ComboFix 12-08-25.04 - Hello 08/27/2012  22:22:45.1.1 - x86
Running from: c:\documents and settings\Hello\Desktop\ComboFix.exe
 * Created a new restore point
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\FunWebProducts
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn-new.htmlx
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\FunWebProducts\Shared\Cache\WebfettiBtn.htmlx
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\1.bin\F3CJpeg.dll
c:\program files\MyWebSearch\bar\1.bin\F3DTactl.dll
c:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\1.bin\F3REGHK.DLL
c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\1.bin\M3AUXSTB.DLL
c:\program files\MyWebSearch\bar\1.bin\M3DLGHK.DLL
c:\program files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\1.bin\M3HTml.dll
c:\program files\MyWebSearch\bar\1.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MSg.dll
c:\program files\MyWebSearch\bar\1.bin\M3OUtlcn.dll
c:\program files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Cache\000E6B2A
c:\program files\MyWebSearch\bar\Cache\000E7DD3.bin
c:\program files\MyWebSearch\bar\Cache\000E86BE.bin
c:\program files\MyWebSearch\bar\Cache\000E8A94.bin
c:\program files\MyWebSearch\bar\Cache\000E8D97.bin
c:\program files\MyWebSearch\bar\Cache\000E90FE.bin
c:\program files\MyWebSearch\bar\Cache\010CBDE9.bin
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\firefox\CHROME.MANIFEST
c:\program files\MyWebSearch\bar\firefox\chrome\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\firefox\INSTALL.RDF
c:\program files\MyWebSearch\bar\firefox\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\windows\system32\438cfa9b.dll
c:\windows\system32\64c9965c.dll
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\Thumbs.db
.
c:\windows\system32\drivers\usbehci.sys . . . is missing!!
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService
.
.
(((((((((((((((((((((((((   Files Created from 2012-07-27 to 2012-08-27   )))))))))))))))))))))))))))))))
.
.
2012-08-27 21:06 . 2012-08-27 21:06    --------    d-----w-    C:\_OTL
2012-08-21 11:00 . 2012-08-21 13:46    --------    d-----w-    c:\documents and settings\Hello\Local Settings\Application Data\Google
2012-08-17 16:43 . 2012-08-17 16:43    --------    d-----w-    c:\documents and settings\Hello\Local Settings\Application Data\Identities
2012-08-16 21:47 . 2009-06-25 12:20    1446264     ----a-w-    c:\program files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
2012-08-16 21:37 . 2004-08-04 12:00    221184      ----a-w-    c:\windows\system32\wmpns.dll
2012-08-16 21:37 . 2012-08-16 21:37    --------    d-----w-    c:\program files\Windows Media Connect 2
2012-08-16 21:35 . 2012-08-16 21:36    --------    d-----w-    c:\windows\system32\drivers\UMDF
2012-08-16 08:35 . 2012-08-16 08:35    --------    d-----w-    c:\program files\Common Files\Java
2012-08-16 08:35 . 2012-08-16 08:35    73728       ----a-w-    c:\windows\system32\javacpl.cpl
2012-08-16 08:35 . 2012-08-16 08:35    477168      ----a-w-    c:\windows\system32\npdeployJava1.dll
2012-08-16 08:34 . 2012-08-16 08:34    --------    d-----w-    c:\program files\Java
2012-08-16 08:33 . 2012-08-16 08:33    --------    d-----w-    c:\documents and settings\All Users\Application Data\McAfee
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-16 08:35 . 2010-09-15 13:58    473072      ----a-w-    c:\windows\system32\deployJava1.dll
2009-08-10 22:16 . 2009-08-20 16:26    18015723    ----a-w-    c:\program files\vlc-1.0.1-win32.exe
2012-07-14 00:17 . 2012-08-15 16:47    136672      ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-10-01 289072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TWCU"="c:\program files\TP-LINK\TP-LINK 54M Wireless Client Utility\TWCU.exe" [2008-03-26 479412]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-01 198160]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-11-14 286720]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
"CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
"nwiz"="nwiz.exe" [2007-09-17 1626112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2012-08-15 2042208]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAID Manager.lnk - c:\program files\ITE\ITE IT8212 ATA RAID Controller\RaidMgr.exe [2007-10-2 724992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-10 15:28    11952    ----a-w-    c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [10/2/2007 3:26 PM 26112]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/1/2009 8:05 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/1/2009 8:05 PM 297752]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [9/2/2009 6:09 PM 38144]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [12/30/2002 10:53 AM 12160]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [8/15/2012 5:47 PM 113120]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=yjsLMSRPItYTs5udsMbHdg
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Hello\Application Data\Mozilla\Firefox\Profiles\z2aiiu41.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=yjsLMSRPItYTs5udsMbHdg&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
.
- - - - ORPHANS REMOVED - - - -
.
Notify-imskdic32 - imskdic32.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-27 22:34
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(472)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\RUNDLL32.EXE
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-08-27  22:36:58 - machine was rebooted
ComboFix-quarantined-files.txt  2012-08-27 21:36
.
Pre-Run: 33,975,300,096 bytes free
Post-Run: 33,879,080,960 bytes free
.
- - End Of File - - D1E0D18DC5CE0BBF19EE832A90CB5F76