ComboFix 13-04-08.03 - User 04/08/2013 19:15:38.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1791.1177 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2013-03-08 to 2013-04-08 )))))))))))))))))))))))))))))))
.
.
2013-03-26 19:10 . 2013-03-26 19:10 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-03-23 22:14 . 2013-03-23 22:14 -------- d-----w- c:\windows\system32\wbem\Repository
2013-03-23 22:13 . 2013-03-23 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-03-23 22:13 . 2013-03-23 22:13 -------- d-----w- c:\program files\Bonjour
2013-03-23 22:13 . 2013-03-23 22:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-03-22 22:57 . 2013-03-23 22:13 -------- d-s---w- c:\documents and settings\Administrator
2013-03-21 19:47 . 2013-03-21 21:54 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\NPE
2013-03-21 16:41 . 2013-03-22 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2013-03-17 01:02 . 2013-03-06 22:33 49248 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-03-17 01:02 . 2013-03-06 22:33 164736 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-03-17 01:02 . 2013-03-06 22:33 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-20 19:13 . 2012-05-25 09:22 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-20 19:13 . 2011-05-17 19:47 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-06 22:33 . 2011-08-19 15:13 368176 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-03-06 22:33 . 2011-08-19 15:13 62376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-03-06 22:33 . 2011-08-19 15:13 49760 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-03-06 22:33 . 2011-08-19 15:13 765736 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-03-06 22:33 . 2011-08-19 15:13 29816 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-03-06 22:32 . 2011-08-19 15:13 41664 ----a-w- c:\windows\avastSS.scr
2013-03-06 22:32 . 2011-08-19 15:13 228600 ----a-w- c:\windows\system32\aswBoot.exe
2013-03-05 18:47 . 2013-03-05 18:47 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-05 18:47 . 2011-12-31 15:47 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-03-05 18:47 . 2012-10-14 17:38 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-05 18:47 . 2010-08-20 02:32 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-08 17:17 . 2013-03-08 17:17 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-03-06 22:32 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-05 23:12 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-05 23:12 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-05 23:12 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-05 23:12 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-03-06 4767304]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-06-25 98304]
"SetDefPrt"="c:\program files\Brother\Brmfl03a\BrStDvPt.exe" [2003-07-10 45056]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 22:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 07:01 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-07-02 11:11 18665472 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-01-08 19:45 18708224 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 13:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2013-01-24 23:28 4763008 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\User\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [3/16/2013 9:02 PM 49248]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/19/2011 11:13 AM 765736]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/19/2011 11:13 AM 368176]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [7/11/2012 2:54 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/19/2011 11:13 AM 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [3/16/2013 9:02 PM 66336]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [10/23/2009 12:25 PM 22328]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/23/2009 12:47 PM 1684736]
S3 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [3/16/2013 9:02 PM 164736]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2/12/2010 10:41 AM 2944]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2/12/2010 10:40 AM 61952]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2/12/2010 10:41 AM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2/12/2010 10:41 AM 10368]
S3 EraserUtilDrv11220;EraserUtilDrv11220;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11220.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11220.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [3/26/2013 3:10 PM 40776]
S3 MSICDSetup;MSICDSetup;\??\d:\cdriver.sys --> d:\CDriver.sys [?]
S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [1/8/2013 3:41 PM 161536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-03-31 22:55 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.43\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-25 19:13]
.
2013-04-08 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-10-03 22:32]
.
2013-04-08 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 3a296ec9-a9da-49d4-b7cf-df31bd23c436.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = google.com
uInternet Settings,ProxyServer = http=;ftp=;https=;
uInternet Settings,ProxyOverride = *.local
IE: Download with Mipony - file://c:\program files\MiPony\Browser\IEContext.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\jat6louc.default\
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-APSDaemon - c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
MSConfigStartUp-DivXUpdate - c:\program files\DivX\DivX Update\DivXUpdate.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
AddRemove-WinLiveSuite_Wave3 - c:\program files\Windows Live\Installer\wlarp.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2013-04-08 19:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-796845957-1659004503-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{01767313-9EF8-ED95-4E34-0FCCA27F3724}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(432)
c:\windows\system32\WININET.dll
c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2013-04-08 19:30:21
ComboFix-quarantined-files.txt 2013-04-08 23:30
.
Pre-Run: 627,417,583,616 bytes free
Post-Run: 628,142,096,384 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 3B716FE07C666B421FB96670DD398748