ComboFix 12-08-07.05 - Sean 08/08/2012  11:12:18.3.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.3325.1807 [GMT -7:00]
Running from: c:\users\Sean\Desktop\ComboFix.exe
Command switches used :: C:\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
ADS - Windows: deleted 0 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\QBDataServiceUser19\AppData\Roaming\Microsoft\Okyprtw
c:\users\QBDataServiceUser19\AppData\Roaming\Microsoft\Okyprtw\okyprt.dll
c:\users\QBDataServiceUser19\AppData\Roaming\Microsoft\Okyprtw\okyprtw.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-08 to 2012-08-08 )))))))))))))))))))))))))))))))
.
.
2012-08-08 18:22 . 2012-08-08 18:22   --------   d-----w-   c:\users\QBDataServiceUser19\AppData\Local\temp
2012-08-08 18:22 . 2012-08-08 18:22   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-08-08 15:58 . 2012-08-08 15:58   184320     ----a-w-   c:\users\Sean\AppData\Roaming\Microsoft\Jreii\jreii.exe
2012-08-06 18:27 . 2012-07-16 09:41   6891424    ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{141459E4-D7A2-4B86-A067-35D3B61CB2F3}\mpengine.dll
2012-08-05 16:24 . 2012-08-05 16:24   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-08-05 16:24 . 2012-07-03 20:46   22344      ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-08-03 16:52 . 2012-08-03 16:52   --------   d-----w-   C:\_OTL
2012-08-02 17:54 . 2012-08-02 17:54   --------   d-----w-   c:\program files\DLLSuite
2012-08-02 16:32 . 2012-08-02 16:32   2881       ----a-w-   C:\Sharedaccess.reg
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 19:25 . 2009-10-03 08:48   237072     ------w-   c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-13 68856]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-11 4452352]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-03 1862144]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-10-28 1085704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Nike+ Connect"="c:\program files\Nike\Nike+ Connect\Nike+ Connect daemon.exe" [2010-10-01 299008]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-08-03 273544]
"Memeo Instant Backup"="c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe" [2011-04-06 136416]
"Seagate Dashboard"="c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2011-04-13 79112]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-05-28 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-28 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-28 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
CardMinder Viewer.lnk - c:\program files\PFU\ScanSnap\CardMinder V3.1\CardLauncher.exe [2008-6-12 36864]
Conversion to PDF with ScanSnap Organizer.lnk - c:\program files\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe [2008-6-12 24576]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-3 50688]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-12-10 984352]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-29 57344]
ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2008-6-12 1769472]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 19:59]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-04 17:34]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-04 17:34]
.
2012-08-08 c:\windows\Tasks\TradeStation Backup - Weekly.job
- c:\program files\TradeStation 8.6 (Build 2696)\Program\TSBackupRestore.exe [2009-10-12 08:06]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Proj/dbtraderlinks/index.html
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: ameritrade.com\wwws
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: {0FB028C2-2704-40F6-A983-2A2405027A19} - hxxps://epresent.sungard.com/ws/dropslot.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run- - (no file)
HKCU-Run- - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-08 11:32
Windows 6.0.6001 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwQuerySystemInformation
.
scanning hidden processes ...
.
c:\users\Sean\AppData\Roaming\Microsoft\Jreii\jreii.exe [2868] 0x858F7020
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
InetAlarm = "c:\users\Sean\AppData\Roaming\Microsoft\Jreii\jreii.exe" /c c:\program files\TantusTrading\InetAlarm.exe
nydvq = "c:\users\Sean\AppData\Roaming\Microsoft\Jreii\jreii.exe"
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InetAlarm"="\"c:\\Users\\Sean\\AppData\\Roaming\\Microsoft\\Jreii\\jreii.exe\" /c c:\\Program Files\\TantusTrading\\InetAlarm.exe"
"nydvq"="\"c:\\Users\\Sean\\AppData\\Roaming\\Microsoft\\Jreii\\jreii.exe\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,8d,2c,57,3f,5f,45,49,a9,85,cb,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,8d,2c,57,3f,5f,45,49,a9,85,cb,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4988)
c:\windows\jreii.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\AstSrv.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\CQG\CQG.AutoUpgrade.Service\CQG.AutoUpgrade.StartUpNTService.exe
c:\windows\System32\JRService.exe
c:\tal\log_service32.exe
c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\TeamViewer3\TeamViewer_Service.exe
c:\program files\TeamViewer\Version5\TeamViewer_Service.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\RtHDVCpl.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Google\Google Toolbar\GoogleToolbarUser_32.exe
.
**************************************************************************
.
Completion time: 2012-08-08  11:36:30 - machine was rebooted
ComboFix-quarantined-files.txt  2012-08-08 18:36
ComboFix2.txt  2012-08-08 07:16
ComboFix3.txt  2012-08-05 00:05
.
Pre-Run: 90,412,937,216 bytes free
Post-Run: 90,301,059,072 bytes free
.
- - End Of File - - 518260A4924A293F2AE263E60A8CBE3A