ComboFix 09-05-18.04 - me 05/19/2009  1:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.298 [GMT -7:00]
Running from: c:\documents and settings\me\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((   Files Created from 2009-04-19 to 2009-05-19   )))))))))))))))))))))))))))))))
.

2009-05-19 07:48 . 2009-04-06 22:32  15504  ----a-w  c:\windows\system32\drivers\mbam.sys
2009-05-19 07:48 . 2009-04-06 22:32  38496  ----a-w  c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 07:48 . 2009-05-19 07:48  --------  d-----w  c:\program files\Malwarebytes' Anti-Malware
2009-05-19 06:56 . 2009-05-19 06:56  577024  -c--a-w  c:\windows\system32\dllcache\user32.dll
2009-05-19 06:54 . 2009-05-19 06:54  --------  d-----w  c:\windows\ERUNT
2009-05-19 06:46 . 2009-05-19 07:33  --------  d-----w  C:\SDFix
2009-05-18 01:32 . 2009-05-18 01:32  11952  ----a-w  c:\windows\system32\avgrsstx.dll
2009-05-18 01:32 . 2009-05-18 01:32  108552  ----a-w  c:\windows\system32\drivers\avgtdix.sys
2009-05-18 01:32 . 2009-05-18 01:32  325896  ----a-w  c:\windows\system32\drivers\avgldx86.sys
2009-05-18 01:31 . 2009-05-18 20:32  --------  d-----w  c:\windows\system32\drivers\Avg
2009-05-18 01:31 . 2009-05-18 01:31  --------  d-----w  c:\documents and settings\All Users\Application Data\avg8
2009-05-17 21:06 . 2009-05-17 21:13  --------  d-----w  c:\program files\EsetOnlineScanner
2009-05-17 15:22 . 2009-05-17 15:22  --------  d-----w  c:\program files\Trend Micro
2009-05-15 00:16 . 2009-05-15 00:16  --------  d-----w  c:\program files\AVG
2009-05-14 12:57 . 2009-05-14 12:57  --------  d-----w  c:\documents and settings\me\Application Data\Malwarebytes
2009-05-14 12:57 . 2009-05-14 12:57  --------  d-----w  c:\documents and settings\All Users\Application Data\Malwarebytes
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-19 08:07 . 2004-11-16 05:28  37415  ----a-w  c:\windows\nsreg.dat
2009-05-16 22:11 . 2008-12-07 07:27  --------  d-----w  c:\program files\Lavasoft
2009-05-16 07:57 . 2005-12-27 19:43  1264  ----a-w  c:\documents and settings\me\Application Data\wklnhst.dat
2009-05-07 18:55 . 2008-11-22 00:51  --------  d-----w  c:\program files\SpybotSD
2009-05-05 07:31 . 2008-01-24 23:49  664  ----a-w  c:\windows\system32\d3d9caps.dat
2009-04-27 03:41 . 2005-10-24 03:54  --------  d-----w  c:\program files\DivX
2008-12-12 07:42 . 2006-01-13 03:55  67696  ----a-w  c:\program files\mozilla firefox\components\jar50.dll
2008-12-12 07:42 . 2006-01-13 03:55  54376  ----a-w  c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-12 07:42 . 2007-03-07 13:05  34952  ----a-w  c:\program files\mozilla firefox\components\myspell.dll
2008-12-12 07:42 . 2007-03-07 13:05  46720  ----a-w  c:\program files\mozilla firefox\components\spellchk.dll
2008-12-12 07:42 . 2006-01-13 03:55  172144  ----a-w  c:\program files\mozilla firefox\components\xpinstal.dll
2006-05-03 09:06 . 2007-12-28 03:47  163328  --sh--r  c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2007-12-28 03:47  31232  --sh--r  c:\windows\system32\msfDX.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-18 1947928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2004-12-7 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 18:27 110592 ----a-w c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-18 01:32 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Ramdisk;Ramdisk [ QSoft ];c:\windows\system32\drivers\RAMDisk.sys [9/30/2005 6:04 PM 8192]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/17/2009 6:32 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/17/2009 6:32 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/17/2009 6:31 PM 298776]
R2 PGPmemlock;PGPmemlock;c:\windows\system32\drivers\PGPmemlock.sys [10/9/2005 12:07 PM 6656]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [6/4/2008 10:54 AM 18864]
.
Contents of the 'Scheduled Tasks' folder

2008-11-21 c:\windows\Tasks\FAPZ.job
- c:\util\FAPZ.BAT [2008-03-09 18:26]

2009-05-19 c:\windows\Tasks\GETFAP.job
- c:\util\GETFAP.BAT [2008-11-21 23:19]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\*.windowsupdate
FF - ProfilePath - c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\lifqknpk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.ftp - 12.175.230.60
FF - prefs.js: network.proxy.ftp_port - 80
FF - prefs.js: network.proxy.gopher - 12.175.230.60
FF - prefs.js: network.proxy.gopher_port - 80
FF - prefs.js: network.proxy.http - 12.175.230.60
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.socks - 12.175.230.60
FF - prefs.js: network.proxy.socks_port - 80
FF - prefs.js: network.proxy.ssl - 12.175.230.60
FF - prefs.js: network.proxy.ssl_port - 80
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-19 01:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(3496)
c:\windows\system32\msi.dll
.
Completion time: 2009-05-19  1:23
ComboFix-quarantined-files.txt  2009-05-19 08:23

Pre-Run: 3,465,932,800 bytes free
Post-Run: 3,457,183,744 bytes free

123  --- E O F --- 2008-11-22 00:18
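A few lines in a log like this are what a reviewer actually reads first: the Windows Firewall standard profile with "EnableFirewall"= 0, every Firefox network.proxy.* host set to the same address (12.175.230.60, port 80) with network.proxy.type = 2, and two DLLs in system32 carrying the --sh--r attribute set (system, hidden, read-only) while everything else around them is ----a-w. The script below is an added triage helper, not part of ComboFix or of this post; it parses those three line shapes from a flattened ComboFix log and returns review items. The sample lines are constructed from the log above, the regular expressions are my own guess at the field layout (date . date, size or dashes, seven-character attribute field, path), and a returned item means "look at this", not a malware verdict.

```python
"""Triage helper for flattened ComboFix-style logs (added example, not ComboFix code).

Parses three line shapes seen in the log above and returns review items:
  * file entries   "2009-05-19 07:48 . 2009-04-06 22:32 15504 ----a-w c:\\path"
  * Firefox prefs  "FF - prefs.js: network.proxy.http - 12.175.230.60"
  * firewall keys  '"EnableFirewall"= 0 (0x0)'
Field layout below is an assumption from the posted log, not a ComboFix spec.
"""
import ipaddress
import re

# created . modified, size (digits) or a dash run (directories), 7-char attribute field, path
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{7})\s+(?P<path>.+?)\s*$"
)
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<value>.+?)\s*$")
FIREWALL_RE = re.compile(r'^"EnableFirewall"= (?P<val>\d+)')

PROXY_HOST_KEYS = ("network.proxy.http", "network.proxy.ssl", "network.proxy.ftp",
                   "network.proxy.socks", "network.proxy.gopher")

# Constructed sample: a handful of lines copied from the log above.
SAMPLE_LOG = r"""
2009-05-19 07:48 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-19 07:48 . 2009-05-19 07:48 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2006-05-03 09:06 . 2007-12-28 03:47 163328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2007-12-28 03:47 31232 --sh--r c:\windows\system32\msfDX.dll
"EnableFirewall"= 0 (0x0)
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.http - 12.175.230.60
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.ssl - 12.175.230.60
FF - prefs.js: network.proxy.type - 2
""".strip().splitlines()


def parse_file_entry(line):
    """Return a dict for a file/directory entry line, or None if the line is something else."""
    m = FILE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["is_dir"] = d["attrs"].startswith("d")
    d["size"] = None if d["size"].startswith("-") else int(d["size"])
    return d


def file_findings(entry):
    """Flag non-directory entries under system32 that are system+hidden+read-only at once."""
    attrs, path = entry["attrs"], entry["path"].lower()
    unusual = "s" in attrs and "h" in attrs and "r" in attrs
    if not entry["is_dir"] and unusual and "\\system32\\" in path:
        return [f"system+hidden+read-only file in system32, review: {entry['path']}"]
    return []


def proxy_findings(prefs):
    """Flag proxy hosts that are neither loopback nor private, and any non-direct proxy type."""
    out = []
    for key, host in sorted((k, v) for k, v in prefs.items() if k in PROXY_HOST_KEYS):
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            out.append(f"{key} is hostname {host}; resolve and review")
            continue
        if not (ip.is_private or ip.is_loopback):
            out.append(f"{key} points at public address {host}; review")
    ptype = prefs.get("network.proxy.type")
    if ptype is not None and ptype != "0":
        out.append(f"network.proxy.type is {ptype} (0 = direct connection, no proxy)")
    return out


def triage(lines):
    """Run every line through the three parsers and collect review items."""
    findings, prefs = [], {}
    for raw in lines:
        line = raw.strip()
        entry = parse_file_entry(line)
        if entry:
            findings.extend(file_findings(entry))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            prefs[m.group("key")] = m.group("value")
            continue
        m = FIREWALL_RE.match(line)
        if m and m.group("val") == "0":
            findings.append("Windows Firewall disabled (EnableFirewall=0) in the standard profile")
    findings.extend(proxy_findings(prefs))
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item)
```

Run against the sample it reports the two --sh--r DLLs, the disabled firewall, the two public proxy hosts and the non-zero proxy type; the full log would add the ftp, gopher and socks entries. Private and loopback proxies are deliberately left alone, since a local filtering proxy is a normal configuration.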