ComboFix 10-05-27.03 - CAllen 05/28/2010 11:27:49.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3006.1959 [GMT -4:00]
Running from: c:\users\CAllen\Desktop\zzz.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\progra~2\sysReserve.ini
c:\users\CAllen\AppData\Local\dchirlkmn
c:\users\CAllen\AppData\Local\dchirlkmn\alryfejtssd.exe
c:\users\CAllen\AppData\Local\dpmqtvmmm
c:\users\CAllen\AppData\Local\dpmqtvmmm\wvtsapvtssd.exe
c:\users\CAllen\AppData\Local\flfvovdpf
c:\users\CAllen\AppData\Local\flfvovdpf\lyniyujtssd.exe
c:\users\CAllen\AppData\Local\wtytfrenm
c:\users\CAllen\AppData\Local\wtytfrenm\ibepmoftssd.exe
c:\windows\system32\AbaleZip.dll
c:\windows\system32\sysogg.dll
Infected copy of c:\windows\system32\drivers\tdx.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-28 )))))))))))))))))))))))))))))))
.
2010-05-28 15:38 . 2010-05-28 15:38 -------- d-----w- c:\users\CAllen\AppData\Local\temp
2010-05-28 15:38 . 2010-05-28 15:38 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-05-27 23:41 . 2010-05-27 23:41 -------- d-----w- c:\program files\NCH Software
2010-05-27 23:41 . 2010-05-27 23:41 -------- d-----w- c:\users\CAllen\AppData\Roaming\NCH Software
2010-05-27 05:24 . 2010-05-27 05:24 -------- d-----w- c:\users\CAllen\AppData\Local\VS Revo Group
2010-05-27 05:24 . 2009-12-30 16:21 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-05-27 05:23 . 2010-05-27 05:23 -------- d-----w- c:\program files\VS Revo Group
2010-05-25 21:07 . 2010-05-25 21:42 -------- d-----w- c:\program files\CamStudio
2010-05-25 20:01 . 2010-05-25 20:01 -------- d-----w- c:\users\CAllen\AppData\Roaming\Avira
2010-05-25 19:44 . 2010-05-25 19:44 -------- d-----w- c:\program files\Avira
2010-05-25 19:44 . 2010-05-25 19:44 -------- d-----w- c:\progra~2\Avira
2010-05-25 19:44 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-05-25 19:44 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-05-25 19:44 . 2009-05-11 16:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-05-25 19:44 . 2009-05-11 16:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-05-24 22:48 . 2010-05-24 22:54 -------- d-----w- c:\program files\GPL MPEG Decoder
2010-05-24 22:41 . 2010-05-24 22:41 -------- d-----w- c:\program files\YouTube Downloader
2010-05-24 22:33 . 2010-05-24 22:33 -------- d-----w- c:\program files\SuperWebcam
2010-05-24 22:33 . 2006-06-27 12:56 31872 ----a-w- c:\windows\system32\drivers\superwebcam.sys
2010-05-24 04:15 . 2010-05-24 04:16 -------- d-----w- c:\users\CAllen\AppData\Local\ManyCam
2010-05-22 09:47 . 2010-05-22 09:47 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Apple Computer
2010-05-22 09:47 . 2010-05-22 09:47 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\AOL OCP
2010-05-18 00:55 . 2010-05-18 00:56 -------- d-----w- c:\users\CAllen\AppData\Roaming\ManyCam
2010-05-18 00:55 . 2010-05-18 02:02 -------- d-----w- c:\program files\Ask.com
2010-05-11 20:44 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-02 05:13 . 2010-05-02 05:13 -------- d-----w- c:\program files\iPod
2010-05-02 05:10 . 2010-05-02 05:10 -------- d-----w- c:\program files\Bonjour
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-28 15:23 . 2009-09-24 18:04 0 ----a-w- c:\windows\system32\drivers\tdx.sys
2010-05-28 02:27 . 2010-01-02 00:33 -------- d-----w- c:\program files\Mozilla Firefox 3.6 Beta 5
2010-05-27 05:15 . 2008-02-29 04:10 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-25 15:21 . 2010-01-12 22:50 -------- d-----w- c:\users\CAllen\AppData\Roaming\uTorrent
2010-05-24 22:33 . 2008-02-29 04:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-18 05:48 . 2009-02-21 02:37 2974 ----a-w- c:\users\CAllen\AppData\Roaming\wklnhst.dat
2010-05-14 22:42 . 2009-11-30 05:48 -------- d-----w- c:\progra~2\Propellerhead Software
2010-05-14 22:42 . 2009-11-30 05:42 -------- d-----w- c:\users\CAllen\AppData\Roaming\Propellerhead Software
2010-05-13 17:13 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-13 17:13 . 2008-02-29 05:15 -------- d-----w- c:\progra~2\Microsoft Help
2010-05-12 15:21 . 2009-10-03 05:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 23:38 . 2008-07-04 03:22 680 ----a-w- c:\users\CAllen\AppData\Local\d3d9caps.dat
2010-05-03 14:42 . 2009-12-19 17:47 -------- d-----w- c:\progra~2\Radialpoint
2010-05-02 05:15 . 2009-09-10 16:56 -------- d-----w- c:\program files\iTunes
2010-05-02 05:13 . 2008-06-25 17:08 -------- d-----w- c:\program files\Common Files\Apple
2010-04-26 00:23 . 2009-10-07 04:14 -------- d-----w- c:\users\CAllen\AppData\Roaming\vlc
2010-04-25 06:11 . 2010-04-25 06:11 -------- d-----w- c:\program files\Common Files\Java
2010-04-25 06:10 . 2010-04-25 06:10 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-25 06:09 . 2008-02-29 05:45 -------- d-----w- c:\program files\Java
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-04 20:12 . 2010-04-04 20:11 -------- d-----w- c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-04 20:09 . 2010-04-04 20:08 -------- d-----w- c:\program files\QuickTime
2010-03-05 14:01 . 2010-04-14 13:48 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-03 05:26 . 2010-03-03 05:26 1691 ----a-w- c:\users\CAllen\AppData\Roaming\.purple\certificates\x509\tls_peers\api.screenname.aol.com
2009-12-20 00:33 . 2009-12-19 19:20 6148384 --sha-w- c:\windows\System32\drivers\fidbox.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Aim6"="c:\program files\AIM6\aim6.exe" [2007-07-13 50480]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"Midi1"=ma_cmidn.dll
"midi2"=ma_cmidn.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^Users^CAllen^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\CAllen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2007-07-13 14:36 50480 ----a-w- c:\program files\AIM6\aim6.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 01:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2007-10-02 00:10 1783136 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-09-13 16:47 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-03-18 22:50 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-02-06 22:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-12-20 02:27 468264 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAWifiMessage]
2007-01-08 23:53 311296 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):86,df,45,f0,19,5d,ca,01
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27192]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 ServicepointService;ServicepointService;c:\program files\Verizon\VSP\ServicepointService.exe [2009-11-18 668912]
S3 SUPERWEBCAM;SuperWebcam, WDM Virtual Video Capture Device;c:\windows\system32\DRIVERS\superwebcam.sys [2006-06-27 31872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 21:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
2010-05-28 c:\windows\Tasks\User_Feed_Synchronization-{6DFFBE1E-577F-4EB1-BBB2-8971CA403F8E}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\CAllen\AppData\Roaming\Mozilla\Firefox\Profiles\sygs4tdl.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox ... S:official
FF - plugin: c:\program files\Verizon\VSP\nprpspa.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\users\CAllen\AppData\Local\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\users\CAllen\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\CAllen\AppData\Roaming\Mozilla\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-05-28 11:38
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi]
"ImagePath"="system32\Drivers\atapi.tsk"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-05-28 11:41:22
ComboFix-quarantined-files.txt 2010-05-28 15:41
Pre-Run: 52,217,507,840 bytes free
Post-Run: 52,279,742,464 bytes free
- - End Of File - - 8B79D85A14762F02DE3200FF105CFDAC