06-30-2009, 07:35 PM   #3
Nanigai
I helped the forums.
 
Join Date: Jun 2009
Location: North Queensland, Australia
Posts: 5
OS: XP Home SP3 & Laptop Vista Business SP1


Re: Another Rootkit infection

Thanks. All done however I appear to have closed the log without saving it. I ran Combofix again and the log is posted below. Hope this is OK.
Cheers, Ian
ComboFix 09-06-29.07 - User 01/07/2009 10:25.2 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.61.1033.18.2936.1676 [GMT 10:00]
Running from: c:\net_down\Combo-Fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))
.

2009-07-01 00:09 . 2009-07-01 00:29 -------- d-----w- c:\users\User\AppData\Local\temp
2009-06-29 12:22 . 2009-06-29 12:22 386560 ----a-w- c:\users\User\AppData\Roaming\Free-backup.info\JustZIPit\JustZIPit.exe
2009-06-29 12:22 . 2009-06-29 12:22 -------- d-----w- c:\users\User\AppData\Roaming\Free-backup.info
2009-06-29 05:47 . 2009-06-29 05:47 -------- d-----w- c:\program files\CCleaner
2009-06-19 23:48 . 2009-06-19 23:48 -------- d-----w- c:\users\User\AppData\Local\FileMaker
2009-06-16 08:25 . 2009-06-16 08:25 -------- d-----w- c:\users\User\AppData\Roaming\RootsMagic
2009-06-16 08:25 . 2009-06-16 08:25 -------- d-----w- c:\programdata\RootsMagic
2009-06-16 08:25 . 2009-06-16 08:25 -------- d-----w- c:\program files\RootsMagic 4
2009-06-11 05:53 . 2009-04-21 11:55 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-06-11 05:53 . 2009-04-23 12:42 636928 ----a-w- c:\windows\system32\localspl.dll
2009-06-10 10:41 . 2009-06-10 10:41 -------- d-----w- c:\users\User\AppData\Roaming\Apple Computer
2009-06-10 10:40 . 2009-03-19 06:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-10 10:40 . 2008-04-17 02:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-06-10 10:40 . 2009-06-10 10:40 -------- d-----w- c:\program files\iPod
2009-06-10 10:39 . 2009-06-10 10:40 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-10 10:39 . 2009-06-10 10:40 -------- d-----w- c:\program files\iTunes
2009-06-10 10:39 . 2009-06-10 10:39 -------- d-----w- c:\program files\Bonjour
2009-06-10 10:38 . 2009-06-10 10:40 -------- d-----w- c:\program files\Common Files\Apple
2009-06-10 10:34 . 2009-06-10 10:34 75048 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-10 10:30 . 2009-06-10 10:31 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 23:57 . 2008-11-27 07:07 12 ----a-w- c:\windows\bthservsdp.dat
2009-06-19 23:47 . 2009-01-19 13:01 -------- d-----w- c:\program files\Taunton
2009-06-15 17:01 . 2008-11-26 08:41 -------- d-----w- c:\programdata\Microsoft Help
2009-06-14 12:44 . 2009-01-11 23:01 -------- d-----w- c:\users\User\AppData\Roaming\Nokia
2009-06-10 10:39 . 2009-05-11 23:14 -------- d-----w- c:\programdata\Apple Computer
2009-06-04 01:59 . 2008-11-26 12:41 -------- d-----w- c:\program files\ESET
2009-05-29 04:40 . 2009-05-29 04:40 -------- d-----w- c:\users\User\AppData\Roaming\Canon
2009-05-14 05:49 . 2009-05-14 05:49 93312 ----a-w- c:\windows\system32\drivers\epfwwfpr.sys
2009-05-14 05:47 . 2009-05-14 05:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 05:41 . 2009-05-14 05:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-13 17:00 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-11 23:14 . 2009-05-11 23:14 -------- d-----w- c:\program files\Apple Software Update
2009-05-11 23:14 . 2009-05-11 23:14 -------- d-----w- c:\programdata\Apple
2009-05-03 01:02 . 2009-01-11 23:00 -------- d-----w- c:\program files\Common Files\PCSuite
2009-05-03 01:02 . 2009-01-11 23:22 -------- d-----w- c:\program files\Common Files\Nokia
2009-05-03 01:02 . 2009-01-11 22:58 -------- d-----w- c:\program files\Nokia
2009-05-03 01:00 . 2009-05-03 01:00 -------- d-----w- c:\program files\PC Connectivity Solution
2009-05-03 00:58 . 2009-05-03 00:58 8192 ----a-w- c:\programdata\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstCCD.exe
2009-05-03 00:58 . 2009-05-03 00:58 61440 ----a-w- c:\programdata\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-05-03 00:58 . 2009-05-03 00:58 10240 ----a-w- c:\programdata\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCS.exe
2009-05-03 00:57 . 2009-01-11 23:20 -------- d-----w- c:\programdata\Installations
2009-05-03 00:57 . 2009-05-03 00:58 33731296 ----a-w- c:\programdata\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Nokia_PC_Suite_7_1_26_0_eng_us.exe
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-04-24 16:05 . 2009-06-11 05:52 827904 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:02 . 2009-06-11 05:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 13:44 . 2009-06-11 05:52 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-23 12:43 . 2009-06-11 05:52 784896 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-01_00.08.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-27 07:14 . 2009-06-30 23:58 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-27 07:14 . 2009-07-01 00:16 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-27 07:14 . 2009-06-30 23:58 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-11-27 07:14 . 2009-07-01 00:16 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-06-30 23:58 . 2009-06-30 23:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-06-30 23:58 . 2009-06-30 23:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-11-27 07:14 . 2009-07-01 00:16 131072 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-27 07:14 . 2009-06-30 23:58 131072 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOvrly1]
@="{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}"
[HKEY_CLASSES_ROOT\CLSID\{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}]
2008-07-25 05:41 118784 ----a-w- c:\program files\TrueSuite Access Manager\IconOvrly.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-30 1029416]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2008-04-24 430080]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2008-01-21 2153472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^User^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Password Safe.lnk]
path=c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Password Safe.lnk
backup=c:\windows\pss\Password Safe.lnk.Startup
backupExtension=.Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{22D19F39-FCC0-4DCA-AEDD-BA3D716F0D86}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{2645F9A9-FBD7-4F5C-AAA7-B1E6990C5814}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{AB560BE6-ECF2-48F9-BB30-0A60CCAABEAA}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{C09D4BA7-4778-4A36-9B95-D4497EF488D1}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{A89902DB-DAC3-4585-9C80-6AE00A7D971B}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{6007C76F-692B-4991-B83F-A621213B1791}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{A23507DD-224B-4EA9-813F-4A470A16C4F7}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{F08AD1F6-CCDA-4392-96C1-C6002B83E0DD}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= UDP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"UDP Query User{24D91FAE-5232-4BD8-80D6-86106904C167}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= TCP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"TCP Query User{559263D8-E9CC-4BCA-BFFE-A3B671D1AB6F}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= UDP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"UDP Query User{E08FF61E-92F8-4FF1-966E-70474AE29808}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= TCP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"<NO NAME>"=
"c:\\Program files\\Telstra\\Telstra Turbo Connection Manager\\SwiApiMux.exe"= c:\program files\Telstra\Telstra Turbo Connection Manager\SwiApiMux.exe:*:Enabled:SwiApiMux

R0 AlfaFF;AlfaFF mini-filter driver;c:\windows\System32\drivers\AlfaFF.sys [26/11/2008 7:01 PM 42608]
R1 ehdrv;ehdrv;c:\windows\System32\drivers\ehdrv.sys [14/05/2009 3:47 PM 107256]
R2 Authentec memory manager;Authentec memory manager service;c:\windows\System32\TAMSvr.exe [26/11/2008 7:01 PM 49152]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [11/01/2008 5:50 PM 30312]
R2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [17/04/2008 5:19 PM 40960]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14/05/2009 3:47 PM 731840]
R2 epfwwfpr;epfwwfpr;c:\windows\System32\drivers\epfwwfpr.sys [14/05/2009 3:49 PM 93312]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [04/12/2007 11:03 AM 126976]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [27/06/2008 12:11 PM 112128]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24/11/2008 10:31 PM 29263712]
R3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\System32\drivers\NETw5v32.sys [06/05/2008 2:51 AM 3658752]
R3 O2MDRDR;O2MDRDR;c:\windows\System32\drivers\o2media.sys [15/04/2008 12:13 PM 51160]
R3 QIOMem;Generic IO & Memory Access;c:\windows\System32\drivers\QIOMem.sys [10/04/2007 10:13 AM 8192]
R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [25/04/2008 12:35 PM 73728]
S3 SWNC8U52;Sierra Wireless MUX NDIS Driver (UMTS52);c:\windows\System32\drivers\swnc8u52.sys [21/09/2007 3:47 PM 164480]
S3 SWUMX52;Sierra Wireless USB MUX Driver (UMTS52);c:\windows\System32\drivers\swumx52.sys [21/09/2007 3:48 PM 140672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://search.notepad.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: citec.com.au\www.confirm
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\ji9ehv6z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-01 10:29
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2532)
c:\program files\TrueSuite Access Manager\IconOvrly.dll
.
Completion time: 2009-07-01 10:30
ComboFix-quarantined-files.txt 2009-07-01 00:30
ComboFix2.txt 2009-07-01 00:09

Pre-Run: 226,094,104,576 bytes free
Post-Run: 226,019,262,464 bytes free

197 --- E O F --- 2009-06-15 17:01
__________________
"When a man retires and time is no longer a matter of urgent importance, his colleagues generally present him with a watch." ~ R.C. Sheriff