
ComboFix 09-10-28.08 - Luther 10/29/2009 18:57.1.

1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.442 [GMT 2:00]
Running from: c:\documents and settings\Luther\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other
Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Luther\LOCALS~1\Temp\tmp1.tmp

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-
29 )))))))))))))))))))))))))))))))
.

2009-10-29 15:41 . 2009-10-29 15:41 -------- dc----w- c:\documents and settings\Luther\Application Data\Lavasoft
2009-10-14 17:17 . 2009-07-17 16:22 1435648 -c----w-
c:\windows\system32\dllcache\query.dll
2009-10-14 17:07 . 2009-09-04 21:03 58880 -c----w-
c:\windows\system32\dllcache\msasn1.dll
2009-10-13 22:17 . 2009-10-13 22:17 -------- dc----w- c:\documents and
settings\Luther\Application Data\Apple Computer
2009-10-13 22:09 . 2009-10-13 22:09 -------- dc----w- c:\documents and
settings\Luther\Local Settings\Application Data\KodakGallery
2009-10-13 22:08 . 2009-10-24 17:56 664 -c--a-w-
c:\windows\system32\d3d9caps.dat
2009-10-13 22:06 . 2009-10-13 22:07 -------- dc----w- c:\program
files\QuickTime
2009-10-13 22:06 . 2009-10-13 22:06 -------- dc----w- c:\documents and
settings\All Users\Application Data\Apple Computer
2009-10-13 22:06 . 2009-10-13 22:06 -------- dc----w- c:\documents and
settings\Luther\Local Settings\Application Data\Apple Computer
2009-10-13 22:04 . 2001-08-17 20:36 5632 -c--a-w-
c:\windows\system32\ptpusb.dll
2009-10-13 22:04 . 2008-04-14 00:12 159232 -c--a-w-
c:\windows\system32\ptpusd.dll
2009-10-13 22:04 . 2009-10-13 22:04 -------- dc----w- c:\program files\Common
Files\Kodak
2009-10-13 22:03 . 2009-10-13 22:06 -------- dc----w- c:\program files\Kodak
2009-10-13 22:01 . 2009-10-13 22:08 -------- dc----w- c:\documents and
settings\All Users\Application Data\Kodak
2009-10-07 09:14 . 2009-09-11 14:18 136192 -c----w-
c:\windows\system32\dllcache\msv1_0.dll
2009-10-07 09:14 . 2009-06-25 08:25 54272 -c----w-
c:\windows\system32\dllcache\wdigest.dll
2009-10-07 09:14 . 2009-06-24 11:18 92928 -c----w-
c:\windows\system32\dllcache\ksecdd.sys
2009-10-07 09:14 . 2009-06-25 08:25 301568 -c----w-
c:\windows\system32\dllcache\kerberos.dll
2009-09-30 21:56 . 2009-09-30 21:56 -------- dc----w- c:\documents and
settings\All Users\Application Data\Macrovision
2009-09-30 21:56 . 2002-01-05 05:10 57344 -c----w-
c:\windows\system32\mfc70enu.dll
2009-09-30 21:56 . 2009-09-30 21:56 -------- dc----w- c:\program files\Common
Files\Macromedia Shared
2009-09-30 21:56 . 2009-09-30 21:56 -------- dc----w- c:\program files\Common
Files\Macromedia
2009-09-30 21:55 . 2009-09-30 21:55 -------- dc----w- c:\program
files\Macromedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M
Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 13:32 . 2009-09-05 15:22 10 -c--a-w- c:\windows\popcinfo.dat
2009-09-30 21:55 . 2009-08-28 09:00 -------- dc-h--w- c:\program
files\InstallShield Installation Information
2009-09-30 21:55 . 2009-08-28 08:09 -------- dc----w- c:\program files\Common
Files\InstallShield
2009-09-26 10:28 . 2009-08-28 07:47 89504 -c--a-w- c:\documents and
settings\Luther\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-25 20:04 . 2009-09-25 20:04 -------- dc----w- c:\program
files\Microsoft.NET
2009-09-25 20:04 . 2009-09-25 20:04 -------- dc----w- c:\program
files\Microsoft ActiveSync
2009-09-25 19:03 . 2009-08-30 23:56 -------- dc----w- c:\documents and
settings\All Users\Application Data\Microsoft Help
2009-09-25 13:18 . 2009-08-31 05:38 -------- dc----w- c:\program
files\AskTBar
2009-09-25 12:50 . 2009-08-31 00:39 -------- dc----w- c:\program files\e-
Sword
2009-09-25 08:09 . 2009-08-28 08:10 -------- dc----w- c:\documents and
settings\All Users\Application Data\ScanSoft
2009-09-24 03:23 . 2009-09-24 03:23 -------- dc----w- c:\documents and
settings\Luther\Application Data\MSNInstaller
2009-09-24 02:02 . 2009-08-28 21:44 -------- dc----w- c:\documents and
settings\All Users\Application Data\AVG Security Toolbar
2009-09-24 01:49 . 2009-09-24 01:49 -------- dc----w- c:\documents and
settings\All Users\Application Data\Office Genuine Advantage
2009-09-24 01:48 . 2009-09-24 01:48 -------- dc----w- c:\documents and
settings\Luther\Application Data\Office Genuine Advantage
2009-09-23 05:22 . 2009-09-23 05:22 -------- dc----w- c:\program
files\Microsoft CAPICOM 2.1.0.2
2009-09-23 05:19 . 2009-09-23 05:19 -------- dc----w- c:\program files\MSXML
6.0
2009-09-23 04:52 . 2009-09-23 04:52 -------- dc----w- c:\program files\MSXML
4.0
2009-09-21 06:43 . 2009-09-21 05:56 -------- dc----w- c:\program
files\4shared Desktop
2009-09-18 23:11 . 2009-09-18 23:11 -------- dc----w- c:\documents and
settings\Luther\Application Data\Canon
2009-09-11 14:18 . 2004-08-04 12:00 136192 -c--a-w-
c:\windows\system32\msv1_0.dll
2009-09-05 15:20 . 2009-09-05 15:20 -------- dc----w- c:\program
files\ReflexiveArcade
2009-09-05 15:16 . 2009-09-05 15:07 -------- dc--a-w- c:\documents and
settings\All Users\Application Data\TEMP
2009-09-05 09:03 . 2009-08-28 20:55 -------- dc----w- c:\documents and
settings\Luther\Application Data\shamela
2009-09-04 21:03 . 2004-08-04 12:00 58880 -c--a-w-
c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2007-07-22 11:57 916480 -c--a-w-
c:\windows\system32\wininet.dll
2009-08-28 23:31 . 2009-08-28 23:31 172032 -c----w- c:\windows\Setup1.exe
2009-08-28 23:31 . 2009-08-28 23:31 73216 -c--a-w- c:\windows\ST6UNST.EXE
2009-08-28 21:45 . 2009-08-28 21:45 11952 ----a-w-
c:\windows\system32\avgrsstx.dll
2009-08-28 21:45 . 2009-08-28 21:45 108552 ----a-w-
c:\windows\system32\drivers\avgtdix.sys
2009-08-28 21:45 . 2009-08-28 21:45 335240 ----a-w-
c:\windows\system32\drivers\avgldx86.sys
2009-08-28 21:45 . 2009-08-28 21:45 27784 ----a-w-
c:\windows\system32\drivers\avgmfx86.sys
2009-08-28 07:33 . 2009-08-28 07:33 21640 -c--a-w-
c:\windows\system32\emptyregdb.dat
2009-08-27 23:01 . 2009-08-27 23:01 552 -c--a-w-
c:\windows\system32\d3d8caps.dat
2009-08-26 08:00 . 2007-07-22 11:57 247326 -c--a-w-
c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 2004-08-04 12:00 204800 -c--a-w-
c:\windows\system32\mswebdvd.dll
2009-08-04 18:44 . 2007-07-22 11:56 2189184 -c--a-w-
c:\windows\system32\ntoskrnl.exe
2009-08-04 17:52 . 2009-08-04 17:52 1193832 -c--a-w-
c:\windows\system32\FM20.DLL
2009-08-04 14:20 . 2007-02-28 07:15 2066048 -c--a-w-
c:\windows\system32\ntkrnlpa.exe
2009-08-03 22:07 . 2009-08-03 22:07 403816 -c--a-w-
c:\windows\system32\OGACheckControl.dll
2009-08-03 22:07 . 2009-08-03 22:07 322928 ----a-w-
c:\windows\system32\OGAAddin.dll
2009-08-03 22:07 . 2009-08-03 22:07 230768 -c--a-w-
c:\windows\system32\OGAEXEC.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program
files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 09:58 1107200 -c--a-w- c:\program
files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program
files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program
files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows
nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 21:45 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader
Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Authorized
Applications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/28/2009 11:45 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys
[8/28/2009 11:45 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/28/2009
11:44 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/28/2009 11:44 PM
297752]
S3 FXDrv32;FXDrv32;\??\h:\fxdrv32.sys --> h:\FXDrv32.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*NewlyCreated* - PCIIDEX_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2
.
Contents of the 'Scheduled Tasks' folder

2009-10-29 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]
2009-10-29 c:\windows\Tasks\User_Feed_Synchronization-{5CC17446-32E2-4EC1-B3DE-09011C9F3091}.job
- c:\windows\system32\msfeedssync.exe [2009-08-28 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-*{9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
URLSearchHooks-*{09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-29 19:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully


hidden files: 0

**************************************************************************
.
Completion time: 2009-10-29 19:14
ComboFix-quarantined-files.txt 2009-10-29 17:14

Pre-Run: 738,484,224 bytes free
Post-Run: 1,327,112,192 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional"
/noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional"
/noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional"
/noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(4)\WINDOWS="Microsoft Windows XP Professional"
/noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(6)\WINDOWS="Microsoft Windows XP Professional"
/noexecute=optin /fastdetect

- - End Of File - - 4B8A5ADB32C351860777CCA4CB533FA2