ComboFix 12-06-12.03 - Victor 06/13/2012 12:03:54.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.1064 [GMT -5:00]
Running from: c:\users\Victor\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Outdated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Disabled/Outdated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Victor\AppData\Local\Temp\6ed24e3b7b12475781cabe1d317abec1\filesys.dll
c:\users\Victor\AppData\Local\Temp\6ed24e3b7b12475781cabe1d317abec1\http.dll
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Windows!System32!services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-05-13 to 2012-06-13 )))))))))))))))))))))))))))))))
.
.
2012-06-13 17:13 . 2012-06-13 17:43 -------- d-----w- c:\users\Victor\AppData\Local\temp
2012-06-13 17:13 . 2012-06-13 17:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-12 22:07 . 2012-06-12 22:07 -------- d-----w- C:\_OTL
2012-06-12 19:32 . 2012-06-12 19:32 -------- d-----w- c:\users\Victor\AppData\Roaming\Malwarebytes
2012-06-12 19:30 . 2012-06-12 22:01 -------- d-----w- c:\programdata\Malwarebytes
2012-06-12 19:30 . 2012-06-12 19:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-12 19:30 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-12 19:25 . 2012-06-12 19:25 -------- d-----w- c:\program files\CCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-24 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-24 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-24 133912]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2006-11-13 118784]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2007-02-08 411768]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-01-23 321656]
"VAIO Center Access Bar"="c:\program files\sony\VAIO Center Access Bar\VCAB.exe" [2007-03-06 36864]
"VAIOSecurity"="c:\program files\Sony\VAIO Security Center\VSC.exe" [2007-03-14 2322432]
"QuickBooks Simple Start"="c:\program files\Intuit\SimpleStartEntice\entice.exe" [2007-01-31 371712]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"VAIOSurvey"="c:\program files\Sony\VAIO Survey\Vista VAIO Survey.exe" [2006-12-07 577536]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2011-6-25 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-11-29 968224]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-02-13 22:19 98304 ----a-w- c:\windows\System32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_TRAY]
2012-01-18 02:03 2339168 ----a-w- c:\program files\AVG\AVG10\avgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2521497658-2663824407-520755313-1005]
"EnableNotificationsRef"=dword:00000001
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
SE27obex
ibmpmdrv
NVR0Dev
w810obex
NPPTNT
qkbfiltr
WmaCDriverV32
LC7981
earthlinksafeconnectagent
swmidi
pavatscheduler
Defrag32b
Hardlock
akshhl
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2521497658-2663824407-520755313-1005Core.job
- c:\users\Victor\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-14 16:37]
.
2012-06-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2521497658-2663824407-520755313-1005UA.job
- c:\users\Victor\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-14 16:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-NapsterShell - c:\program files\Napster\napster.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-13 12:43
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
[0] 0x00000001
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG10\avgchsvx.exe
c:\progra~1\AVG\AVG10\avgrsx.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Sony\VAIO Event Service\VESMgrSub.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Sony\VAIO Power Management\SPMgr.exe
c:\program files\Sony\VAIO Service Utility\VAIO-SUTOOL.exe
c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe
c:\program files\Sony\VAIO Update 3\VAIOUpdt.exe
c:\windows\system32\wbem\unsecapp.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-06-13 12:49:44 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-13 17:49
ComboFix2.txt 2012-06-13 16:11
.
Pre-Run: 134,227,849,216 bytes free
Post-Run: 134,030,569,472 bytes free
.
- - End Of File - - F3A1AAD382E1F02EF12BAE112C13549B
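The lines a responder reads first in the log above are the disinfected copy of c:\windows\system32\Services.exe (restored from a volume shadow copy), the two DLLs deleted from a random-named folder under the user's Temp directory, the three Security Center "DisableMonitoring"=dword:00000001 values, the AV reported as *Disabled/Outdated*, and the BootExecute value, which a stock Vista install leaves at "autocheck autochk *" alone. As an added example that is not part of ComboFix or of the original post, the following Python script pulls exactly those findings out of a ComboFix log so they are not lost in the Run-key noise. The line patterns it matches, the BootExecute baseline and the severity labels are this script's own assumptions about the log format; the AVG entries it surfaces from BootExecute belong to the installed AV and are listed only so a reviewer can confirm them.

```python
"""Triage a ComboFix log for the findings a responder reads first.

Added example, not part of ComboFix or of the original post.  The line
patterns, the BootExecute baseline and the severity labels are this
script's own assumptions about the ComboFix text format.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpt copied from the log above; a raw string keeps the backslashes and
# the literal '\0' separators of the BootExecute value intact.
LOG_EXCERPT = r"""ComboFix 12-06-12.03 - Victor 06/13/2012 12:03:54.3.2 - x86
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Outdated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
.
c:\users\Victor\AppData\Local\Temp\6ed24e3b7b12475781cabe1d317abec1\filesys.dll
c:\users\Victor\AppData\Local\Temp\6ed24e3b7b12475781cabe1d317abec1\http.dll
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Windows!System32!services.exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2521497658-2663824407-520755313-1005]
"EnableNotificationsRef"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')
INFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
RESTORED_RE = re.compile(r"^Restored copy from - (?P<src>.+)$")
AV_RE = re.compile(r"^(?:AV|SP|FW): (?P<product>.+?) \*(?P<state>[^*]+)\*")
BOOTEXEC_RE = re.compile(r"^BootExecute REG_MULTI_SZ (?P<data>.+)$")
TEMP_DLL_RE = re.compile(r"\\AppData\\Local\\Temp\\.+\.dll$", re.IGNORECASE)

# Assumed baseline: a stock Vista Session Manager carries only this entry.
BOOTEXEC_BASELINE = {"autocheck autochk *"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}

@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    kind: str      # short tag for the class of finding
    detail: str    # path, registry key or value the finding refers to

def dword(data: str) -> Optional[int]:
    """Decode a REGEDIT4 'dword:XXXXXXXX' value; None for other types."""
    return int(data[6:], 16) if data.startswith("dword:") else None

def parse_findings(text: str) -> List[Finding]:
    """Walk the log once, tracking the current [HKEY_...] section."""
    findings: List[Finding] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix's blank-line marker
            continue
        if (m := KEY_RE.match(line)):
            current_key = m.group("key").lower()
        elif (m := INFECTED_RE.match(line)):
            # A patched system binary is the headline finding of this log.
            findings.append(Finding("high", "patched-system-binary", m.group("path")))
        elif (m := RESTORED_RE.match(line)):
            findings.append(Finding("info", "restored-from", m.group("src")))
        elif (m := AV_RE.match(line)) and "disabled" in m.group("state").lower():
            findings.append(Finding("medium", "av-disabled",
                                    f'{m.group("product")} ({m.group("state")})'))
        elif TEMP_DLL_RE.search(line):
            # DLLs under a user's Temp directory that ComboFix removed.
            findings.append(Finding("medium", "temp-dll-deleted", line))
        elif (m := BOOTEXEC_RE.match(line)):
            # REG_MULTI_SZ entries are printed separated by a literal '\0'.
            for entry in m.group("data").split(r"\0"):
                if entry not in BOOTEXEC_BASELINE:
                    findings.append(Finding("medium", "bootexecute-extra", entry))
        elif (m := VALUE_RE.match(line)):
            if ("security center\\monitoring" in current_key
                    and m.group("name") == "DisableMonitoring"
                    and dword(m.group("data")) == 1):
                findings.append(Finding("high", "security-center-monitoring-off", current_key))
    return findings

def summarize(findings: List[Finding]) -> List[Finding]:
    """Stable sort: high first, so the patched binary tops the report."""
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])

if __name__ == "__main__":
    for f in summarize(parse_findings(LOG_EXCERPT)):
        print(f"[{f.severity:>6}] {f.kind}: {f.detail}")
```

Run it as a script to print the findings, or call parse_findings() on a full log read from disk. The section tracking matters for the Security Center check: "DisableMonitoring" is only interesting under the Monitoring keys, and the value is decoded from the REGEDIT4 dword form rather than string-compared, so a non-zero value written in a different width is still caught.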