ComboFix 08-12-11.06 - veronique 2008-12-12 19:43:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.615 [GMT 1:00]
Running from: c:\documents and settings\veronique\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Accoona
c:\program files\Accoona\tbquiesce.exe
c:\program files\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-12 to 2008-12-12 )))))))))))))))))))))))))))))))
.

2008-12-12 19:29 . 2008-12-12 19:29 d--h----- C:\$AVG8.VAULT$
2008-12-12 19:25 . 2008-12-12 19:25 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-12 19:25 . 2008-12-12 19:25 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-12 19:25 . 2008-12-12 19:25 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-12 19:24 . 2008-12-12 19:26 d-------- c:\windows\system32\drivers\Avg
2008-12-12 19:24 . 2008-12-12 19:24 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-12 19:24 . 2008-12-12 19:24 d-------- c:\program files\AVG
2008-12-12 19:24 . 2008-12-12 19:24 d-------- c:\documents and settings\veronique\Application Data\Malwarebytes
2008-12-12 19:24 . 2008-12-12 19:24 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-12 19:24 . 2008-12-12 19:24 d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-12 19:24 . 2008-12-12 19:24 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-12 19:24 . 2008-12-12 19:24 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-12 19:24 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-12 19:24 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-12 19:21 . 2008-12-12 19:21 d-------- c:\program files\CCleaner
2008-12-12 18:39 . 2008-12-12 18:39 d-------- c:\program files\Trend Micro
2008-12-12 17:54 . 2008-12-12 17:54 d-------- c:\windows\system32\scripting
2008-12-12 17:54 . 2008-12-12 17:54 d-------- c:\windows\system32\en
2008-12-12 17:54 . 2008-12-12 17:54 d-------- c:\windows\system32\bits
2008-12-12 17:54 . 2008-12-12 17:54 d-------- c:\windows\l2schemas
2008-12-12 17:52 . 2008-12-12 17:52 d-------- c:\windows\ServicePackFiles
2008-12-12 17:44 . 2008-12-12 17:44 d-------- c:\windows\EHome
2008-11-13 13:37 . 2008-10-24 12:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 18:25 --------- d-----w c:\program files\Java
2008-12-12 18:19 --------- d-----w c:\program files\Google
2008-12-12 18:18 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-12 18:15 --------- d-----w c:\program files\Teamspeak2_RC2
2008-12-12 18:06 --------- d-----w c:\program files\GameSpy Arcade
2008-12-12 18:03 --------- d-----w c:\program files\EA GAMES
2008-12-12 17:51 --------- d-----w c:\program files\Common Files\Borland Shared
2008-12-12 17:46 --------- d-----w c:\program files\BearShare
2008-12-12 17:37 --------- d-----w c:\program files\MSN Messenger
2008-12-01 09:29 1,680 ----a-w c:\documents and settings\veronique\Application Data\wklnhst.dat
2008-11-15 10:05 1,220 ----a-w c:\documents and settings\joseph\Application Data\wklnhst.dat
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-05-19 19:47 64,792 ----a-w c:\documents and settings\joseph\Application Data\GDIPFONTCACHEV1.DAT
2007-10-14 12:54 64,792 ----a-w c:\documents and settings\veronique\Application Data\GDIPFONTCACHEV1.DAT
2005-08-19 12:35 49,272,232 ----a-w c:\program files\[u]0[/u]compressed.zip
2005-08-19 12:35 1,391 ----a-w c:\program files\common_filelist.txt
2005-08-19 12:34 733,184 ----a-w c:\program files\AutoRun.exe
2005-08-19 12:34 339,968 ----a-w c:\program files\eauninstall.exe
2005-08-19 12:30 4,124,672 ----a-w c:\program files\fifa06 demo.exe
2005-08-05 00:15 585,728 ----a-w c:\program files\AutoRunGUI.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Acewma"="c:\docume~1\VERONI~1\APPLIC~1\LOUDME~1\Live enc.exe" [2008-06-13 460288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-09-20 4583424]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-02-06 1757184]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-12 136600]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-06-14 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-11 282624]
"ante cast ooze tray"="c:\documents and settings\All Users\Application Data\Bin Wait Ante Cast\Admin Exit.exe" [2008-12-12 9005568]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-12 1261336]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-11-02 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-11-29 c:\windows\ALCWZRD.EXE]
"nwiz"="nwiz.exe" [2004-09-20 c:\windows\system32\nwiz.exe]
"PRISMSTA.EXE"="PRISMSTA.EXE" [2003-08-04 c:\windows\system32\PRISMSTA.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [1/7/2005 4:12:47 PM 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [11/16/2006 8:21:26 PM 389120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8767:UDP"= 8767:UDP:TS2
"8786:UDP"= 8786:UDP:ts2

*Newly Created Service* - AVG8EMC
*Newly Created Service* - AVG8WD
*Newly Created Service* - AVGLDX86
*Newly Created Service* - AVGMFX86
*Newly Created Service* - AVGTDIX
*Newly Created Service* - JAVAQUICKSTARTERSERVICE
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-12 c:\windows\Tasks\AA1C9457918B0647.job
- c:\docume~1\joseph\applic~1\loudme~1\Math Aim 32.exe [2008-06-13 13:51]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-(Default) - (no file)
BHO-{944864A5-3916-46E2-96A9-A2E84F3F1208} - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hln.be/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.accoona.com/search?q=%s
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-12 19:45:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-12 19:46:57
ComboFix-quarantined-files.txt 2008-12-12 18:46:55

Pre-Run: 218,554,503,168 bytes free
Post-Run: 218,801,397,760 bytes free

168 --- E O F --- 2008-12-12 17:02:16