ComboFix 10-01-14.01 - jus 14/01/2010 23:35:02.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.2814.1468 [GMT 1:00]
Running from: c:\users\jus\Desktop\ComboFix.exe
Command switches used :: c:\users\jus\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\224402.dll
c:\windows\system32\tqflcgss
c:\windows\system32\tqflcgss\AES256.dll
c:\windows\system32\tqflcgss\ATIDLL64_rdfgruq.dll
c:\windows\system32\tqflcgss\atisvc_lakfefn.exe
c:\windows\system32\tqflcgss\Cache\S-1-5-21-201826326-512491684-3688635294-1001\Default\124_918050_1.cdf
c:\windows\system32\tqflcgss\Cache\S-1-5-21-201826326-512491684-3688635294-1001\Default\2452_70106_1.cdf
c:\windows\system32\tqflcgss\Cache\S-1-5-21-201826326-512491684-3688635294-1001\Default\2832_193269_1.cdf
c:\windows\system32\tqflcgss\Cache\S-1-5-21-201826326-512491684-3688635294-1001\Default\2952_1517374_5.cdf
c:\windows\system32\tqflcgss\Cache\S-1-5-21-201826326-512491684-3688635294-1001\Default\2952_437130_1.cdf
c:\windows\system32\tqflcgss\Cache\S-1-5-21-201826326-512491684-3688635294-1001\Default\2952_617217_2.cdf
c:\windows\system32\tqflcgss\Cache\S-1-5-21-201826326-512491684-3688635294-1001\Default\2952_797243_3.cdf
c:\windows\system32\tqflcgss\Cache\S-1-5-21-201826326-512491684-3688635294-1001\Default\2952_977299_4.cdf
c:\windows\system32\tqflcgss\Cache\S-1-5-21-201826326-512491684-3688635294-1001\Default\3280_163816_1.cdf
c:\windows\system32\tqflcgss\Cache\S-1-5-21-201826326-512491684-3688635294-1001\Default\3412_4495012_1.cdf
c:\windows\system32\tqflcgss\Cache\S-1-5-21-201826326-512491684-3688635294-1001\Default\3412_4675084_2.cdf
c:\windows\system32\tqflcgss\Cache\S-1-5-21-201826326-512491684-3688635294-1001\Default\3412_4855109_3.cdf
c:\windows\system32\tqflcgss\Cache\S-1-5-21-201826326-512491684-3688635294-1001\Default\3412_5036086_4.cdf
c:\windows\system32\tqflcgss\Cache\S-1-5-21-201826326-512491684-3688635294-1001\Default\3412_5396121_5.cdf
c:\windows\system32\tqflcgss\Cache\S-1-5-21-201826326-512491684-3688635294-1001\Default\3412_5576208_6.cdf
c:\windows\system32\tqflcgss\Cache\S-1-5-21-201826326-512491684-3688635294-1001\Default\3412_8276352_7.cdf
c:\windows\system32\tqflcgss\Cache\S-1-5-21-201826326-512491684-3688635294-1001\Default\3412_8276383_8.cdf
c:\windows\system32\tqflcgss\Cache\S-1-5-21-201826326-512491684-3688635294-1001\Default\5568_345058_2.cdf
c:\windows\system32\tqflcgss\Cache\S-1-5-21-201826326-512491684-3688635294-1001\Default\6024_266402_1.cdf
c:\windows\system32\tqflcgss\CatDB.dic
c:\windows\system32\tqflcgss\CatVerDB.dic
c:\windows\system32\tqflcgss\ccp_wbfcbfp.dll
c:\windows\system32\tqflcgss\Config.dat
c:\windows\system32\tqflcgss\database.sdf
c:\windows\system32\tqflcgss\Director_zoegecc.dll
c:\windows\system32\tqflcgss\dprx_hgyslaa.dll
c:\windows\system32\tqflcgss\ffe_lffynsi.dll
c:\windows\system32\tqflcgss\ffe3_xrebfkf.dll
c:\windows\system32\tqflcgss\ffe35_bbujccy.dll
c:\windows\system32\tqflcgss\LiteUnzip.dll
c:\windows\system32\tqflcgss\mcapp_svmzxqs.dll
c:\windows\system32\tqflcgss\mcff_qcgpdwn.dll
c:\windows\system32\tqflcgss\mcgc_ocwlbdt.dll
c:\windows\system32\tqflcgss\mcie_lxctjfi.dll
c:\windows\system32\tqflcgss\mck_irnmomt.dll
c:\windows\system32\tqflcgss\mclmd_vsirhkf.dll
c:\windows\system32\tqflcgss\mco_nybuwnf.dll
c:\windows\system32\tqflcgss\mcoexp_gzwxafa.dll
c:\windows\system32\tqflcgss\mcsc_nfxcimy.dll
c:\windows\system32\tqflcgss\proxy.dll
c:\windows\system32\tqflcgss\Settings.dat
c:\windows\system32\tqflcgss\Settings20355.dat
c:\windows\system32\tqflcgss\svcsetup.exe
c:\windows\system32\tqflcgss\ve.dll
c:\windows\system32\tqflcgss\WindowsAccessBridge.dll
c:\windows\system32\tqflcgss\wpsapi-vista.dll
c:\windows\system32\tqflcgss\wpsapi-xp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_atisvc_lakfefn


((((((((((((((((((((((((( Files Created from 2009-12-14 to 2010-01-14 )))))))))))))))))))))))))))))))
.

2010-01-14 22:41 . 2010-01-14 22:47 -------- d-----w- c:\users\jus\AppData\Local\temp
2010-01-14 22:41 . 2010-01-14 22:41 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-14 22:41 . 2010-01-14 22:41 -------- d-----w- c:\users\Jade\AppData\Local\temp
2010-01-14 22:41 . 2010-01-14 22:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-14 20:37 . 2010-01-14 20:37 -------- d-----w- c:\program files\Sophos
2010-01-14 20:22 . 2010-01-14 20:22 -------- d-----w- c:\program files\Trend Micro
2010-01-14 20:06 . 2010-01-14 20:23 -------- d-----w- C:\HJT
2010-01-14 19:21 . 2010-01-14 19:21 -------- d-----w- c:\users\jus\AppData\Roaming\Malwarebytes
2010-01-14 19:21 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-14 19:21 . 2010-01-14 19:21 -------- d-----w- c:\programdata\Malwarebytes
2010-01-14 19:21 . 2010-01-14 19:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-14 19:21 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-14 18:56 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-14 18:19 . 2009-05-01 15:26 56065 ----a-w- c:\programdata\nvModes.dat
2009-12-21 22:55 . 2009-12-13 12:14 2066200 ----a-w- c:\programdata\avg8\update\backup\avgcorex.dll
2009-12-11 20:14 . 2009-12-11 19:32 -------- d-----w- c:\program files\Sony
2009-12-11 19:33 . 2009-12-11 19:30 -------- d-----w- c:\users\jus\AppData\Roaming\Sony
2009-12-11 19:32 . 2009-12-11 19:32 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-12-11 19:32 . 2009-12-11 19:32 10134 ----a-r- c:\users\jus\AppData\Roaming\Microsoft\Installer\{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}\ARPPRODUCTICON.exe
2009-12-11 19:32 . 2009-12-11 19:32 -------- d-----w- c:\programdata\Sony Corporation
2009-12-11 19:30 . 2009-12-11 19:30 -------- d-----w- c:\users\jus\AppData\Roaming\Sony Setup
2009-12-11 19:30 . 2009-12-11 19:30 -------- d-----w- c:\program files\Sony Setup
2009-12-09 08:17 . 2007-07-25 10:51 -------- d-----w- c:\programdata\Microsoft Help
2009-12-04 09:20 . 2009-12-04 09:20 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-11-28 13:05 . 2008-08-24 19:21 680 ----a-w- c:\users\jus\AppData\Local\d3d9caps.dat
2009-11-17 19:01 . 2009-11-17 19:01 -------- d-----w- c:\program files\Mp3 File Editor
2009-11-17 19:01 . 2009-11-17 19:01 286720 ----a-w- c:\windows\iun506.exe
2009-11-09 13:34 . 2009-12-09 08:17 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 13:30 . 2009-12-09 08:17 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 11:17 . 2009-12-09 08:17 396800 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-03 13:19 . 2009-07-08 08:28 680 ----a-w- c:\users\Jade\AppData\Local\d3d9caps.dat
2009-11-02 19:42 . 2009-10-03 07:24 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:59 . 2009-11-26 09:10 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-27 15:05 . 2009-12-08 22:25 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-27 15:01 . 2009-12-08 22:25 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-10-27 15:01 . 2009-12-08 22:25 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-27 15:01 . 2009-12-08 22:25 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll
2009-10-27 14:59 . 2009-12-08 22:25 72704 ----a-w- c:\windows\system32\admparse.dll
2009-10-27 12:27 . 2009-12-08 22:25 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-10-27 10:56 . 2009-12-08 22:25 48128 ----a-w- c:\windows\system32\mshtmler.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 12:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"Acer Tour Reminder"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-07-25 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-06-11 1286144]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-08-15 772616]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2007-05-24 206952]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-06-06 159744]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-13 2043160]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-03 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-03 92704]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-22 136600]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-7-25 535336]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [27/12/2008 18:12 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [04/02/2009 14:39 108552]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [12/03/2008 12:18 13560]
R2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [25/07/2007 12:19 50688]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [27/12/2008 18:12 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [27/12/2008 18:12 297752]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [25/07/2007 10:08 32256]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [06/11/2009 16:11 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 22:48 704864]
S3 PCAMp50;PCAMp50 NDIS Protocol Driver;c:\windows\System32\drivers\PCAMp50.sys [05/07/2008 13:00 28224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows\Tasks\User_Feed_Synchronization-{82D23A66-1FEC-4D50-B86B-3223966422A5}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/calendar/render?hl=en_GB&gsessionid=sGIcoRvY3VnEKg45U7qLlQ
mStart Page = hxxp://en.uk.acer.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-14 23:46
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\A3FC.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5504)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
c:\windows\system32\eDStoolbar.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\windows\system32\ActiveToolBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\windows\system32\WUDFHost.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\RtHDVCpl.exe
c:\program files\Launch Manager\LManager.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\System32\rundll32.exe
c:\acer\Empowering Technology\ENET\ENMTRAY.EXE
c:\windows\ehome\ehmsas.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
c:\acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
c:\program files\Apoint2K\Apntex.exe
c:\acer\Empowering Technology\eRecovery\ERAGENT.EXE
c:\users\jus\AppData\Local\Temp\RtkBtMnt.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2010-01-14 23:54:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-14 22:54
ComboFix2.txt 2010-01-14 19:56

Pre-Run: 13,471,285,248 bytes free
Post-Run: 13,239,607,296 bytes free

- - End Of File - - E8CF93232C5847622A80054FFEAF93E0
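A log like this is usually read by hand on a help forum, but the loading points that matter most for triage (AppInit_DLLs, Security Center "DisableMonitoring"/"*Override" values, service ImagePath entries and running processes that live in a temp directory or carry a .tmp name) can be pulled out mechanically. The script below is an added example, not part of the ComboFix log or of ComboFix itself; the sample input is a constructed, condensed excerpt in the same layout as the log above, and the regular expressions and the `triage` / `parse_loading_points` function names are the example's own. It deliberately reports leads, not verdicts: in this log the AppInit_DLLs entry is AVG's avgrsstx.dll, and the MEMSWEEP2 service loading from a .tmp file sits next to a c:\program files\Sophos folder created the same evening, which is consistent with Sophos Anti-Rootkit, whose scanning driver runs under that name from a temporary file. The Security Center override values still deserve a look, because both malware and legitimate third-party suites set them.

```python
import re

# Constructed sample: a condensed excerpt laid out like the ComboFix log above,
# keeping only the entries the checks below care about.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\A3FC.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"

------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\users\jus\AppData\Local\Temp\RtkBtMnt.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")          # [HKEY_...] section header
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')    # "Name"=value
TEMP_RE = re.compile(r"\\(temp|tmp)\\|\.tmp$", re.IGNORECASE)  # temp dir or .tmp image
OVERRIDES = ("DisableMonitoring", "AntiVirusOverride", "AntiSpywareOverride")


def _clean_path(val):
    """Strip the quotes and the \\??\\ NT prefix ComboFix prints for ImagePath."""
    p = val.strip().strip('"')
    return p[4:] if p.startswith("\\??\\") else p


def _dword(val):
    """Return the integer of a dword:XXXXXXXX value, or None for other types."""
    v = val.strip().lower()
    return int(v[6:], 16) if v.startswith("dword:") else None


def parse_loading_points(text):
    """Single pass over the log: registry values grouped under their key, plus
    the 'Other Running Processes' list. Returns (values, processes)."""
    values, processes = [], []
    key, in_procs = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-------") and "Other Running Processes" in line:
            in_procs, key = True, None
            continue
        if in_procs:
            if line.startswith("*") or line.startswith("-------"):
                in_procs = False            # next section begins
            elif line != ".":
                processes.append(line)
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            values.append((key, m.group("name"), m.group("val")))
    return values, processes


def triage(text):
    """Return (tag, detail) leads for a human to verify against the rest of the
    log; every tag here can also be produced by legitimate software."""
    findings = []
    values, processes = parse_loading_points(text)
    for key, name, val in values:
        k = key.lower()
        if k.endswith("\\windows nt\\currentversion\\windows") and name == "AppInit_DLLs":
            if val.strip():                 # any DLL here is injected into every GUI process
                findings.append(("appinit_dll", val.strip()))
        elif "\\security center\\" in k and name in OVERRIDES:
            if _dword(val):                 # non-zero silences Security Center for that product
                findings.append(("security_center_override", f"{key} {name}"))
        elif name == "ImagePath":
            path = _clean_path(val)
            if TEMP_RE.search(path):        # a driver/service image in temp or named *.tmp
                findings.append(("service_image_in_temp", f"{key.rsplit(chr(92), 1)[-1]} -> {path}"))
    for p in processes:
        if TEMP_RE.search(p):
            findings.append(("process_from_temp", p))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_LOG):
        print(f"[{tag}] {detail}")
```

Feed it a whole ComboFix log rather than the excerpt and the same six kinds of line come out; the point of returning tags rather than verdicts is that the analyst still has to correlate each lead with the Files Created section and the installed products, exactly as the MEMSWEEP2 entry above illustrates.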