Malwarebytes' Anti-Malware 1.39
Database version: 2475
Windows 5.1.2600 Service Pack 2
22/07/2009 00:03:24
mbam-log-2009-07-22 (00-03-24).txt
Scan type: Full Scan (C:\|E:\|)
Objects scanned: 147987
Time elapsed: 25 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe (Security.Hijack) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon (Backdoor.Poison) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regdiit (Backdoor.Poison) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\videocore.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winjpg.jpg (Backdoor.Poison) -> Delete on reboot.
C:\winfile.jpg (Backdoor.Poison) -> Delete on reboot.
C:\WINDOWS\system32\wscript.exe (Backdoor.Poison) -> Delete on reboot.
**************************************************
ComboFix 09-07-21.03 - Zecharia 07/22/2009 7:32.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.972.1037.18.2047.1588 [GMT 3:00]
Running from: c:\documents and settings\Zecharia\שולחן העבודה\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
c:\windows\system32\_005863_.tmp.dll
c:\windows\system32\_005864_.tmp.dll
c:\windows\system32\_005865_.tmp.dll
c:\windows\system32\_005866_.tmp.dll
c:\windows\system32\_005873_.tmp.dll
c:\windows\system32\_005874_.tmp.dll
c:\windows\system32\_005875_.tmp.dll
c:\windows\system32\_005876_.tmp.dll
c:\windows\system32\_005878_.tmp.dll
c:\windows\system32\_005879_.tmp.dll
c:\windows\system32\_005882_.tmp.dll
c:\windows\system32\_005883_.tmp.dll
c:\windows\system32\_005885_.tmp.dll
c:\windows\system32\_005886_.tmp.dll
c:\windows\system32\_005887_.tmp.dll
c:\windows\system32\_005889_.tmp.dll
c:\windows\system32\_005892_.tmp.dll
c:\windows\system32\_005893_.tmp.dll
c:\windows\system32\_005897_.tmp.dll
c:\windows\system32\_005898_.tmp.dll
c:\windows\system32\_005900_.tmp.dll
c:\windows\system32\_005903_.tmp.dll
c:\windows\system32\_005905_.tmp.dll
c:\windows\system32\_005906_.tmp.dll
c:\windows\system32\_005907_.tmp.dll
c:\windows\system32\_005908_.tmp.dll
c:\windows\system32\_005909_.tmp.dll
c:\windows\system32\_005912_.tmp.dll
c:\windows\system32\_005913_.tmp.dll
c:\windows\system32\_005914_.tmp.dll
c:\windows\system32\_005915_.tmp.dll
c:\windows\system32\_005916_.tmp.dll
c:\windows\system32\_005921_.tmp.dll
c:\windows\system32\_005923_.tmp.dll
c:\windows\system32\img_utils.dll
c:\windows\system32\imgscaler.dll
E:\autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-06-22 to 2009-07-22 )))))))))))))))))))))))))))))))
.
2009-07-21 20:34 . 2009-07-21 20:34 -------- d-----w- c:\documents and settings\Zecharia\Application Data\Malwarebytes
2009-07-21 20:34 . 2009-07-13 10:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-21 20:34 . 2009-07-21 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-21 20:34 . 2009-07-13 10:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-19 10:52 . 2009-07-07 09:39 3403032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-18 07:40 . 2009-07-18 07:41 -------- d-----w- c:\documents and settings\Zecharia\Local Settings\Application Data\Temp
2009-07-17 16:45 . 2009-07-17 16:45 -------- d-----w- c:\program files\Common Files\xing shared
2009-07-11 17:43 . 2000-05-01 20:02 110592 ----a-w- c:\windows\system32\ccrpbds6.dll
2009-07-09 11:36 . 2009-07-07 09:39 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-06-29 20:34 . 2009-06-29 20:34 -------- d-----w- c:\documents and settings\Zecharia\Local Settings\Application Data\Identities
2009-06-25 14:50 . 2009-07-07 09:39 2054424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-24 18:53 . 2009-06-24 18:53 -------- d-----w- c:\documents and settings\LocalService\שולחן העבודה
2009-06-24 03:29 . 2009-06-24 03:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-06-23 19:25 . 2009-06-23 19:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-06-23 19:24 . 2009-06-23 19:34 -------- d-----w- c:\documents and settings\Zecharia\Local Settings\Application Data\Google
2009-06-23 19:23 . 2009-06-23 19:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-23 19:23 . 2009-06-23 19:27 -------- d-----w- c:\program files\Google
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-17 17:33 . 2009-03-01 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-07-17 16:44 . 2009-02-28 17:54 -------- d-----w- c:\program files\Common Files\Real
2009-07-10 06:38 . 2009-03-22 06:32 -------- d-----w- c:\documents and settings\Zecharia\Application Data\Canon
2009-07-07 09:39 . 2009-01-29 22:36 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-21 17:19 . 2009-01-29 22:36 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-19 20:51 . 2009-06-12 05:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-12 05:33 . 2009-06-12 05:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-02 10:37 . 2009-06-12 06:09 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-05-11 20:00 . 2009-01-29 22:36 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-11 20:00 . 2009-01-29 22:36 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-02 10:59 . 2003-04-09 12:00 59424 ----a-w- c:\windows\system32\perfc00d.dat
2009-05-02 10:59 . 2003-04-09 12:00 314342 ----a-w- c:\windows\system32\perfh00d.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-16 1004800]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-16 06:29 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-16 1004800]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-16 1004800]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-27 15360]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2004-08-27 1667584]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-17 7700480]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"WinRemote"="c:\program files\InterVideo\WinDVR\WinRemote.exe" [2003-09-03 131072]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2005-07-28 483328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-17 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-17 198160]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-11-15 77824]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-11-17 1622016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-27 15360]
c:\documents and settings\Zecharia\ \\\
ERUNT AutoBackup.lnk - e:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Netvision Cable Connect.url [2009-6-29 97]
c:\documents and settings\All Users\ \\\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-AF00-7760-100000000002}\SC_Acrobat.exe [2009-2-4 25214]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-1-31 131072]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-11 20:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LangOver"=c:\program files\LangOver\LangOver.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [30/01/2009 01:36 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [30/01/2009 01:36 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [30/01/2009 01:36 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [30/01/2009 01:36 298776]
R3 PhTVTune;TV Capture Card WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [02/02/2009 00:58 19616]
S2 gupdate1c9f43852980e14;שירות Google Update (gupdate1c9f43852980e14);c:\program files\Google\Update\GoogleUpdate.exe [23/06/2009 22:25 133104]
.
Contents of the 'Scheduled Tasks' folder
2009-07-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-23 19:23]
2009-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-23 19:24]
2009-07-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-23 19:24]
2009-07-17 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-02-02 13:31]
2009-07-21 c:\windows\Tasks\User_Feed_Synchronization-{990BAC38-7C00-4FB5-BBE6-BA6290288CBE}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 16:36]
.
- - - - ORPHANS REMOVED - - - -
Notify-dimsntfy - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ynet.co.il/
uInternet Connection Wizard,ShellNext = iexplore
IE: &יצא ל- Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-22 07:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1348)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\INTERV~1\WinDVR\WINSCH~1.EXE
c:\progra~1\MICROS~3\rapimgr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-22 7:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-22 04:40
Pre-Run: 6,819,102,720 bytes free
Post-Run: 6,939,074,560 bytes free
210 --- E O F --- 2009-02-04 04:48