ComboFix 11-05-27.02 - BigHead 05/29/2011 11:11:44.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.1233 [GMT -4:00]
Running from: c:\users\BigHead\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\29941496.exe
c:\programdata\HeypPtdMGKlWj.exe
C:\readme.txt
c:\users\BigHead\AppData\Roaming\360SE
c:\users\BigHead\AppData\Roaming\360SE\360SE.ini
c:\users\BigHead\AppData\Roaming\360SE\data\backup\1.dat
c:\users\BigHead\AppData\Roaming\360SE\data\backup\backup.ini
c:\users\BigHead\AppData\Roaming\360SE\data\bookmarks.dat
c:\users\BigHead\AppData\Roaming\360SE\data\history.dat
c:\users\BigHead\AppData\Roaming\360SE\data\ico\avc.360.cn.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\cn.bing.com.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\cz.360.cn.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\ddt.wan.360.cn.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\dgcs.wan.360.cn.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\dh.wan.360.cn.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\farm.wan.360.cn.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\hao.360.cn.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\hero.wan.360.cn.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\mcsd.wan.360.cn.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\me.360.cn.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\plsm.wan.360.cn.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\poker.wan.360.cn.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\reg.ucjoy.com.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\se.360.cn.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\search8.taobao.com.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\wan.360.cn.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\www.baidu.com.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\www.bing.com.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\www.google.cn.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\www.qihoo.com.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\www.sogou.com.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\www.youdao.com.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\wxfy.wan.360.cn.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\yahoo.cn.ico
c:\users\BigHead\AppData\Roaming\360SE\data\ico\zqjl.wan.360.cn.ico
c:\users\BigHead\AppData\Roaming\360SE\data\user.dat
c:\users\BigHead\AppData\Roaming\360SE\extensions\ExtAddons\ExtStats.ini
c:\users\BigHead\AppData\Roaming\360SE\extensions\ExtAddons\ExtStats.ini.cfg
c:\users\BigHead\AppData\Roaming\360SE\extensions\ExtAddons\ganzhi.ini
c:\users\BigHead\AppData\Roaming\360SE\extensions\ExtProxy\proxy.ini
c:\users\BigHead\AppData\Roaming\360SE\extensions\Favorites\Log\20100610.log
c:\users\BigHead\AppData\Roaming\360SE\extensions\Favorites\OnlineFav.ini
c:\users\BigHead\AppData\Roaming\360SE\extensions\SafeCentral\esimple.ini
c:\users\BigHead\AppData\Roaming\360SE\extensions\SafeCentral\SafeCentral.ini
c:\users\BigHead\AppData\Roaming\360SE\extensions\SafeCentral\SafeProtect.dat
c:\users\BigHead\AppData\Roaming\360SE\extensions\SafeCentral\sc.ini
c:\users\BigHead\AppData\Roaming\360SE\extensions\SafeCentral\urllib.dat
c:\users\BigHead\AppData\Roaming\360SE\NowLogin.ini
c:\users\BigHead\AppData\Roaming\360SE\stat.ini
c:\users\BigHead\g2mdlhlpx.exe
c:\windows\system32\ReadMe.txt
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SAFEBOXKRNL
-------\Service_SafeBoxKrnl
.
.
((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-29 )))))))))))))))))))))))))))))))
.
.
2011-05-29 15:00 . 2011-05-29 15:00 -------- d-----w- C:\32788R22FWJFW
2011-05-27 11:31 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{50615128-5746-4EEF-86E7-50C962AC7BA2}\mpengine.dll
2011-05-20 11:31 . 2011-05-20 11:31 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2011-05-20 11:31 . 2011-05-20 11:31 -------- d-----w- c:\program files\Common Files\xing shared
2011-05-20 11:30 . 2011-05-20 11:30 150712 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2011-05-20 11:30 . 2011-05-20 11:30 105472 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2011-05-17 03:49 . 2011-05-17 04:09 -------- d-----w- c:\program files\TradeStation 9.0
2011-05-17 03:12 . 2011-05-17 03:12 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-20 11:30 . 2003-03-19 03:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-03-03 15:40 . 2011-05-17 11:37 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40 . 2011-05-17 11:37 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40 . 2011-05-17 11:37 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40 . 2011-05-17 11:37 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"QvodPlayer"="c:\program files\QvodPlayer\QvodTerminal.exe" [2010-06-04 562568]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"SnapfishMediaDetector"="c:\program files\Snapfish Media Detector\SnapfishMediaDetector.exe" [2007-03-02 1441792]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2008-06-02 178712]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-01-10 92704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-10 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-10 88608]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\MpcStar\Codecs\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2011-05-20 273544]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-07 44168]
.
c:\users\BigHead\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-16 805392]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PalTalk.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\PalTalk.lnk
backup=c:\windows\pss\PalTalk.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^BigHead^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PPS.lnk]
path=c:\users\BigHead\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PPS.lnk
backup=c:\windows\pss\PPS.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-09-10 12:10 171448 ----a-w- c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [2006-05-10 29696]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192su.sys [2009-10-12 526848]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-06-09 108289]
S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-09-03 208896]
S2 Realtek11nSU;Realtek11nSU;c:\program files\Realtek\11n USB Wireless LAN Utility\RtlService.exe [2009-07-10 36864]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S2 vseamps;vseamps;c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [2010-04-08 117288]
S2 vsedsps;vsedsps;c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [2010-04-08 117288]
S2 vseqrts;vseqrts;c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [2010-04-08 154152]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2007-04-09 959104]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3212974082-3204700311-4242020185-1001Core.job
- c:\users\BigHead\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-04 14:47]
.
2011-05-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3212974082-3204700311-4242020185-1001UA.job
- c:\users\BigHead\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-04 14:47]
.
2011-05-29 c:\windows\Tasks\User_Feed_Synchronization-{76382577-CDE2-4523-BD31-6D0A7AFB7F97}.job
- c:\windows\system32\msfeedssync.exe [2008-07-22 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: 百度一下所选文字 (&B) [Search Baidu for selected text] - c:\program files\Common Files\Baidu\Baidu.html
IE: 使用iTudou下载节目 [Download this program with iTudou] - c:\program files\Tudou\iTudou\iTudou_Link.HTM
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
DPF: 89F5242A-1C1E-4AA9-ACB4-9DCBD93F9927 - hxxp://conf.subway.com//Downloads/cmW32client.cab
DPF: {EC0978ED-24E3-403C-AB7A-060E388553E6} - hxxp://www.17bobo.com/Software/BoBo_ActiveX_V3.ocx
FF - ProfilePath - c:\users\BigHead\AppData\Roaming\Mozilla\Firefox\Profiles\64qhmm0l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Move Media Player: [email protected] - c:\users\BigHead\AppData\Roaming\Move Networks
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{DD662A0C-12FE-4B38-BA53-247F7EC82F46} - (no file)
HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
HKCU-Run-TudouVAStart - c:\program files\Tudou\飞速Tudou\TudouVa.exe
AddRemove-Move Networks Player - IE - c:\users\BigHead\AppData\Roaming\Move Networks\ie_bin\Uninst.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Realtek\11n USB Wireless LAN Utility\RtWlan.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conime.exe
c:\windows\ehome\ehsched.exe
c:\windows\ehome\ehRecvr.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
.
**************************************************************************
.
Completion time: 2011-05-29 11:53:11 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-29 15:53
.
Pre-Run: 13,470,556,160 bytes free
Post-Run: 17,835,114,496 bytes free
.
- - End Of File - - D77B9AC527F218B1B0788EED1942BA27
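The log above carries no commentary, so the following is an added example (my own code, not ComboFix output and not from the original post) of how an analyst can triage a ComboFix log programmatically: split it into its sections, then flag the lines that matter most in this one, the patched system driver, executables dropped at the root of ProgramData or a user profile, a Run value whose target ComboFix marked `[X]` (file not found), the Security Center monitoring override, and ActiveX controls pulled from external hosts. The section-header regexes and the severity rules are assumptions made for this example; `SAMPLE_LOG` is a constructed excerpt built from lines that appear in the log above.

```python
"""Triage helper for ComboFix logs (added example, not part of ComboFix)."""
import re

# Constructed excerpt: lines copied from the log above, nothing else.
SAMPLE_LOG = r"""
ComboFix 11-05-27.02 - BigHead 05/29/2011 11:11:44.1.2 - x86
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\programdata\29941496.exe
c:\programdata\HeypPtdMGKlWj.exe
c:\users\BigHead\AppData\Roaming\360SE\360SE.ini
c:\users\BigHead\g2mdlhlpx.exe
c:\windows\system32\ReadMe.txt
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
------- Supplementary Scan -------
DPF: {EC0978ED-24E3-403C-AB7A-060E388553E6} - hxxp://www.17bobo.com/Software/BoBo_ActiveX_V3.ocx
"""

# Header styles ComboFix uses: "((( Name )))", "--- Name ---", "- - - Name - - -".
PAREN_HDR = re.compile(r"^\(+\s*(.+?)\s*\)+$")
DASH_HDR = re.compile(r"^(?:-\s*)+\s*(.+?)\s*(?:\s*-)+$")

# Detection rules (assumptions for this example, tuned to the log above).
INFECTED = re.compile(r"^Infected copy of (.+?) was found", re.I)
DROPPED_EXE = re.compile(
    r"^c:\\(?:programdata|users\\[^\\]+)\\[^\\]+\.(?:exe|dll|scr)$", re.I)
RUN_KEY = re.compile(r"^\[HK[^\]]*\\Run(?:Once)?\]$", re.I)
MISSING_TARGET = re.compile(r'^"([^"]+)"=.*\[X\]$')   # ComboFix: file not found
SECCENTER_KEY = re.compile(r"security center\\monitoring", re.I)
DISABLE_MON = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.I)
DPF = re.compile(r"^DPF: (\{?[0-9A-F-]+\}?) - (\S+)$", re.I)

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


def split_sections(log_text):
    """Map section name -> list of non-empty lines; ComboFix's '.' spacers are dropped.
    Lines before the first header are kept under 'header'."""
    sections = {"header": []}
    current = "header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = PAREN_HDR.match(line) or DASH_HDR.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def triage(log_text):
    """Return (severity, reason, line) tuples, most severe first."""
    findings = []
    sections = split_sections(log_text)

    for line in sections.get("Other Deletions", []):
        m = INFECTED.match(line)
        if m:
            findings.append(("CRITICAL", "system driver %s was patched in place: "
                             "kernel-mode rootkit was active; verify the restored "
                             "driver's hash and signature after reboot" % m.group(1), line))
        elif DROPPED_EXE.match(line):
            # Location heuristic only: an executable sitting directly in
            # ProgramData or a profile root is a common dropper pattern, not a verdict.
            findings.append(("HIGH", "executable removed from a data directory root", line))

    current_key = ""
    for line in sections.get("Reg Loading Points", []):
        if line.startswith("["):
            current_key = line          # registry key that scopes the values below
            continue
        if RUN_KEY.match(current_key) and MISSING_TARGET.match(line):
            findings.append(("MEDIUM", "Run value target not found ([X]): stale "
                             "entry or a payload that was already removed", line))
        elif SECCENTER_KEY.search(current_key) and DISABLE_MON.match(line):
            # Legitimate suites suppress alerts under a per-product subkey;
            # the bare Monitoring key deserves a second look.
            findings.append(("MEDIUM", "Security Center monitoring suppressed under "
                             + current_key, line))

    for line in sections.get("Supplementary Scan", []):
        m = DPF.match(line)
        if m:
            findings.append(("MEDIUM", "ActiveX control installed from %s; confirm "
                             "the host is expected" % m.group(2), line))

    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


if __name__ == "__main__":
    for sev, why, line in triage(SAMPLE_LOG):
        print(f"{sev:8} {why}\n         {line}")
```

The rules are deliberately narrow: they key on what ComboFix itself asserts (the `Infected copy` line, the `[X]` marker) and on file locations, and they do not name a malware family, since the log does not. Running the script on the full log above produces the same five classes of finding; entries such as `avgnt` that point at an existing vendor binary with a timestamp are left alone.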