ComboFix 12-11-23.02 - Crenshaw 11/23/2012 11:01:28.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.2205 [GMT -8:00]
Running from: c:\users\Crenshaw\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-10-23 to 2012-11-23 )))))))))))))))))))))))))))))))
.
.
2012-11-23 18:00 . 2012-11-23 18:00 -------- d-----w- c:\windows\system32\sda
2012-11-23 17:59 . 2012-11-23 17:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2012-11-23 17:58 . 2000-01-01 00:00 9112168 ----a-w- c:\windows\system32\RtsUStoricon.dll
2012-11-23 17:58 . 2000-01-01 00:00 193640 ----a-w- c:\windows\system32\drivers\RtsUStor.sys
2012-11-23 17:58 . 2012-11-23 17:58 -------- d-----w- c:\program files\Realtek
2012-11-23 17:58 . 2000-01-01 00:00 313960 ----a-w- c:\windows\system32\RtsUStor.dll
2012-11-23 07:01 . 2012-11-23 07:01 -------- d-----w- c:\programdata\Malwarebytes
2012-11-23 07:01 . 2012-11-23 07:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-11-23 07:01 . 2012-09-30 03:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-22 22:21 . 2012-11-22 22:21 60872 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FC11C01D-C4DB-4D05-A982-40B03DCCA973}\offreg.dll
2012-11-22 20:51 . 2012-11-22 20:51 -------- d-----w- c:\program files\CPUID
2012-11-22 20:45 . 2012-11-22 20:45 -------- d-----w- C:\312c0bcb908c8f4143c8
2012-11-22 20:39 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
2012-11-22 20:39 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll
2012-11-22 20:38 . 2012-03-01 14:46 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-11-22 20:38 . 2012-03-01 14:46 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-11-22 20:38 . 2012-02-29 14:08 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-11-22 20:38 . 2012-02-29 13:44 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-11-22 20:38 . 2012-02-29 13:41 1069056 ----a-w- c:\windows\system32\DWrite.dll
2012-11-22 20:38 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2012-11-22 20:28 . 2012-11-22 20:28 740784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4CB0EE2D-13B9-42F2-9EC1-0AFD4B374764}\gapaengine.dll
2012-11-22 20:28 . 2012-11-08 18:00 6812136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FC11C01D-C4DB-4D05-A982-40B03DCCA973}\mpengine.dll
2012-11-22 20:28 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-11-22 20:23 . 2012-11-22 20:24 -------- d-----w- c:\program files\Microsoft Security Client
2012-11-22 20:23 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2012-11-22 20:18 . 2012-11-22 20:18 -------- d-----w- c:\program files\uTorrent
2012-11-22 19:57 . 2007-06-29 22:47 34304 ----a-w- c:\windows\system32\drivers\AmdLLD.sys
2012-11-22 19:57 . 2012-11-22 19:57 -------- d-----w- c:\program files\AMD
2012-11-22 19:34 . 2012-11-22 19:34 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-11-22 19:01 . 2012-11-22 19:01 -------- d-----w- c:\program files\Windows Portable Devices
2012-11-22 18:30 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2012-11-22 18:30 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2012-11-22 18:30 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2012-11-22 18:29 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2012-11-22 18:29 . 2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2012-11-22 18:29 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2012-11-22 18:29 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2012-11-22 18:29 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2012-11-22 18:29 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2012-11-22 18:29 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2012-11-22 18:29 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2012-11-22 18:29 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2012-11-22 18:29 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
2012-11-22 18:29 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2012-11-22 18:29 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2012-11-22 18:27 . 2012-02-29 15:11 5120 ----a-w- c:\windows\system32\wmi.dll
2012-11-22 18:27 . 2012-02-29 15:09 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-11-22 18:27 . 2012-02-29 13:32 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-11-22 18:22 . 2012-11-22 18:22 0 ----a-w- c:\windows\ativpsrm.bin
2012-11-22 18:10 . 2012-11-22 18:10 98816 ----a-w- c:\windows\system32\mfps.dll
2012-11-22 18:01 . 2009-07-30 10:36 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2012-11-22 17:59 . 2012-11-22 17:59 -------- d-----w- c:\program files\Microsoft.NET
2012-11-22 17:57 . 2009-11-08 18:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2012-11-22 17:57 . 2009-11-08 18:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2012-11-22 17:57 . 2009-11-08 18:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2012-11-22 17:57 . 2009-11-08 18:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2012-11-22 17:57 . 2009-11-08 18:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2012-11-22 17:49 . 2012-11-22 17:49 -------- d-----w- c:\program files\SlimCleaner
2012-11-22 17:48 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2012-11-22 17:48 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2012-11-22 17:48 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2012-11-22 17:44 . 2011-11-18 17:47 66560 ----a-w- c:\windows\system32\packager.dll
2012-11-22 17:44 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2012-11-22 17:44 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2012-11-22 17:44 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2012-11-22 17:44 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2012-11-22 17:44 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2012-11-22 17:44 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2012-11-22 17:44 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2012-11-22 17:44 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2012-11-22 17:44 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2012-11-22 17:42 . 2009-08-14 13:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2012-11-22 17:42 . 2009-08-14 13:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2012-11-22 17:42 . 2009-08-14 13:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2012-11-22 17:42 . 2009-08-14 13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2012-11-22 17:42 . 2009-08-14 13:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2012-11-22 17:42 . 2009-08-14 13:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2012-11-22 17:42 . 2009-08-14 13:49 10240 ----a-w- c:\windows\system32\finger.exe
2012-11-22 17:42 . 2009-08-14 13:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2012-11-22 17:38 . 2011-07-06 15:31 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2012-11-22 17:38 . 2011-04-29 13:24 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2012-11-22 17:38 . 2011-04-29 13:24 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-11-22 17:38 . 2011-03-10 17:03 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2012-11-22 17:38 . 2011-03-10 17:03 1136640 ----a-w- c:\windows\system32\mfc42.dll
2012-11-22 17:38 . 2012-05-11 15:57 623616 ----a-w- c:\windows\system32\localspl.dll
2012-11-22 17:38 . 2011-02-16 16:16 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-11-22 17:38 . 2011-02-16 14:02 292864 ----a-w- c:\windows\system32\atmfd.dll
2012-11-22 17:38 . 2010-06-16 15:30 72704 ----a-w- c:\windows\system32\fontsub.dll
2012-11-22 17:38 . 2009-06-15 14:52 23552 ----a-w- c:\windows\system32\lpk.dll
2012-11-22 17:38 . 2009-06-15 14:51 10240 ----a-w- c:\windows\system32\dciman32.dll
2012-11-22 17:36 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2012-11-22 17:31 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
2012-11-22 17:31 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2012-11-22 17:31 . 2009-04-23 12:15 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2012-11-22 17:31 . 2012-05-01 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-11-22 17:27 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2012-11-22 17:26 . 2012-11-22 17:26 -------- d--h--w- c:\programdata\Common Files
2012-11-22 17:26 . 2012-11-22 17:26 -------- d-----w- c:\program files\SlimDrivers
2012-11-22 17:26 . 2012-11-22 09:44 -------- d-sh--w- c:\windows\Installer
2012-11-22 17:26 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-11-22 17:21 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-11-22 17:21 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-11-22 17:21 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-11-22 17:21 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-11-22 17:21 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-11-22 17:21 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-11-22 17:21 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-11-22 17:20 . 2012-06-02 23:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-11-22 17:20 . 2012-06-02 23:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-11-22 17:18 . 2012-11-23 18:00 -------- d-----w- c:\users\Crenshaw
2012-11-22 17:06 . 2012-11-22 18:18 -------- d-----w- c:\windows\Debug
2012-11-22 16:54 . 2012-11-22 16:58 -------- d-----w- c:\windows\Panther
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-22 18:10 . 2012-11-22 18:10 4096 ----a-w- c:\windows\system32\drivers\en-US\dxgkrnl.sys.mui
2012-08-31 06:03 . 2012-08-31 06:03 99272 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-08-31 06:03 . 2012-08-31 06:03 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-11-20 06:17 . 2012-11-22 19:34 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 947176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2905338454-1592271558-3262912420-1000]
"EnableNotificationsRef"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-22 08:13]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
FF - ProfilePath - c:\users\Crenshaw\AppData\Roaming\Mozilla\Firefox\Profiles\54u90y8y.default\
FF - ExtSQL: 2012-11-22 09:46; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - ExtSQL: 2012-11-22 11:39; {4DC70064-89E2-4a55-8FC6-E8CDEAE3618C}; c:\users\Crenshaw\AppData\Roaming\Mozilla\Firefox\Profiles\54u90y8y.default\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3618C}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2012-11-23 11:07
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\atiesrxx.exe
c:\windows\system32\atieclxx.exe
.
**************************************************************************
.
Completion time: 2012-11-23 11:10:05 - machine was rebooted
ComboFix-quarantined-files.txt 2012-11-23 19:10
.
Pre-Run: 358,268,788,736 bytes free
Post-Run: 358,434,029,568 bytes free
.
- - End Of File - - E7EA7A81BB7A08F6E65FAB62EF6CD9BC