ComboFix 09-12-09.04 - CornFlake 12/10/2009 22:25:12.1.2 - x86
Running from: c:\documents and settings\CornFlake\Desktop\ComboFix.exe
AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\csrss.log
c:\windows\help\svchost.exe
c:\windows\system32\calc32.exe
c:\windows\system32\twain_32.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_OREANS32
-------\Service_oreans32
((((((((((((((((((((((((( Files Created from 2009-11-10 to 2009-12-10 )))))))))))))))))))))))))))))))
.
2009-12-10 13:56 . 2009-12-10 13:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2009-12-10 13:54 . 2009-12-10 13:54 -------- d-----w- c:\program files\Panda USB Vaccine
2009-12-10 03:58 . 2009-12-10 00:42 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-10 00:44 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-10 00:33 . 2009-12-10 00:34 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-10 00:31 . 2009-12-10 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-10 00:31 . 2009-12-10 00:31 -------- d-----w- c:\program files\Lavasoft
2009-12-09 14:32 . 2009-12-09 14:32 -------- d-----w- c:\documents and settings\CornFlake\Application Data\Malwarebytes
2009-12-09 14:31 . 2009-12-09 14:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-09 10:50 . 2009-12-09 10:40 59920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-12-09 10:50 . 2009-12-09 10:40 50704 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-12-09 10:50 . 2009-12-09 10:40 158224 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-09 10:49 . 2009-12-09 10:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2009-12-09 10:49 . 2009-12-09 10:50 -------- d-----w- c:\program files\Trend Micro
2009-12-09 10:40 . 2009-12-09 10:40 89872 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2009-12-09 10:40 . 2009-12-09 10:40 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-12-09 10:40 . 2009-12-09 10:40 225808 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-12-09 10:40 . 2009-12-09 10:40 1223832 ----a-w- c:\windows\system32\drivers\vsapint.sys
2009-12-04 11:40 . 2007-09-29 12:00 2648576 --sh--w- c:\program files\RRecycled.scr
2009-12-04 11:39 . 2007-09-29 12:00 2648576 ---h--r- C:\Recycled.scr
2009-12-04 11:39 . 2009-12-10 14:34 33824 ----a-w- c:\windows\system32\drivers\oreans32.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-10 14:36 . 2009-08-18 10:19 -------- d-----w- c:\program files\BitComet
2009-12-10 11:11 . 2008-09-21 16:32 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
2009-12-10 11:11 . 2009-08-23 09:27 -------- d-----w- c:\documents and settings\CornFlake\Application Data\HpUpdate
2009-12-10 11:11 . 2008-12-23 15:16 -------- d-----w- c:\documents and settings\CornFlake\Application Data\YouSendIt
2009-12-10 04:49 . 2008-10-26 12:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-10 00:43 . 2009-12-10 00:42 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-10 00:41 . 2009-12-10 00:41 1638640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-10 00:41 . 2009-12-10 00:41 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-10 00:41 . 2009-12-10 00:41 1184912 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-09 10:48 . 2008-12-14 06:35 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-12-06 13:27 . 2008-12-26 12:11 -------- d-----w- c:\documents and settings\CornFlake\Application Data\Skype
2009-12-06 12:50 . 2008-12-26 12:15 -------- d-----w- c:\documents and settings\CornFlake\Application Data\skypePM
2009-12-06 11:57 . 2008-10-20 05:38 -------- d-----w- c:\documents and settings\CornFlake\Application Data\ZoomBrowser EX
2009-12-06 11:57 . 2008-10-20 05:39 -------- d-----w- c:\documents and settings\CornFlake\Application Data\CameraWindowDC
2009-12-03 13:51 . 2008-09-26 18:03 1 ----a-w- c:\documents and settings\CornFlake\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-12-03 13:51 . 2008-09-26 18:02 -------- d-----w- c:\documents and settings\CornFlake\Application Data\OpenOffice.org2
2009-11-03 11:54 . 2008-09-23 13:43 -------- d-----w- c:\documents and settings\CornFlake\Application Data\Creative
2009-11-03 11:21 . 2009-11-03 11:21 -------- d-----w- c:\documents and settings\CornFlake\Application Data\ScanSoft
2009-10-29 07:45 . 2004-08-04 21:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 21:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 21:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 21:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 21:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 08:02 . 2008-09-21 16:33 82976 ----a-w- c:\documents and settings\CornFlake\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-13 04:16 . 2006-05-15 05:16 -------- d-----w- c:\program files\Microsoft Works
2009-10-12 13:38 . 2004-08-04 21:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 21:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-03 08:15 . 2009-12-10 00:33 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-09-29 09:33 . 2008-12-07 05:05 253952 ----a-w- c:\program files\mozilla firefox\components\CheckTudouVa.dll
2007-05-14 15:19 . 2008-09-22 07:27 0 --sha-w- c:\windows\SMINST\HPCD.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 10:22 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43BEAFD9-E005-483D-A367-146BA6C8A32E}]
2009-09-29 09:33 87448 ----a-w- c:\program files\Tudou\飞速Tudou\tudouDetector.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-01-07 2262352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-19 39408]
"BitComet"="c:\program files\BitComet\BitComet.exe" [2009-07-31 2674488]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot" [X]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe -r" [X]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-11 102400]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-02-16 131072]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-26 7561216]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-02-19 1089536]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 149280]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-12-09 1020248]
c:\documents and settings\CornFlake\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-2-15 581693]
HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-9-25 73728]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-28 199184]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Tudou\\飞速Tudou\\TudouVa.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10822:TCP"= 10822:TCP:BitComet 10822 TCP
"10822:UDP"= 10822:UDP:BitComet 10822 UDP
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/10/2009 8:44 AM 64288]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [3/7/2009 8:53 PM 464264]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [3/20/2009 3:11 PM 54752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 PM 1184912]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [12/9/2009 6:40 PM 36368]
R2 U3SDR200;U3SDR200;c:\windows\system32\drivers\U3SDR200.SYS [2/4/2009 3:39 PM 4224]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [12/9/2009 6:50 PM 50704]
R3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [12/9/2009 6:50 PM 689416]
S1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [12/4/2009 7:39 PM 33824]
S2 Windows Recycled Services;Windows Recycled Services;c:\program files\Common Files\Microsoft Shared\MSInfo\Recycled.scr [12/4/2009 7:39 PM 2648576]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 XDva208;XDva208;\??\c:\windows\system32\XDva208.sys --> c:\windows\system32\XDva208.sys [?]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sg.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
uInternet Settings,ProxyOverride = local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\CornFlake\Application Data\Mozilla\Firefox\Profiles\8rueen1n.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-10 22:41
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Windows Recycled Services]
"ImagePath"="c:\program files\Common Files\Microsoft Shared\MSINFO\Recycled.scr"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3244103689-29222448-1897911390-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:7d,cb,5d,ef,6d,32,35,80,d5,ab,6c,62,0e,c1,09,02,56,fa,e4,90,50,bc,c8,
14,3f,f0,af,d5,e1,c9,36,2f,5b,9b,a1,32,c6,69,00,13,6a,61,d9,05,0d,6d,f0,b0,\
"??"=hex:76,6d,7e,d8,d8,a5,03,04,62,11,d9,76,75,e8,6b,bd
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2772)
c:\windows\system32\WININET.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\Panda USB Vaccine\USBVaccine.exe
c:\program files\Tudou\飞速Tudou\TudouVa.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-12-10 22:45:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-10 14:41
Pre-Run: 5,436,919,808 bytes free
Post-Run: 6,330,191,872 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - C4BDFE968B3D8F131B2470C85F7B5D76