ComboFix 09-07-21.05 - Valued Customer 07/22/2009 12:10.1.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1279.656 [GMT -4:00]
Running from: c:\users\Valued Customer\Desktop\Combo-Fix.exe
AV: Panda Antivirus 2007 *On-access scanning enabled* (Updated) {EEE2D94A-D4C1-421A-AB2C-2CE8FE51747A}
SP: Panda Antivirus 2007 *enabled* (Updated) {FE6602D3-1E71-4EBB-B4E3-D1C9CBDAF0A1}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Valued Customer\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Panda Antivirus 2007.lnk
c:\windows\Installer\a84ff.msp
.
((((((((((((((((((((((((( Files Created from 2009-06-22 to 2009-07-22 )))))))))))))))))))))))))))))))
.
2009-07-22 16:18 . 2009-07-22 16:18 -------- d-----w- c:\users\Valued Customer\AppData\Local\temp
2009-07-22 16:18 . 2009-07-22 16:18 -------- d-----w- c:\users\Nancy\AppData\Local\temp
2009-07-22 16:18 . 2009-07-22 16:18 -------- d-----w- c:\users\Billy\AppData\Local\temp
2009-07-22 16:18 . 2009-07-22 16:18 -------- d-----w- c:\users\Bill\AppData\Local\temp
2009-07-22 16:18 . 2009-07-22 16:18 -------- d-----w- c:\users\Amanda\AppData\Local\temp
2009-07-22 15:40 . 2009-07-22 15:40 -------- d-----w- c:\program files\Trend Micro
2009-07-22 14:38 . 2009-07-22 14:38 -------- d-----w- c:\program files\IZArc
2009-07-22 13:34 . 2008-06-20 01:17 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-07-22 13:34 . 2008-06-20 01:18 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-07-22 13:34 . 2008-06-20 01:18 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-07-22 13:34 . 2008-06-20 01:17 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-07-22 13:34 . 2008-06-20 01:17 11264 ----a-w- c:\windows\system32\icardres.dll
2009-07-22 13:34 . 2008-06-20 01:18 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-07-22 13:34 . 2008-06-20 01:18 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-07-22 13:24 . 2008-07-27 18:00 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-07-22 13:24 . 2008-07-27 18:00 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-07-22 13:24 . 2008-07-27 18:00 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-07-22 13:24 . 2008-07-27 18:00 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-07-22 13:24 . 2008-07-27 18:00 83968 ----a-w- c:\windows\system32\mscories.dll
2009-07-15 14:24 . 2009-07-15 14:24 -------- d-----w- c:\users\Nancy\AppData\Roaming\Webroot
2009-07-15 13:04 . 2009-06-22 14:58 22016 ----a-w- c:\windows\system32\drivers\Ndisrd.sys
2009-07-15 13:04 . 2009-06-22 14:58 13312 ----a-w- c:\windows\system32\drivers\snetcfg.exe
2009-07-15 13:04 . 2009-07-15 13:04 -------- d-----w- c:\program files\Common Files\Uninstall
2009-07-15 13:04 . 2009-07-22 04:29 -------- d-----w- c:\program files\PersonalAV
2009-07-15 12:43 . 2009-06-15 15:29 156160 ----a-w- c:\windows\system32\t2embed.dll
2009-07-15 12:43 . 2009-06-15 15:23 24064 ----a-w- c:\windows\system32\lpk.dll
2009-07-15 12:43 . 2009-06-15 15:22 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-15 12:43 . 2009-06-15 15:21 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-07-15 12:43 . 2009-06-15 15:20 34304 ----a-w- c:\windows\system32\atmlib.dll
2009-07-15 12:43 . 2009-06-15 13:03 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-07-08 17:35 . 2009-07-08 17:35 -------- d-sh--w- C:\found.002
2009-07-07 15:03 . 2009-07-07 15:03 -------- d-----w- c:\windows\system32\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-22 14:09 . 2007-04-18 22:10 -------- d-----w- c:\users\Amanda\AppData\Roaming\OpenOffice.org2
2009-07-22 13:57 . 2007-05-23 01:39 -------- d-----w- c:\users\Nancy\AppData\Roaming\OpenOffice.org2
2009-07-22 13:48 . 2007-08-22 17:59 -------- d-----w- c:\programdata\Microsoft Help
2009-07-22 11:48 . 2007-05-10 18:33 -------- d-----w- c:\users\Bill\AppData\Roaming\OpenOffice.org2
2009-07-22 03:51 . 2007-04-18 21:59 -------- d-----w- c:\users\Billy\AppData\Roaming\OpenOffice.org2
2009-07-16 12:26 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-06-18 13:37 . 2007-07-07 00:56 -------- d-----w- c:\programdata\Apple
2009-06-18 13:33 . 2009-06-18 13:33 -------- d-----w- c:\program files\Bonjour
2009-06-17 21:10 . 2008-04-01 01:32 -------- d-----w- c:\users\Bill\AppData\Roaming\Yahoo!
2009-06-09 12:42 . 2009-06-09 12:42 456304 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb7DE7.tmp.exe
2009-06-05 15:42 . 2009-06-05 15:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 15:42 . 2009-06-05 15:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-01 17:06 . 2007-07-07 02:30 -------- d-----w- c:\users\Amanda\AppData\Roaming\Apple Computer
2009-05-09 05:50 . 2009-06-11 11:39 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 05:34 . 2009-06-11 11:39 71680 ----a-w- c:\windows\system32\iesetup.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"????r"="" [?]
"?????????"="??????????????e" [?]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-09-13 3054592]
"Aim6"="c:\program files\AIM6\aim6.exe" [2007-04-27 50736]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-12-09 234856]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-04-19 1006264]
"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-11-23 319488]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2006-12-13 3166208]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2006-12-04 1261568]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-11-17 453120]
"PCMService"="c:\acer\Empowering Technology\eMode\PCM\PCMService.exe" [2006-11-25 151552]
"APVXDWIN"="c:\program files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" [2007-01-25 321072]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-25 136600]
"Performance Center"="c:\program files\Ascentive\Performance Center\APCMain.exe" [2008-03-13 3239936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-20 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-20 92704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2006-11-09 3784704]
c:\users\Amanda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 393216]
c:\users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 393216]
c:\users\Billy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 393216]
c:\users\Nancy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 393216]
c:\users\Valued Customer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 393216]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Billminder.lnk - c:\program files\Quicken\billmind.exe [2002-7-30 36864]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2006-12-14 528384]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2002-7-30 53248]
Quicken Startup.lnk - c:\program files\Quicken\QWDLLS.EXE [2002-7-30 36864]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2006-07-14 17:46 45056 ----a-w- c:\windows\System32\avldr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{0F1D6248-B04F-46A3-99BE-1B9D0B0663E8}"= UDP:c:\acer\Empowering Technology\eMode\PCM\PCMService.exe:CyberLink PowerCinema Resident Program
"{D8C7DEEA-9782-45BA-84BF-6B7589CD9BC0}"= TCP:c:\acer\Empowering Technology\eMode\PCM\PCMService.exe:CyberLink PowerCinema Resident Program
"{D6D09B60-3E73-409E-B668-0844A1F92D93}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{AE2C8B79-DEEF-4D53-82CE-3990974B8A6F}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{C2C4A612-DDAE-4443-9EA0-E7ACA50D3835}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{AF97FDDD-6CDB-4110-A208-37BDBA43335A}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9AE270E0-FCCD-490D-A8C6-A95671FEBFEE}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D8F24A23-DCF1-499A-BCA8-281CEDA4E9D5}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{0C84F794-5090-4F04-90B9-E0AE21736049}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{8984C49D-0675-42D5-BFBA-56894B3B2BE2}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{F4F78ACF-6F31-4AB4-BE78-DA1092A0D1B2}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C27AEB3A-6E4E-421D-BFCB-4E64957373BF}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{2D55FE09-97C3-4DB7-BE14-D9C302869109}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{93B249FE-20E9-4D30-806A-DA0044BD3687}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{889332F4-49FE-40BC-BE7F-7ED2C7B9EE3D}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{06848E48-15DD-4E08-A49F-3738A9E49C68}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{021CC322-1AC9-41EB-BFCB-B413FF5AF564}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Acer\\Empowering Technology\\eDataSecurity\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\eDSfsu.exe:*:Enabled:eDSfsu
"c:\\Acer\\Empowering Technology\\eDataSecurity\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\encryption.exe:*:Enabled:encryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\decryption.exe:*:Enabled:decryption
R2 AmFSM;Panda Anti-Virus Filesystem Minifilter;c:\windows\System32\drivers\amm8660.sys [3/13/2007 2:24 PM 34816]
R2 PskSvcRetail;Panda PSK service;c:\program files\Panda Software\Panda Antivirus 2007\psksvc.exe [3/13/2007 2:20 PM 27184]
R3 NdisrdMP;NdisrdMP;c:\windows\System32\drivers\Ndisrd.sys [7/15/2009 9:04 AM 22016]
S3 Ndisrd;WinpkFilter Service;c:\windows\System32\drivers\Ndisrd.sys [7/15/2009 9:04 AM 22016]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\panda software\panda antivirus 2007\pavlsp.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-22 12:18
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-07-22 12:22
ComboFix-quarantined-files.txt 2009-07-22 16:22
Pre-Run: 35,366,428,672 bytes free
Post-Run: 37,173,272,576 bytes free
195 --- E O F --- 2009-07-22 13:50
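The log above is raw ComboFix output. As an added example (not ComboFix's code and not the poster's), the Python script below parses the two line formats a responder actually reads in such a log, the "Files Created" entries and the "Reg Loading Points" registry values, and flags what is worth a second look: objects created with hidden/system attributes (C:\found.002), several objects created in the same minute (Ndisrd.sys, snetcfg.exe and the PersonalAV folder all at 2009-07-15 13:04, i.e. installed together), autostart values whose names ComboFix could not render (the "????r" entries marked "[?]"), and Security Center "DisableMonitoring" values set to 1. The sample lines are constructed from this log; the attribute-column letters (s = system, h = hidden) and the meaning of the trailing "[?]" are assumptions about the ComboFix format.

```python
"""Triage helper for ComboFix-style logs (added example; not part of ComboFix)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a handful of lines lifted from the log above.
SAMPLE_LOG = r"""
2009-07-15 13:04 . 2009-06-22 14:58 22016 ----a-w- c:\windows\system32\drivers\Ndisrd.sys
2009-07-15 13:04 . 2009-06-22 14:58 13312 ----a-w- c:\windows\system32\drivers\snetcfg.exe
2009-07-15 13:04 . 2009-07-22 04:29 -------- d-----w- c:\program files\PersonalAV
2009-07-08 17:35 . 2009-07-08 17:35 -------- d-sh--w- C:\found.002
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"????r"="" [?]
"?????????"="??????????????e" [?]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-09-13 3054592]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

# "created . modified size attrs path" -- size is a number or "--------" for directories
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) ([-a-z]{8}) (.+)$"
)
KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="string data" [date size]   or   "name"=dword:xxxxxxxx
VALUE_RE = re.compile(r'^"([^"]*)"=(?:"([^"]*)"|dword:([0-9a-fA-F]{8}))(?: \[(.*)\])?$')


@dataclass
class FileEntry:
    created: str
    modified: str
    size: str
    attrs: str   # e.g. "d-sh--w-"; assumption: 's' = system, 'h' = hidden
    path: str


@dataclass
class RegValue:
    key: str
    name: str
    data: str
    tail: str    # text inside the trailing [...]: file date+size, or "?" (assumed: unresolved)


def parse(text):
    """Split a ComboFix log into file-creation entries and registry values."""
    files, values, key = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(FileEntry(*m.groups()))
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)      # values that follow belong to this key
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, s, d, tail = m.groups()
            data = s if s is not None else "dword:" + d.lower()
            values.append(RegValue(key, name, data, tail or ""))
    return files, values


def triage(text):
    """Return human-readable findings a responder would want to check first."""
    files, values = parse(text)
    findings = []
    for f in files:
        if "s" in f.attrs or "h" in f.attrs:
            findings.append(f"hidden/system object: {f.path}")
    by_time = defaultdict(list)
    for f in files:
        by_time[f.created].append(f.path)
    for ts, paths in sorted(by_time.items()):
        if len(paths) > 1:   # same creation minute: likely one installer dropped them all
            findings.append(f"{len(paths)} objects created {ts}: " + "; ".join(paths))
    for v in values:
        if v.key.lower().endswith("\\run") and ("?" in v.name or v.tail == "?"):
            findings.append(f"unresolved autostart in {v.key}: {v.name!r} -> {v.data!r}")
        if ("security center\\monitoring" in v.key.lower()
                and v.name == "DisableMonitoring" and v.data == "dword:00000001"):
            findings.append(f"Security Center monitoring disabled: {v.key}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against the full log text rather than the sample to get the complete list; the same-minute grouping is the most useful part when reading the "Files Created" block, since a rogue installer usually drops its driver, helper executables and program folder within one minute.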