ComboFix 12-08-22.03 - Admin 08/23/2012 7:01.2.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4094.2856 [GMT -4:00]
Running from: c:\users\Admin\Downloads\Desktop\ComboFix.exe
Command switches used :: c:\users\Admin\Downloads\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\zyifbaa.tmp
c:\windows\SysWow64\win5E83.tmp
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\windows\erdnt\cache64\services.exe
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll --> c:\windows\SysWOW64\user32.dll
.
((((((((((((((((((((((((( Files Created from 2012-07-23 to 2012-08-23 )))))))))))))))))))))))))))))))
.
.
2012-08-23 11:25 . 2012-08-23 11:25 906 ----a-w- c:\programdata\vkefbaa.tmp
2012-08-23 11:09 . 2012-08-23 11:09 -------- d-----w- c:\users\Katie's Account\AppData\Local\temp
2012-08-23 11:09 . 2012-08-23 11:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-23 10:45 . 2012-08-23 10:45 -------- d-----w- C:\_OTL
2012-08-22 23:17 . 2012-08-22 23:17 -------- d-----w- c:\programdata\GFI Software
2012-08-22 00:31 . 2012-08-22 01:11 -------- d-----w- C:\Downloads
2012-08-22 00:20 . 2012-08-22 00:20 -------- d-----w- c:\program files (x86)\PC Speed Maximizer
2012-08-22 00:20 . 2012-08-22 01:15 -------- d-----w- c:\program files (x86)\Free Download Manager
2012-08-22 00:20 . 2012-08-22 00:32 -------- d-----w- c:\programdata\blekko toolbars
2012-08-20 10:37 . 2009-08-20 03:50 24416 ----a-r- c:\windows\system32\AdobePDFUI.dll
2012-08-19 23:33 . 2012-08-19 23:33 -------- d-----w- c:\users\Admin\AppData\Roaming\HPAppData
2012-08-19 14:22 . 2012-07-06 20:07 552960 ----a-w- c:\windows\system32\drivers\bthport.sys
2012-08-19 14:18 . 2012-08-19 14:18 603648 ----a-w- c:\windows\system32\vbscript.dll
2012-08-19 14:06 . 2012-08-22 23:18 -------- d-----w- c:\program files (x86)\Ad-Aware Antivirus
2012-08-19 13:57 . 2012-04-07 12:31 3216384 ----a-w- c:\windows\system32\msi.dll
2012-08-19 13:57 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\SysWow64\msi.dll
2012-08-19 13:57 . 2012-04-28 05:32 1112064 ----a-w- c:\windows\system32\rdpcorets.dll
2012-08-19 13:57 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-08-19 13:57 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll
2012-08-19 13:57 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll
2012-08-19 13:56 . 2011-04-28 03:54 80384 ----a-w- c:\windows\system32\drivers\BTHUSB.SYS
2012-08-19 13:53 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-08-19 13:53 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll
2012-08-19 13:53 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll
2012-08-19 13:53 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll
2012-08-19 13:53 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll
2012-08-19 13:53 . 2012-07-18 18:15 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-08-09 01:24 . 2012-08-09 01:24 -------- d-----w- c:\users\Admin\AppData\Local\Skyrim
2012-08-09 01:22 . 2008-03-05 20:03 238088 ----a-w- c:\windows\SysWow64\xactengine3_0.dll
2012-08-09 01:21 . 2006-03-31 16:41 3927248 ----a-w- c:\windows\system32\d3dx9_30.dll
2012-08-09 01:21 . 2006-02-03 12:42 355536 ----a-w- c:\windows\system32\xactengine2_0.dll
2012-08-09 01:21 . 2006-02-03 12:41 16592 ----a-w- c:\windows\system32\x3daudio1_0.dll
2012-08-09 01:21 . 2006-02-03 12:43 3830992 ----a-w- c:\windows\system32\d3dx9_29.dll
2012-08-09 01:21 . 2005-05-26 19:34 3767504 ----a-w- c:\windows\system32\d3dx9_26.dll
2012-08-09 01:21 . 2005-05-26 19:34 2297552 ----a-w- c:\windows\SysWow64\d3dx9_26.dll
2012-08-09 01:21 . 2005-03-18 21:19 3823312 ----a-w- c:\windows\system32\d3dx9_25.dll
2012-08-09 01:21 . 2005-02-05 23:45 3544272 ----a-w- c:\windows\system32\d3dx9_24.dll
2012-08-08 23:39 . 2012-08-08 23:39 -------- d-----w- c:\program files (x86)\Common Files\Steam
2012-08-08 23:39 . 2012-08-23 11:28 -------- d-----w- c:\program files (x86)\Steam
2012-08-04 13:07 . 2012-08-04 13:07 -------- d-----w- c:\users\Administrator
2012-07-31 21:17 . 2012-07-31 21:17 -------- d-----w- c:\programdata\Battle.net
2012-07-30 21:52 . 2012-07-30 21:52 103904 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 00:27 . 2012-05-10 23:19 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-15 00:27 . 2011-05-21 04:29 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-03 08:27 . 2010-06-26 12:58 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-07-03 17:46 . 2010-01-21 23:07 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-07 00:59 . 2012-06-07 00:59 1070152 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-06-02 22:19 . 2012-06-19 11:18 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-19 11:18 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-19 11:18 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-19 11:18 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-19 11:18 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-19 11:18 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-19 11:18 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-19 11:18 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:15 . 2012-06-19 11:18 36864 ----a-w- c:\windows\system32\wuapp.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-11-20 . E107F960D82DC2780C45982ACC8C5984 . 857600 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll
[7] 2010-11-20 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
[7] 2009-07-14 . E8B0FFC209E504CB7E79FC24E6C085F0 . 833024 . . [6.1.7600.16385] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-08-22_23.32.44 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-08-19 15:13 . 2012-08-22 22:48 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\index.dat
+ 2012-08-19 15:13 . 2012-08-23 11:27 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\index.dat
+ 2012-06-25 12:04 . 2012-08-23 11:25 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
- 2012-06-25 12:04 . 2012-08-19 20:42 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2012-08-23 10:52 . 2012-08-23 11:27 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012082320120824\index.dat
+ 2012-08-23 11:27 . 2012-08-23 11:27 83968 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{911C5102-ED15-11E1-AC7B-001060F0A7C9}.dat
+ 2012-08-23 10:52 . 2012-08-23 10:52 25600 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{990546E7-ED10-11E1-8C64-001060F0A7C9}.dat
+ 2012-08-23 10:58 . 2012-08-23 10:59 40960 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7E1CBFBA-ED11-11E1-8C64-001060F0A7C9}.dat
+ 2012-08-23 11:20 . 2012-08-23 11:20 10240 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{77530DD9-ED14-11E1-AC7B-001060F0A7C9}.dat
+ 2012-08-23 11:20 . 2012-08-23 11:20 56832 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{77530DD7-ED14-11E1-AC7B-001060F0A7C9}.dat
+ 2012-08-23 10:58 . 2012-08-23 10:58 12800 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{669FAFFC-ED11-11E1-8C64-001060F0A7C9}.dat
+ 2012-08-23 10:57 . 2012-08-23 10:58 61952 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{669FAFFA-ED11-11E1-8C64-001060F0A7C9}.dat
+ 2012-06-24 13:54 . 2012-08-23 11:25 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
- 2012-06-24 13:54 . 2012-08-22 23:09 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2010-03-27 15:40 . 2012-08-23 10:52 51210 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2010-04-03 16:17 . 2012-08-23 10:46 11086 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2009-07-14 05:10 . 2012-08-23 10:52 48404 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-03-27 15:20 . 2012-08-23 10:52 13956 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4233454332-3810385758-2920334761-1000_UserData.bin
+ 2012-08-22 21:51 . 2012-08-23 11:27 3584 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{82B65B2C-ECA3-11E1-AC9C-001060F0A7C9}.dat
- 2012-08-22 21:51 . 2012-08-22 22:49 3584 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{82B65B2C-ECA3-11E1-AC9C-001060F0A7C9}.dat
+ 2012-08-23 10:54 . 2012-08-23 10:58 5632 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E2EC3F37-ED10-11E1-8C64-001060F0A7C9}.dat
+ 2012-08-23 10:54 . 2012-08-23 10:58 5120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DEAAFB25-ED10-11E1-8C64-001060F0A7C9}.dat
+ 2012-08-23 11:15 . 2012-08-23 11:20 5632 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DE584858-ED13-11E1-AC7B-001060F0A7C9}.dat
+ 2012-08-23 10:52 . 2012-08-23 10:52 5120 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{990546E6-ED10-11E1-8C64-001060F0A7C9}.dat
+ 2012-08-23 10:58 . 2012-08-23 10:58 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7E1CBFB9-ED11-11E1-8C64-001060F0A7C9}.dat
+ 2012-08-23 11:25 . 2012-08-23 11:25 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4E40CE2B-ED15-11E1-AC7B-001060F0A7C9}.dat
+ 2012-08-23 11:16 . 2012-08-23 11:16 6144 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F01F8F61-ED13-11E1-AC7B-001060F0A7C9}.dat
+ 2012-08-23 10:52 . 2012-08-23 10:52 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{ADDEFDF3-ED10-11E1-8C64-001060F0A7C9}.dat
+ 2012-08-23 10:52 . 2012-08-23 10:52 6144 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A4EF1E4C-ED10-11E1-8C64-001060F0A7C9}.dat
+ 2012-08-23 11:18 . 2012-08-23 11:19 5632 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4FD9F40E-ED14-11E1-AC7B-001060F0A7C9}.dat
+ 2012-08-23 10:56 . 2012-08-23 10:58 8192 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{21293732-ED11-11E1-8C64-001060F0A7C9}.dat
+ 2012-08-23 10:56 . 2012-08-23 10:58 8192 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{21293730-ED11-11E1-8C64-001060F0A7C9}.dat
- 2010-03-27 07:24 . 2012-08-22 23:30 3641 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Bluetooth\bthservsdp.dat
+ 2010-03-27 07:24 . 2012-08-23 11:10 3641 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Bluetooth\bthservsdp.dat
+ 2012-08-23 11:11 . 2012-08-23 11:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-08-22 23:31 . 2012-08-22 23:31 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-08-22 23:31 . 2012-08-22 23:31 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-23 11:11 . 2012-08-23 11:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-19 02:30 . 2012-08-23 11:25 851968 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\index.dat
+ 2011-05-06 02:18 . 2012-08-23 11:27 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2011-05-06 02:18 . 2012-08-22 23:09 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 04:54 . 2012-08-23 11:27 245760 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-08-22 23:09 245760 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-08-23 10:54 . 2012-08-23 10:58 144896 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DEAAFB26-ED10-11E1-8C64-001060F0A7C9}.dat
+ 2012-08-23 11:20 . 2012-08-23 11:20 128512 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{77530DD5-ED14-11E1-AC7B-001060F0A7C9}.dat
+ 2012-08-23 11:25 . 2012-08-23 11:29 333824 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4E40CE2C-ED15-11E1-AC7B-001060F0A7C9}.dat
+ 2010-03-27 14:23 . 2012-08-23 10:29 416510 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2009-07-14 05:01 . 2012-08-23 11:10 498836 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-08-22 23:30 498836 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 04:54 . 2012-08-22 23:09 1572864 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-23 11:27 1572864 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-23 11:25 1409024 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-10-31 18:31 . 2012-08-23 11:10 3344272 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4233454332-3810385758-2920334761-1000-12288.dat
+ 2012-08-19 21:04 . 2012-08-23 11:10 1891688 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat
+ 2012-08-17 21:23 . 2012-08-17 21:23 7945216 c:\windows\Installer\e2de45.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 163328]
"NVIDIA nTune"="c:\program files (x86)\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-09-29 145408]
"RMClock"="c:\program files (x86)\RMClock\RMClockLauncher.exe" [2008-02-29 61440]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-08-08 1353080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared Files\brs.exe" [2009-09-04 75048]
"RemoteControl"="c:\program files (x86)\CyberLink\PowerDVD\PDVDServ.exe" [2009-04-17 87336]
"LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD\Language\Language.exe" [2009-04-17 62760]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
[BU]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-12-09 135664]
R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2010-03-29 288112]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-15 250056]
R3 dump_wmimmc;dump_wmimmc;c:\gpotato\LunaPlus\GameGuard\dump_wmimmc.sys [x]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-03-27 1038088]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-12-09 135664]
R3 LeapFrog-USBLAN;LeapFrog-USBLAN;c:\windows\system32\DRIVERS\btblan.sys [2009-10-10 40320]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [2011-08-02 22528]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 RivaTuner64;RivaTuner64;c:\program files (x86)\RivaTuner v2.20\RivaTuner64.sys [2009-01-24 19952]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-06 1255736]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2008-02-06 54480]
S2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2009-08-14 517632]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2007-01-08 47104]
S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-10 00:27]
.
2012-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-12-09 01:44]
.
2012-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-12-09 01:44]
.
2012-08-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4233454332-3810385758-2920334761-1000Core.job
- c:\users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-28 15:14]
.
2012-08-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4233454332-3810385758-2920334761-1000UA.job
- c:\users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-28 15:14]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-09-10 23:35 3380736 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-09-10 23:35 3380736 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2007-06-13 5178368]
"Skytel"="Skytel.exe" [2007-05-28 1826816]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-21 182808]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"=hex:51,66,7a,6c,4c,1d,38,12,57,36,90,
   43,f7,9e,4b,04,e0,be,4b,59,e7,b4,e8,87
"{95B7759C-8C7F-4BF1-B163-73684A933233}"=hex:51,66,7a,6c,4c,1d,38,12,f2,76,a4,
   91,4d,c2,9f,0e,ce,75,30,28,4f,cd,76,27
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
   2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
"{555D4D79-4BD2-4094-A395-CFC534424A05}"=hex:51,66,7a,6c,4c,1d,38,12,17,4e,4e,
   51,e0,05,fa,05,dc,83,8c,85,31,1c,0e,11
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
   fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
   b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
"{0347C33E-8762-4905-BF09-768834316C61}"=hex:51,66,7a,6c,4c,1d,38,12,50,c0,54,
   07,50,c9,6b,0c,c0,1f,35,c8,31,6f,28,75
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
   1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{31332EEF-CB9F-458F-AFEB-D30E9A66B6BA}"=hex:51,66,7a,6c,4c,1d,38,12,81,2d,20,
   35,ad,85,e1,00,d0,fd,90,4e,9f,38,f2,ae
"{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}"=hex:51,66,7a,6c,4c,1d,38,12,7c,f0,b1,
   38,5c,21,3d,0e,d9,78,0d,25,e1,c9,8c,d4
"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,
   57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
   76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
   72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
   94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{AE7CD045-E861-484F-8273-0445EE161910}"=hex:51,66,7a,6c,4c,1d,38,12,2b,d3,6f,
   aa,53,a6,21,0d,fd,65,47,05,eb,48,5d,04
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
   df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7}"=hex:51,66,7a,6c,4c,1d,38,12,19,c7,a0,
   e8,38,54,d3,01,c4,41,3b,b9,ea,bd,0b,b3
"{F4971EE7-DAA0-4053-9964-665D8EE6A077}"=hex:51,66,7a,6c,4c,1d,38,12,89,1d,84,
   f0,92,94,3d,05,e6,72,25,1d,8b,b8,e4,63
"{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}"=hex:51,66,7a,6c,4c,1d,38,12,91,fc,ec,
   fb,7c,81,45,0a,c2,d4,4d,32,e4,48,ec,42
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:92,93,ac,b9,1c,7e,cd,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4a,26,b6,98,61,4b,32,40,b7,a4,c3,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4a,26,b6,98,61,4b,32,40,b7,a4,c3,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:15,d6,43,7a,1c,60,82,23,65,ec,ca,a9,ff,41,4d,c2,9f,d5,41,27,93,
   c7,41,e7,ca,8c,18,a0,ef,8f,8e,f6,b0,94,c9,42,d2,7c,e2,a1,e5,83,17,dc,4f,da,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\ %W*%H"]
"Successes"=dword:e0000000
"Failures"=dword:e0000001
"{B31CF903-CFC8-46BF-B492-A79A51B70DB9}"=hex:00,1a,70,54,38,fe
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,26,e1,e7,22,f5,07,4b,b0,72,09,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,26,e1,e7,22,f5,07,4b,b0,72,09,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:15,d6,43,7a,1c,60,82,23,65,ec,ca,a9,ff,41,4d,c2,9f,d5,41,27,93,
   c7,41,e7,ca,8c,18,a0,ef,8f,8e,f6,b0,94,c9,42,d2,7c,e2,a1,e5,83,17,dc,4f,da,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files (x86)\Common Files\Motive\McciCMService.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
.
**************************************************************************
.
Completion time: 2012-08-23 07:33:11 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-23 11:33
ComboFix2.txt 2012-08-22 23:39
.
Pre-Run: 187,503,038,464 bytes free
Post-Run: 187,155,865,600 bytes free
.
- - End Of File - - AA4BE7FE2A7B37F181A673EF1FC1028A
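Triage of the findings in this log, as an added example that is not part of the original log and is not ComboFix's own code. Three things in the log above deserve a second look before the machine is declared clean: the "Infected copy of c:\windows\system32\Services.exe was found and disinfected" line under Other Deletions; the Sigcheck block, where the unsigned [-] copy of c:\windows\SysWOW64\user32.dll is 857600 bytes while the signed [7] copy of the same version 6.1.7601.17514 in winsxs is 833024 bytes (the size gap at an identical version string, not the missing signature by itself, is what marks an in-place patched binary, and that file is what the FCopy step replaced from the winsxs copy); and the policies\system key, where EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are all 0, so UAC is switched off. The script below parses those three sections. Its sample input is constructed from lines copied out of the log above; the regexes are my own reading of the log layout rather than a documented ComboFix format, and treating every Sigcheck marker other than [-] as signed is an assumption.

```python
"""Triage helper for a ComboFix log (added example, not the log's or ComboFix's own code).
Pulls out "Infected copy ... disinfected" lines, Sigcheck entries and the UAC values under
policies\\system. The regexes are my reading of the log layout, not a published format spec."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the Other Deletions, Sigcheck and Reg Loading
# Points sections of the log above. Nothing here is a live scan result.
SAMPLE_LOG = r"""
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\windows\erdnt\cache64\services.exe
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
[-] 2010-11-20 . E107F960D82DC2780C45982ACC8C5984 . 857600 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll
[7] 2010-11-20 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
[7] 2009-07-14 . E8B0FFC209E504CB7E79FC24E6C085F0 . 833024 . . [6.1.7600.16385] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
"""

SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\] \d{4}-\d{2}-\d{2} \. (?P<md5>[0-9A-Fa-f]{32}) \. "
    r"(?P<size>\d+) \. \. \[(?P<version>[^\]]*)\] \.\. (?P<path>.+?)\s*$")
INFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected\s*$")
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>-?\d+)')
POLICY_KEY = r"[hkey_local_machine\software\microsoft\windows\currentversion\policies\system]"
# A zero in any of these means UAC is off, elevates silently, or prompts on the
# user's own desktop where another process can drive the prompt.
UAC_MUST_BE_NONZERO = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")


@dataclass(frozen=True)
class SigEntry:
    signed: bool      # False for the "[-]" marker; any other marker is treated as signed (assumption)
    md5: str
    size: int
    version: str
    path: str

    @property
    def basename(self):
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_sigcheck(text):
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries.append(SigEntry(m["flag"] != "-", m["md5"].upper(), int(m["size"]), m["version"], m["path"]))
    return entries


def suspicious_unsigned(entries):
    """Pair each unsigned file with a signed copy of the same name and version whose size
    differs: same version string but a different size is what an in-place patched binary
    looks like, whereas a routine update changes the version."""
    signed = [e for e in entries if e.signed]
    return [(u, s) for u in entries if not u.signed for s in signed
            if s.basename == u.basename and s.version == u.version and s.size != u.size]


def infected_files(text):
    matches = (INFECTED_RE.match(line.strip()) for line in text.splitlines())
    return [m["path"] for m in matches if m]


def uac_policy(text):
    """Collect the values listed directly under the policies\\system key."""
    values, in_block = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):          # any key header starts a new block
            in_block = line.lower() == POLICY_KEY
        elif in_block and (m := POLICY_RE.match(line)):
            values[m["name"]] = int(m["value"])
    return values


def uac_findings(policy):
    return [f"{name} is 0" for name in UAC_MUST_BE_NONZERO if policy.get(name) == 0]


def triage(text):
    return {
        "disinfected": infected_files(text),
        "patched_system_files": [
            f"{u.path}: unsigned, {u.size} bytes vs signed {s.size} bytes (both {u.version})"
            for u, s in suspicious_unsigned(parse_sigcheck(text))],
        "uac": uac_findings(uac_policy(text)),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section, *items, sep="\n   ")
```

On the sample the script reports the disinfected services.exe, the SysWOW64 user32.dll as an in-place patched copy (857600 bytes against the 833024-byte signed copy of the same version), and three UAC values at 0. The MD5s are kept on each entry so a reviewer can look up the unsigned hash against a known-good list; the script itself deliberately does not reach out to any service.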