ComboFix 10-01-04.01 - Nathalie 10/01/2010 17:36:53.1.2 - x86
Microsoft
Windows Vista
Home Premium 6.0.6001.1.1252.2.1033.18.3070.2412 [GMT -8:00]
Running from: c:\users\Nathalie\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-1777521922-3288485073-514130652-500
c:\$recycle.bin\S-1-5-21-4210324160-1517605667-1552415996-500
c:\windows\system32\drivers\H8SRTmdrmprweog.sys
c:\windows\system32\h8srtkrl32mainweq.dll
c:\windows\system32\H8SRTmrdeardaui.dll
c:\windows\system32\H8SRTqhyvjqlkvv.dat
c:\windows\system32\H8SRTrhfvuvkxua.dll
c:\windows\system32\H8SRTwrpdqfjyvr.dll
c:\windows\system32\H8SRTwucrwpuiwj.dll
c:\windows\system32\KBL.LOG
c:\windows\system32\oem15.inf
c:\windows\system32\oem4.inf
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys
((((((((((((((((((((((((( Files Created from 2009-12-11 to 2010-01-11 )))))))))))))))))))))))))))))))
.
2010-01-11 01:48 . 2010-01-11 01:52 -------- d-----w- c:\users\Nathalie\AppData\Local\temp
2010-01-11 01:48 . 2010-01-11 01:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-11 01:08 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-11 01:08 . 2010-01-11 01:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-11 01:08 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-11 00:46 . 2010-01-11 00:46 -------- d-----w- c:\program files\TrendMicro
2010-01-10 21:33 . 2010-01-10 21:33 -------- d-----w- C:\$AVG
2010-01-10 21:33 . 2010-01-10 21:33 -------- d-----w- c:\programdata\avg9
2010-01-10 21:28 . 2010-01-10 21:28 -------- d-----w- c:\users\Nathalie\AppData\Roaming\AVG8
2009-12-14 02:00 . 2009-12-14 02:00 -------- d-----w- c:\windows\system32\drivers\NSS
2009-12-12 17:14 . 2009-11-09 13:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-12 17:14 . 2009-11-09 11:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-12 17:14 . 2009-11-09 13:20 31232 ----a-w- c:\windows\system32\httpapi.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-11 01:39 . 2008-04-25 00:41 716356 ----a-w- c:\windows\system32\perfh00C.dat
2010-01-11 01:39 . 2008-04-25 00:41 147564 ----a-w- c:\windows\system32\perfc00C.dat
2010-01-10 23:48 . 2009-01-23 03:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-10 21:37 . 2008-04-25 02:01 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-10 21:33 . 2009-01-23 03:41 -------- d-----w- c:\program files\AVG
2010-01-09 20:45 . 2008-08-08 21:53 67100 ----a-w- c:\users\Nathalie\AppData\Roaming\nvModes.dat
2010-01-07 06:09 . 2009-05-04 03:16 -------- d-----w- c:\users\Nathalie\AppData\Roaming\dvdcss
2010-01-03 03:56 . 2008-12-16 10:20 -------- d-----w- c:\users\Nathalie\AppData\Roaming\LimeWire
2009-12-14 02:00 . 2009-08-17 01:03 -------- d-----w- c:\programdata\Norton
2009-12-14 02:00 . 2009-06-02 19:52 -------- d-----w- c:\program files\Norton Security Scan
2009-12-14 02:00 . 2009-08-17 01:03 -------- d-----w- c:\programdata\NortonInstaller
2009-12-11 23:32 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-11 19:15 . 2008-08-07 04:21 -------- d-----w- c:\programdata\Microsoft Help
2009-12-04 21:04 . 2009-11-15 08:03 226 ----a-w- c:\users\Nathalie\AppData\Roaming\wklnhst.dat
2009-12-02 21:39 . 2008-08-07 04:31 108632 ----a-w- c:\users\Nathalie\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-28 03:19 . 2009-11-28 03:19 -------- d-----w- c:\users\Nathalie\AppData\Roaming\Druide
2009-11-28 03:17 . 2009-11-28 03:17 -------- d-----w- c:\program files\Druide
2009-11-16 21:34 . 2008-08-08 06:10 -------- d-----w- c:\users\Nathalie\AppData\Roaming\CyberLink
2009-11-15 08:03 . 2009-11-15 08:03 -------- d-----w- c:\users\Nathalie\AppData\Roaming\Template
2009-11-03 04:42 . 2009-10-03 17:08 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:41 . 2009-11-26 17:54 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-27 13:20 . 2009-12-10 15:36 833024 ----a-w- c:\windows\system32\wininet.dll
2009-10-27 13:16 . 2009-12-10 15:36 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-27 10:55 . 2009-12-10 15:36 26624 ----a-w- c:\windows\system32\ieUnatt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7c5c0f58-e061-457d-9033-77307f5ed00c}]
2008-05-21 07:43 1526296 ----a-w- c:\program files\TorrentMan\tbTor0.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7c5c0f58-e061-457d-9033-77307f5ed00c}"= "c:\program files\TorrentMan\tbTor0.dll" [2008-05-21 1526296]
[HKEY_CLASSES_ROOT\clsid\{7c5c0f58-e061-457d-9033-77307f5ed00c}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7C5C0F58-E061-457D-9033-77307F5ED00C}"= "c:\program files\TorrentMan\tbTor0.dll" [2008-05-21 1526296]
[HKEY_CLASSES_ROOT\clsid\{7c5c0f58-e061-457d-9033-77307f5ed00c}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-16 1830128]
"Gestionnaire Antidote.exe"="c:\program files\Druide\Antidote\Gestionnaire Antidote.exe" [2006-09-11 439992]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1033512]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-08 1394000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Gestionnaire Antidote.exe"="c:\program files\Druide\Antidote\Gestionnaire Antidote.exe" [2006-09-11 439992]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2007-10-01 23:10 1783136 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 04:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 23:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-12-20 02:27 468264 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-08-17 06:13 218408 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [15/01/2009 4:17 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [15/01/2009 4:17 PM 55024]
R2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};{22D78859-9CE9-4B77-BF18-AC83E81A9263};c:\program files\HP\QuickPlay\000.fcl [18/06/2008 5:55 AM 41456]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 gupdate1ca2d0924894d30;Google Update Service (gupdate1ca2d0924894d30);c:\program files\Google\Update\GoogleUpdate.exe [03/09/2009 6:41 PM 133104]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15/01/2009 4:17 PM 7408]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [28/05/2009 11:47 AM 721904]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2010-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 02:40]
2010-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 02:40]
2010-01-09 c:\windows\Tasks\Norton Security Scan for Nathalie.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-14 02:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/home.php
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Nathalie\AppData\Roaming\Mozilla\Firefox\Profiles\wr7ad7gx.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.firesearch.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{7c5c0f58-e061-457d-9033-77307f5ed00c}\components\FFAlert.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
MSConfigStartUp-Cognac - c:\users\Nathalie\AppData\Local\Temp\~tmp6.exe
AddRemove-AIM_6 - c:\program files\AIM6\uninst.exe
AddRemove-Cake Mania_is1 - c:\program files\Cake Mania\ReflexiveArcade\unins000.exe
AddRemove-Diner Dash - Flo Through Time 1.00 - c:\program files\Games\Diner Dash - Flo Through Time\Uninstall.exe
AddRemove-RollerCoaster Tycoon Setup - c:\windows\UniFish3.exe
AddRemove-The Clockwork Man 1.00 - c:\program files\Games\The Clockwork Man\Uninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-01-10 17:54
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{22D78859-9CE9-4B77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files\HP\QuickPlay\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{100EB1FD-D03E-47FD-81F3-EE91287F9465}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000003
"Flags"=dword:00000000
"Count"=dword:00000001
"Time"=hex:d9,07,01,00,05,00,17,00,03,00,00,00,0b,00,e2,01
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{500BCA15-57A7-4EAF-8143-8C619470B13D}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000003
"Flags"=dword:00000000
"Count"=dword:00000001
"Time"=hex:d9,07,01,00,05,00,17,00,03,00,00,00,0c,00,35,01
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5428486-50A0-4A02-9D20-520B59A9F9B2}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000004
"Flags"=dword:00000000
"Count"=dword:00000003
"Time"=hex:d9,07,01,00,05,00,17,00,03,00,00,00,1f,00,bc,02
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5428486-50A0-4A02-9D20-520B59A9F9B3}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000004
"Flags"=dword:00000000
"Count"=dword:00000003
"Time"=hex:d9,07,01,00,05,00,17,00,03,00,00,00,1f,00,bc,02
[HKEY_USERS\S-1-5-21-1777521922-3288485073-514130652-1000\Software\CrucialSoft Ltd\MS AntiSpyware 2009\5.7]
@DACL=(02 0000)
"Start Counter"=dword:00000001
"InstallTime"=hex:84,43,e5,eb,c2,7c,e3,40
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(2180)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\windows\system32\conime.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-01-10 18:02:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-11 02:02
Pre-Run: 80,741,199,872 bytes free
Post-Run: 83,223,584,768 bytes free
- - End Of File - - C31B369BF2A11AE72FFE8F9D2FB00F07