ComboFix 10-01-15.01 - Owner 01/15/2010 19:58:39.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.430 [GMT -5:00]
Running from: c:\documents and settings\Owner.YOUR-741067002F\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.YOUR-741067002F\Desktop\CFScript.txt
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {B3891867-7230-459B-9987-E7CCFA7A7D1D}
FW: Webroot Internet Security Essentials *disabled* {2DB6657C-B970-44d3-AB42-6325A913CCC2}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\OWNER~1.YOU\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Owner.YOUR-741067002F\Application Data\RebateInformer
c:\documents and settings\Owner.YOUR-741067002F\Application Data\RebateInformer\3190015.dat
c:\documents and settings\Owner.YOUR-741067002F\Application Data\RebateInformer\baddomaindb.dat
c:\documents and settings\Owner.YOUR-741067002F\Application Data\RebateInformer\domaindb.dat
c:\documents and settings\Owner.YOUR-741067002F\Local Settings\temp\IadHide5.dll
c:\program files\Crawler
c:\program files\Crawler\Shared\CShared.dll
c:\program files\Crawler\Smileys\CSHook.dll
c:\program files\Crawler\Smileys\CSIMHook.dll
c:\program files\Crawler\Smileys\CSmileyAX.dll
c:\program files\Crawler\Smileys\CSmileysH.config
c:\program files\Crawler\Smileys\CSmileysH.exe
c:\program files\Crawler\Smileys\CSmileysIM.exe
c:\program files\Crawler\Smileys\unins000.dat
c:\program files\Crawler\Smileys\unins000.exe
c:\program files\Crawler\Toolbar\adrkeys.dat
c:\program files\Crawler\Toolbar\Cache\COMMON\CLEANUP_CHBMP.dat
c:\program files\Crawler\Toolbar\Cache\COMMON\CLEANUP_MENU.dat
c:\program files\Crawler\Toolbar\Cache\COMMON\DIRLIST_CHBMP.dat
c:\program files\Crawler\Toolbar\Cache\COMMON\DIRLIST_MENU.dat
c:\program files\Crawler\Toolbar\Cache\COMMON\ECARDS_CHBMP.dat
c:\program files\Crawler\Toolbar\Cache\COMMON\ECARDS_MENU.dat
c:\program files\Crawler\Toolbar\Cache\COMMON\EMAIL_CHBMP.dat
c:\program files\Crawler\Toolbar\Cache\COMMON\GAMES_CHBMP.dat
c:\program files\Crawler\Toolbar\Cache\COMMON\GAMES_MENU.dat
c:\program files\Crawler\Toolbar\Cache\COMMON\SHOP_CHBMP.dat
c:\program files\Crawler\Toolbar\Cache\COMMON\SPELL_CHBMP.dat
c:\program files\Crawler\Toolbar\Cache\COMMON\TRAVEL_CHBMP.dat
c:\program files\Crawler\Toolbar\Cache\COMMON\WAYBACK_CHBMP.dat
c:\program files\Crawler\Toolbar\Cache\COMMON\WP_CHBMP.dat
c:\program files\Crawler\Toolbar\Cache\COMMON\YP_CHBMP.dat
c:\program files\Crawler\Toolbar\Cache\REBATEINF\RIBUTTON_BMP.dat
c:\program files\Crawler\Toolbar\Cache\REBATEINF\RIBUTTON_CHBMP.dat
c:\program files\Crawler\Toolbar\Cache\REBATEINF\RIBUTTON_MENU.dat
c:\program files\Crawler\Toolbar\Cache\SMILEYS\eCards_BMP.dat
c:\program files\Crawler\Toolbar\Cache\SMILEYS\eCards_CHBMP.dat
c:\program files\Crawler\Toolbar\Cache\SMILEYS\Smileys_BMP.dat
c:\program files\Crawler\Toolbar\Cache\SMILEYS\Smileys_CHBMP.dat
c:\program files\Crawler\Toolbar\confirm.dat
c:\program files\Crawler\Toolbar\ctbcomm.dll
c:\program files\Crawler\Toolbar\ctbr.dll
c:\program files\Crawler\Toolbar\CTConf.dat
c:\program files\Crawler\Toolbar\CTipsDef.dll
c:\program files\Crawler\Toolbar\CToolbar.exe
c:\program files\Crawler\Toolbar\CUpdate.exe
c:\program files\Crawler\Toolbar\Languages\TBR5_CS.cab
c:\program files\Crawler\Toolbar\Languages\TBR5_DE.cab
c:\program files\Crawler\Toolbar\Languages\TBR5_EN.cab
c:\program files\Crawler\Toolbar\Languages\TBR5_ES.cab
c:\program files\Crawler\Toolbar\Languages\TBR5_FR.cab
c:\program files\Crawler\Toolbar\Languages\TBR5_IT.cab
c:\program files\Crawler\Toolbar\Languages\TBR5_NL.cab
c:\program files\Crawler\Toolbar\Languages\TBR5_PL.cab
c:\program files\Crawler\Toolbar\Languages\TBR5_PT-BR.cab
c:\program files\Crawler\Toolbar\Languages\TBR5_PT.cab
c:\program files\Crawler\Toolbar\Languages\TBR5_RU.cab
c:\program files\Crawler\Toolbar\lookfor.dat
c:\program files\Crawler\Toolbar\majorse.dat
c:\program files\Crawler\Toolbar\rootmenu.dat
c:\program files\Crawler\Toolbar\services.dat
c:\program files\Crawler\Toolbar\TBR5LanguageAct\info.ini
c:\program files\Crawler\Toolbar\TBR5LanguageAct\language.ini
c:\program files\RebateInformer
c:\program files\RebateInformer\RebateI.dll
c:\program files\RebateInformer\RebateInf.exe
c:\program files\RebateInformer\unins000.dat
c:\program files\RebateInformer\unins000.exe
.
--------------- FCopy ---------------
c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\proquota.exe --> c:\windows\system32\proquota.exe
.
((((((((((((((((((((((((( Files Created from 2009-12-16 to 2010-01-16 )))))))))))))))))))))))))))))))
.
2010-01-16 00:58 . 2004-08-10 19:00 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-01-16 00:58 . 2004-08-10 19:00 50176 ----a-w- c:\windows\system32\proquota.exe
2010-01-15 04:25 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-25 22:38 . 2009-12-28 16:12 -------- d-----w- c:\documents and settings\Owner.YOUR-741067002F\Application Data\Inbox Toolbar
2009-12-25 22:38 . 2009-12-25 22:38 -------- d-----w- c:\program files\Inbox Toolbar
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-15 08:03 . 2009-01-29 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-13 22:03 . 2009-01-25 23:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-11 23:03 . 2009-07-16 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-11 23:03 . 2009-01-25 23:57 -------- d-----w- c:\program files\Norton Security Scan
2009-12-11 23:03 . 2009-07-16 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-11-27 04:43 . 2009-11-21 00:42 44906528 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-21 00:42 . 2009-11-21 00:42 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-15 22:13 . 2009-11-13 23:23 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-13 13:11 . 2006-06-19 04:25 63608 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 05:04 . 2006-06-17 09:23 668672 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 06:00 . 2006-06-17 09:23 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2006-06-17 09:23 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 06:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-05-03 22:39 . 2009-05-03 22:31 170203312 ----a-w- c:\program files\VideoSpin_2_0_Setup.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-11-13 22:04 238968 ----a-w- c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-09 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-25 30192]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"RTHDCPL"="c:\windows\RTHDCPL.EXE" [2006-04-04 16120832]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-13 1121792]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 430080]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-15 149280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2008-11-13 6273400]
c:\documents and settings\Owner.YOUR-741067002F\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2009-1-23 2168360]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-2-20 282624]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\WildTangent\\Polar Bowler\\polar.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BigFix\\bigfix.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\Webroot\\WebrootSecurity\\SpySweeperUI.exe"=
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/12/2008 4:02 PM 29808]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [1/23/2009 10:39 PM 1086840]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/23/2009 9:41 PM 30192]
.
Contents of the 'Scheduled Tasks' folder
2010-01-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2010-01-15 c:\windows\Tasks\Norton Security Scan for Owner.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-11 23:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5048
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Handler: rebinfo - {AF808758-C780-404C-A4EE-4526323FD9B6} -
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} -
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
- - - - ORPHANS REMOVED - - - -
BHO-{CCB69577-088B-4004-9ED8-FF5BCC83A039} - c:\progra~1\REBATE~1\RebateI.dll
HKCU-Run-RebateInformer - c:\progra~1\REBATE~1\REBATE~1.EXE
AddRemove-CToolbar_UNINSTALL - c:\progra~1\Crawler\Toolbar\CToolbar.exe
AddRemove-{4EF645BD-65B0-4F98-AD56-D0437B7045F6}_is1 - c:\program files\RebateInformer\unins000.exe
AddRemove-{A64D224E-E06A-43D2-A919-8BE108F47305}_is1 - c:\program files\Crawler\Smileys\unins000.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-15 20:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(1492)
c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll
c:\program files\Common Files\Microsoft Shared\OFFICE12\MSOXEV.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dlcccoms.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Java\jre6\bin\jucheck.exe
c:\program files\Webroot\WebrootSecurity\SSU.EXE
.
**************************************************************************
.
Completion time: 2010-01-15 20:27:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-16 01:27
ComboFix2.txt 2010-01-15 04:26
ComboFix3.txt 2009-11-16 01:52
Pre-Run: 33,048,211,456 bytes free
Post-Run: 32,994,930,688 bytes free
- - End Of File - - 6418E53AAEB6FB892378183C9E8EF034