01
Pre-Run: 34,195,316,736 bytes free
Post-Run: 34,193,264,640 bytes free
188 --- E O F --- 2007-09-08 07:09