ComboFix 10-01-27.03 - bootcm7 01/27/2010 21:31:49.1.2 - x86
Microsoft® Windows Vista™ Enterprise 6.0.6001.1.1252.1.1033.18.1991.910 [GMT -5:00]
Running from: c:\users\WFUT4002009\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec Endpoint Protection *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\temp
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Fonts\MyriadPro-Regular.otf
c:\windows\system32\drivers\27JV6476p.sys
c:\windows\system32\nsprs.dll

----- BITS: Possible infected sites -----

hxxp://armmf.adobe.com
hxxp://wsus.deacnet.wfu.edu
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_27JV6476p
-------\Service_27JV6476p

((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-28 )))))))))))))))))))))))))))))))
.
2010-01-28 03:57 . 2010-01-28 03:57 53248 ----a-w- c:\temp\catchme.dll
2010-01-28 03:55 . 2010-01-28 03:55 -------- d-----w- c:\temp\WPDNSE
2010-01-28 02:41 . 2010-01-28 02:41 -------- d-----w- c:\users\WFUT4002009\AppData\Local\temp
2010-01-28 02:41 . 2010-01-28 02:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-28 02:13 . 2010-01-28 02:13 -------- d-----w- c:\programdata\Line 6
2010-01-28 02:07 . 2010-01-28 02:07 -------- d-----w- c:\program files\Line6
2010-01-26 04:46 . 2010-01-28 02:41 -------- d-----w- c:\temp\9jpspljw.tmp
2010-01-25 21:16 . 2010-01-28 02:41 -------- d-----w- c:\temp\plugtmp
2010-01-25 15:49 . 2009-10-19 14:27 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-25 15:49 . 2009-10-19 14:24 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-25 15:49 . 2010-01-28 02:41 -------- d-----w- c:\temp\DWDEFE0.tmp
2010-01-24 18:05 . 2010-01-28 03:57 -------- d-----w- c:\temp\Acrobat Distiller 9
2010-01-24 17:47 . 2010-01-28 02:41 -------- d-----w- c:\temp\o6mx25ck.tmp
2010-01-24 06:13 . 2010-01-24 06:13 -------- d-----w- c:\temp\Low
2010-01-24 01:27 . 2010-01-28 02:41 -------- d-----w- c:\temp\DWDB58A.tmp
2010-01-22 17:59 . 2010-01-28 02:41 -------- d-----w- c:\temp\wz9bb0
2010-01-22 05:46 . 2010-01-28 02:41 -------- d-----w- c:\temp\hk5n4vo3.tmp
2010-01-21 14:42 . 2010-01-24 06:05 -------- d-----w- c:\temp\hsperfdata_bootcm7
2010-01-21 14:40 . 2010-01-21 14:40 -------- d-----w- c:\temp\VBE
2010-01-21 14:39 . 2010-01-28 02:41 -------- d-----w- c:\temp\sre5at5l.tmp
2010-01-21 09:01 . 2010-01-28 02:41 -------- d-----w- c:\temp\RDRE84A.tmp
2010-01-21 04:57 . 2010-01-28 02:41 -------- d-----w- c:\temp\gzg8ca7f.tmp
2010-01-21 04:55 . 2010-01-28 02:41 -------- d-----w- c:\temp\{6F324A26-C823-455E-BD22-1026F7483FC1}
2010-01-20 18:34 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-20 18:34 . 2010-01-20 18:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-20 18:34 . 2010-01-20 18:34 -------- d-----w- c:\programdata\Malwarebytes
2010-01-20 18:34 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-20 18:34 . 2010-01-28 02:41 -------- d-----w- c:\temp\emifoq26.tmp
2010-01-20 18:33 . 2010-01-20 18:33 -------- d-----w- c:\program files\ERUNT
2010-01-20 18:32 . 2010-01-28 02:41 -------- d-----w- c:\temp\ih4yjnqf.tmp
2010-01-20 14:14 . 2010-01-20 14:14 -------- d-----w- c:\program files\CleanUp!
2010-01-20 13:42 . 2010-01-20 13:42 248784 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-19 18:53 . 2009-11-09 13:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-01-19 18:53 . 2009-11-09 11:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-19 18:53 . 2009-11-09 13:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-01-19 18:44 . 2009-08-10 11:01 1399296 ----a-w- c:\windows\system32\msxml6.dll
2010-01-19 18:44 . 2009-08-10 11:00 1257472 ----a-w- c:\windows\system32\msxml3.dll
2010-01-19 18:44 . 2009-08-24 12:16 378368 ----a-w- c:\windows\system32\winhttp.dll
2010-01-19 18:43 . 2009-10-07 12:41 244224 ----a-w- c:\windows\system32\rastls.dll
2010-01-19 18:43 . 2009-10-07 12:41 281600 ----a-w- c:\windows\system32\raschap.dll
2010-01-19 13:30 . 2010-01-19 13:30 -------- d-----w- c:\program files\Logic 2000
2010-01-19 13:26 . 2010-01-19 13:26 -------- d-----w- C:\userdata
2010-01-15 19:43 . 2010-01-15 19:43 -------- d-----w- c:\program files\Rosetta Stone
2010-01-15 15:12 . 2010-01-15 15:13 -------- d-----w- c:\programdata\RosettaStoneLtdBackup
2010-01-15 15:02 . 2009-08-20 03:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2010-01-15 14:49 . 2010-01-15 20:57 -------- d-----w- c:\programdata\Rosetta Stone
2009-12-31 05:19 . 2009-12-31 05:19 -------- d-----w- c:\users\WFUT4002009\AppData\Roaming\PACE Anti-Piracy
2009-12-31 05:19 . 2009-12-31 05:19 -------- d-----w- c:\users\WFUT4002009\AppData\Local\PACE Anti-Piracy
2009-12-31 05:19 . 2009-12-31 05:19 -------- d-----w- c:\programdata\PACE Anti-Piracy
2009-12-31 05:19 . 2009-12-31 05:19 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2009-12-31 04:58 . 2009-12-31 04:58 -------- d-----w- c:\program files\InterLok
2009-12-31 04:55 . 2002-01-05 10:48 974848 ------w- c:\windows\system32\mfc70.dll
2009-12-31 04:55 . 2001-06-27 15:13 217088 ------w- c:\windows\system32\qtmlClient.dll
2009-12-31 04:55 . 2007-09-05 16:43 630784 ------w- c:\windows\system32\ilinet.dll
2009-12-31 04:54 . 2009-12-31 05:21 -------- d-----w- c:\program files\Digidesign
2009-12-30 02:57 . 2009-12-30 02:57 -------- d-----w- c:\program files\Propellerhead
2009-12-30 02:43 . 2009-03-19 18:26 594952 ----a-w- c:\windows\system32\M-AudioTaskBarIcon.exe
2009-12-30 02:43 . 2009-03-19 18:26 156680 ----a-w- c:\windows\system32\drivers\mausbop.sys
2009-12-30 02:43 . 2009-03-19 18:25 42248 ----a-w- c:\windows\system32\drivers\madfuop.sys
2009-12-30 02:43 . 2009-12-30 02:43 -------- d-----w- c:\program files\M-Audio
2009-12-30 00:15 . 2009-12-30 00:15 -------- d-----w- c:\programdata\M-Audio
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-28 02:27 . 2009-01-23 17:36 12 ----a-w- c:\windows\bthservsdp.dat
2010-01-27 18:40 . 2009-08-24 23:59 -------- d-----w- c:\users\WFUT4002009\AppData\Roaming\Skype
2010-01-27 18:05 . 2009-08-25 00:00 -------- d-----w- c:\users\WFUT4002009\AppData\Roaming\skypePM
2010-01-24 17:42 . 2009-01-23 14:54 2032 ----a-w- c:\users\WFUT4002009\AppData\Local\d3d9caps.dat
2010-01-24 07:19 . 2009-08-25 00:45 -------- d-----w- c:\users\WFUT4002009\AppData\Roaming\uTorrent
2010-01-20 13:41 . 2009-08-25 00:20 -------- d-----w- c:\users\WFUT4002009\AppData\Roaming\Apple Computer
2010-01-19 13:27 . 2010-01-19 13:27 2232 ----a-w- c:\windows\Java\Packages\Data\T3VLNZ9V.DAT
2010-01-19 13:27 . 2010-01-19 13:27 155995 ----a-w- c:\windows\Java\Packages\PZ71JDB3.ZIP
2010-01-19 13:27 . 2010-01-19 13:27 2678 ----a-w- c:\windows\Java\Packages\Data\JJHNLFFP.DAT
2010-01-19 13:27 . 2010-01-19 13:27 2678 ----a-w- c:\windows\Java\Packages\Data\GETVT79N.DAT
2010-01-19 13:27 . 2010-01-19 13:27 2678 ----a-w- c:\windows\Java\Packages\Data\ZFJ7VDNB.DAT
2010-01-19 13:27 . 2010-01-19 13:27 2678 ----a-w- c:\windows\Java\Packages\Data\OHB5BJPN.DAT
2010-01-19 13:27 . 2010-01-19 13:27 2678 ----a-w- c:\windows\Java\Packages\Data\DJTJRF9F.DAT
2010-01-15 19:25 . 2009-03-19 14:28 -------- d-----w- c:\programdata\FLEXnet
2010-01-14 16:12 . 2009-10-23 16:58 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-02 06:38 . 2010-01-27 15:39 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-27 15:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-27 15:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-27 15:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-31 05:26 . 2009-01-23 18:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-31 05:21 . 2009-08-25 16:48 -------- d-----w- c:\program files\Common Files\Digidesign
2009-12-30 00:15 . 2009-12-28 05:43 -------- d-----w- c:\program files\Steinberg
2009-12-29 02:32 . 2009-12-29 02:29 -------- d-----w- c:\users\WFUT4002009\AppData\Roaming\Propellerhead Software
2009-12-29 02:31 . 2009-12-29 02:31 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2009-12-29 02:31 . 2009-12-29 02:31 368640 ----a-w- c:\windows\system32\ReWire.dll
2009-12-29 02:29 . 2009-12-29 02:29 -------- d-----w- c:\programdata\Propellerhead Software
2009-12-28 23:15 . 2009-12-28 05:43 -------- d-----w- c:\users\WFUT4002009\AppData\Roaming\Steinberg
2009-12-28 22:56 . 2009-01-23 14:54 170376 ----a-w- c:\users\WFUT4002009\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-28 07:06 . 2009-12-28 07:06 -------- d-----w- c:\program files\Common Files\VST3
2009-12-28 07:02 . 2009-12-28 07:02 -------- d-----w- c:\programdata\VST3 Presets
2009-12-28 05:57 . 2009-12-28 05:57 -------- d-----w- c:\programdata\Steinberg
2009-12-28 05:57 . 2009-12-28 05:57 -------- d-----w- c:\program files\Common Files\Steinberg
2009-12-20 16:43 . 2009-12-20 16:43 -------- d-----w- c:\users\WFUT4002009\AppData\Roaming\Rock Your Phone
2009-12-20 16:43 . 2009-12-20 16:43 -------- d-----w- c:\program files\Rock Your Phone
2009-12-20 16:39 . 2009-12-20 16:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_netaapl_01005.Wdf
2009-12-20 16:20 . 2009-12-20 16:20 -------- d-----w- c:\program files\Addition
2009-12-19 21:11 . 2009-12-19 21:11 -------- d-----w- c:\users\WFUT4002009\AppData\Roaming\Macrovision
2009-12-17 04:32 . 2009-12-17 04:32 -------- d-----w- c:\programdata\Macrovision
2009-12-11 01:57 . 2009-12-11 01:57 -------- d-----w- c:\users\WFUT4002009\AppData\Roaming\Sibelius Software
2009-12-11 01:54 . 2009-12-11 01:54 -------- d-----w- c:\program files\Sibelius Software
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-04-23 13:34 . 2009-04-21 14:55 952 --sha-w- c:\windows\System32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NPDTRAY"="c:\progra~1\Lenovo\NPDIRECT\NPDTray.exe" [2009-01-07 218400]
"Google Update"="c:\users\WFUT4002009\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-08-24 133104]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2009-01-29 185688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-10-06 824616]
"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-01-07 60704]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-09-30 68976]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-04 242976]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-03-23 644384]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2009-03-23 214576]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-02-26 992816]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-12-18 115560]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]
"EZEJTRAY"="c:\progra~1\ThinkPad\UTILIT~1\EZEJTRAY.EXE" [2008-06-04 218400]
"TpShocks"="TpShocks.exe" [2009-02-03 181536]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-02-27 1202448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-04-01 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-04-01 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-04-01 154136]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2009-03-19 594952]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
VPN Client.lnk - c:\windows\Installer\{F3C1DE9E-5E16-4BA9-B854-7B53A45E3579}\Icon3E5562ED7.ico [2009-8-25 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\katrack.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3124484035-2013970399-3890865034-1000]
"EnableNotificationsRef"=dword:00000001

R0 TPDIGIMN;TPDIGIMN;c:\windows\System32\drivers\ApsHM86.sys [1/28/2009 4:57 PM 20520]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\System32\drivers\smiif32.sys [5/12/2008 6:04 PM 13480]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 11:03 AM 169312]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [1/27/2009 1:56 PM 66848]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [1/24/2009 9:20 AM 58736]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [1/27/2009 1:04 PM 2058776]
R3 amdkmdag;amdkmdag;c:\windows\System32\drivers\atipmdag.sys [4/1/2009 1:52 PM 4172288]
R3 amdkmdap;amdkmdap;c:\windows\System32\drivers\atikmpag.sys [4/1/2009 12:18 PM 88576]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [5/5/2009 4:05 PM 29736]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\System32\drivers\e1y6032.sys [8/22/2008 2:10 PM 225408]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/23/2010 8:03 PM 102448]
R3 intelkmd;intelkmd;c:\windows\System32\drivers\igdpmd32.sys [4/1/2009 12:04 PM 2473472]
R3 MUXMP;My WiFi PAN MUX-IM Virtual Miniport Driver;c:\windows\System32\drivers\mux.sys [2/18/2009 5:08 AM 30768]
R3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\System32\drivers\NETw5v32.sys [3/4/2009 9:49 AM 4232704]
R3 SMARTMouseFilterx86;HID-compliant mouse;c:\windows\System32\drivers\SMARTMouseFilterx86.sys [7/30/2008 10:08 PM 11048]
R3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\System32\drivers\SMARTVHidMini2000x86.sys [7/30/2008 10:08 PM 14120]
S2 SessionLauncher;SessionLauncher;c:\users\WFUT40~1\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\users\WFUT40~1\AppData\Local\Temp\DX9\SessionLauncher.exe [?]
S3 MADFUOP;Service for M-Audio Axiom Pro DFU;c:\windows\System32\drivers\madfuop.sys [12/29/2009 9:43 PM 42248]
S3 MAUSBOP;Service for M-Audio Axiom Pro;c:\windows\System32\drivers\mausbop.sys [12/29/2009 9:43 PM 156680]
S3 MUXP;My WiFi PAN Mux-IM Protocol Driver;c:\windows\System32\drivers\mux.sys [2/18/2009 5:08 AM 30768]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2/27/2009 6:52 AM 211216]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\System32\drivers\netaapl.sys [7/9/2009 11:16 AM 17408]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [4/25/2008 8:15 AM 1120752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork	REG_MULTI_SZ	PLA DPS BFE mpssvc
bthsvcs	REG_MULTI_SZ	BthServ
HPZ12	REG_MULTI_SZ	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ	hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1474414563-1125766349-1731688626-55648Core.job
- c:\users\WFUT4002009\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-24 23:44]

2010-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1474414563-1125766349-1731688626-55648UA.job
- c:\users\WFUT4002009\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-24 23:44]

2009-12-14 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2008-10-31 18:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wakestudent.com/home/
mStart Page = hxxp://www.wakestudent.com/home/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
FF - ProfilePath - c:\users\WFUT4002009\AppData\Roaming\Mozilla\Firefox\Profiles\mdhygivy.default\
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.wakestudent.com/home/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?invocationType=bu10aiminstabie7&sredir=2706&query=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npchime.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npcosmop211.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npSfAppM.dll
FF - plugin: c:\users\WFUT4002009\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\WFUT4002009\AppData\Local\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)
SafeBoot-27JV6476p
SafeBoot-27JV6476p??†???e
SafeBoot-Symantec Antvirus
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-27 22:57
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys span.sys >>UNKNOWN [0x84F83938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x88313322
\Driver\ACPI -> acpi.sys @ 0x805b2d4c
\Driver\atapi -> 0x84fcd1f8
\Driver\iaStor -> iaStor.sys @ 0x87f036f0
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d4,d3,3d,1c,33,49,b9,4f,83,e1,08,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d4,d3,3d,1c,33,49,b9,4f,83,e1,08,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4648)
c:\windows\system32\btncopy.dll
c:\program files\WinSCP\DragExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\ThinkVantage\PrdCtr\LPMGR.EXE
c:\program files\Lenovo\NPDIRECT\tpfnf7sp.exe
c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE
c:\windows\System32\rundll32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\ThinkPad\Utilities\EZEJTRAY.EXE
c:\windows\System32\TpShocks.exe
c:\program files\Lenovo\NPDIRECT\NPDTRAY.EXE
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\progra~1\ThinkPad\UTILIT~1\PWMUIAux.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-27 23:06:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-28 04:06

Pre-Run: 29,394,546,688 bytes free
Post-Run: 30,481,965,056 bytes free

- - End Of File - - 5B99E2D824472441AEE536A8E0FE62D0