ComboFix 10-01-04.01 - User 10.01.2010 22:48:10.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.499 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100110-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\khq
c:\windows\system32\msvcrt2.dll
c:\windows\system32\twain.dll
D:\khq
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ICF
((((((((((((((((((((((((( Files Created from 2009-12-10 to 2010-01-10 )))))))))))))))))))))))))))))))
.
2010-01-10 15:25 . 2010-01-10 15:25 -------- d-----w- c:\windows\system32\scripting
2010-01-10 15:25 . 2010-01-10 15:25 -------- d-----w- c:\windows\l2schemas
2010-01-10 15:25 . 2010-01-10 15:25 -------- d-----w- c:\windows\system32\en
2010-01-10 15:25 . 2010-01-10 15:25 -------- d-----w- c:\windows\system32\bits
2010-01-10 14:20 . 2010-01-10 14:20 -------- d-sh--w- c:\documents and settings\User\PrivacIE
2010-01-10 14:19 . 2010-01-10 14:19 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-01-10 14:17 . 2010-01-10 14:17 -------- d-sh--w- c:\documents and settings\User\IETldCache
2010-01-10 14:12 . 2009-10-29 07:45 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-01-10 14:12 . 2009-10-29 07:45 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-10 14:12 . 2009-10-29 07:45 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-10 14:12 . 2009-10-29 07:45 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-10 14:12 . 2009-10-29 07:45 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-01-10 14:12 . 2009-10-29 07:45 11069952 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-01-10 14:12 . 2010-01-10 14:13 -------- d-----w- c:\windows\ie8updates
2010-01-10 14:12 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-01-10 14:09 . 2010-01-10 14:11 -------- dc-h--w- c:\windows\ie8
2010-01-10 13:39 . 2004-08-03 21:41 11868 ------w- c:\windows\system32\drivers\mdmxsdk.sys
2010-01-10 13:39 . 2004-08-03 21:41 1041536 ------w- c:\windows\system32\drivers\hsfdpsp2.sys
2010-01-10 13:39 . 2004-08-03 21:41 685056 ------w- c:\windows\system32\drivers\hsfcxts2.sys
2010-01-10 13:39 . 2004-08-03 21:41 220032 ------w- c:\windows\system32\drivers\hsfbs2s2.sys
2010-01-10 13:11 . 2010-01-10 13:11 -------- d-----w- c:\program files\MSXML 6.0
2010-01-10 13:02 . 2010-01-10 15:21 -------- d-----w- c:\windows\ServicePackFiles
2010-01-10 12:09 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-01-10 12:09 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-01-10 12:09 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2010-01-10 12:09 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-01-10 12:09 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-01-10 12:09 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-01-10 12:09 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2010-01-10 12:09 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-01-10 12:09 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-01-10 12:09 . 2009-08-04 15:13 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-01-10 12:09 . 2009-08-04 19:44 2189184 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-01-10 12:09 . 2009-08-04 14:20 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-10 11:58 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-01-10 11:55 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-01-10 11:55 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-01-10 11:46 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-01-10 11:45 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-10 11:45 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2010-01-10 11:44 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-01-10 11:12 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-01-10 11:05 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-01-10 11:05 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-01-10 10:32 . 2010-01-10 10:32 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-01-10 10:32 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-10 10:32 . 2010-01-10 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-10 10:32 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-10 10:32 . 2010-01-10 10:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-10 10:08 . 2001-08-17 11:11 66591 -c--a-w- c:\windows\system32\dllcache\el90xbc5.sys
2010-01-10 10:08 . 2001-08-17 11:11 66591 ----a-w- c:\windows\system32\drivers\el90xbc5.sys
2010-01-05 22:07 . 2010-01-10 13:23 81984 ----a-w- c:\windows\system32\bdod.bin
2010-01-05 21:59 . 2010-01-10 13:40 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-01-05 21:56 . 2010-01-10 13:41 -------- d-----w- c:\program files\Common Files\Softwin
2010-01-04 08:55 . 2010-01-05 23:00 -------- d-----w- c:\windows\system32\Z
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-10 22:00 . 2009-04-18 08:05 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2010-01-10 18:07 . 2007-06-19 08:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-10 15:29 . 2007-06-15 10:56 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-07 16:17 . 2009-04-18 08:30 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-07 16:17 . 2009-04-18 08:30 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-06 11:07 . 2008-03-21 14:42 1632 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-06 11:06 . 2007-12-18 19:14 26 ----a-w- c:\windows\popcinfo.dat
2010-01-05 21:18 . 2009-06-22 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-26 14:16 . 2008-01-19 18:11 -------- d-----w- c:\program files\Ricochet Lost Worlds
2009-12-24 07:18 . 2007-06-16 09:22 434120 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-23 08:35 . 2009-05-01 18:25 1744 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-20 13:49 . 2008-01-29 13:52 45056 ----a-w- c:\windows\NCUNINST.EXE
2009-12-20 10:36 . 2009-04-19 13:34 -------- d-----w- c:\program files\Star Defender 4
2009-12-01 08:46 . 2009-08-18 10:45 471040 ----a-w- c:\windows\HarryPotter Hogwarts.scr
2009-12-01 08:46 . 2009-08-18 10:45 12288 ----a-w- c:\windows\impborl.dll
2009-11-24 23:54 . 2009-04-18 07:58 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-04-18 07:59 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-04-18 07:59 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2009-09-03 07:10 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-09-03 07:10 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2009-04-18 07:59 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-04-18 07:59 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-04-18 07:59 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-04-18 07:59 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-10-29 07:45 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-13 10:30 . 2004-08-04 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}"= "c:\program files\MyPlayCity\tbMyP1.dll" [2009-11-11 2166296]
[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]
2009-11-11 22:04 2166296 ----a-w- c:\program files\MyPlayCity\tbMyP1.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}"= "c:\program files\MyPlayCity\tbMyP1.dll" [2009-11-11 2166296]
[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4724C5D8-DFA7-417A-A2F5-1EABFEE9B4AC}"= "c:\program files\MyPlayCity\tbMyP1.dll" [2009-11-11 2166296]
[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-03-30 25263144]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GhostStartTrayApp"="c:\program files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" [2003-05-28 94208]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-24 132496]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-10-20 98304]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-6-15 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Google\\Google Updater\\GoogleUpdater.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"8014:TCP"= 8014:TCP:nemgo
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/3/2009 8:10 AM 114768]
R1 GhPciScan;GhostPciScanner;c:\program files\Norton SystemWorks\Norton Ghost\GhPciScan.sys [5/28/2003 6:01 PM 5632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/3/2009 8:10 AM 20560]
R2 NProtectService;Norton Unerase Protection;c:\progra~1\NORTON~1\NORTON~2\NPROTECT.EXE [9/10/2003 4:26 AM 81920]
R2 V7;V7;c:\windows\system32\drivers\V7.SYS [8/30/2007 9:37 AM 7196]
R3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);c:\windows\system32\drivers\adm8830.sys [6/15/2007 1:45 PM 747392]
S2 dawnzyo;Network Update;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 1:00 PM 14336]
S3 ZD1211U(OvisLink);OvisLink WL-5480USB WLAN USB Driver(OvisLink);c:\windows\system32\drivers\ZD1211U.sys [6/18/2007 10:59 AM 247296]
S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;c:\windows\system32\ZDBRGSYS.sys [6/18/2007 10:59 AM 19200]
S4 OneStepSrch Service;OneStepSrch Service;"c:\documents and settings\All Users\Application Data\OneStepSrch\onestep210.exe" "c:\program files\OneStepSrch\onestep.dll" Service --> c:\documents and settings\All Users\Application Data\OneStepSrch\onestep210.exe [?]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dawnzyo
.
Contents of the 'Scheduled Tasks' folder
2010-01-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-19 20:23]
2010-01-01 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2003-09-12 18:16]
2009-10-20 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-04-22 13:37]
2010-01-10 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-07-30 16:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ba/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-BitTorrent - c:\program files\BitTorrent\bittorrent.exe
SafeBoot-gdesjvru.sys
SafeBoot-qinxzmkt.sys
ActiveSetup-{YMS03AB-B707-11d2-9CBD-0000F87A369E} - c:\windows\conime.exe
AddRemove-HijackThis - c:\documents and settings\User\Desktop\HijackThis.exe
AddRemove-ElectroAirHockey - c:\program files\Electrotank\ElectroAirHockey\uninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-01-10 23:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dawnzyo]
"ServiceDll"="c:\windows\system32\zfcfft.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3144)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\progra~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Java\jre1.6.0_03\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-01-10 23:10:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-10 22:10
Pre-Run: 7.728.431.104 bytes free
Post-Run: 7.608.274.944 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - BA20B1B3DA6A0E420883AF863554A763