ComboFix 12-07-27.03 - lford 07/27/2012 9:04.1.2 - x86 Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3326.2165 [GMT -5:00] Running from: c:\users\lford\Desktop\ComboFix.exe AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855} FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E} SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . C:\Microsoft c:\users\lford\g2mdlhlpx.exe c:\windows\system32\test . Infected copy of c:\windows\system32\Services.exe was found and disinfected Restored copy from - c:\combofix\HarddiskVolumeShadowCopy2_!Windows!winsxs!x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b!services.exe . . ((((((((((((((((((((((((( Files Created from 2012-06-27 to 2012-07-27 ))))))))))))))))))))))))))))))) . . 2012-07-27 14:12 . 2012-07-27 14:17 -------- d-----w- c:\users\lford\AppData\Local\temp 2012-07-27 14:12 . 2012-07-27 14:12 -------- d-----w- c:\users\JB\AppData\Local\temp 2012-07-27 14:12 . 2012-07-27 14:12 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-07-27 14:12 . 2012-07-27 14:12 -------- d-----w- c:\users\administrator\AppData\Local\temp 2012-07-27 13:40 . 2012-07-27 13:40 -------- d-----w- C:\_OTL 2012-07-24 20:17 . 2012-07-24 20:17 -------- d-----w- c:\users\lford\AppData\Roaming\FixZeroAccess 2012-07-23 18:02 . 2012-07-23 18:02 -------- d-----w- c:\program files\AVG 2012-07-23 17:58 . 2012-07-23 17:59 -------- d-----w- c:\programdata\MFAData 2012-07-23 17:58 . 2012-07-23 17:58 -------- d--h--w- c:\programdata\Common Files 2012-07-23 17:33 . 2012-07-23 17:33 -------- d-----w- c:\program files\CCleaner 2012-07-23 14:24 . 2012-07-23 14:24 -------- d-sh--w- c:\windows\system32\%APPDATA% 2012-07-12 01:01 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys 2012-07-11 11:22 . 2012-06-02 04:45 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys 2012-07-11 11:22 . 2012-06-02 04:40 369336 ----a-w- c:\windows\system32\drivers\cng.sys 2012-07-11 11:22 . 2012-06-02 04:45 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys 2012-07-11 11:22 . 2012-06-02 04:40 225280 ----a-w- c:\windows\system32\schannel.dll 2012-07-11 11:22 . 2012-06-02 04:39 219136 ----a-w- c:\windows\system32\ncrypt.dll 2012-07-11 11:22 . 2012-06-06 05:05 1390080 ----a-w- c:\windows\system32\msxml6.dll 2012-07-11 11:22 . 2012-06-06 05:05 1236992 ----a-w- c:\windows\system32\msxml3.dll 2012-07-11 11:22 . 2010-06-26 03:24 2048 ----a-w- c:\windows\system32\msxml3r.dll 2012-07-11 11:21 . 2012-06-06 05:05 143360 ----a-w- c:\program files\Common Files\System\ado\msjro.dll 2012-07-11 11:21 . 2012-06-06 05:05 372736 ----a-w- c:\program files\Common Files\System\ado\msadox.dll 2012-07-11 11:21 . 2012-06-06 05:05 57344 ----a-w- c:\program files\Common Files\System\ado\msador15.dll 2012-07-11 11:21 . 2012-06-06 05:05 352256 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll 2012-07-11 11:21 . 2012-06-06 05:05 212992 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll 2012-07-11 11:21 . 2012-06-06 05:05 1019904 ----a-w- c:\program files\Common Files\System\ado\msado15.dll 2012-07-11 11:21 . 2012-06-06 05:03 805376 ----a-w- c:\windows\system32\cdosys.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-07-27 14:16 . 2010-09-03 14:30 0 ----a-w- c:\users\lford\AppData\Local\WavXMapDrive.bat 2012-07-26 23:10 . 2012-04-05 15:40 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2012-07-26 23:10 . 2011-05-31 20:34 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-07-12 14:32 . 2010-09-10 13:38 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll 2012-07-12 14:32 . 2010-09-10 13:38 52128 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll 2012-07-12 14:32 . 2010-09-10 13:38 30624 ----a-w- c:\windows\system32\LMIport.dll 2012-07-12 14:32 . 2010-09-10 13:38 87456 ----a-w- c:\windows\system32\LMIinit.dll 2012-07-03 18:46 . 2010-10-27 15:16 22344 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-06-02 22:19 . 2012-06-21 01:19 53784 ----a-w- c:\windows\system32\wuauclt.exe 2012-06-02 22:19 . 2012-06-21 01:19 45080 ----a-w- c:\windows\system32\wups2.dll 2012-06-02 22:19 . 2012-06-21 01:19 35864 ----a-w- c:\windows\system32\wups.dll 2012-06-02 22:19 . 2012-06-21 01:19 577048 ----a-w- c:\windows\system32\wuapi.dll 2012-06-02 22:19 . 2012-06-21 01:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll 2012-06-02 22:12 . 2012-06-21 01:19 2422272 ----a-w- c:\windows\system32\wucltux.dll 2012-06-02 22:12 . 2012-06-21 01:19 88576 ----a-w- c:\windows\system32\wudriver.dll 2012-06-02 20:19 . 2012-06-21 01:18 171904 ----a-w- c:\windows\system32\wuwebv.dll 2012-06-02 20:12 . 2012-06-21 01:18 33792 ----a-w- c:\windows\system32\wuapp.exe 2012-05-21 16:50 . 2010-09-10 13:38 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak 2012-05-21 16:50 . 2010-09-10 13:38 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak 2012-05-15 03:03 . 2012-06-12 22:31 981504 ----a-w- c:\windows\system32\wininet.dll 2012-05-01 04:44 . 2012-06-12 22:30 164352 ----a-w- c:\windows\system32\profsvc.dll 2012-07-13 19:43 . 2012-07-13 19:43 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\users\lford\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\users\lford\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\users\lford\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay] @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}" [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}] 2010-03-29 17:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay] @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}" [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}] 2010-03-29 17:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472] "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016] "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-22 39408] "MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtDCpl.exe" [2009-08-26 2691072] "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2010-07-21 147840] "USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2010-06-22 34232] "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520] "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328] "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-01-27 63048] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-01-14 115560] "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640] "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696] "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280] "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-03-24 49208] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-08 421776] . c:\users\lford\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Dropbox.lnk - c:\users\lford\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840] Monitor Ink Alerts - HP Officejet Pro 8600.lnk - c:\windows\system32\RunDll32.exe [2009-7-13 44544] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2010-9-3 25214] Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-4-14 596584] SmartCapture.lnk - c:\program files\Seiko Instruments USA Inc\Smart Label Printer 6.9.2\slpcap.exe [2009-11-23 75136] TdmNotify.lnk - c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe [2010-3-29 132456] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) . [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "ForceStartMenuLogOff"= 1 (0x1) . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp Authentication Packages REG_MULTI_SZ msv1_0 wvauth . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr] @="Service" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr] @="Service" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus] @="Service" . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x] R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x] R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x] R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x] R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x] R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x] S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [x] S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x] S2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [x] S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x] S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [x] S3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys [x] . . --- Other Services/Drivers In Memory --- . *NewlyCreated* - WS2IFSL . Contents of the 'Scheduled Tasks' folder . 2012-07-27 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 23:10] . 2012-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-03 15:36] . 2012-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-03 15:36] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ig uDefault_Search_URL = hxxp://www.google.com/ie uInternet Settings,ProxyOverride = *.local uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office14\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html IE: Se&nd to OneNote - c:\progra~1\MIF5BA~1\Office14\ONBttnIE.dll/105 IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm Trusted Zone: motorola.com\businessonline TCP: DhcpNameServer = 192.168.168.6 DPF: {16F67783-7E72-4C39-99C4-4780A8335484} - hxxp://www.syncmyride.com/Own/Modules/UploadDownload/applets/sync.cab FF - ProfilePath - c:\users\lford\AppData\Roaming\Mozilla\Firefox\Profiles\wqtu6x5o.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig FF - prefs.js: network.proxy.type - 0 . - - - - ORPHANS REMOVED - - - - . Toolbar-Locked - (no file) WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file) SafeBoot-Symantec Antvirus . . . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'lsass.exe'(592) c:\windows\system32\wvauth.DLL . - - - - - - - > 'Explorer.exe'(4812) c:\users\lford\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll c:\windows\system32\btmmhook.dll c:\windows\system32\btncopy.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\nvvsvc.exe c:\windows\system32\nvvsvc.exe c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe c:\program files\Common Files\Symantec Shared\ccSvcHst.exe c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\LogMeIn\x86\RaMaint.exe c:\program files\LogMeIn\x86\LogMeIn.exe c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe c:\windows\system32\taskhost.exe c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe c:\program files\TeamViewer\Version7\TeamViewer.exe c:\windows\system32\wbem\unsecapp.exe c:\program files\TeamViewer\Version7\tv_w32.exe c:\windows\system32\WUDFHost.exe c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe c:\windows\system32\conhost.exe c:\windows\servicing\TrustedInstaller.exe c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe c:\program files\iPod\bin\iPodService.exe c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE c:\program files\Common Files\Apple\Apple Application Support\distnoted.exe c:\windows\system32\conhost.exe c:\windows\system32\sppsvc.exe c:\program files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************** . Completion time: 2012-07-27 09:21:42 - machine was rebooted ComboFix-quarantined-files.txt 2012-07-27 14:21 . Pre-Run: 203,147,948,032 bytes free Post-Run: 203,037,908,992 bytes free . - - End Of File - - C937E13296858499AD84B831E0048C64