Saturday, April 7, 2012

ComboFix


ComboFix 11-05-29.02 - Welcome 05/30/2011  19:20:02.2.1 - FAT32x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1007.570 [GMT 5.5:30]
Running from: c:\documents and settings\Welcome\My Documents\Downloads\commy.exe.exe
AV: AntiVir Desktop *Disabled/Updated* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: Avira FireWall *Enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: ZoneAlarm Pro Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\Gomez
c:\program files\Gomez\GomezPEER\cache\helper\GomezGlobalFunctions.008.js
c:\program files\Gomez\GomezPEER\jre\bin\awt.dll
c:\program files\Gomez\GomezPEER\jre\bin\client\jvm.dll
c:\program files\Gomez\GomezPEER\jre\bin\dcpr.dll
c:\program files\Gomez\GomezPEER\jre\bin\fontmanager.dll
c:\program files\Gomez\GomezPEER\jre\bin\hpi.dll
c:\program files\Gomez\GomezPEER\jre\bin\java.dll
c:\program files\Gomez\GomezPEER\jre\bin\java.exe
c:\program files\Gomez\GomezPEER\jre\bin\msvcr71.dll
c:\program files\Gomez\GomezPEER\jre\bin\net.dll
c:\program files\Gomez\GomezPEER\jre\bin\nio.dll
c:\program files\Gomez\GomezPEER\jre\bin\sunmscapi.dll
c:\program files\Gomez\GomezPEER\jre\bin\SystemInfo.dll
c:\program files\Gomez\GomezPEER\jre\bin\verify.dll
c:\program files\Gomez\GomezPEER\jre\bin\zip.dll
c:\program files\Gomez\GomezPEER\jre\lib\endorsed\xalan.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\commons-codec.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\commons-lang.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\css.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\dnsjava.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\gomez-webcore.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\HeartBeatProject.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\jdom.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\JNIRegistry.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\jniwrap.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\js.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\jstools.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\Kernel.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\log4j.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\nekohtml.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\oro.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\peergui.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\PeerReviewProject.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\poi.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\porivo-agent.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\porivo-lib.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\porivo-modules.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\porivo-utils.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\sunjce_provider.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\sunmscapi.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\winpack.jar
c:\program files\Gomez\GomezPEER\jre\lib\ext\xerces.jar
c:\program files\Gomez\GomezPEER\jre\lib\fonts\LucidaSansRegular.ttf
c:\program files\Gomez\GomezPEER\jre\lib\jce.jar
c:\program files\Gomez\GomezPEER\jre\lib\jsse.jar
c:\program files\Gomez\GomezPEER\jre\lib\resources.jar
c:\program files\Gomez\GomezPEER\jre\lib\rt.jar
.
.
(((((((((((((((((((((((((   Files Created from 2011-04-28 to 2011-05-30  )))))))))))))))))))))))))))))))
.
.
2011-05-30 11:26 . 2011-05-30 11:26 -------- d-----w- C:\ComboFix
2011-05-29 07:13 . 2010-12-20 12:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 07:13 . 2010-12-20 12:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-29 07:13 . 2011-05-29 07:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-28 16:56 . 2011-05-28 16:56 -------- d-----w- c:\documents and settings\Administrator
2011-05-28 11:06 . 2011-05-28 11:06 -------- d-----w- C:\FOUND.005
2011-05-27 13:12 . 2011-05-27 13:12 -------- d-----w- c:\documents and settings\Welcome\Application Data\SUPERAntiSpyware.com
2011-05-27 13:12 . 2011-05-27 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-27 13:11 . 2011-05-27 13:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-22 06:37 . 2011-05-22 06:37 -------- d-----w- C:\FOUND.002
2011-05-17 10:29 . 2011-05-17 10:29 -------- d-----w- C:\FOUND.001
2011-05-17 10:01 . 2011-03-04 08:59 102856 ----a-w- c:\windows\system32\drivers\avfwot.sys
2011-05-17 10:01 . 2010-06-17 08:53 79432 ----a-w- c:\windows\system32\drivers\avfwim.sys
2011-05-16 05:49 . 2011-05-16 05:49 -------- d-----w- C:\Upload
2011-05-16 05:49 . 2011-05-16 05:49 -------- d-----w- C:\Customize
2011-05-16 05:04 . 2011-05-16 05:05 -------- d-----w- c:\program files\FileZilla FTP Client
2011-05-16 04:43 . 2011-05-16 04:43 -------- d-----w- C:\FOUND.000
2011-05-15 11:08 . 2011-05-15 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2011-05-15 04:31 . 2011-05-15 04:31 -------- d-----w- C:\FOUND.004
2011-05-08 07:06 . 2011-05-08 07:06 -------- d-----w- C:\FOUND.003
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-16 05:32 . 2011-05-16 05:32 456364 ----a-w- C:\2207-1281768339-thecure.zip
2011-04-27 10:25 . 2011-04-27 10:26 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-27 10:25 . 2011-04-27 10:26 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-04 10:41 . 2011-03-29 16:41 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-04 09:07 . 2011-03-29 16:41 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-30 08:49 . 2011-03-28 16:36 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-12-01 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"VTTimer"="VTTimer.exe" [2005-03-07 53248]
"VTTrayp"="VTtrayp.exe" [2006-03-23 176128]
"AudioDeck"="c:\program files\VIAudioi\SBADeck\ADeck.exe" [2005-09-06 450560]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-08-28 1039360]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 17:37 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-05-23 15:00 2424192 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\System32\\ZoneLabs\\vsmon.exe"=
.
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [5/17/2011 3:31 PM 102856]
R1 ggc;ggc;c:\windows\system32\drivers\ggc.sys [2/22/2011 5:03 PM 46664]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:55 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/11/2010 12:11 AM 67656]
R2 AntiVirFirewallService;Avira FireWall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [5/17/2011 3:31 PM 539304]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [5/17/2011 3:31 PM 339624]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/29/2011 10:11 PM 136360]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [5/17/2011 3:31 PM 421032]
R2 catflt;catflt;c:\windows\system32\drivers\catflt.sys [2/22/2011 5:03 PM 110024]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [5/17/2011 3:31 PM 79432]
S0 mscank;mscank;c:\windows\system32\DRIVERS\mscank.sys --> c:\windows\system32\DRIVERS\mscank.sys [?]
S2 EMLSS;EMLSS;c:\windows\system32\drivers\emltdi.sys --> c:\windows\system32\drivers\emltdi.sys [?]
S3 ugldqpog;ugldqpog;\??\c:\docume~1\Welcome\LOCALS~1\Temp\ugldqpog.sys --> c:\docume~1\Welcome\LOCALS~1\Temp\ugldqpog.sys [?]
S3 wsnf;Network Filter Service;c:\windows\system32\DRIVERS\wsnf.sys --> c:\windows\system32\DRIVERS\wsnf.sys [?]
S3 wsnfmp;Network Filter Miniport;c:\windows\system32\DRIVERS\wsnf.sys --> c:\windows\system32\DRIVERS\wsnf.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-30 c:\windows\Tasks\User_Feed_Synchronization-{0E472ED2-1003-412F-B9AB-A9C29C26D665}.job
- c:\windows\system32\msfeedssync.exe [2009-03-07 23:01]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.ask.com/?o=102866&l=dis&gct=hp
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
FF - ProfilePath - c:\documents and settings\Welcome\Application Data\Mozilla\Firefox\Profiles\l9qtid8b.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-30 19:27
Windows 5.1.2600 Service Pack 2 FAT NTAPI
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(780)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\documents and settings\Welcome\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\Welcome\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\Welcome\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
c:\documents and settings\Welcome\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dll
.
- - - - - - - > 'lsass.exe'(840)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
- - - - - - - > 'explorer.exe'(2556)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-05-30  19:31:50
ComboFix-quarantined-files.txt  2011-05-30 14:01
.
Pre-Run: 9,195,864,064 bytes free
Post-Run: 9,171,386,368 bytes free
.
- - End Of File - - 03C882C9194913BEC7E970D55CEF9680