ComboFix 12-04-04.01 - Storey 04/05/2012 6:46.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1013.450 [GMT -7:00]
Running from: c:\users\Storey\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Storey\AppData\Roaming\Remote
c:\users\Storey\AppData\Roaming\Remote\dllx4.dll
c:\users\Storey\AppData\Roaming\Remote\dllx4_shrd
c:\users\Storey\AppData\Roaming\Remote\ffcd
c:\users\Storey\AppData\Roaming\Remote\kkjt
c:\users\Storey\AppData\Roaming\Remote\mxd1.txt
c:\users\Storey\AppData\Roaming\Remote\n.dat
c:\users\Storey\AppData\Roaming\Remote\r.dat
c:\windows\$NtUninstallKB60346$
c:\windows\$NtUninstallKB60346$\279706385\L\ogejidap
c:\windows\system32\AKSIFDH.dll
c:\windows\system32\anbmservice.dll
c:\windows\system32\anydvd.dll
c:\windows\system32\areschatserver.dll
c:\windows\system32\avsvcmonitor.dll
c:\windows\system32\axinstsv.dll
c:\windows\system32\BCM43XV.dll
c:\windows\system32\bits.dll
c:\windows\system32\cdrbsvsd.dll
c:\windows\system32\config\systemprofile\26aceaad-5762.exe
c:\windows\system32\config\systemprofile\5c7bd209-5689.exe
c:\windows\system32\ctsfm2k.dll
c:\windows\system32\CX23880.dll
c:\windows\system32\datunidr.dll
c:\windows\system32\DcCam.dll
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\e1000.dll
c:\windows\system32\el90xbc.dll
c:\windows\system32\idebusdr.dll
c:\windows\system32\idsvc.dll
c:\windows\system32\ino_fltr.dll
c:\windows\system32\isapisearch.dll
c:\windows\system32\k750mdfl.dll
c:\windows\system32\kservice.dll
c:\windows\system32\l8042pr2.dll
c:\windows\system32\LEX_AS_NIC_SERVICE_YNOS.dll
c:\windows\system32\LMIRfsDriver.dll
c:\windows\system32\mcpromgr.dll
c:\windows\system32\mcshield.dll
c:\windows\system32\mindretrieve.dll
c:\windows\system32\mssql$microsoftbcm.dll
c:\windows\system32\mssql$sqlexpress.dll
c:\windows\system32\nhcDriverDevice.dll
c:\windows\system32\NICSer_WPC54G.dll
c:\windows\system32\NVENET.dll
c:\windows\system32\O2SCBUS.dll
c:\windows\system32\OEM02Afx.dll
c:\windows\system32\pcidrv.dll
c:\windows\system32\qbfcservice.dll
c:\windows\system32\qmofiltr.dll
c:\windows\system32\rasacd.dll
c:\windows\system32\rbfilter.dll
c:\windows\system32\retroexplauncher.dll
c:\windows\system32\s125bus.dll
c:\windows\system32\se58mdm.dll
c:\windows\system32\Slntamr.dll
c:\windows\system32\snpstd2.dll
c:\windows\system32\sp_clamsrv.dll
c:\windows\system32\StillCam.dll
c:\windows\system32\symids.dll
c:\windows\system32\tosrfusb.dll
c:\windows\system32\trcboot.dll
c:\windows\system32\tsdhd.dll
c:\windows\system32\tsircsrv.dll
c:\windows\system32\umpusbxp.dll
c:\windows\system32\update.dll
c:\windows\system32\zpaction.dll
.
Infected copy of c:\windows\system32\drivers\dfsc.sys was found and disinfected
Restored copy from - The cat found it
c:\windows\system32\drivers\i8042prt.sys was missing
Restored copy from - c:\windows\System32\DriverStore\FileRepository\msmouse.inf_f4514c17\i8042prt.sys
.
c:\windows\system32\drivers\tdx.sys was missing
Restored copy from - c:\windows\SoftwareDistribution\Download\c91af43e301542f65a88d59517636d32\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-03-05 to 2012-04-05 )))))))))))))))))))))))))))))))
.
.
2012-04-05 13:57 . 2012-04-05 14:01 -------- dc----w- c:\users\Storey\AppData\Local\temp
2012-04-05 13:57 . 2012-04-05 13:57 -------- dc----w- c:\users\Default\AppData\Local\temp
2012-04-05 13:57 . 2008-01-19 05:55 71680 -c--a-w- c:\windows\system32\drivers\tdx.sys
2012-04-05 13:57 . 2011-09-10 11:16 54784 -c--a-w- c:\windows\system32\drivers\i8042prt.sys
2012-04-05 05:52 . 2012-04-05 12:46 -------- dc----w- C:\FRST
2012-04-03 18:20 . 2012-04-03 19:27 87552 -c--a-w- c:\windows\clipmmc.dll
2012-03-29 17:27 . 2012-03-29 17:27 -------- dc----w- C:\_OTL
2012-03-27 04:58 . 2012-03-27 04:58 -------- d-----w- C:\found.000
2012-03-25 01:05 . 2012-03-25 01:05 56200 -c--a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{63AF0E0A-6338-45AF-BB76-16D467273EAA}\offreg.dll
2012-03-22 15:14 . 2012-03-22 15:14 90624 -c--a-w- c:\windows\system32\clipmmc.dll
2012-03-22 05:18 . 2012-02-08 06:03 6552120 -c--a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{63AF0E0A-6338-45AF-BB76-16D467273EAA}\mpengine.dll
2012-03-22 04:16 . 2012-03-22 04:16 -------- dc-h--w- c:\users\Storey\AppData\Roaming\SUPERAntiSpyware.com
2012-03-22 04:13 . 2012-03-22 04:16 -------- dc----w- c:\program files\SUPERAntiSpyware
2012-03-22 04:13 . 2012-03-22 04:13 -------- dc-h--w- c:\programdata\SUPERAntiSpyware.com
2012-03-20 04:24 . 2012-04-05 13:21 -------- dc----w- C:\TDSSKiller_Quarantine
2012-03-19 21:25 . 2012-03-19 21:25 -------- dc----w- C:\_OTM
2012-03-18 22:41 . 2012-03-18 22:41 592824 -c--a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-18 22:41 . 2012-03-18 22:41 44472 -c--a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-17 01:27 . 2009-09-10 21:54 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-05 13:23 . 2011-09-10 11:16 495160 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2012-04-05 13:23 . 2006-11-02 08:57 66048 ----a-w- c:\windows\system32\drivers\smb.sys
2012-02-23 17:18 . 2011-09-09 21:27 237072 -c----w- c:\windows\system32\MpSigStub.exe
2012-02-23 01:25 . 2011-09-08 16:29 138545903 ----a-w- c:\windows\DUMP3cf0.tmp
2012-02-13 08:38 . 2012-02-13 08:38 10344 -c--a-w- c:\windows\system32\drivers\symlcbrd.sys
2012-03-18 22:41 . 2011-09-09 21:09 97208 -c--a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2011-09-10 1232896]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-07 3905920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"PCMService"="c:\program files\Acer\Acer Arcade\PCMService.exe" [2007-06-22 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 107112]
"IS CfgWiz"="c:\program files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" [2006-11-21 46728]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2006-11-21 22696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-25 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-25 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-25 138008]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-07-16 768520]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-06-06 159744]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-17 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10w_Plugin.exe" [2011-09-09 243360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 -c--a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\eNetHook.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R0 48730295;48730295;c:\windows\system32\drivers\24050098.sys [x]
R2 5689;5689;c:\windows\TEMP\5689.sys [x]
R2 5762;5762;c:\windows\TEMP\5762.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dcpflics
smservauth
SE2Bmdfl
FVNETusb
bc_tdi_f
askernel
RR2Ctrl
nsm1serd
acpiec
ipsecmon
ntpr_nic_service2
dmboot
BASFND
raysatxsi5_0server
CTSBLFX.DLL
aslm75
ftdisk
sshrmd
lxbu_device
btnhnd
lockmgr
netw4x32
WNIPROT5
V0070VID
McciCMService
BUFADPT
eliservice
iaantmon
pdlnslea
scanwscs
SecureStorageService
cpuidlep
pinetmgr
fsssvc
tosrfhid
HIDSwvd
vmware
zppinger
sf
vsapint
giveio
citrixwmiservice
CTSYN
snpstd2
se2Dnd5
FireTDI
dlaboiom
SMPLSCSI
usbsermptxp
sqlagent$sony_mediamgr
SABSVC
z800mdm
bcm43xx
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?ilc=1
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Storey\AppData\Roaming\Mozilla\Firefox\Profiles\xlmh055o.default\
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: network.http.accept-encoding -
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Acer Tour Reminder - (no file)
HKCU-Run-lpc - c:\users\Storey\AppData\Roaming\Remote\dllx4.dll
HKLM-Run-Acer Tour - (no file)
HKLM-Run-SetPanel - c:\acer\APanel\APanel.cmd
HKLM-Run-eRecoveryService - (no file)
HKLM-Run-MuhNyVLeVoL.exe - c:\programdata\MuhNyVLeVoL.exe
HKLM-Run-IjtjvlPnQVXOTsL.exe - c:\programdata\IjtjvlPnQVXOTsL.exe
HKLM-Run-JiKJGqSIsOjjAl.exe - c:\programdata\JiKJGqSIsOjjAl.exe
SafeBoot-48730295.sys
SafeBoot-Wdf01000.sys
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Smb]
"ImagePath"="system32\drivers\tskF15D.tmp"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wdf01000]
"ImagePath"="system32\drivers\tskFF82.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3308)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
c:\program files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Launch Manager\LManager.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\WerCon.exe
c:\windows\system32\lpremove.exe
c:\windows\system32\lpksetup.exe
.
**************************************************************************
.
Completion time: 2012-04-05 07:17:53 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-05 14:17
.
Pre-Run: 13,975,908,352 bytes free
Post-Run: 13,933,948,928 bytes free
.
- - End Of File - - 12C5F1EFB55D1A41C805935A15E582CA