ComboFix 11-06-17.04 - Karen 06/17/2011 18:24:48.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2067 [GMT -4:00]
Running from: c:\users\Karen\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\windows\desktop
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2011-05-17 to 2011-06-17 )))))))))))))))))))))))))))))))
.
.
2011-06-17 22:37 . 2011-06-17 22:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-17 22:37 . 2011-06-17 22:37 -------- d-----w- c:\users\Grant\AppData\Local\temp
2011-06-17 22:16 . 2011-06-17 22:16 -------- d-----w- C:\_OTL
2011-06-16 13:34 . 2011-06-16 13:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-15 07:08 . 2011-04-25 15:29 141104 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2011-06-15 07:08 . 2011-04-22 23:25 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-15 07:08 . 2011-04-22 23:35 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-14 22:29 . 2011-05-02 17:16 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-14 22:29 . 2011-04-14 14:59 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-06-14 22:29 . 2010-12-20 16:35 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-14 22:26 . 2011-04-21 13:58 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-14 22:26 . 2011-04-29 13:25 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-14 22:26 . 2011-04-29 13:25 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-14 22:26 . 2011-04-29 13:24 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-14 22:26 . 2011-04-29 13:24 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-14 22:26 . 2011-04-29 13:24 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-14 22:26 . 2011-05-02 12:02 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-06-13 14:39 . 2009-02-11 16:48 109088 ----a-w- c:\windows\RTKAUDIOSERVICE.EXE
2011-06-12 18:01 . 2011-04-01 21:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-12 18:01 . 2011-04-01 21:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-06-12 16:47 . 2011-06-12 16:47 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-06-12 16:29 . 2011-06-12 16:30 -------- d-----w- c:\program files\iTunes
2011-06-12 03:08 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2DF57354-09D9-4DCD-A655-5BA1D304A594}\mpengine.dll
2011-06-12 01:26 . 2011-06-12 01:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-12 01:26 . 2011-06-12 01:26 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-06-08 00:35 . 2011-06-08 00:35 -------- d-----w- c:\users\Karen\AppData\Local\PackageAware
2011-06-06 16:55 . 2011-06-06 16:55 183696 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2011-06-05 14:04 . 2011-06-05 14:04 -------- d-----w- c:\programdata\Hitman Pro
2011-06-02 23:21 . 2011-06-02 23:21 -------- d-----w- c:\users\Karen\AppData\Roaming\Avira
2011-06-02 23:18 . 2011-06-02 23:18 -------- d-----w- c:\programdata\Avira
2011-06-02 23:18 . 2011-06-02 23:18 -------- d-----w- c:\program files\Avira
2011-06-02 21:26 . 2011-06-02 23:12 -------- d-----w- c:\programdata\AVG10
2011-06-02 21:21 . 2011-06-02 21:21 -------- d--h--w- c:\programdata\Common Files
2011-06-02 21:21 . 2011-06-02 23:10 -------- d-----w- c:\programdata\MFAData
2011-05-24 01:39 . 2011-05-24 01:39 0 ---ha-w- c:\users\Karen\AppData\Local\BITF0F2.tmp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-24 23:14 . 2009-10-03 11:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-27 39408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-01-19 942080]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"SSDMonitor"="c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2010-08-05 104408]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Philips Device Listener"="c:\program files\Philips\Philips Songbird Resources\Autolauncher\PhilipsDeviceListener.exe" [2011-05-06 380416]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-27 150552]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-27 141848]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-11-03 182808]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-27 173592]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Amazon Unbox.lnk - c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2010-9-13 97384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-09-27 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-09-27 136176]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-28 136360]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2010-08-05 583640]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-27 21:36]
.
2011-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-27 21:36]
.
2011-06-16 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2010-09-28 12:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
TCP: DhcpNameServer = 24.247.15.53 66.189.0.100 24.178.162.3
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
AddRemove-Trophy Bass 3D Demo - c:\dynamix\Trophy Bass 3D Demo\Uninst.isu
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-17 18:40
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2646239008-2084633532-2222816099-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-06-17 18:42:53
ComboFix-quarantined-files.txt 2011-06-17 22:42
.
Pre-Run: 370,225,008,640 bytes free
Post-Run: 370,937,114,624 bytes free
.
- - End Of File - - 55641A1973E59517D786A6B025F5EEE4