ComboFix 13-11-27.01 - Paul 30/11/2013 19:15:33.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1917.892 [GMT 0:00]
Running from: c:\users\Paul\Downloads\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {179979E8-273D-D14E-0543-2861940E4886}
FW: Kaspersky Internet Security *Disabled* {2FA2F8CD-6D52-D016-2E1C-81546ADD0FFD}
SP: Kaspersky Internet Security *Disabled/Updated* {ACF8980C-0107-DEC0-3FF3-1313EF89023B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\pt
c:\windows\system32\pt\toscdspd.cpl.mui
.
.
((((((((((((((((((((((((( Files Created from 2013-10-28 to 2013-11-30 )))))))))))))))))))))))))))))))
.
.
2013-11-30 19:25 . 2013-11-30 19:26 -------- d-----w- c:\users\Paul\AppData\Local\temp
2013-11-30 19:25 . 2013-11-30 19:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-11-30 19:25 . 2013-11-30 19:25 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-11-29 18:46 . 2013-11-29 18:46 -------- d-----w- C:\FRST
2013-11-29 18:26 . 2013-11-29 18:26 -------- d-----w- c:\windows\ERUNT
2013-11-29 11:15 . 2013-11-08 01:15 7772552 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C9DE4A6F-BA5D-405B-859B-ABA09AF70F11}\mpengine.dll
2013-11-22 23:30 . 2013-11-22 23:30 -------- d-----w- c:\program files\SpeedFan
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-11 05:50 . 2009-11-25 06:56 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-11-07 09:25 . 2013-05-06 08:22 135776 ----a-w- c:\windows\system32\drivers\kl1.sys
2013-10-10 17:03 . 2013-05-05 21:42 25696 ----a-w- c:\windows\system32\drivers\klmouflt.sys
2013-10-10 17:03 . 2013-06-10 11:27 25696 ----a-w- c:\windows\system32\drivers\klim6.sys
2013-10-10 17:03 . 2013-05-05 21:42 25696 ----a-w- c:\windows\system32\drivers\klkbdflt.sys
2013-09-15 16:57 . 2013-09-15 16:59 8192 ----a-w- c:\windows\system32\E_DCINST.DLL
2013-09-15 16:57 . 2013-09-15 16:59 81408 ----a-w- c:\windows\system32\E_FD4BHAE.DLL
2013-09-15 16:57 . 2013-09-14 16:05 95232 ----a-w- c:\windows\system32\E_FLBHAE.DLL
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn4\yt.dll" [2013-08-07 1561880]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2012-05-25 6595928]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"Facebook Update"="c:\users\Paul\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
"EPLTarget\P0000000000000000"="c:\windows\system32\spool\DRIVERS\W32X86\3\E_FATIHAE.EXE" [2013-09-15 249440]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-09 4702208]
"NDSTray.exe"="NDSTray.exe" [BU]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 538744]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-19 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
.
c:\users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Monitor Ink Alerts - HP Deskjet 1000 J110 series.lnk - c:\windows\system32\RunDll32.exe "c:\program files\HP\HP Deskjet 1000 J110 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=CN11621GYY05D2;CONNECTION=USB;MONITOR=1; [2006-11-2 44544]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe View=show_in_tray . View=show_in_tray [2009-11-13 9117504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-05-14 759048]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-07-04 01:55]
.
2013-11-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1954790308-1874760727-124245015-1005Core.job
- c:\users\Paul\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-07-08 20:38]
.
2013-11-30 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1954790308-1874760727-124245015-1005UA.job
- c:\users\Paul\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-07-08 20:38]
.
2013-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 22:36]
.
2013-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 22:36]
.
2013-11-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1954790308-1874760727-124245015-1005Core.job
- c:\users\Paul\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-29 04:48]
.
2013-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1954790308-1874760727-124245015-1005UA.job
- c:\users\Paul\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-29 04:48]
.
2013-11-30 c:\windows\Tasks\User_Feed_Synchronization-{5B3F6DD2-6757-4ECD-A96C-3046CF43A301}.job
- c:\windows\system32\msfeedssync.exe [2013-11-14 08:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com
mStart Page = hxxp://uk.yahoo.com
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\ie_banner_deny.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{f4e6547e-325b-403c-a3bb-ad29ed37a92f} - (no file)
c:\users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ekiga.lnk - c:\program files\Ekiga\ekiga.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-30 19:26
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-11-30 19:29:42
ComboFix-quarantined-files.txt 2013-11-30 19:29
.
Pre-Run: 23,666,458,624 bytes free
Post-Run: 26,533,343,232 bytes free
.
- - End Of File - - 43C83D85024BD80B6FE7E299CC7DBAFF 5C616939100B85E558DA92B899A0FC36