ComboFix 12-02-16.01 - User01 17/02/2012 10:09:29.1.6 - x64
Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.8190.6383 [GMT 0:00]
Running from: c:\users\User01\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\User01\g2mdlhlpx.exe
c:\windows\svchost.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-01-17 to 2012-02-17 )))))))))))))))))))))))))))))))
.
.
2012-02-17 10:14 . 2012-02-17 10:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-16 15:33 . 2011-12-10 15:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-16 15:23 . 2012-01-04 09:03 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2012-02-16 15:23 . 2012-01-04 09:58 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-16 15:22 . 2012-01-03 05:44 478208 ----a-w- c:\windows\SysWow64\timedate.cpl
2012-02-16 15:22 . 2012-01-03 06:24 515584 ----a-w- c:\windows\system32\timedate.cpl
2012-02-16 15:22 . 2012-01-14 04:02 3143168 ----a-w- c:\windows\system32\win32k.sys
2012-02-16 15:22 . 2011-12-28 03:59 499200 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-16 15:21 . 2011-12-16 07:59 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll
2012-02-16 15:21 . 2011-12-16 08:42 634368 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-16 12:37 . 2012-02-16 12:37 -------- d-----w- c:\users\User01\AppData\Roaming\Malwarebytes
2012-02-16 12:37 . 2012-02-16 15:33 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-02-16 12:37 . 2012-02-16 12:37 -------- d-----w- c:\programdata\Malwarebytes
2012-02-16 11:10 . 2012-02-16 15:01 -------- d-----w- c:\program files\Microsoft Security Client
2012-02-16 09:15 . 2012-02-16 09:15 -------- d-----w- c:\windows\Sun
2012-02-15 17:50 . 2012-02-15 17:50 6656 ----a-w- c:\programdata\Microsoft\Windows\DRM\464D.tmp
2012-02-15 17:50 . 2012-02-15 17:50 6656 ----a-w- c:\programdata\Microsoft\Windows\DRM\464C.tmp
2012-02-15 15:53 . 2012-02-15 17:49 -------- d-----w- c:\users\User01\AppData\Roaming\Viom
2012-02-10 10:07 . 2012-02-16 13:03 -------- d--h--w- c:\users\User01\AppData\Local\d3dWebTask
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-27 00:52 . 2010-11-26 14:49 279656 ------w- c:\windows\system32\MpSigStub.exe
2011-11-19 15:07 . 2012-01-11 12:28 77312 ----a-w- c:\windows\system32\packager.dll
2011-11-19 14:06 . 2012-01-11 12:28 67072 ----a-w- c:\windows\SysWow64\packager.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-08-20 2363392]
"TANDBERG Movi"="c:\program files (x86)\TANDBERG\Movi\movi.exe" [BU]
"AdobeBridge"="" [BU]
"CUCore Agent"="c:\users\User01\AppData\Local\Radvision\Conference Client\7.14.100.95\confagent.exe" [2012-02-02 126064]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [BU]
"googletalk"="c:\users\User01\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Akamai NetSession Interface"="c:\users\User01\AppData\Local\Akamai\netsession_win.exe" [2012-02-02 3329824]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-10-13 17351304]
"Vidyo Desktop"="c:\program files (x86)\Vidyo\Vidyo Desktop\VidyoDesktop.exe" [2011-07-25 5656576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2010-06-25 2441840]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\users\User01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Polycom Pulse.lnk - c:\program files (x86)\Polycom Pulse\Polycom Pulse.exe [2011-7-5 142848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
OpenVPN Connect.lnk - c:\program files (x86)\OpenVPN Technologies\OpenVPN Client\core\ovpntray.exe [2011-5-5 72192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\DRIVERS\libusb0.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 OpenVPNAccessClient;OpenVPN Access Client;c:\program files (x86)\OpenVPN Technologies\OpenVPN Client\core\capiws.exe [2011-05-05 24064]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-10-08 369256]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\DRIVERS\tapoas.sys [x]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-08-20 13:24 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-986034664-1798642717-4066168195-1000Core.job
- c:\users\User01\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-26 08:56]
.
2012-02-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-986034664-1798642717-4066168195-1000UA.job
- c:\users\User01\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-26 08:56]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.co.uk/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = 127.0.0.1:9421
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
IE: Sothink SWF Catcher - c:\program files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\User01\AppData\Roaming\Mozilla\Firefox\Profiles\n9dyjpro.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Skype extension: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Aardvark: aardvark@rob.brown - %profile%\extensions\aardvark@rob.brown
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Html Validator: {3b56bcc7-54e5-44a2-9b44-66c3ef58c13e} - %profile%\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}
FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Ext: Clear Cache Button: {563e4790-7e70-11da-a72b-0800200c9a66} - %profile%\extensions\{563e4790-7e70-11da-a72b-0800200c9a66}
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_7de0ed9.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-986034664-1798642717-4066168195-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (S-1-5-21-986034664-1798642717-4066168195-1000)
@Denied: (2) (LocalSystem)
"Progid"="Outlook.File.eml.14"
.
[HKEY_USERS\S-1-5-21-986034664-1798642717-4066168195-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (S-1-5-21-986034664-1798642717-4066168195-1000)
@Denied: (2) (LocalSystem)
"Progid"="Outlook.File.vcf.14"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\\.\globalroot\systemroot\svchost.exe
c:\users\User01\AppData\Local\Radvision\Conference Client\7.14.100.95\cucore.exe
.
**************************************************************************
.
Completion time: 2012-02-17 10:25:23 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-17 10:25
ComboFix2.txt 2012-02-16 13:16
.
Pre-Run: 415,060,004,864 bytes free
Post-Run: 415,765,938,176 bytes free
.
- - End Of File - - 939D74CFCF796172421B61694AB4D748
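As an added example for anyone triaging a log like the one above (this is not part of the original post and not ComboFix's own code): a small Python script that parses the three line shapes visible in this log (bare paths, "Files Created" rows and Run-key entries) and flags the entries a responder would want to look at first. The four checks, and the assumption that the only expected copies of svchost.exe on 64-bit Windows 7 are the ones in System32 and SysWOW64, are the example's own; the sample lines are copied from the log above rather than constructed.

```python
"""Flag entries in a ComboFix-style log that deserve a closer look.

Added example for this thread; not part of the original post and not
ComboFix's own code. It only knows the line shapes seen in the log above.
"""
import re

# Assumption: on 64-bit Windows 7 a genuine svchost.exe lives only here.
LEGIT_SVCHOST = (r"c:\windows\system32\svchost.exe",
                 r"c:\windows\syswow64\svchost.exe")

# "Files Created" rows: created . modified size-or-dashes attrs path
FILES_CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?:\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$",
    re.IGNORECASE,
)
# Reg Loading Points rows: "Name"="path" [date size]
RUN_KEY_RE = re.compile(r'^"[^"]*"="(?P<path>[^"]+)"')
# An executable sitting directly in a user's profile root, e.g. c:\users\X\foo.exe
PROFILE_ROOT_EXE_RE = re.compile(r"^c:\\users\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


def extract_path(line):
    """Return (path, attrs) for a line that carries a path, else None."""
    line = line.strip()
    m = FILES_CREATED_RE.match(line)
    if m:
        return m.group("path"), m.group("attrs").lower()
    m = RUN_KEY_RE.match(line)
    if m:
        return m.group("path"), ""
    if line.lower().startswith(("c:\\", "\\\\")):
        return line, ""
    return None


def classify(path, attrs=""):
    """Return the reasons a path deserves attention (empty list = none)."""
    p = path.lower()
    reasons = []
    # Device-namespace paths are how rootkits hide the file behind a process.
    if "globalroot" in p or "\\\\.\\" in p:
        reasons.append("device/globalroot path")
    if p.endswith("\\svchost.exe") and p not in LEGIT_SVCHOST:
        reasons.append("svchost.exe outside System32/SysWOW64")
    # Hidden directory created under AppData (attrs is the d?????w? column).
    if attrs.startswith("d") and "h" in attrs and "\\appdata\\" in p:
        reasons.append("hidden directory under AppData")
    if PROFILE_ROOT_EXE_RE.match(p):
        reasons.append("executable in user profile root")
    return reasons


def triage(log_text):
    """Scan every line; return [(path, [reasons])] for flagged entries only."""
    hits = []
    for line in log_text.splitlines():
        found = extract_path(line)
        if not found:
            continue
        path, attrs = found
        reasons = classify(path, attrs)
        if reasons:
            hits.append((path, reasons))
    return hits


# Lines copied from the ComboFix log above (deletions, created files,
# a Run key entry and running processes), in the order they appear there.
SAMPLE = r"""
c:\users\User01\g2mdlhlpx.exe
c:\windows\svchost.exe
2012-02-16 15:33 . 2011-12-10 15:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-15 15:53 . 2012-02-15 17:49 -------- d-----w- c:\users\User01\AppData\Roaming\Viom
2012-02-10 10:07 . 2012-02-16 13:03 -------- d--h--w- c:\users\User01\AppData\Local\d3dWebTask
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-10-13 17351304]
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\\.\globalroot\systemroot\svchost.exe
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE):
        print(f"{path}\n    {'; '.join(reasons)}")
```

The script flags the deleted copy of svchost.exe in c:\windows, the executable dropped in the profile root, the hidden d3dWebTask directory and the globalroot svchost.exe that was still running, and stays quiet on the Malwarebytes driver, the Skype Run key and the LightScribe service. Feed it the whole log to get the same short list without reading every line by hand; anything it flags still needs a hash lookup or a look at the file before calling it malicious.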