ComboFix 11-09-27.04 - k1wata 09/28/2011 7:13.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2038.1270 [GMT -7:00]
Running from: c:\users\k1wata\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Minibar\FrOGgy.dll
c:\program files\Minibar\KaNGo.dll
c:\users\k1wata\AppData\Local\{1F620FD6-FB28-4885-8D28-9F182DDB5F12}
c:\users\k1wata\AppData\Local\{1F620FD6-FB28-4885-8D28-9F182DDB5F12}\chrome.manifest
c:\users\k1wata\AppData\Local\{1F620FD6-FB28-4885-8D28-9F182DDB5F12}\chrome\content\_cfg.js
c:\users\k1wata\AppData\Local\{1F620FD6-FB28-4885-8D28-9F182DDB5F12}\chrome\content\overlay.xul
c:\users\k1wata\AppData\Local\{1F620FD6-FB28-4885-8D28-9F182DDB5F12}\install.rdf
c:\users\k1wata\AppData\Local\dgrp.exe
c:\users\k1wata\AppData\Local\iapd.exe
c:\users\k1wata\AppData\Local\khwr.exe
c:\users\k1wata\AppData\Local\varb.exe
c:\users\k1wata\Documents\~WRL2002.tmp
c:\users\k1wata\Documents\~WRL2241.tmp
c:\users\k1wata\Documents\~WRL2363.tmp
c:\users\k1wata\Documents\~WRL2381.tmp
c:\windows\$NtUninstallKB5257$
c:\windows\$NtUninstallKB5257$\3241749071\@
c:\windows\$NtUninstallKB5257$\3241749071\bckfg.tmp
c:\windows\$NtUninstallKB5257$\3241749071\cfg.ini
c:\windows\$NtUninstallKB5257$\3241749071\Desktop.ini
c:\windows\$NtUninstallKB5257$\3241749071\keywords
c:\windows\$NtUninstallKB5257$\3241749071\kwrd.dll
c:\windows\$NtUninstallKB5257$\3241749071\L\nqooolkt
c:\windows\$NtUninstallKB5257$\3241749071\lsflt7.ver
c:\windows\$NtUninstallKB5257$\3241749071\U\00000001.@
c:\windows\$NtUninstallKB5257$\3241749071\U\00000002.@
c:\windows\$NtUninstallKB5257$\3241749071\U\80000000.@
c:\windows\$NtUninstallKB5257$\3241749071\U\80000032.@
c:\windows\$NtUninstallKB5257$\472381809
.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_c1392a4f
.
.
((((((((((((((((((((((((( Files Created from 2011-08-28 to 2011-09-28 )))))))))))))))))))))))))))))))
.
.
2011-09-28 14:25 . 2011-09-28 14:26 -------- d-----w- c:\users\k1wata\AppData\Local\temp
2011-09-28 14:25 . 2011-09-28 14:25 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-09-28 14:25 . 2011-09-28 14:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-28 05:32 . 2010-11-20 08:38 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-09-27 01:44 . 2011-09-27 01:44 167864 ----a-w- C:\antizeroaccess.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-14 16:38 . 2011-06-27 03:08 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-22 04:56 . 2011-08-11 04:31 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-16 04:37 . 2011-08-11 04:31 169984 ----a-w- c:\windows\system32\winsrv.dll
2011-07-16 04:34 . 2011-08-11 04:31 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-16 04:31 . 2011-08-11 04:31 271360 ----a-w- c:\windows\system32\conhost.exe
2011-07-16 04:19 . 2011-08-11 04:31 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 04:31 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2011-07-16 02:21 . 2011-08-11 04:31 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:21 . 2011-08-11 04:31 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:21 . 2011-08-11 04:31 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:21 . 2011-08-11 04:31 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-07-09 04:30 . 2011-08-25 02:38 2048 ----a-w- c:\windows\system32\tzres.dll
2011-07-09 02:26 . 2011-08-11 04:31 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-07-07 02:52 . 2010-06-01 06:42 41272 ---ha-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-09 01:10 . 2011-06-09 05:21 134104 ---ha-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-05-23 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-24 1029416]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-05-08 442433]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-04-18 36864]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-05-19 3444736]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-10 169328]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-07 1047656]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Freecorder FLV Service"="c:\program files\Freecorder 5\FLVSrvc.exe" [2011-03-24 167936]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-07 1047656]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-07-08 23:46 10536 ---ha-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
2009-08-05 10:17 224712 ---ha-w- c:\program files\DAEMON Tools Pro\DTProAgent.exe
.
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-10-02 722416]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 dc3d;MS Hardware Device Detection Driver (HID);c:\windows\system32\DRIVERS\dc3d.sys [2009-11-04 17408]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-29 1343400]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_b281b655c5757ced\aestsrv.exe [2008-05-08 73728]
S3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2009-10-21 130640]
S3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [2009-10-21 89680]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - Avgtdix
*Deregistered* - SASENUM
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3342888686-2630374663-391894324-1000Core.job
- c:\users\k1wata\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-13 07:53]
.
2011-09-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3342888686-2630374663-391894324-1000UA.job
- c:\users\k1wata\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-13 07:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080709
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=127.0.0.1:57919
IE: {{AAA38851-3CFF-475F-B5E0-720D3645E4A5} - {AAA38851-3CFF-475F-B5E0-720D3645E4A5} - c:\program files\Minibar\MinibarButton.dll
TCP: DhcpNameServer = 68.94.156.1 68.94.157.1
FF - ProfilePath - c:\users\k1wata\AppData\Roaming\Mozilla\Firefox\Profiles\rav408di.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-Run-AbEVEEVRbhjjV.exe - c:\programdata\AbEVEEVRbhjjV.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3948)
c:\program files\WinSCP\DragExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_b281b655c5757ced\STacSV.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\RunDll32.exe
.
**************************************************************************
.
Completion time: 2011-09-28 07:40:16 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-28 14:40
.
Pre-Run: 24,207,372,288 bytes free
Post-Run: 23,981,780,992 bytes free
.
- - End Of File - - 0B987134B087629C9C89D1C56266D054