ComboFix 12-05-03.01 - Reginald 05/03/2012   9:01.3.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2037.1550 [GMT -5:00]
Running from: i:\geeks\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
(((((((((((((((((((((((((   Files Created from 2012-04-03 to 2012-05-03  )))))))))))))))))))))))))))))))
.
.
2012-05-03 13:20 . 2012-05-03 13:20    --------    d-----w-    C:\_OTL
2012-05-02 13:55 . 2012-05-02 13:55    --------    d-----w-    C:\TDSSKiller_Quarantine
2012-05-01 17:53 . 2012-05-02 14:03    --------    d-----w-    c:\windows\system32\drivers\AVG
2012-04-30 20:26 . 2012-04-30 20:26    --------    d--h--w-    c:\documents and settings\All Users\Application Data\CanonBJ
2012-04-30 16:54 . 2012-04-30 16:54    --------    d-----w-    c:\documents and settings\Reginald\Application Data\Apple Computer
2012-04-30 16:11 . 2011-07-14 16:28    367616      ----a-w-    c:\windows\system32\hpbrprtmon.dll
2012-04-30 16:11 . 2011-07-14 16:28    180224      ----a-w-    c:\windows\system32\hpbprtmon.dll
2012-04-30 16:11 . 2011-07-14 16:28    148480      ----a-w-    c:\windows\system32\hpbprtmonui.dll
2012-04-30 16:11 . 2011-07-14 16:28    1332736     ----a-w-    c:\windows\system32\Spool\prtprocs\w32x86\hpbfpp1101.dll
2012-04-30 16:07 . 2012-04-30 20:22    --------    d-----w-    C:\ePrint Mobil
2012-04-30 16:05 . 2012-04-30 16:05    --------    d-----w-    c:\documents and settings\Reginald\Local Settings\Application Data\HP
2012-04-30 16:01 . 2012-04-30 16:01    --------    d-----w-    c:\documents and settings\Reginald\Local Settings\Application Data\MicroVision Applications
2012-04-30 15:50 . 2012-04-30 15:50    418464      ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2012-04-30 15:48 . 2012-04-30 15:48    --------    d-----w-    c:\documents and settings\Reginald\Application Data\AVG2012
2012-04-30 15:47 . 2012-04-30 15:47    --------    d--h--w-    c:\documents and settings\All Users\Application Data\Common Files
2012-04-30 15:45 . 2012-05-01 17:53    --------    d-----w-    C:\$AVG
2012-04-30 15:45 . 2012-05-01 18:27    --------    d-----w-    c:\documents and settings\All Users\Application Data\AVG2012
2012-04-30 15:44 . 2012-04-30 15:44    --------    d-----w-    c:\program files\AVG
2012-04-30 15:42 . 2012-05-03 12:28    --------    d-----w-    c:\documents and settings\All Users\Application Data\MFAData
2012-04-30 15:36 . 2012-04-30 15:37    159744      ----a-w-    c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2012-04-30 15:36 . 2012-04-30 15:37    159744      ----a-w-    c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2012-04-30 15:36 . 2012-04-30 15:37    159744      ----a-w-    c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2012-04-30 15:36 . 2012-04-30 15:37    159744      ----a-w-    c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2012-04-30 15:36 . 2012-04-30 15:37    159744      ----a-w-    c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2012-04-30 15:36 . 2012-04-30 15:37    159744      ----a-w-    c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2012-04-30 15:36 . 2012-04-30 15:37    159744      ----a-w-    c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2012-04-30 15:36 . 2012-04-30 15:37    --------    d-----w-    c:\program files\QuickTime
2012-04-30 15:34 . 2012-04-30 15:34    --------    d-----w-    c:\program files\Apple Software Update
2012-04-30 15:32 . 2012-04-30 15:32    --------    d-----w-    c:\program files\Common Files\Java
2012-04-30 15:32 . 2012-04-30 15:32    772552      ----a-w-    c:\windows\system32\npDeployJava1.dll
2012-04-30 15:32 . 2012-04-30 15:32    143872      ----a-w-    c:\windows\system32\javacpl.cpl
2012-04-30 14:30 . 2012-05-03 13:21    --------    d-----w-    c:\windows\system32\CatRoot2
2012-04-27 15:48 . 2012-04-27 15:48    --------    d-----w-    c:\documents and settings\Cathy\Application Data\Malwarebytes
2012-04-27 15:37 . 2012-04-27 15:37    --------    d-----w-    c:\documents and settings\Reginald\Application Data\Visan
2012-04-27 13:09 . 2012-04-27 13:09    --------    d-----w-    c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-04-20 03:42 . 2012-04-20 03:42    --------    d-----w-    c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-04-19 09:50 . 2012-04-19 09:50    24896       ----a-w-    c:\windows\system32\drivers\avgidshx.sys
2012-04-04 05:53 . 2012-04-04 05:53    182160      ----a-w-    c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-30 15:50 . 2011-05-11 00:35    70304       ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-30 15:32 . 2010-05-04 15:26    687560      ----a-w-    c:\windows\system32\deployJava1.dll
2012-04-04 20:56 . 2011-05-09 01:52    22344       ----a-w-    c:\windows\system32\drivers\mbam.sys
2012-03-19 10:17 . 2012-02-22 10:25    301248      ----a-w-    c:\windows\system32\drivers\avgtdix.sys
2012-03-01 11:01 . 2004-08-10 17:51    916992      ----a-w-    c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-10 17:51    43520       ----a-w-    c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-10 17:51    1469440     ----a-w-    c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2004-08-10 17:51    177664      ----a-w-    c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2004-08-10 17:51    148480      ----a-w-    c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-10 17:51    385024      ----a-w-    c:\windows\system32\html.iec
2012-02-22 10:25 . 2012-02-22 10:25    235216      ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2012-02-07 16:02 . 2012-02-07 16:02    1070352     ----a-w-    c:\windows\system32\MSCOMCTL.OCX
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-05-01_14.12.29   )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-03 13:21 . 2012-05-03 13:21    16384      c:\windows\Temp\Perflib_Perfdata_61c.dat
+ 2012-01-31 09:46 . 2012-01-31 09:46    31952      c:\windows\system32\drivers\avgrkx86.sys
+ 2011-12-23 18:32 . 2011-12-23 18:32    41040      c:\windows\system32\drivers\avgmfx86.sys
+ 2011-12-23 18:32 . 2011-12-23 18:32    17232      c:\windows\system32\drivers\avgidsshimx.sys
+ 2011-12-23 18:32 . 2011-12-23 18:32    24144      c:\windows\system32\drivers\avgidsfilterx.sys
+ 2008-05-21 01:46 . 2012-05-02 19:01    32768      c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-21 01:46 . 2012-04-30 21:04    32768      c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-21 01:46 . 2012-05-02 19:01    32768      c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-21 01:46 . 2012-04-30 21:04    32768      c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-07-19 02:28 . 2012-05-02 19:01    16384      c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2011-07-19 02:28 . 2012-04-30 21:04    16384      c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2012-05-02 19:01 . 2012-05-02 19:01    16384      c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-05-21 01:46 . 2012-04-30 21:04    16384      c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-12-23 18:32 . 2011-12-23 18:32    139856     c:\windows\system32\drivers\avgidsdriverx.sys
+ 2012-05-01 17:53 . 2012-05-01 17:53    2208768    c:\windows\Installer\cd14ce.msi
+ 2012-05-02 14:05 . 2012-05-02 14:05    5163520    c:\windows\Installer\6978f.msi
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-30 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 138008]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-05-11 30192]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
c:\documents and settings\Cathy\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\Reginald\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-04-30 03:50    10536    ----a-w-    c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [1/31/2012 4:46 AM 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2/22/2012 5:25 AM 235216]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2/22/2012 5:25 AM 301248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/14/2012 4:53 AM 193288]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [12/23/2011 1:32 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 17232]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [4/8/2012 11:27 AM 5158992]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/10/2011 8:11 PM 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/30/2012 10:50 AM 253600]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [4/29/2008 10:48 PM 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/10/2011 8:11 PM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-30 15:50]
.
2012-05-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-30 22:51]
.
2012-05-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-11 01:11]
.
2012-05-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-11 01:11]
.
2012-05-03 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\MessageCheck.exe [2012-03-11 19:10]
.
2012-05-03 c:\windows\Tasks\HP Photo Creations Messager.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\MessageCheck.exe [2012-03-11 19:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyServer = 10.24.32.3:3128
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: {{68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\AVG\AVG2012\avgdtiex.dll
TCP: Interfaces\{F8516821-161E-4818-A30F-13FC6C82F5D5}: NameServer = 10.24.32.2
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-03 09:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,e3,72,78,95,92,1d,4e,8a,9f,34,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,e3,72,78,95,92,1d,4e,8a,9f,34,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(752)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(2952)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2012-05-03  09:08:23
ComboFix-quarantined-files.txt  2012-05-03 14:08
ComboFix2.txt  2012-05-02 13:47
ComboFix3.txt  2012-05-01 14:15
.
Pre-Run: 473,722,040,320 bytes free
Post-Run: 473,832,562,688 bytes free
.
- - End Of File - - C80B23C1DC64249B301D163863B86C6A