Hi
1. My PC has been running fine!
2. The contents of the 3 files are copied below.
Combofix.txt
------------------------
ComboFix 12-08-08.01 - Christian 1/2012 Sat 12:29:25.4.4 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.949.82.1033.18.3569.2090 [GMT -4:00]
Running from: c:\users\Christian\Desktop\ComboFix.exe
Command switches used :: c:\users\Christian\Desktop\CFScript.txt
AV: SymantecAntiVirus *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: SymantecAntiVirus *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-07-11 to 2012-08-11 )))))))))))))))))))))))))))))))
.
.
2012-08-11 16:34 . 2012-08-11 16:34 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-08-11 16:34 . 2012-08-11 16:34 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-08-11 16:34 . 2012-08-11 16:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-09 01:12 . 2012-08-11 16:34 -------- d-----w- c:\users\Christian\AppData\Local\temp
2012-08-09 01:01 . 2012-08-09 01:01 -------- d-----w- c:\users\Christian\AppData\Local\{BCEDC268-E1BD-11E1-8270-B8AC6F996F26}
2012-08-09 00:05 . 2009-04-11 03:28 279552 ----a-w- c:\windows\system32\services.exe
2012-08-06 23:30 . 2012-08-06 23:30 -------- d-----w- C:\FRST
2012-07-26 21:25 . 2012-07-26 21:25 53248 ----a-r- c:\users\Christian\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2012-07-26 21:24 . 2012-07-26 21:24 -------- d-----w- c:\program files\Logitech
2012-07-26 21:06 . 2012-07-26 21:06 -------- d-----w- c:\programdata\Logitech
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-02 21:28 . 2010-06-02 02:16 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2012-07-03 17:46 . 2010-01-20 01:06 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-02 22:19 . 2012-06-23 15:32 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-23 15:32 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-23 15:32 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-23 15:32 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-23 15:32 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-23 15:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-23 15:32 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-23 15:32 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12 . 2012-06-23 15:32 33792 ----a-w- c:\windows\system32\wuapp.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"Copernic Desktop Search - Home"="e:\copernic desktop search - home\DesktopSearchService.exe" [2011-11-22 1648600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2009-09-16 136080]
"TrkMonitor"="c:\program files\Canon Electronics\DR1210C\TrkMonitor.exe" [2008-01-29 86016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PPort11reminder"="e:\scansoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"pdfFactory Pro Dispatcher v3"="c:\windows\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2008-08-01 565248]
"PaperPort PTD"="e:\scansoft\PaperPort\pptd40nt.exe" [2008-04-30 29984]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"Jomantha"="c:\program files\n52te\n52teHid.exe" [2008-06-13 159744]
"IndexSearch"="e:\scansoft\PaperPort\IndexSearch.exe" [2008-04-30 46368]
"FinePrint Dispatcher v5"="c:\windows\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2004-08-25 442368]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-05-04 115560]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-10-08 23552]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 641664]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-09-16 115048]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Christian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Christian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4167628224-1300899903-4152363779-1000]
"EnableNotificationsRef"=dword:00000001
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ERASERUTILDRV11220
*Deregistered* - EraserUtilDrv11220
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 21:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 15:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
IE: E&xport to Microsoft Excel - d:\micros~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: johnshopkins.edu\sslconnect
TCP: Interfaces\{9694FFD1-60EC-4AA6-8D10-80EEDB11D9D9}: NameServer = 75.75.75.75,75.75.76.76
DPF: {283A7932-A386-496A-9AB0-E8DBFACFF1E5} - hxxp://ondisk.co.kr/setup/OnDiskWebControl.cab
DPF: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5} - hxxp://touch.imbc.com/ActiveX/iMBCOnlineService.cab
FF - ProfilePath - c:\users\Christian\AppData\Roaming\Mozilla\Firefox\Profiles\9vb1f7xa.default\
FF - prefs.js: browser.search.selectedEngine - Arccosine
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - prefs.js: keyword.URL - hxxp://www.arccosine.com/search.php?q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2012-08-11 12:34
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4167628224-1300899903-4152363779-1000\Software\SecuROM\License information*]
"datasecu"=hex:f7,e7,0f,c7,c8,6c,f2,13,ef,2d,07,46,88,4c,ca,6d,dd,99,73,7f,11,
a4,52,ce,59,4d,ea,70,f4,c7,45,f9,0c,fe,96,88,5a,c9,6c,53,1d,75,3a,11,d1,83,\
"rkeysecu"=hex:25,6e,26,75,92,ce,4f,64,cb,53,79,fc,02,ed,22,d1
.
Completion time: 2012-08-11 12:36:27
ComboFix-quarantined-files.txt 2012-08-11 16:36
ComboFix2.txt 2012-08-09 01:29
.
Pre-Run: 42,097,360,896 bytes free
Post-Run: 42,510,159,872 bytes free
.
- - End Of File - - 88FFA98D71B35E72DF086DAE1602D329
MBAM.log
-------------------------
Malwarebytes Anti-Malware (PRO) 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.11.03
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Christian :: CHRISTIAN-PC [administrator]
Protection: Disabled
8/11/2012 12:42:14 PM
mbam-log-2012-08-11 (12-42-14).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215239
Time elapsed: 4 minute(s), 4 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
ESET scan result
---------------------
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f81310442e554c438fd4d1ffd815f6b1
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-11 07:07:06
# local_time=2012-08-11 03:07:06 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5892 16776574 100 100 14068025 181311628 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=248751
# found=13
# cleaned=13
# scan_time=8053
C:\FRST\Quarantine\{2b182635-1dee-bc28-bed3-3f868e4a6e27}\{2b182635-1dee-bc28-bed3-3f868e4a6e27}\n Win32/Sirefef.EV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Users\Christian\AppData\Roaming\lanat.dll.vir a variant of Win32/Medfos.CE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Users\Christian\AppData\Roaming\unapt.dll.vir a variant of Win32/Medfos.CD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Christian\AppData\Local\{BCEDC268-E1BD-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Christian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\1290de77-15235afe Java/Exploit.CVE-2011-3544.F trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Christian\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\6387dfbd-116208cd multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Christian\Desktop\My Doc\1-Old\My Job\mangrovejackwp.exe multiple threats (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Christian\Desktop\Steff\UmileEncoder_v2.2.1.0.exe multiple threats (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Christian\Downloads\dolphinaw(2).exe probably a variant of Win32/InstallIQ application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Christian\Downloads\dolphinaw(3).exe probably a variant of Win32/InstallIQ application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Christian\Downloads\dolphinaw(4).exe probably a variant of Win32/InstallIQ application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Christian\Downloads\dolphinaw.exe probably a variant of Win32/InstallIQ application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Christian\Downloads\waterscenes.exe a variant of Win32/InstallIQ application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C