ComboFix 12-03-13.01 - Lou 14/03/2012 2:48.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1249 [GMT 8:00]
Running from: c:\users\Lou\Desktop\ComboFix.exe
AV: COMODO Antivirus *Disabled/Updated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\~GLH0014.TMP
c:\windows\system32\drivers\39f53c95945612ae.sys . . . . Failed to delete
c:\windows\system32\drivers\e100b325.sys . . . . Failed to delete
.
Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\ntfs.sys
Infected copy of c:\windows\system32\drivers\asyncmac.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\asyncmac.sys
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - c:\windows\System32\DriverStore\FileRepository\cdrom.inf_c949a5b6\cdrom.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_39f53c95945612ae
-------\Service_39f53c95945612ae
-------\Service_E100B
.
.
((((((((((((((((((((((((( Files Created from 2012-02-13 to 2012-03-13 )))))))))))))))))))))))))))))))
.
.
2012-03-13 18:59 . 2012-03-13 19:02 -------- d-----w- c:\users\Lou\AppData\Local\temp
2012-03-13 18:59 . 2012-03-13 18:59 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-03-13 18:59 . 2012-03-13 18:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-13 18:43 . 2012-03-13 18:43 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-13 17:58 . 2012-03-13 17:58 -------- d-----w- c:\users\Lou\AppData\Local\Comodo
2012-03-13 09:06 . 2012-03-13 09:06 -------- d--h--w- c:\windows\msdownld.tmp
2012-03-11 21:54 . 2012-03-11 21:54 -------- d-----w- c:\users\Lou\AppData\Local\Microsoft Corporation
2012-03-11 21:53 . 2012-03-11 21:53 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-03-07 21:36 . 2012-03-07 21:40 -------- d-----w- C:\MGADiagToolOutput
2012-03-05 19:13 . 2012-03-05 19:13 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-03-05 19:13 . 2012-03-05 19:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-05 18:58 . 2012-03-05 19:45 -------- d-----w- c:\programdata\CPA_VA
2012-03-05 18:51 . 2012-03-05 18:58 -------- d-----w- c:\programdata\Comodo
2012-03-05 18:48 . 2012-03-05 18:48 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-03-05 18:48 . 2012-03-05 18:49 -------- d-----w- c:\program files\COMODO
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\users\Lou\AppData\Roaming\SUPERAntiSpyware.com
2012-03-04 19:13 . 2012-03-04 19:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-04 19:13 . 2012-03-04 19:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-03-02 13:24 . 2012-03-02 13:24 43352 ----a-w- c:\windows\system32\drivers\58eb7.sys
2012-02-29 10:27 . 2012-03-02 13:53 -------- d-----w- c:\users\Lou\AppData\Roaming\Onxe
2012-02-29 10:27 . 2012-03-02 13:20 -------- d-----w- c:\users\Lou\AppData\Roaming\Veuhen
2012-02-21 13:06 . 1998-11-22 06:23 84992 ----a-w- c:\windows\system32\Ledit32.dll
2012-02-21 13:06 . 1998-11-18 03:40 89600 ----a-w- c:\windows\system32\Leocx32.ocx
2012-02-21 13:06 . 1998-06-25 16:00 644400 ----a-w- c:\windows\system32\Mscomct2.ocx
2012-02-21 13:06 . 1998-06-23 16:00 369696 ----a-w- c:\windows\system32\Comct332.ocx
2012-02-21 13:06 . 2012-02-21 13:07 -------- d-----w- c:\program files\PageBreeze
2012-02-21 13:06 . 2008-09-12 06:55 1245184 ----a-w- c:\windows\system32\ChilkatCert.dll
2012-02-21 13:06 . 2008-09-12 06:50 1105920 ----a-w- c:\windows\system32\ChilkatFtp2.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 06:03 . 2012-03-02 08:50 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{81B92148-B0DB-4FD1-9999-A6DD375EC2AD}\mpengine.dll
2012-01-28 21:10 . 2010-05-02 21:28 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-17 13:00 . 2012-01-17 13:00 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2012-01-12 19:52 . 2012-02-16 09:00 2044416 ----a-w- c:\windows\system32\win32k.sys
2011-12-19 10:59 . 2011-12-19 10:59 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-12-19 10:59 . 2011-12-19 10:59 38616 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 10:59 . 2011-12-19 10:59 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 10:58 . 2011-12-19 10:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-19 10:58 . 2011-12-19 10:58 301224 ----a-w- c:\windows\system32\guard32.dll
2011-12-15 06:22 . 2012-02-16 09:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-02-17 13:14 . 2011-05-08 10:16 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\System32\msfDX.dll
2007-12-17 13:43 27648 --sh--w- c:\windows\System32\Smab0.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Lou^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 01:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-10-25 04:44 212992 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 15:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO]
2011-11-23 10:27 208184 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]
2011-12-20 16:41 6676808 ----a-w- c:\program files\COMODO\COMODO Internet Security\cfp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPA]
2011-11-23 10:27 182584 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\VALA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-02-15 01:32 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileOpenBroker]
2011-10-21 07:08 724352 ----a-w- c:\program files\FileOpen\Services\FileOpenBroker32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-11 20:13 166424 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-10-03 23:15 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-10-03 23:44 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-11 20:13 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2012-01-13 06:53 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-11 20:13 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-09-28 00:05 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-10-01 03:34 181544 ----a-w- c:\program files\Hp\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 06:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-29 21:59 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-09-14 00:32 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R1 58eb7;1rxzhicpme.exe;c:\windows\system32\drivers\58eb7.sys [2012-03-02 43352]
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 39F53C95945612AE
*NewlyCreated* - WS2IFSL
*Deregistered* - 39f53c95945612ae
*Deregistered* - FileOpenWebPublisherScreenHookDriver
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2012-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-12 22:44]
.
2011-02-28 c:\windows\Tasks\Norton Security Scan for Lou.job
- c:\progra~1\NORTON~2\Engine\310~1.21\Nss.exe [2011-02-28 14:02]
.
2012-03-13 c:\windows\Tasks\User_Feed_Synchronization-{A7F3F3D5-62F7-427C-B5D4-201B298E7C61}.job
- c:\windows\system32\msfeedssync.exe [2012-02-16 04:44]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: o2.co.uk\*.broadband
TCP: DhcpNameServer = 203.185.0.35 203.185.0.36
TCP: Interfaces\{1B476100-CBD2-4DB2-B7ED-0C4B02C3BD76}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{B9B091AA-3F61-4407-8F4F-838AD2721C82}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\users\Lou\AppData\Roaming\Mozilla\Firefox\Profiles\i1isjn8p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-1117921776.www.telechart.com - c:\program files\Microsoft Silverlight\4.0.60129.0\Silverlight.Configuration.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\39f53c95945612ae]
"ImagePath"="\SystemRoot\System32\Drivers\39f53c95945612ae.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\FileOpen\Services\FileOpenManagerSvc32.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2012-03-14 03:09:21 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-13 19:09
ComboFix2.txt 2010-08-07 16:16
.
Pre-Run: 89,004,785,664 bytes free
Post-Run: 88,956,080,128 bytes free
.
- - End Of File - - D0D6261F0ED0C2433130E648BE9F9EAD