ComboFix 12-08-07.05 - Sean 08/09/2012  13:52:19.4.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.3325.1950 [GMT -7:00]
Running from: c:\users\Sean\Desktop\ComboFix.exe
Command switches used :: C:\CFScript4.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\program files\Google\Update\GoogleUpdate.exe"
"c:\windows\jreii.dll"
"c:\windows\rjuek.dll"
"c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe"
"c:\windows\Tasks\Adobe Flash Player Updater.job"
"c:\windows\Tasks\GoogleUpdateTaskMachineCore.job"
"c:\windows\Tasks\GoogleUpdateTaskMachineUA.job"
.
ADS - Windows: deleted 0 bytes in 1 streams.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\real\realplayer\update
c:\program files\real\realplayer\update\faus3270.dll
c:\program files\real\realplayer\update\pnmi3270.dll
c:\program files\real\realplayer\update\r1puninst.exe
c:\program files\real\realplayer\update\realonemessagecenter.exe
c:\program files\real\realplayer\update\realsched.exe
c:\program files\real\realplayer\update\rnad3201.dll
c:\program files\real\realplayer\update\rnms3270.dll
c:\program files\real\realplayer\update\rnqu3270.dll
c:\program files\real\realplayer\update\rnup3270.dll
c:\program files\real\realplayer\update\rnxproc.exe
c:\program files\real\realplayer\update\rpelevation.dll
c:\program files\real\realplayer\update\setu3270.dll
c:\program files\real\realplayer\update\UI\ath.vs
c:\program files\real\realplayer\update\UI\default.png
c:\program files\real\realplayer\update\UI\default.smi
c:\program files\real\realplayer\update\UI\Images\real_logo_93x44.gif
c:\program files\real\realplayer\update\UI\loc\msgdata.js
c:\program files\real\realplayer\update\UI\loc\msgstyle.css
c:\program files\real\realplayer\update\UI\mirak.vs
c:\program files\real\realplayer\update\UI\msgoff.htm
c:\program files\real\realplayer\update\UI\msgui.vs
c:\program files\real\realplayer\update\UI\rnupgui.vs
c:\program files\real\realplayer\update\upgr3270.dll
c:\program files\real\realplayer\update\upgrdhlp.exe
c:\users\Sean\AppData\Roaming\Microsoft\Jreii
c:\users\Sean\AppData\Roaming\Microsoft\Jreii\jrei.dll
c:\users\Sean\AppData\Roaming\Microsoft\Jreii\jreii.exe
c:\users\Sean\AppData\Roaming\Microsoft\Jreii\jreii32.dll
c:\users\Sean\AppData\Roaming\Microsoft\Jreii\MdDEyPn2
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_AdobeFlashPlayerUpdateSvc
-------\Service_eoxskhvwp
.
.
(((((((((((((((((((((((((   Files Created from 2012-07-09 to 2012-08-09  )))))))))))))))))))))))))))))))
.
.
2012-08-09 21:02 . 2012-08-09 21:11	--------	d-----w-	c:\users\Sean\AppData\Local\temp
2012-08-09 21:02 . 2012-08-09 21:02	--------	d-----w-	c:\users\QBDataServiceUser19\AppData\Local\temp
2012-08-09 21:02 . 2012-08-09 21:02	--------	d-----w-	c:\users\Default\AppData\Local\temp
2012-08-09 19:00 . 2012-08-09 19:01	--------	d-----w-	c:\users\Sean\AppData\Roaming\QuickScan
2012-08-09 18:58 . 2012-08-09 18:58	--------	d-----w-	c:\program files\ESET
2012-08-08 20:54 . 2012-08-09 20:47	184320	----a-w-	c:\users\QBDataServiceUser19\AppData\Roaming\Microsoft\Okyprtw\okyprtw.exe
2012-08-06 18:27 . 2012-07-16 09:41	6891424	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{141459E4-D7A2-4B86-A067-35D3B61CB2F3}\mpengine.dll
2012-08-05 16:24 . 2012-08-05 16:24	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2012-08-05 16:24 . 2012-07-03 20:46	22344	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-08-03 16:52 . 2012-08-03 16:52	--------	d-----w-	C:\_OTL
2012-08-02 17:54 . 2012-08-02 17:54	--------	d-----w-	c:\program files\DLLSuite
2012-08-02 16:32 . 2012-08-02 16:32	2881	----a-w-	C:\Sharedaccess.reg
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 19:25 . 2009-10-03 08:48	237072	------w-	c:\windows\system32\MpSigStub.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-13 68856]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-11 4452352]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-03 1862144]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-10-28 1085704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Nike+ Connect"="c:\program files\Nike\Nike+ Connect\Nike+ Connect daemon.exe" [2010-10-01 299008]
"Memeo Instant Backup"="c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe" [2011-04-06 136416]
"Seagate Dashboard"="c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2011-04-13 79112]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-05-28 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-28 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-28 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
CardMinder Viewer.lnk - c:\program files\PFU\ScanSnap\CardMinder V3.1\CardLauncher.exe [2008-6-12 36864]
Conversion to PDF with ScanSnap Organizer.lnk - c:\program files\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe [2008-6-12 24576]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-3 50688]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-12-10 984352]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-29 57344]
ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2008-6-12 1769472]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile	REG_MULTI_SZ	wcescomm rapimgr
LocalServiceRestricted	REG_MULTI_SZ	WcesComm RapiMgr
bthsvcs	REG_MULTI_SZ	BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 19:59]
.
2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-04 17:34]
.
2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-04 17:34]
.
2012-08-09 c:\windows\Tasks\TradeStation Backup - Weekly.job
- c:\program files\TradeStation 8.6 (Build 2696)\Program\TSBackupRestore.exe [2009-10-12 08:06]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Proj/dbtraderlinks/index.html
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: ameritrade.com\wwws
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: {0FB028C2-2704-40F6-A983-2A2405027A19} - hxxps://epresent.sungard.com/ws/dropslot.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-InetAlarm - c:\users\Sean\AppData\Roaming\Microsoft\Jreii\jreii.exe
HKCU-Run-nydvq - c:\users\Sean\AppData\Roaming\Microsoft\Jreii\jreii.exe
AddRemove-RealPlayer 12.0 - c:\program files\real\realplayer\Update\r1puninst.exe
.
.
.
**************************************************************************
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,8d,2c,57,3f,5f,45,49,a9,85,cb,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,8d,2c,57,3f,5f,45,49,a9,85,cb,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\AstSrv.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\windows\System32\JRService.exe
c:\tal\log_service32.exe
c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\TeamViewer3\TeamViewer_Service.exe
c:\program files\TeamViewer\Version5\TeamViewer_Service.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\CQG\CQG.AutoUpgrade.Service\CQG.AutoUpgrade.StartUpNTService.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\windows\RtHDVCpl.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2012-08-09  14:15:06 - machine was rebooted
ComboFix-quarantined-files.txt  2012-08-09 21:14
ComboFix2.txt  2012-08-08 18:36
ComboFix3.txt  2012-08-08 07:16
ComboFix4.txt  2012-08-05 00:05
.
Pre-Run: 95,076,167,680 bytes free
Post-Run: 94,857,064,448 bytes free
.
- - End Of File - - 899451702BF8BA38CC730596E9BE261E