ComboFix 14-03-23.01 - Bantas 03/23/2014 12:25:47.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1211 [GMT -4:00]
Running from: c:\users\Bantas\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2014-02-23 to 2014-03-23 )))))))))))))))))))))))))))))))
.
.
2014-03-23 16:34 . 2014-03-23 16:34 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-03-23 16:34 . 2014-03-23 16:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-03-23 16:05 . 2014-03-23 16:05 62576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A4A8F3EF-6396-44D5-B7CA-64D2F27450BF}\offreg.dll
2014-03-23 15:08 . 2014-03-23 15:08 -------- d-----w- c:\windows\Migration
2014-03-21 14:53 . 2014-03-17 14:16 7969936 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A4A8F3EF-6396-44D5-B7CA-64D2F27450BF}\mpengine.dll
2014-03-19 13:25 . 2014-03-23 15:34 -------- d-----w- c:\windows\system32\wbem\repository
2014-03-19 13:10 . 2014-03-19 13:10 -------- d-----w- c:\program files\Common Files\Skype
2014-03-19 13:10 . 2014-03-19 13:10 -------- d-----r- c:\program files\Skype
2014-03-19 12:22 . 2014-03-19 12:22 -------- d-----w- C:\found.001
2014-03-19 11:42 . 2014-02-07 10:38 2050560 ----a-w- c:\windows\system32\win32k.sys
2014-03-19 11:42 . 2014-02-03 10:37 505344 ----a-w- c:\windows\system32\qedit.dll
2014-03-19 11:41 . 2014-01-30 07:46 876032 ----a-w- c:\windows\system32\wer.dll
2014-03-19 11:41 . 2013-11-13 00:30 2048 ----a-w- c:\windows\system32\tzres.dll
2014-03-09 12:38 . 2014-03-09 12:38 -------- d-----w- c:\program files\VUDUToGo(78)
2014-03-02 23:24 . 2014-03-02 23:24 -------- d-----w- c:\program files\iPod
2014-03-02 23:23 . 2014-03-02 23:25 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-03-02 23:23 . 2014-03-02 23:25 -------- d-----w- c:\program files\iTunes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-19 11:32 . 2012-08-01 21:04 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-19 11:32 . 2012-08-01 21:04 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-04-18 159744]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-09 36864]
"VolPanel"="c:\program files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2006-11-27 180224]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-12 101136]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-03-16 17920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-21 1862144]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-16 13793824]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-06-16 92704]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2012-12-18 1304296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-13 43848]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2012-02-27 133424]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
"dcmsvc"="c:\program files\dcmsvc\dcmsvc.exe" [2009-04-07 30440]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-06-25 405504]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-02-21 152392]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-8-21 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE -b -l [1999-2-17 65588]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2007-8-21 679936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-01 11:32]
.
2014-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-01 21:30]
.
2014-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-01 21:30]
.
2014-03-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2179227837-3419367426-1334409123-1000Core.job
- c:\users\Bantas\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-01 20:20]
.
2014-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2179227837-3419367426-1334409123-1000UA.job
- c:\users\Bantas\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-01 20:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-03-23 12:34
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4532)
c:\program files\SetPoint\lgscroll.dll
.
Completion time: 2014-03-23 12:41:18
ComboFix-quarantined-files.txt 2014-03-23 16:40
ComboFix2.txt 2014-03-19 17:33
ComboFix3.txt 2014-03-19 12:34
ComboFix4.txt 2014-03-17 20:21
ComboFix5.txt 2014-03-23 16:23
.
Pre-Run: 42,021,912,576 bytes free
Post-Run: 41,911,271,424 bytes free
.
- - End Of File - - 0E404338A0FAF5EA114BF7C139330E87 5C616939100B85E558DA92B899A0FC36