ComboFix 10-12-21.01 - ap 12/22/2010 17:32:25.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1145 [GMT -6:00]
Running from: c:\users\ap\Desktop\ComboFix.exe
Command switches used :: c:\users\ap\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FILE ::
"c:\windows\TEMP\A277.tmp"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\ap\AppData\Roaming\Meyq
c:\users\ap\AppData\Roaming\Meyq\opyq.exe
c:\users\ap\AppData\Roaming\Moere\byip.exe
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-11-22 to 2010-12-22 )))))))))))))))))))))))))))))))
.
2010-12-22 23:47 . 2010-12-22 23:47 -------- d-----w- c:\users\ap\AppData\Local\temp
2010-12-22 23:47 . 2010-12-22 23:47 -------- d-----w- c:\users\Mcx2\AppData\Local\temp
2010-12-22 23:47 . 2010-12-22 23:47 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2010-12-22 23:47 . 2010-12-22 23:47 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-12-22 23:47 . 2010-12-22 23:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-22 23:11 . 2010-12-22 23:14 -------- d-----w- c:\users\ap\AppData\Roaming\Ehput
2010-12-22 23:11 . 2010-12-22 23:11 174592 ----a-w- c:\users\Mcx2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\uladv.exe
2010-12-22 23:11 . 2010-12-22 23:11 174592 ----a-w- c:\users\Mcx1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\esvehe.exe
2010-12-22 23:11 . 2010-12-22 23:11 174592 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\acamu.exe
2010-12-22 23:11 . 2010-12-22 23:11 174592 ----a-w- c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\axoro.exe
2010-12-22 00:59 . 2010-12-22 01:00 -------- d-----w- c:\users\ap\AppData\Roaming\uTorrent
2010-12-21 21:46 . 2010-12-21 21:46 180736 ----a-w- c:\users\Mcx2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\niyv.exe
2010-12-21 21:46 . 2010-12-21 21:46 180736 ----a-w- c:\users\Mcx1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\uwofvo.exe
2010-12-21 21:46 . 2010-12-21 21:46 180736 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\xulodu.exe
2010-12-21 16:25 . 2010-12-21 16:25 -------- d-----w- c:\program files\iPod
2010-12-21 16:25 . 2010-12-21 16:26 -------- d-----w- c:\program files\iTunes
2010-12-20 22:19 . 2010-12-20 22:19 -------- d-----w- c:\users\Default\AppData\Roaming\Apple Computer
2010-12-20 22:19 . 2010-12-20 22:19 -------- d-----w- c:\users\Default\AppData\Local\Apple Computer
2010-12-20 20:18 . 2010-12-20 20:18 -------- d-----w- c:\users\ap\AppData\Roaming\Avira
2010-12-20 20:12 . 2010-12-13 14:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-12-20 20:12 . 2010-12-13 14:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-12-20 20:12 . 2010-12-20 20:12 -------- d-----w- c:\programdata\Avira
2010-12-20 20:12 . 2010-12-20 20:12 -------- d-----w- c:\program files\Avira
2010-12-17 22:07 . 2010-12-17 22:07 -------- d-----w- c:\program files\Common Files\PocketSoft
2010-12-17 22:07 . 2002-02-28 00:50 197120 ----a-w- c:\windows\patchw32.dll
2010-12-16 04:04 . 2010-11-04 18:56 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-12-16 04:04 . 2010-11-04 18:55 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-12-16 04:04 . 2010-11-04 18:55 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-12-16 04:04 . 2010-11-04 18:55 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-12-16 04:04 . 2010-11-04 16:34 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-12-16 04:04 . 2010-10-28 13:20 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-16 04:04 . 2010-10-12 15:53 33280 ----a-w- c:\program files\Windows Mail\wabfind.dll
2010-12-16 04:04 . 2010-10-12 13:41 66048 ----a-w- c:\program files\Windows Mail\wabmig.exe
2010-12-16 04:04 . 2010-10-12 13:41 515584 ----a-w- c:\program files\Windows Mail\wab.exe
2010-12-16 04:02 . 2010-10-18 13:31 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-12-16 04:01 . 2010-10-18 13:37 81920 ----a-w- c:\windows\system32\consent.exe
2010-12-16 04:01 . 2010-10-28 15:44 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-12-16 04:01 . 2010-10-28 13:27 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-16 04:01 . 2010-06-16 15:30 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-12-16 03:57 . 2010-11-03 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-12-15 00:42 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{602C609C-1104-41E2-B861-34C8E29F4793}\mpengine.dll
2010-12-13 16:22 . 2010-12-13 16:22 -------- d-----w- c:\users\ap\AppData\Roaming\Atari
2010-12-13 14:11 . 2010-12-13 23:45 -------- d-----w- c:\program files\Landwirtschafts Simulator 2011
2010-12-09 20:30 . 2010-12-13 13:57 -------- d-----w- c:\users\ap\AppData\Local\FullTiltPoker.NET
2010-12-09 20:29 . 2010-12-13 13:57 -------- d-----w- c:\program files\Full Tilt Poker.Net
2010-12-06 00:53 . 2010-12-06 00:53 -------- d-----w- c:\users\ap\AppData\Roaming\OpenOffice.org
2010-12-06 00:34 . 2010-12-06 00:34 -------- d-----w- c:\program files\JRE
2010-12-06 00:33 . 2010-12-06 00:34 -------- d-----w- c:\program files\OpenOffice.org 3
2010-12-03 02:13 . 2010-12-03 02:13 -------- d-----w- c:\users\ap\AppData\Roaming\AnvSoft
2010-11-29 23:38 . 2010-11-29 23:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38 . 2010-11-29 23:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-27 00:29 . 2010-11-27 00:29 108144 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-11-27 00:20 . 2010-11-27 00:20 -------- d-----w- c:\program files\Codemasters
2010-11-24 02:32 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 16:41 . 2009-10-02 22:41 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-16 18:55 . 2010-11-15 17:00 5473896 ----a-w- c:\windows\system32\nvwgf2um.dll
2010-10-16 18:55 . 2010-11-15 17:00 888424 ----a-w- c:\windows\system32\nvdispco322050.dll
2010-10-16 18:55 . 2010-11-15 17:00 813672 ----a-w- c:\windows\system32\nvgenco322030.dll
2010-10-16 18:55 . 2010-11-15 17:00 14899816 ----a-w- c:\windows\system32\nvoglv32.dll
2010-10-16 18:55 . 2010-11-15 17:00 10084360 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2010-10-16 18:55 . 2010-11-15 17:00 57960 ----a-w- c:\windows\system32\OpenCL.dll
2010-10-16 18:55 . 2010-11-15 17:00 4837480 ----a-w- c:\windows\system32\nvcuda.dll
2010-10-16 18:55 . 2010-11-15 17:00 2912360 ----a-w- c:\windows\system32\nvcuvid.dll
2010-10-16 18:55 . 2010-11-15 17:00 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-10-16 18:55 . 2010-11-15 17:00 13019752 ----a-w- c:\windows\system32\nvcompiler.dll
2010-10-16 18:55 . 2010-11-15 17:00 10920 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2010-10-16 18:55 . 2007-09-16 03:41 10023528 ----a-w- c:\windows\system32\nvd3dum.dll
2010-10-16 18:55 . 2007-09-16 03:41 1719912 ----a-w- c:\windows\system32\nvapi.dll
2010-10-16 18:42 . 2010-10-16 18:42 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-10-16 18:42 . 2010-10-16 18:42 600680 ----a-w- c:\windows\system32\nvvsvc.exe
2010-10-16 18:42 . 2010-10-16 18:42 1881704 ----a-w- c:\windows\system32\nvsvcr.dll
2010-10-16 18:42 . 2010-10-16 18:42 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-10-16 18:42 . 2010-10-16 18:42 3420776 ----a-w- c:\windows\system32\nvcpl.dll
2010-10-16 18:42 . 2010-10-16 18:42 2079336 ----a-w- c:\windows\system32\nvsvc.dll
2010-10-14 07:36 . 2010-10-14 07:36 15451288 ----a-w- c:\windows\system32\xlive.dll
2010-10-14 07:36 . 2010-10-14 07:36 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2010-10-11 09:07 . 2010-10-11 09:07 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-09-28 21:44 . 2010-09-28 21:44 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-09-28 21:44 . 2010-09-28 21:44 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-09-24 18:25 . 2010-09-24 18:25 6144 ----a-w- c:\windows\system32\drivers\UMDF\pt-PT\ZuneDriver.dll.mui
2010-09-24 18:25 . 2010-09-24 18:25 6144 ----a-w- c:\windows\system32\drivers\UMDF\pt-BR\ZuneDriver.dll.mui
2010-09-24 18:25 . 2010-09-24 18:25 6656 ----a-w- c:\windows\system32\drivers\UMDF\nl-NL\ZuneDriver.dll.mui
2010-09-24 18:24 . 2010-09-24 18:24 6656 ----a-w- c:\windows\system32\drivers\UMDF\it-IT\ZuneDriver.dll.mui
2010-09-24 18:24 . 2010-09-24 18:24 6144 ----a-w- c:\windows\system32\drivers\UMDF\fr-FR\ZuneDriver.dll.mui
2010-09-24 18:24 . 2010-09-24 18:24 6656 ----a-w- c:\windows\system32\drivers\UMDF\es-ES\ZuneDriver.dll.mui
2010-09-24 18:24 . 2010-09-24 18:24 6144 ----a-w- c:\windows\system32\drivers\UMDF\de-DE\ZuneDriver.dll.mui
2010-09-24 18:19 . 2010-09-24 18:19 444656 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
2010-09-24 17:14 . 2010-09-24 17:14 6144 ----a-w- c:\windows\system32\drivers\UMDF\en-US\ZuneDriver.dll.mui
2003-03-19 02:20 . 2010-06-07 12:47 1060864 ----a-w- c:\program files\mozilla firefox\plugins\mfc71.dll
2003-02-21 09:42 . 2010-06-07 12:47 348160 ----a-w- c:\program files\mozilla firefox\plugins\msvcr71.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-11-14 17:22 3186440 ----a-w- c:\program files\Protector Suite QL\farchns.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-11-14 17:22 3186440 ----a-w- c:\program files\Protector Suite QL\farchns.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-05-18 430080]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AprvRemoveLegacyExcelKeys"="c:\program files\ApproveIt\Support\Tools\AprvClean.exe -k HKCU SOFTWARE\Microsoft\Office\Excel\Addins\OfficeAddIn.OfficeAddIn" [X]
"AprvRemoveLegacyWordKeys"="c:\program files\ApproveIt\Support\Tools\AprvClean.exe -k HKCU SOFTWARE\Microsoft\Office\Word\Addins\OfficeAddIn.OfficeAddIn" [X]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 204800]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-23 438272]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-04 4702208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 153640]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 400936]
"ApproveItForOfficeSetup"="c:\program files\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe" [2009-04-30 155648]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-11-14 49416]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
axoro.exe [2010-12-22 174592]
c:\users\ap\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2009-6-3 130600]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-2-4 813584]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-11-14 17:07 96008 ----a-w- c:\windows\System32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 23:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\DRIVERS\NwUsbCdFil.sys [2008-07-07 20480]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\DRIVERS\nwusbser2.sys [2008-05-09 174336]
R3 samhidb;samhidb;c:\windows\system32\drivers\samhidb.sys [2007-05-12 22391]
R3 SCMUSB;SCM Microsystems SCR300 USB Smart Card Reader;c:\windows\system32\DRIVERS\stcusb.sys [2008-01-19 22016]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [2009-03-21 32408]
R3 TpChoice;Touch Pad Detection Filter driver;c:\windows\system32\DRIVERS\TpChoice.sys [x]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 268528]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-01-30 717296]
S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-06-03 207400]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-12-13 135336]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-10-16 369256]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPService REG_MULTI_SZ HPSLPSVC
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
2010-12-22 c:\windows\Tasks\User_Feed_Synchronization-{350F5D5B-B8B6-4082-ACFC-49A0CDBA7EF4}.job
- c:\windows\system32\msfeedssync.exe [2010-12-16 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://flyingincognitosleep.com/cgi-bin/h.pl
uInternet Settings,ProxyOverride = <local>;*.local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\ap\AppData\Roaming\Mozilla\Firefox\Profiles\w65xxmtu.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://flyingincognitosleep.com/cgi-bin/h.pl
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc6d786 ... g=en-US&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: tab-search: tab@search.com - %profile%\extensions\tab@search.com
FF - Ext: ICQ Toolbar: {800b5000-a755-47e1-992b-48a1c1357f07} - %profile%\extensions\{800b5000-a755-47e1-992b-48a1c1357f07}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: browser.startup.homepage - hxxp://flyingincognitosleep.com/cgi-bin/h.pl
FF - user.js: browser.startup.page - 1
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-{21C729FD-8AB5-B391-3463-39B325BFBD00} - c:\users\ap\AppData\Roaming\Moere\byip.exe
HKCU-Run-{2FDBE596-3212-B33C-DEFA-633B71495038} - c:\users\ap\AppData\Roaming\Meyq\opyq.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-22 17:47
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: TOSHIBA_MK1237GSX rev.DL130M -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-4
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86AF1555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86af77b0]; MOV EAX, [0x86af782c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82A60962] -> \Device\Harddisk0\DR0[0x86456470]
3 CLASSPNP[0x8890C8B3] -> ntkrnlpa!IofCallDriver[0x82A60962] -> [0x86C80C88]
\Driver\atapi[0x86B01F38] -> IRP_MJ_CREATE -> 0x86AF1555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-4 -> \??\IDE#DiskTOSHIBA_MK1237GSX_______________________DL130M__#5&1348f061&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi -> 0x85a1c1f8
user != kernel MBR !!!
sectors 234441646 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
**************************************************************************
.
Completion time: 2010-12-22 17:52:23
ComboFix-quarantined-files.txt 2010-12-22 23:52
ComboFix2.txt 2010-12-21 20:39
Pre-Run: 19,985,952,768 bytes free
Post-Run: 19,955,187,712 bytes free
- - End Of File - - A959C91631CEFD0545A68C240FDCEFBD