ComboFix 10-02-27.04 - johnglass 27/02/2010 13:39:40.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.2.1033.18.2038.1097 [GMT -7:00]
Running from: c:\users\johnglass\Desktop\ComboFix.exe
AV: *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
SP: *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-1917035585-2100144834-2150911557-500
c:\$recycle.bin\S-1-5-21-4255227170-3845029197-442413720-500
c:\windows\system32\KBL.LOG
.
((((((((((((((((((((((((( Files Created from 2010-01-27 to 2010-02-27 )))))))))))))))))))))))))))))))
.
2010-02-27 20:51 . 2010-02-27 20:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-25 12:40 . 2010-01-23 08:05 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-25 12:39 . 2010-01-25 12:58 473088 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-25 12:39 . 2010-01-25 12:58 472576 ----a-w- c:\windows\system32\secproc.dll
2010-02-25 12:39 . 2010-01-25 08:36 435712 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-25 12:39 . 2010-01-25 08:36 515584 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-25 12:39 . 2010-01-25 08:36 431104 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-25 12:39 . 2010-01-25 08:35 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-25 12:39 . 2010-01-25 12:58 154624 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-25 12:39 . 2010-01-25 12:58 154112 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-25 12:39 . 2010-01-25 12:56 312320 ----a-w- c:\windows\system32\msdrm.dll
2010-02-25 12:30 . 2010-02-25 12:30 -------- d-----w- c:\windows\CheckSur
2010-02-24 04:20 . 2010-02-24 04:20 -------- d-----w- c:\users\johnglass\AppData\Roaming\HTML Executable
2010-02-24 03:58 . 2010-02-24 03:58 -------- d-----w- c:\users\johnglass\AppData\Local\Threat Expert
2010-02-24 03:20 . 2010-02-24 03:20 -------- d-----w- c:\program files\Adobe(0)
2010-02-22 13:26 . 2010-02-22 13:26 -------- d-----w- c:\program files\Trend Micro
2010-02-22 12:47 . 2010-02-22 12:49 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-02-20 19:55 . 2010-02-20 19:59 -------- d-----w- c:\users\johnglass\AppData\Roaming\BitDefender
2010-02-20 19:55 . 2010-02-20 20:36 -------- d-----w- c:\programdata\BitDefender
2010-02-20 19:55 . 2010-02-20 19:55 -------- d-----w- c:\program files\BitDefender
2010-02-20 19:50 . 2010-02-20 19:56 -------- d-----w- c:\program files\Common Files\BitDefender
2010-02-20 18:38 . 2010-02-20 18:38 -------- d-----w- c:\users\johnglass\AppData\Roaming\Malwarebytes
2010-02-20 18:38 . 2010-02-20 18:38 -------- d-----w- c:\programdata\Malwarebytes
2010-02-20 18:38 . 2010-02-20 18:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 16:09 . 2010-02-20 16:10 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-14 19:15 . 2010-02-14 19:15 -------- d-----w- c:\program files\Microsoft Silverlight
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-27 14:29 . 2008-11-09 00:46 -------- d-----w- c:\programdata\Google Updater
2010-02-24 16:16 . 2009-10-02 21:44 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 06:13 . 2008-01-30 02:55 108816 ----a-w- c:\users\johnglass\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 04:41 . 2008-04-23 04:08 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-24 04:41 . 2007-12-24 17:55 -------- d-----w- c:\program files\WinTV
2010-02-24 04:41 . 2008-07-13 17:55 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-24 04:40 . 2010-01-01 18:24 -------- d-----w- c:\program files\Microsoft
2010-02-24 04:40 . 2009-11-18 05:46 -------- d-----w- c:\program files\QuickTime
2010-02-24 04:40 . 2008-09-18 03:40 -------- d-----w- c:\program files\Windows Live
2010-02-24 04:40 . 2007-11-27 17:38 -------- d-----w- c:\program files\Norton Internet Security
2010-02-24 04:40 . 2007-11-27 17:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-24 04:40 . 2007-12-24 17:58 -------- d-----w- c:\program files\HP
2010-02-20 20:39 . 2009-05-31 21:19 20 ---h--w- c:\programdata\PKP_DLdu.DAT
2010-02-20 16:12 . 2008-11-09 00:46 -------- d-----w- c:\program files\Google
2010-02-20 16:10 . 2008-04-23 03:55 -------- d-----w- c:\program files\Lavasoft
2010-02-11 10:21 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-11 10:03 . 2008-01-30 02:46 -------- d-----w- c:\programdata\Microsoft Help
2010-02-08 03:11 . 2009-05-31 21:22 20 ---h--w- c:\programdata\PKP_DLdw.DAT
2010-01-20 11:10 . 2008-03-15 00:21 -------- d-----w- c:\users\johnglass\AppData\Roaming\LimeWire
2010-01-12 15:53 . 2008-02-20 19:21 -------- d-----w- c:\program files\Morpheus
2010-01-12 15:31 . 2009-03-29 17:12 680 ----a-w- c:\users\johnglass\AppData\Local\d3d9caps.dat
2010-01-01 18:26 . 2010-01-01 18:26 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-01-01 18:24 . 2010-01-01 18:24 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-01-01 18:17 . 2010-01-01 18:17 -------- d-----w- c:\program files\Common Files\Windows Live
2009-12-28 12:36 . 2010-02-10 11:47 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-28 12:35 . 2010-02-10 11:47 1327616 ----a-w- c:\windows\system32\quartz.dll
2009-12-28 12:34 . 2010-02-10 11:47 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-28 12:34 . 2010-02-10 11:47 31232 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-28 12:34 . 2010-02-10 11:47 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-28 12:34 . 2010-02-10 11:47 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-28 12:33 . 2010-02-10 11:47 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-28 12:32 . 2010-02-10 11:47 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-28 12:30 . 2010-02-10 11:47 88576 ----a-w- c:\windows\system32\avifil32.dll
2009-12-28 12:30 . 2010-02-10 11:47 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-12-18 12:52 . 2010-01-22 12:52 832512 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 12:48 . 2010-01-22 12:51 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-12-18 12:48 . 2010-01-22 12:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 12:48 . 2010-01-22 12:51 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll
2009-12-18 12:46 . 2010-01-22 12:51 72704 ----a-w- c:\windows\system32\admparse.dll
2009-12-18 10:18 . 2010-01-22 12:51 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-18 08:45 . 2010-01-22 12:51 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-12-11 12:15 . 2010-02-10 11:47 306688 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-11 12:15 . 2010-02-10 11:47 84992 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-12-08 20:54 . 2010-02-10 11:47 3467848 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 20:54 . 2010-02-10 11:47 3502168 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:19 . 2010-02-10 11:47 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2009-12-08 17:58 . 2010-02-10 11:47 813568 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-08 17:57 . 2010-02-10 11:47 22016 ----a-w- c:\windows\system32\netiougc.exe
2009-12-08 04:14 . 2009-12-08 02:57 256 ----a-w- c:\windows\system32\pool.bin
2009-12-08 01:31 . 2009-12-08 01:15 26694 ----a-r- c:\users\johnglass\AppData\Roaming\Microsoft\Installer\{E9215042-291A-444B-8644-89888F367CD3}\BlackBerry.exe
2009-12-04 16:27 . 2010-02-10 11:47 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-12-04 16:27 . 2010-02-10 11:47 101888 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-02-01 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-17 4702208]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-25 174616]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"hpqSRMon"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe" [2007-08-23 80896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-03 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-03 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-03 133656]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\System32\drivers\cmdguard.sys [09/07/2009 10:01 AM 85008]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\System32\drivers\cmdhlp.sys [09/07/2009 10:01 AM 25104]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [24/08/2007 9:07 PM 149864]
S3 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20070823.002\IDSvix86.sys [27/11/2007 10:41 AM 180272]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\System32\drivers\nwusbser2.sys [02/11/2007 3:41 PM 166144]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
2010-02-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-09 18:00]
2010-02-27 c:\windows\Tasks\User_Feed_Synchronization-{86811CE2-FC35-4DCC-B9FD-4D40B6D98566}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send Using &MailTo - c:\program files\SnipIT\SnipIT\sendusingmailto.htm
IE: Send Using &Outlook - c:\program files\SnipIT\SnipIT\sendusingoutlook.htm
DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - hxxp://activex.camfrogweb.com/advanced/ ... module.exe
DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} - hxxps://remote.legalaid.ab.ca/+CSCOL+/relayp.cab
DPF: {B8E73359-3422-4384-8D27-4EA1B4C01232} - hxxps://remote.legalaid.ab.ca/+CSCOL+/cscopf.cab
FF - ProfilePath - c:\users\johnglass\AppData\Roaming\Mozilla\Firefox\Profiles\e9fc5kng.default\
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-27 13:52
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys >>UNKNOWN [0x8EE828C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82cdcd1f
\Driver\ACPI -> acpi.sys @ 0x804699d6
\Driver\atapi -> ataport.SYS @ 0x806bf9c6
\Driver\iaStor -> iaStor.sys @ 0x807258d6
IoDeviceObjectType -> SecurityProcedure -> ntkrnlpa.exe @ 0x82595467
\Device\Harddisk0\DR0 -> SecurityProcedure -> ntkrnlpa.exe @ 0x82595467
user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\guard32.dll
- - - - - - - > 'lsass.exe'(744)
c:\windows\system32\guard32.dll
.
Completion time: 2010-02-27 13:58:19
ComboFix-quarantined-files.txt 2010-02-27 20:58
Pre-Run: 154,213,879,808 bytes free
Post-Run: 156,251,627,520 bytes free
- - End Of File - - D0EA87052A15864379CC408FB9E69691