Procedures completed, logfile follows.
ComboFix 08-08-21.02 - teylanad 2008-08-23 6:59:00.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2176 [GMT -7:00]
Running from: C:\Users\teylanad\Desktop\ComboFix.exe
Command switches used :: C:\Users\teylanad\Desktop\CFScript.txt`.txt
* Created a new restore point
FILE ::
C:\BACKUP TRNSFR FLDR\Backup to Dics 080706\Disc 2 612 MB Exprts\568 MB FlDwnldApps\File Navigators\Gnutella Bearshare\BS225.exe
C:\Users\teylanad\Documents\Apps\Files Downloaded\Applications\File Navigators\Gnutella Bearshare\BS225.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Users\teylanad\Documents\Apps\Files Downloaded\Applications\File Navigators\Gnutella Bearshare\BS225.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.
2008-08-19 11:55 . 2008-08-19 11:55 <DIR> d-------- C:\Windows\Sun
2008-08-19 11:19 . 2008-08-19 11:19 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-08-19 11:11 . 2008-08-19 11:35 <DIR> d-------- C:\Users\All Users\NOS
2008-08-19 11:11 . 2008-08-19 11:35 <DIR> d-------- C:\ProgramData\NOS
2008-08-19 11:11 . 2008-08-19 11:35 <DIR> d-------- C:\Program Files\NOS
2008-08-14 11:27 . 2008-07-15 16:48 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-10 08:39 . 2008-08-10 08:39 <DIR> d-------- C:\Users\teylanad\AppData\Roaming\Malwarebytes
2008-08-10 08:39 . 2008-08-10 08:39 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-08-10 08:39 . 2008-08-10 08:39 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-08-10 08:39 . 2008-08-10 10:13 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-10 08:39 . 2008-07-30 20:07 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-08-10 08:39 . 2008-07-30 20:07 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-08-04 19:49 . 2008-08-04 19:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 08:29 . 2008-06-25 17:33 11,722,752 --a------ C:\Windows\System32\NlsLexicons0001.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 13:50 --------- d-----w C:\Users\teylanad\AppData\Roaming\Spare Backup
2008-08-19 18:23 --------- d-----w C:\Program Files\Java
2008-08-19 18:18 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-14 18:24 --------- d-----w C:\Program Files\Windows Mail
2008-08-04 23:04 --------- d-----w C:\Program Files\Google
2008-07-09 21:43 174 --sha-w C:\Program Files\desktop.ini
2008-07-09 04:55 --------- d-----w C:\Users\teylanad\AppData\Roaming\CyberLink
2008-07-09 04:55 --------- d-----w C:\ProgramData\CyberLink
2008-07-03 02:45 --------- d-----w C:\Program Files\Red Orb
2008-07-03 02:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-03 02:41 --------- d-----w C:\Program Files\MicroProse
2008-07-03 02:38 --------- d-----w C:\Program Files\Core Design
2008-07-02 23:41 --------- d-----w C:\Program Files\InterActual
2008-07-02 19:26 96,520 ----a-w C:\Windows\system32\drivers\avgldx86.sys
2008-07-02 19:26 69,128 ----a-w C:\Windows\system32\drivers\avgwfpx.sys
2008-07-02 19:26 10,520 ----a-w C:\Windows\System32\avgrsstx.dll
2008-07-02 03:30 --------- d-----w C:\Program Files\Electronic Arts
2008-07-02 03:28 --------- d-----w C:\Program Files\Maxis
2008-07-02 00:57 --------- d-----w C:\Program Files\Creative
2008-07-02 00:46 --------- d-----w C:\Program Files\Eidos Interactive
2008-07-01 19:07 --------- d-----w C:\Users\teylanad\AppData\Roaming\Lavasoft
2008-07-01 19:07 --------- d-----w C:\Program Files\Lavasoft
2008-06-27 03:54 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-06-27 03:54 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-06-27 03:54 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-06-27 03:54 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-06-26 02:45 --------- d-----w C:\Users\teylanad\AppData\Roaming\Roxio
2008-06-26 02:45 --------- d-----w C:\ProgramData\Napster
2008-06-26 00:33 9,892,864 ----a-w C:\Windows\System32\NlsLexicons000a.dll
2008-06-24 18:01 --------- d-----w C:\ProgramData\Apple Computer
2008-06-24 18:01 --------- d-----w C:\Program Files\QuickTime
2008-06-23 17:38 --------- d-----w C:\ProgramData\avg8
2008-06-23 17:38 --------- d-----w C:\Program Files\AVG
2008-06-23 16:41 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-23 16:39 --------- d-----w C:\ProgramData\Symantec
2008-06-19 03:25 61,440 ----a-w C:\Windows\System32\winipsec.dll
2008-06-19 03:25 361,984 ----a-w C:\Windows\System32\IPSECSVC.DLL
2008-06-19 03:25 28,672 ----a-w C:\Windows\System32\FwRemoteSvr.dll
2008-06-19 03:25 272,896 ----a-w C:\Windows\System32\polstore.dll
2008-06-12 06:54 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-06-12 06:54 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-06-12 01:21 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-04-30 07:20 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-04-30 07:20 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-04-30 07:20 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((( snapshot@2008-08-15_15.39.55.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 22:06:42 295,606 ----a-r C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
+ 2008-08-23 13:49:33 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-08-23 13:49:33 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-08-15 22:33:28 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-08-23 13:50:56 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-08-15 22:33:28 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-08-23 13:55:33 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-08-15 16:28:39 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-23 04:48:55 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-15 16:28:39 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-23 04:48:55 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-15 16:28:39 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-08-23 04:48:55 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-08-15 22:29:40 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-08-23 13:58:56 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
- 2007-03-14 08:31:24 135,168 ----a-w C:\Windows\System32\java.exe
+ 2008-06-10 08:21:01 135,168 ----a-w C:\Windows\System32\java.exe
- 2007-03-14 08:31:28 135,168 ----a-w C:\Windows\System32\javaw.exe
+ 2008-06-10 08:21:04 135,168 ----a-w C:\Windows\System32\javaw.exe
- 2007-03-14 10:04:46 139,264 ----a-w C:\Windows\System32\javaws.exe
+ 2008-06-10 09:32:34 139,264 ----a-w C:\Windows\System32\javaws.exe
- 2008-08-15 22:29:58 104,024 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-08-23 13:54:42 104,024 ----a-w C:\Windows\System32\perfc009.dat
- 2008-08-15 22:29:58 618,648 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-08-23 13:54:42 618,648 ----a-w C:\Windows\System32\perfh009.dat
- 2008-08-15 22:26:41 7,730 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1669751230-3628068341-3706583971-1000_UserData.bin
+ 2008-08-23 13:51:42 9,238 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1669751230-3628068341-3706583971-1000_UserData.bin
- 2008-08-15 22:26:41 70,340 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-08-23 13:51:42 70,610 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-08-15 22:26:38 35,868 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-08-23 13:51:41 36,524 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-03-28 20:59 2953216 --a------ C:\Program Files\Protector Suite QL\farchns.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-03-28 20:59 2953216 --a------ C:\Program Files\Protector Suite QL\farchns.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 14:37 174872]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-05 02:18 827392]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2007-03-28 20:23 49168]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2006-09-06 13:12 323216]
"Spare Backup"="C:\Program Files\Spare Backup\SpareBackup.exe" [2007-09-13 17:22 5252936]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-06 11:05 185896]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-02 12:26 1232152]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe" [2005-05-25 12:12 517632]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
C:\Users\teylanad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2008-03-04 19:04:07 2342912]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-03-29 14:11:50 719664]
HotSync Manager.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34 471040]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"DisableCAD"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-28 20:46 90112 C:\Windows\System32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1669751230-3628068341-3706583971-1000]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{90A40444-73DE-4E5A-AE81-8232BC6376BF}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5ED803E3-D302-4CEC-B8D8-7535BA7E0B40}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9326A280-DDC0-4B13-B978-6F1AD8A943EF}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"{02A8F421-A1D9-4EA6-AF65-061853A7D83C}"= C:\Program Files\AVG\AVG8\avgemc.exe:avgemc.exe
"TCP Query User{EFEE5914-F223-4E80-BBA7-C51B38553DCA}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{8CA8B965-F614-48B9-A3DC-FA672B47E913}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-07-02 12:26]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-02 12:26]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-02 12:26]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-04-10 07:54]
R3 AvgWfpX;AVG8 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfpx.sys [2008-07-02 12:26]
R3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2007-03-29 12:46]
R3 btwavdt;Bluetooth AVDT;C:\Windows\system32\drivers\btwavdt.sys [2007-02-26 23:20]
R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2007-02-26 23:20]
R3 MSTabBtn;Quanta Computer Tablet PC Buttons HID Driver;C:\Windows\system32\DRIVERS\mstabbtn.sys [2007-03-08 19:40]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 00:30]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 07:01:09
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2008-08-23 7:03:19
ComboFix-quarantined-files.txt 2008-08-23 14:02:17
ComboFix2.txt 2008-08-15 22:41:43
Pre-Run: 166,039,674,880 bytes free
Post-Run: 166,073,511,936 bytes free
200 --- E O F --- 2008-08-14 18:28:08