Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2038.989 [GMT -5:00]
Running from: c:\users\MichelleC\Desktop\zzz.exe
Command switches used :: c:\users\MichelleC\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2010-11-04 to 2010-12-04 )))))))))))))))))))))))))))))))
.
2010-12-04 02:30 . 2010-12-04 02:30 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-12-04 02:30 . 2010-12-04 02:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-30 21:21 . 2010-11-30 21:21 -------- d-----w- c:\program files\ESET
2010-11-29 12:22 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8BF8DE9E-5DF2-4C56-8C05-84FB5ED6D857}\mpengine.dll
2010-11-26 23:27 . 2010-11-26 23:27 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-11-26 23:19 . 2010-11-26 23:19 -------- d-----w- c:\program files\CCleaner
2010-11-26 23:14 . 2010-11-26 23:14 -------- d-----w- C:\!KillBox
2010-11-26 20:24 . 2010-11-26 23:50 -------- d-----w- c:\program files\Sophos
2010-11-26 18:45 . 2010-11-26 18:45 35 ----a-w- c:\users\MichelleC\AppData\Roaming\SetValue.bat
2010-11-26 18:45 . 2010-11-26 18:45 691 ----a-w- c:\users\MichelleC\AppData\Roaming\GetValue.vbs
2010-11-26 17:27 . 2010-09-22 06:05 110752 ----a-w- c:\windows\system32\IPROSetMonitor.exe
2010-11-26 17:26 . 2010-11-26 17:27 -------- d-----w- c:\program files\Intel
2010-11-26 17:02 . 2010-11-26 17:02 -------- d-----w- C:\TDSSKiller_Quarantine
2010-11-26 16:54 . 2010-11-26 19:25 -------- d-----w- c:\windows\system32\catroot2
2010-11-26 14:54 . 2010-11-26 14:54 -------- d-----w- c:\program files\Common Files\Java
2010-11-26 14:53 . 2010-09-15 09:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-26 13:16 . 2010-05-23 10:11 196608 ----a-w- c:\windows\system32\mfreadwrite.dll
2010-11-26 13:16 . 2010-05-23 10:15 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL
2010-11-26 13:16 . 2010-05-23 10:11 3181568 ----a-w- c:\windows\system32\mf.dll
2010-11-26 13:16 . 2010-08-16 06:15 804864 ----a-w- c:\windows\system32\FntCache.dll
2010-11-26 13:16 . 2010-08-16 06:14 1076224 ----a-w- c:\windows\system32\DWrite.dll
2010-11-26 13:16 . 2010-08-16 06:14 737280 ----a-w- c:\windows\system32\d2d1.dll
2010-11-26 13:16 . 2010-08-16 06:14 218624 ----a-w- c:\windows\system32\d3d10_1core.dll
2010-11-26 13:16 . 2010-08-16 06:14 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2010-11-26 13:15 . 2010-05-09 09:15 279552 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2010-11-26 13:15 . 2010-05-09 09:15 135168 ----a-w- c:\windows\system32\XpsRasterService.dll
2010-11-26 13:15 . 2010-06-26 05:14 1495040 ----a-w- c:\windows\system32\ExplorerFrame.dll
2010-11-26 13:14 . 2010-11-26 13:14 -------- d-----w- c:\program files\Feedback Tool
2010-11-23 20:42 . 2010-11-23 20:42 -------- d-----w- c:\program files\iPod
2010-11-23 20:37 . 2010-11-23 20:37 -------- d-----w- c:\program files\Apple Software Update
2010-11-23 20:36 . 2010-11-23 20:36 -------- d-----w- c:\program files\Bonjour
2010-11-09 16:46 . 2010-11-09 16:46 -------- d-----w- C:\my dvd
2010-11-09 16:42 . 2010-11-09 16:50 -------- d-----w- c:\program files\Easy DVD Creator
2010-11-06 16:37 . 2010-11-06 16:37 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-12 17:43 . 2010-10-12 17:43 183808 ----a-w- c:\windows\system32\Ncs2Setp.dll
2010-10-11 21:19 . 2010-10-11 21:19 642680 ----a-w- c:\windows\system32\ncs2dmix.dll
2010-10-11 21:19 . 2010-10-11 21:19 509560 ----a-w- c:\windows\system32\accesor.dll
2010-10-11 20:53 . 2010-10-11 20:53 134776 ----a-w- c:\windows\system32\ncs2instutility.dll
2010-10-11 20:34 . 2010-10-11 20:34 1843832 ----a-w- c:\windows\system32\ncscolib.dll
2010-10-07 17:23 . 2010-10-07 17:23 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 17:23 . 2010-10-07 17:23 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-10-07 17:23 . 2010-10-07 17:23 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 17:23 . 2010-10-07 17:23 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-10-01 09:39 . 2010-09-29 10:57 0 ----a-w- c:\users\MichelleC\AppData\Local\Axequh.bin
2010-09-28 20:44 . 2010-09-28 20:44 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-09-28 20:44 . 2010-09-28 20:44 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-09-20 09:32 . 2010-09-20 09:32 136416 ----a-w- c:\windows\system32\drivers\iANSW60.sys
2010-09-17 09:02 . 2010-09-17 09:02 30368 ----a-w- c:\windows\system32\drivers\iqvw32.sys
2010-09-09 11:03 . 2010-09-09 11:03 239768 ----a-w- c:\windows\system32\PRONtObj.dll
2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-07 15:12 . 2010-07-15 22:05 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-07-15 22:05 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-07-15 22:06 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-07-15 22:06 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-07-15 22:06 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-07-15 22:06 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-09-07 14:47 . 2010-07-15 22:06 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-01 39408]
"Google Update"="c:\users\MichelleC\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"FixCamera"="c:\windows\FixCamera.exe" [2007-02-10 20480]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-03-10 270336]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-11 30192]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
c:\users\MichelleC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\microsoft office\Office14\ONENOTEM.EXE [2010-3-29 227712]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2010-4-16 604008]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOBCA7~1\GoogleDesktopNetwork3.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-21 135664]
R3 dsiarhwprog;dsiarhwprog;c:\windows\system32\Drivers\dsiarhwprog.sys [2007-02-08 29184]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-11 30192]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\F392.tmp [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-09 1343400]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe [2009-10-07 239464]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
S2 esClient;Windows Media Center Client Service;c:\program files\Windows Home Server\esClient.exe [2009-10-07 97128]
S2 HPMSSConnectorSvc;HPMSSConnectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe [2009-10-26 20992]
S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-09-22 110752]
S2 MediaCollectorService;MediaCollectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe [2009-10-26 81920]
S2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [2009-10-07 376680]
S3 BackupReader;BackupReader;c:\windows\system32\DRIVERS\BackupReader.sys [2009-10-07 44776]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - UWLCYUOC
*Deregistered* - uwlcyuoc
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
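The Reg Loading Points section above is where an analyst reads the machine's autostart and policy state, so here is a small triage pass over it as an added example (not ComboFix's own code). `SAMPLE` is a constructed excerpt of the lines above in the same format ComboFix writes; the code parses the REGEDIT4-style key/value lines and the `R`/`S` service lines, compares the UAC policy values with the Windows 7 defaults, and flags a populated `AppInit_DLLs`, any service whose binary the log marks `[x]` (date and size could not be read), and any service that loads from a `.tmp` file. The defaults table and the heuristics are this example's assumptions and mark items for review, not verdicts: the `.tmp` driver MEMSWEEP2 sits next to a `c:\program files\Sophos` directory created the same week, which is consistent with Sophos Anti-Rootkit loading its scan driver; the `[x]` avast drivers have matching `.sys` files in the Find3M list; and the AppInit DLL is Google Desktop's. `EnableLUA=0`, on the other hand, means UAC is off entirely, and the remaining prompt values cannot change that.

```python
"""Triage pass over a ComboFix 'Reg Loading Points' section.

Added example, not ComboFix's own code. SAMPLE is a constructed excerpt of
the log lines above; the defaults table and the heuristics are assumptions
of this example and mark items for review, not verdicts.
"""
import re

# Windows 7 defaults for the UAC policy values that ComboFix prints.
UAC_DEFAULTS = {
    "EnableLUA": 1,                    # 0 turns UAC off entirely
    "ConsentPromptBehaviorAdmin": 5,   # prompt for consent for non-Windows binaries
    "ConsentPromptBehaviorUser": 3,    # prompt for credentials on the secure desktop
    "PromptOnSecureDesktop": 1,
    "EnableUIADesktopToggle": 0,
}

# Constructed excerpt of the section above (same format ComboFix writes).
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOBCA7~1\GoogleDesktopNetwork3.dll
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-21 135664]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\F392.tmp [x]
S1 aswSP;aswSP; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# "Name"= 0 (0x0)  or  "Name"=some\path   (the hex group is present only for DWORDs)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>.*?)\s*(?:\((?P<hex>0x[0-9A-Fa-f]+)\))?$')
# R2 name;display;path [date size]   or   S1 name;display; [x]
SERVICE_RE = re.compile(
    r"^(?P<cls>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$")


def parse_section(text):
    """Return ({key: {value_name: int|str}}, [service dicts])."""
    values, services, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            current = m["key"]
            values.setdefault(current, {})
        elif m := SERVICE_RE.match(line):
            services.append({k: m[k] for k in ("cls", "name", "display", "path", "meta")})
        elif current and (m := VALUE_RE.match(line)):
            values[current][m["name"]] = int(m["hex"], 16) if m["hex"] else m["val"]
    return values, services


def uac_findings(values):
    """UAC policy values that differ from the Windows 7 defaults."""
    key = next((k for k in values if k.lower().endswith(r"\policies\system")), None)
    if key is None:
        return []
    return [f"UAC {name}={values[key][name]} (Windows 7 default {default})"
            for name, default in UAC_DEFAULTS.items()
            if name in values[key] and values[key][name] != default]


def appinit_findings(values):
    """AppInit_DLLs loads the listed DLL into every process that maps user32; review it."""
    return [f"AppInit_DLLs set: {vals['AppInit_DLLs']}"
            for key, vals in values.items()
            if key.lower().endswith(r"\currentversion\windows") and vals.get("AppInit_DLLs")]


def service_findings(services):
    """Services whose binary could not be read ([x]) or that load from a .tmp file."""
    out = []
    for s in services:
        if s["meta"] == "x":
            out.append(f"{s['cls']} {s['name']}: binary not readable [x] ({s['path'] or 'no path'})")
        if s["path"].lower().endswith(".tmp"):
            out.append(f"{s['cls']} {s['name']}: loads from a .tmp file: {s['path']}")
    return out


def triage(text):
    """All findings for one pasted section, in the order the heuristics run."""
    values, services = parse_section(text)
    return uac_findings(values) + appinit_findings(values) + service_findings(services)


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Run against the whole log rather than the excerpt, `parse_section` also swallows the `Run` key entries as strings, so a next step is to check their paths against the user-writable locations (`AppData`, `ProgramData`) in the file list above.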
.
Contents of the 'Scheduled Tasks' folder
2010-12-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-03-01 19:18]
2010-12-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-21 21:27]
2010-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-21 21:27]
2010-12-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4249644563-712330806-2779167662-1000Core.job
- c:\users\MichelleC\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-27 04:38]
2010-12-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4249644563-712330806-2779167662-1000UA.job
- c:\users\MichelleC\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-27 04:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/?ref=hp
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
.
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: ST9160411AS rev.SD13 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-2
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85DCEEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x86ee2872; SUB DWORD [EBP-0x4], 0x86ee212e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x82C58458] -> \Device\Harddisk0\DR0[0x85EB87C8]
3 CLASSPNP[0x88D7E59E] -> ntkrnlpa!IofCallDriver[0x82C58458] -> \IdeDeviceP1T0L0-2[0x85986908]
[0x86102F38] -> IRP_MJ_CREATE -> 0x85DCEEC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-2 -> \??\IDE#DiskST9160411AS_____________________________SD13____#5&286c039e&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
sectors 312581806 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
**************************************************************************
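The detector output above is a cross-view comparison: it reads the MBR and the trailing sectors once through the normal user-mode path and once from kernel mode below the disk stack, then reports where the two copies disagree. Here the MBR matches in both views (`user & kernel MBR OK`) but a range at the end of the 160 GB disk does not (`sectors 312581806 (+255): user != kernel`), and the disk trace places an UNKNOWN module at 0x85DCEEC5 in the call chain below disk.sys. That is the shape a disk-filtering bootkit produces: TDL3/TDL4 keep their hidden file system in the unallocated sectors past the last partition and return clean data to user-mode readers. As an added example (not Gmer's code or ComboFix's; constructed data, no disk I/O), the following Python parses a 512-byte MBR, computes the unallocated tail after the last partition, and diffs a user-mode and a kernel-mode view of that tail sector by sector. The partition layout, disk size and hidden sectors are made up to mirror the report above; on a real system the user view would come from `ReadFile` on `\\.\PhysicalDrive0` and the kernel view would need a driver of your own.

```python
"""Cross-view check of the MBR and the unallocated tail of a disk.

Added example, not Gmer's detector or ComboFix code. All data is
constructed in the build_sample_* functions; nothing touches a real disk.
"""
import struct
from dataclasses import dataclass

SECTOR = 512


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(mbr: bytes) -> list:
    """Parse the four 16-byte partition entries at 0x1BE; require the 0x55AA signature."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = 0x1BE + 16 * i
        status, type_id = mbr[off], mbr[off + 4]
        lba, count = struct.unpack_from("<II", mbr, off + 8)
        if type_id != 0:                      # type 0 is an empty slot
            parts.append(Partition(status == 0x80, type_id, lba, count))
    return parts


def unallocated_tail(parts, disk_sectors):
    """(first LBA, length) of the space after the last partition."""
    end = max((p.lba_start + p.sectors for p in parts), default=1)
    return end, disk_sectors - end


def cross_view_diff(user_view: bytes, kernel_view: bytes, base_lba: int) -> list:
    """LBAs at which the user-mode and kernel-mode reads of the same range disagree."""
    if len(user_view) != len(kernel_view) or len(user_view) % SECTOR:
        raise ValueError("views must be equal length and sector aligned")
    return [base_lba + i for i in range(len(user_view) // SECTOR)
            if user_view[i * SECTOR:(i + 1) * SECTOR] != kernel_view[i * SECTOR:(i + 1) * SECTOR]]


def build_sample_mbr() -> bytes:
    """Constructed MBR: zero boot code, one active NTFS (0x07) partition at LBA 2048..4095."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3sB3sII", mbr, 0x1BE, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 2048)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


DISK_SECTORS = 4352   # constructed disk: partition ends at 4096, 256 spare sectors follow


def build_sample_views():
    """Constructed reads of the tail: the kernel-level read shows three sectors
    of payload at the very end, the user-level read (what a hooked disk driver
    hands back) shows zeros. Returns (user_view, kernel_view, base_lba)."""
    base, length = unallocated_tail(parse_mbr(build_sample_mbr()), DISK_SECTORS)
    kernel = bytearray(length * SECTOR)
    for s in range(length - 3, length):
        kernel[s * SECTOR:(s + 1) * SECTOR] = b"\xde\xad" * (SECTOR // 2)
    user = bytes(length * SECTOR)
    return user, bytes(kernel), base


def report():
    """Run both checks on the constructed data: (MBR diff, tail diff) as LBA lists."""
    mbr_diff = cross_view_diff(build_sample_mbr(), build_sample_mbr(), 0)
    user, kernel, base = build_sample_views()
    return mbr_diff, cross_view_diff(user, kernel, base)


if __name__ == "__main__":
    mbr_diff, tail_diff = report()
    print("user & kernel MBR", "OK" if not mbr_diff else f"differ at {mbr_diff}")
    print("sectors", tail_diff, "user != kernel" if tail_diff else "match")
```

A clean disk yields an empty list for both views; a non-empty tail diff with a matching MBR is the pattern in the log above, and the differing LBAs are what you then read from the kernel side and carve.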
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\F392.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-12-03 21:50:22
ComboFix-quarantined-files.txt 2010-12-04 02:50
ComboFix2.txt 2010-12-02 00:03
ComboFix3.txt 2010-11-26 20:19
ComboFix4.txt 2010-11-26 19:17
Pre-Run: 52,338,434,048 bytes free
Post-Run: 52,305,719,296 bytes free
- - End Of File - - 9CB7BBB41A83F8139CD4B0585A65799E