ComboFix 10-12-11.03 - Owner 12/11/2010 21:11:11.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.53 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\commy.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Application Data\completescan
c:\documents and settings\Owner\Application Data\install
c:\documents and settings\Owner\Application Data\Xiurz
c:\documents and settings\Owner\Application Data\Ysez
c:\documents and settings\Owner\Application Data\Ysez\zavi.vif
c:\documents and settings\Owner\Local Settings\Application Data\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}
c:\documents and settings\Owner\Local Settings\Application Data\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{9943D1B2-DB9A-4D3E-A0F2-583F318A9828}\install.rdf
c:\program files\Need2Find
c:\program files\Need2Find\bar\1.bin\N2FFXTBR.JAR
c:\program files\Need2Find\bar\1.bin\N2NTSTBR.JAR
c:\program files\Need2Find\bar\1.bin\PARTNER.DAT
c:\program files\Need2Find\bar\Cache\0066FA0F
c:\program files\Need2Find\bar\Cache\00673A73
c:\program files\Need2Find\bar\History\search
c:\program files\Need2Find\bar\Settings\prevcfg.htm
c:\program files\Shared
c:\windows\system32\cache329
c:\windows\system32\cache329\B_329_0_0_106800.htm
c:\windows\system32\cache329\B_329_0_0_107400.htm
c:\windows\system32\cache329\B_329_1_0_449200.htm
c:\windows\system32\cache329\B_329_1_0_449600.htm
c:\windows\system32\cache329\B_329_1_0_454300.htm
c:\windows\system32\cache329\B_329_2_0_105300.htm
c:\windows\system32\cache329\B_329_2_0_106800.htm
c:\windows\system32\cache329\B_329_2_0_107400.htm
c:\windows\system32\cache329\B_329_3_0_106800.htm
c:\windows\system32\cache329\B_329_3_0_107400.htm
c:\windows\system32\cache329\B_329_4_0_111600.htm
c:\windows\system32\cache329\B_329_4_0_152400.htm
c:\windows\system32\cache329\B_329_4_0_155300.htm
c:\windows\system32\cache329\B_329_4_0_164100.htm
c:\windows\system32\cache329\t_B_329_0_0_106800.htm
c:\windows\system32\cache329\t_B_329_0_0_107400.htm
c:\windows\system32\cache329\t_B_329_1_0_449200.htm
c:\windows\system32\cache329\t_B_329_1_0_449600.htm
c:\windows\system32\cache329\t_B_329_1_0_454300.htm
c:\windows\system32\cache329\t_B_329_2_0_105300.htm
c:\windows\system32\cache329\t_B_329_2_0_106800.htm
c:\windows\system32\cache329\t_B_329_2_0_107400.htm
c:\windows\system32\cache329\t_B_329_3_0_106800.htm
c:\windows\system32\cache329\t_B_329_3_0_107400.htm
c:\windows\system32\cache329\t_B_329_4_0_111600.htm
c:\windows\system32\cache329\t_B_329_4_0_152400.htm
c:\windows\system32\cache329\t_B_329_4_0_155300.htm
c:\windows\system32\cache329\t_B_329_4_0_164100.htm
c:\windows\system32\tmp.reg
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-11-12 to 2010-12-12 )))))))))))))))))))))))))))))))
.
2010-12-12 01:52 . 2010-12-12 01:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-12-11 00:17 . 2010-12-11 00:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-12-11 00:17 . 2010-12-11 00:17 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-12-11 00:01 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-12-11 00:01 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-12-11 00:01 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-12-11 00:01 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-12-11 00:01 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-12-11 00:01 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-12-11 00:01 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-12-11 00:00 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-12-11 00:00 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-12-10 23:17 . 2010-12-10 23:17 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-10 23:05 . 2010-12-10 23:05 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-12-10 23:04 . 2010-12-10 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-12-10 23:04 . 2010-12-10 23:04 -------- d-----w- c:\program files\McAfee Security Scan
2010-12-10 00:34 . 2010-12-10 00:34 -------- d-----w- c:\program files\Common Files\Java
2010-12-10 00:33 . 2010-09-15 09:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-09 21:25 . 2010-12-09 21:25 -------- d-----w- C:\_OTL
2010-12-02 23:05 . 2010-12-02 23:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-11-30 23:50 . 2010-12-04 00:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Qerie
2010-11-30 23:50 . 2010-12-02 03:01 -------- d-----w- c:\documents and settings\Owner\Application Data\Owuvw
2010-11-30 21:09 . 2010-11-30 21:09 230 ----a-w- C:\agtyjkj.bat
2010-11-27 19:19 . 2010-12-04 00:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Owovy
2010-11-27 19:19 . 2010-12-02 03:01 -------- d-----w- c:\documents and settings\Owner\Application Data\Edgubo
2010-11-25 22:50 . 2010-11-25 22:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-25 21:06 . 2010-12-10 23:47 -------- d-----w- c:\windows\system32\drivers\AVG
2010-11-25 02:56 . 2001-08-17 18:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-11-25 02:56 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-11-25 01:45 . 2010-11-25 01:45 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-24 23:59 . 2010-11-24 23:59 -------- d-----w- c:\program files\Loaris
2010-11-24 21:48 . 2010-11-24 21:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-11-24 15:37 . 2010-11-24 15:38 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-11-24 12:17 . 2010-11-24 12:17 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-11-23 23:19 . 2010-11-23 23:19 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:42 . 2010-11-08 22:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 22:42 . 2010-11-08 22:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-15 07:29 . 2009-10-26 21:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 4662776]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-23 67128]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-06-24 247144]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 28160]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 110592]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-01-19 11776]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-02-15 1052672]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-3-23 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-2-2 532480]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/10/2010 7:01 PM 165584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/10/2010 7:01 PM 17744]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [2/28/2008 5:57 PM 18944]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [6/24/2010 9:41 AM 92008]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/10/2010 7:02 PM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/8/2010 5:11 PM 38224]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
.
Contents of the 'Scheduled Tasks' folder
2010-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-11 00:02]
2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-11 00:02]
2010-12-12 c:\windows\Tasks\User_Feed_Synchronization-{15BE7D63-A464-42B5-B135-F874DC36DC73}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.columbus.rr.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Show All Original Images - c:\program files\NetZero\qsacc\appres.dll/228
IE: Show Original Image - c:\program files\NetZero\qsacc\appres.dll/227
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: musicmatch.com\online
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.leaguelineup.com/_incl/uploader/ImageUploader6.cab
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-Webroot Desktop Firewall - c:\program files\Webroot\Webroot Desktop Firewall\WDF.exe
HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
AddRemove-CS - c:\program files\CS\cs.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2010-12-11 21:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(624)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2010-12-11 21:29:22
ComboFix-quarantined-files.txt 2010-12-12 02:29
ComboFix2.txt 2007-08-04 00:14
Pre-Run: 53,781,041,152 bytes free
Post-Run: 54,003,970,048 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
- - End Of File - - 0265D77BE2C3088F354422474419C642