ComboFix 10-11-02.03 - WulfTop 11/03/2010 7:54.7.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.1087 [GMT -4:00]
Running from: c:\users\WulfTop\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2010-10-03 to 2010-11-03 )))))))))))))))))))))))))))))))
.
2010-11-03 12:08 . 2010-11-03 12:09 -------- d-----w- c:\users\WulfTop\AppData\Local\temp
2010-11-03 12:08 . 2010-11-03 12:08 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-11-03 12:08 . 2010-11-03 12:08 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-11-03 12:08 . 2010-11-03 12:08 -------- d-----w- c:\users\demianwulf\AppData\Local\temp
2010-11-03 12:08 . 2010-11-03 12:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-03 12:08 . 2010-11-03 12:08 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-11-02 02:42 . 2010-11-02 02:42 -------- d-----w- C:\_OTL
2010-11-02 02:28 . 2010-11-02 02:28 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-02 02:28 . 2010-11-02 02:28 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-11-01 04:59 . 2010-11-01 04:59 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Opera
2010-11-01 04:55 . 2010-11-01 04:55 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Mozilla
2010-10-31 20:58 . 2010-10-31 20:58 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Logitech
2010-10-26 16:51 . 2010-10-26 16:53 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe
2010-10-24 19:38 . 2010-10-24 19:38 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2010-10-24 19:38 . 2010-10-24 19:38 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Yahoo
2010-10-23 16:42 . 2010-10-23 16:42 -------- d-----w- c:\programdata\eMule
2010-10-23 14:46 . 2010-10-23 14:46 -------- d-----w- c:\users\WulfTop\AppData\Local\eMule
2010-10-23 14:46 . 2010-10-23 14:46 -------- d-----w- c:\program files\eMule
2010-10-22 08:05 . 2007-05-24 23:13 251904 ----a-w- c:\windows\system32\drivers\rtl8187B.sys
2010-10-22 07:52 . 2007-01-31 02:03 205312 ----a-w- c:\windows\system32\drivers\rtl8187.sys
2010-10-22 07:49 . 2010-10-22 07:49 -------- d-----w- c:\program files\REALTEK RTL8187 Wireless LAN Driver
2010-10-22 05:47 . 2010-10-22 05:48 -------- d-----w- c:\users\Administrator\AppData\Local\Inquisitor
2010-10-22 05:47 . 2010-10-22 05:47 -------- d-----w- c:\users\Administrator\AppData\Local\Yahoo
2010-10-20 15:58 . 2006-09-28 20:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-10-20 15:58 . 2006-09-28 20:04 68888 ----a-w- c:\windows\system32\xinput1_3.dll
2010-10-20 15:57 . 2010-10-20 18:41 -------- d-----w- c:\users\WulfTop\AppData\Local\Microsoft Game Studios
2010-10-20 15:57 . 2010-10-20 18:42 -------- d-----w- c:\programdata\Microsoft Games
2010-10-20 15:55 . 2010-10-20 18:42 -------- d-----w- c:\users\WulfTop\AppData\Roaming\Microsoft Game Studios
2010-10-20 01:43 . 2009-06-25 17:20 1446264 ----a-w- c:\program files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
2010-10-12 15:17 . 2010-08-25 19:41 263272 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2010-10-12 15:17 . 2009-12-03 21:27 80416 ----a-w- c:\windows\system32\RtNicProp32.dll
2010-10-12 14:59 . 2005-01-12 15:19 456536 ----a-w- c:\windows\system32\XCEEDZIP.DLL
2010-10-12 14:59 . 2004-09-28 15:13 526184 ----a-w- c:\windows\system32\XceedCry.dll
2010-10-12 14:59 . 2004-08-11 19:55 110602 ----a-w- c:\windows\system32\xcdsfx32.bin
2010-10-12 14:59 . 2004-03-09 04:00 224016 ----a-w- c:\windows\system32\Tabctl32.ocx
2010-10-12 14:59 . 2004-03-09 04:00 132880 ----a-w- c:\windows\system32\Msinet.ocx
2010-10-12 14:59 . 2010-10-12 15:02 -------- d-----w- c:\program files\Driver Magician
2010-10-12 14:43 . 2010-10-12 14:46 -------- d-----w- c:\users\WulfTop\AppData\Roaming\GetRightToGo
2010-10-12 14:14 . 2010-10-12 14:14 -------- d-----w- c:\program files\Driver-Soft
2010-10-12 13:12 . 2010-10-12 13:12 -------- d-----w- C:\dell
2010-10-08 19:23 . 2008-06-26 10:25 337920 ----a-w- c:\windows\system\rtl8187B.sys
2010-10-08 19:23 . 2010-10-08 19:23 -------- d-----w- c:\program files\REALTEK RTL8187B Wireless LAN Driver
2010-10-08 19:22 . 2010-10-08 19:22 -------- d-----w- c:\users\WulfTop\AppData\Roaming\InstallShield
2010-10-08 18:33 . 2008-02-15 20:19 361472 ----a-w- c:\windows\system32\drivers\RTL85n86.sys
2010-10-08 18:33 . 2008-02-15 20:19 361472 ----a-w- c:\windows\system\RTL85n86.sys
2010-10-08 18:33 . 2007-04-23 14:50 25896 ----a-w- c:\windows\system32\drivers\RtlProt.sys
2010-10-08 18:33 . 2010-10-08 18:33 -------- d-----w- c:\windows\system32\REALTEK RTL8185 Wireless LAN Driver and Utility
2010-10-08 04:20 . 2010-10-08 04:20 -------- d-----w- c:\users\WulfTop\{cea92844-0dbf-4f09-a038-2dc1383c5570}
2010-10-08 02:57 . 2010-10-08 02:57 -------- d-----w- c:\program files\MozBackup
2010-10-07 21:56 . 2010-10-07 21:56 -------- d-----w- c:\users\WulfTop\{8517c860-6671-4a8c-8483-66ad267c2024}
2010-10-07 04:15 . 2010-10-07 04:15 -------- d-----w- c:\programdata\Samsung
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-02 21:59 . 2009-10-21 19:47 226280 ----a-w- c:\windows\system32\drivers\volsnap.sys
2010-09-26 22:45 . 2010-09-26 22:45 13031 ----a-w- c:\users\WulfTop\www.blogger.com
2010-09-07 15:12 . 2010-07-26 13:48 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2009-08-20 18:43 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2009-08-20 18:44 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2009-08-20 18:44 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2009-08-20 18:44 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2009-08-20 18:43 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-09-07 14:47 . 2009-08-20 18:44 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-08-17 14:11 . 2010-09-15 11:44 128000 ----a-w- c:\windows\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 865840]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-02-08 1800464]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 150552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-12-26 805392]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Turbo Tax Agent]
2010-02-28 18:41 632685 ----a-w- c:\windows\txagent.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup
"PackageAware"="c:\users\WulfTop\Local Settings\Application Data\PackageAware\mpa.exe"
"ehTray.exe"=c:\windows\ehome\ehTray.exe
"Sidebar"=c:\program files\Windows Sidebar\sidebar.exe /autoRun
"Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe"
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe"
"SansaDispatch"=c:\users\WulfTop\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"ESPDemo"=c:\program files\ESP Demo\ESPDemo.exe
"Windows Mobile-based device management"=%windir%\WindowsMobile\wmdSync.exe
"Windows Mobile Device Center"=%windir%\WindowsMobile\wmdc.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"TaskTray"=
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1846439569-3478701832-3505936554-1000]
"EnableNotificationsRef"=dword:00000003
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [x]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2007-05-24 251904]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [x]
S1 aswSP;aswSP; [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2010-02-08 130960]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2010-02-08 29520]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
S2 InquisitorService;Inquisitor Service;c:\program files\Yahoo!\Inquisitor\InquisitorService.exe [2008-10-17 185624]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-08-14 809296]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ASPI32
*Deregistered* - ASPI32
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
2010-11-03 c:\windows\Tasks\User_Feed_Synchronization-{2CD5E54C-4FA3-45DF-A73E-DA2DA128980B}.job
- c:\windows\system32\msfeedssync.exe [2010-08-12 04:24]
2010-10-24 c:\windows\Tasks\User_Feed_Synchronization-{DD8CDFA0-23E3-41C6-8DBC-401A227904AC}.job
- c:\windows\system32\msfeedssync.exe [2010-08-12 04:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
TCP: {A6288ECF-58B8-467B-900E-B93BD4A29404} = 68.87.73.246,68.87.71.230
TCP: {C6E2F843-68CB-4826-8318-E0D89A7E2F60} = 156.154.70.22,156.154.71.22
FF - ProfilePath - c:\users\WulfTop\AppData\Roaming\Mozilla\Firefox\Profiles\xivfcrut.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Opera\program\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\Opera\program\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - plugin: c:\users\WulfTop\AppData\Local\Yahoo!\BrowserPlus\2.8.1\Plugins\npybrowserplus_2.8.1.dll
FF - plugin: c:\users\WulfTop\AppData\Roaming\Mozilla\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-klmdb.sys
MSConfigStartUp-svchost - c:\program files\Internet Explorer\svchost.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-03 08:08
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\users\WulfTop\AppData\Local\Temp\catchme.dll 53248 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(4724)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
.
Completion time: 2010-11-03 08:13:14
ComboFix-quarantined-files.txt 2010-11-03 12:13
ComboFix2.txt 2010-10-31 19:58
ComboFix3.txt 2010-10-30 18:16
ComboFix4.txt 2010-10-30 05:46
Pre-Run: 19,195,162,624 bytes free
Post-Run: 19,043,295,232 bytes free
- - End Of File - - 17A56DC6E5C9E6CDB95449AA2121358E
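Added example, not part of the ComboFix report above and not ComboFix's own code: a small Python triage script that parses the line shapes ComboFix emits (file entries, "name"=value registry entries, supplementary "key = value" settings and "Entry - path" orphan lines) and flags the points a responder would check first in this report: EnableLUA=0 (UAC turned off), the AppInit_DLLs entry (a DLL loaded into every user-mode process that loads user32.dll, so verify its signature and vendor before trusting it), a Run value whose image is given without a path (KHALMNPR.EXE is resolved through the search order, so a planted binary earlier in that order wins), an autostart image under a user-writable profile directory, the user-level ProxyServer setting pointing at 127.0.0.1:50370 (it may belong to the Vidalia/Tor install listed under the HKCU run- key, or to something else; confirm which process is listening on that port), and the removed orphan that pointed at a svchost.exe outside \windows\system32. The rule names, the severity scale and the SAMPLE_LOG subset are my own constructions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed input: a subset of lines copied from the ComboFix report above.
SAMPLE_LOG = r"""
2010-10-22 08:05 . 2007-05-24 23:13 251904 ----a-w- c:\windows\system32\drivers\rtl8187B.sys
2010-10-23 14:46 . 2010-10-23 14:46 -------- d-----w- c:\program files\eMule
2010-08-17 14:11 . 2010-09-15 11:44 128000 ----a-w- c:\windows\system32\spoolsv.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"EnableLUA"= 0 (0x0)
"AppInit_DLLs"=c:\windows\System32\guard32.dll
"PackageAware"="c:\users\WulfTop\Local Settings\Application Data\PackageAware\mpa.exe"
uInternet Settings,ProxyServer = http=127.0.0.1:50370
MSConfigStartUp-svchost - c:\program files\Internet Explorer\svchost.exe
"""

# Line shapes ComboFix uses: "created . modified size attrs path", '"name"=value [date size]',
# "key = value" supplementary settings, and "Entry-name - path" orphan lines.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-{8})\s+(?P<attrs>[d-][-a-z]{7})\s+(?P<path>.+?)\s*$"
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+?)\s*$')
SETTING_RE = re.compile(r"^(?P<key>u?[A-Za-z][\w ,.]*?) = (?P<value>.+?)\s*$")
ORPHAN_RE = re.compile(r"^(?P<entry>[A-Za-z]+-\S+) - (?P<path>.+?)\s*$")

BINARY_EXT = (".exe", ".dll", ".sys", ".scr", ".ocx", ".drv")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\temp\\", "\\local settings\\")


@dataclass
class Finding:
    severity: str  # hypothetical scale used by this example: high / medium
    rule: str
    evidence: str


def image_path(value: str) -> str:
    """Strip ComboFix's trailing '[date size]' annotation and optional surrounding quotes."""
    value = re.sub(r"\s*\[\d{4}-\d{2}-\d{2} \d+\]$", "", value)
    m = re.match(r'^"([^"]*)"', value)
    return (m.group(1) if m else value).strip()


def check_image(source: str, path: str, findings: List[Finding]) -> None:
    """Checks that apply to any executable path, wherever in the report it appears."""
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if base == "svchost.exe" and not low.endswith("\\windows\\system32\\svchost.exe"):
        findings.append(Finding("high", "svchost-outside-system32", f"{source}: {path}"))
    elif low.endswith(BINARY_EXT) and "\\" not in path:
        findings.append(Finding("medium", "unqualified-autostart-image", f"{source}: {path}"))
    elif low.endswith(BINARY_EXT) and any(marker in low for marker in USER_WRITABLE):
        findings.append(Finding("medium", "autostart-in-user-writable-path", f"{source}: {path}"))


def triage(log_text: str) -> Tuple[List[dict], List[Finding]]:
    """Parse the report lines; return the file records and the findings worth a second look."""
    files: List[dict] = []
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := FILE_RE.match(line)):
            rec = m.groupdict()
            rec["is_dir"] = rec["attrs"].startswith("d")
            files.append(rec)
            if not rec["is_dir"]:
                check_image("file", rec["path"], findings)
        elif (m := VALUE_RE.match(line)):
            name, value = m.group("name"), m.group("value")
            if name == "EnableLUA" and value.split()[0] == "0":
                findings.append(Finding("high", "uac-disabled", line))
            elif name == "AppInit_DLLs" and value.strip():
                findings.append(Finding("medium", "appinit-dll-injection", image_path(value)))
            else:
                check_image(f"value {name}", image_path(value), findings)
        elif (m := SETTING_RE.match(line)):
            key, value = m.group("key"), m.group("value")
            if "proxyserver" in key.lower() and ("127.0.0.1" in value or "localhost" in value.lower()):
                findings.append(Finding("medium", "local-proxy-configured", line))
        elif (m := ORPHAN_RE.match(line)):
            check_image(f"orphan {m.group('entry')}", m.group("path"), findings)
    return files, findings


def binary_entries(files: List[dict]) -> List[str]:
    """Paths of executable/driver files among the parsed file records, sorted."""
    return sorted(f["path"] for f in files if not f["is_dir"] and f["path"].lower().endswith(BINARY_EXT))


if __name__ == "__main__":
    parsed, found = triage(SAMPLE_LOG)
    for f in sorted(found, key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.rule}: {f.evidence}")
    print("binaries listed:", binary_entries(parsed))
```

Run it against the full report text (for example `triage(open("ComboFix.txt").read())`) to get the same findings over every section; the rules are deliberately narrow, so treat the output as a list of things to verify on the host (signature of guard32.dll, the process behind port 50370, where KHALMNPR.EXE actually resolves from), not as verdicts.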