voila!
ComboFix 10-02-18.05 - u 02/18/2010 19:23:37.1.2 - x86 MINIMAL
Microsoft Windows Vista Home Premium 6.0.6000.0.1252.1.1033.18.1014.665 [GMT -5:00]
Running from: c:\users\u\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-1887481080-508804646-1125826050-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-3090746094-3283488223-3727284219-500
c:\program files\INSTALL.LOG
.
((((((((((((((((((((((((( Files Created from 2010-01-19 to 2010-02-19 )))))))))))))))))))))))))))))))
.
2010-02-19 00:28 . 2010-02-19 00:29 -------- d-----w- c:\users\u\AppData\Local\temp
2010-02-19 00:28 . 2010-02-19 00:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-18 23:36 . 2010-02-18 23:37 78184 ----a-w- c:\users\u\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-15 06:55 . 2010-02-15 06:55 96760 ----a-w- c:\windows\system32\dfshim.dll
2010-02-15 06:55 . 2010-02-15 06:55 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-02-15 06:55 . 2010-02-15 06:55 282112 ----a-w- c:\windows\system32\mscoree.dll
2010-02-15 06:55 . 2010-02-15 06:55 83968 ----a-w- c:\windows\system32\mscories.dll
2010-02-15 06:55 . 2010-02-15 06:55 158720 ----a-w- c:\windows\system32\mscorier.dll
2010-02-15 06:18 . 2010-02-15 06:18 2855424 ----a-w- c:\windows\system32\mf.dll
2010-02-15 06:18 . 2010-02-15 06:18 98816 ----a-w- c:\windows\system32\mfps.dll
2010-02-15 06:18 . 2010-02-15 06:18 52736 ----a-w- c:\windows\system32\rrinstaller.exe
2010-02-15 06:18 . 2010-02-15 06:18 24576 ----a-w- c:\windows\system32\mfpmp.exe
2010-02-15 06:18 . 2010-02-15 06:18 2048 ----a-w- c:\windows\system32\mferror.dll
2010-02-15 06:18 . 2010-02-15 06:18 996352 ----a-w- c:\windows\system32\WMNetMgr.dll
2010-02-15 06:18 . 2010-02-15 06:18 94720 ----a-w- c:\windows\system32\logagent.exe
2010-02-15 06:17 . 2010-02-15 06:17 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-02-15 06:16 . 2010-02-15 06:16 788992 ----a-w- c:\windows\system32\rpcrt4.dll
2010-02-15 06:16 . 2010-02-15 06:16 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-02-15 06:15 . 2010-01-14 16:12 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-02-15 06:14 . 2010-02-15 06:14 274432 ----a-w- c:\windows\system32\raschap.dll
2010-02-15 06:14 . 2010-02-15 06:14 232960 ----a-w- c:\windows\system32\rastls.dll
2010-02-15 06:13 . 2010-02-15 06:13 321536 ----a-w- c:\windows\system32\WSDApi.dll
2010-02-15 06:11 . 2010-02-15 06:11 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-15 06:11 . 2010-02-15 06:11 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-02-15 06:11 . 2010-02-15 06:11 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-15 06:11 . 2010-02-15 06:11 1327616 ----a-w- c:\windows\system32\quartz.dll
2010-02-15 06:11 . 2010-02-15 06:11 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-15 06:11 . 2010-02-15 06:11 88576 ----a-w- c:\windows\system32\avifil32.dll
2010-02-15 06:11 . 2010-02-15 06:11 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-15 06:11 . 2010-02-15 06:11 31232 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-15 06:11 . 2010-02-15 06:11 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-15 06:11 . 2010-02-15 06:11 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-15 06:10 . 2010-02-15 06:10 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-02-15 06:09 . 2010-02-15 06:09 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-15 06:09 . 2010-02-15 06:09 101888 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-15 05:13 . 2010-02-15 05:13 -------- d-----w- c:\users\u\AppData\Roaming\PeerNetworking
2010-02-12 04:25 . 2010-02-12 04:25 -------- d-----w- c:\program files\Free PDF to Word Doc Converter
2010-02-09 03:05 . 2010-02-09 03:05 -------- d-----w- c:\programdata\Norton
2010-01-27 03:57 . 2010-01-27 03:57 -------- d-----w- c:\program files\Free WMA to MP3 Converter
2010-01-22 17:08 . 2010-01-22 17:08 -------- d-----w- c:\program files\ConvertHelper
2010-01-22 17:06 . 2010-01-22 17:06 -------- d-----w- c:\users\u\dwhelper
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-18 20:51 . 2010-01-01 20:36 211893 ----a-w- c:\windows\system32\drivers\IsDrv122.sys
2010-02-14 03:36 . 2009-07-27 21:16 -------- d-----w- c:\program files\Warcraft III
2010-01-31 17:31 . 2010-01-01 08:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-11 04:43 . 2008-05-09 18:43 -------- d-----w- c:\users\u\AppData\Roaming\Corel
2010-01-07 23:12 . 2010-01-07 23:12 -------- d-----w- c:\users\u\AppData\Roaming\Red Alert 3
2010-01-07 20:53 . 2010-01-07 20:53 -------- d-----w- c:\program files\Electronic Arts
2010-01-07 04:05 . 2010-01-07 02:57 -------- d-----w- c:\users\u\AppData\Roaming\Steinberg
2010-01-07 02:59 . 2010-01-07 02:57 -------- d-----w- c:\program files\Steinberg
2010-01-07 02:57 . 2010-01-07 02:55 -------- d-----w- c:\program files\Syncrosoft
2010-01-07 02:57 . 2010-01-07 02:57 -------- d-----w- c:\programdata\Syncrosoft
2010-01-07 02:57 . 2010-01-07 02:57 2892 ----a-w- c:\windows\system32\audcon.sys
2010-01-01 21:57 . 2010-01-01 08:11 -------- d-----w- c:\users\u\AppData\Roaming\QuickScan
2010-01-01 08:06 . 2010-01-01 08:06 -------- d-----w- c:\users\u\AppData\Roaming\Malwarebytes
2010-01-01 08:06 . 2010-01-01 08:06 -------- d-----w- c:\programdata\Malwarebytes
2009-12-31 11:37 . 2008-11-07 01:19 1330 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\tmp7411.tmp\cur.scr
2009-12-14 14:01 . 2008-11-07 01:19 1407 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\tmp7411.tmp\hub.scr
2009-11-30 05:47 . 2009-09-22 04:47 3695616 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\AutoLaunch.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-11-17 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-02 1004136]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-05 4317184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-23 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-23 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-23 81920]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2006-11-13 118784]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-01-23 321656]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-22 520024]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
c:\users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-5-31 256000]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2008-4-14 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-02-13 23:19 98304 ----a-w- c:\windows\System32\VESWinlogon.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IsDrv122.sys]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^Users^u^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=c:\users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=c:\windows\pss\GameSpot Download Manager.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-01-10 04:59 115816 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickBooks Simple Start]
2007-01-31 04:59 371712 ----a-w- c:\program files\Intuit\SimpleStartEntice\entice.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-02-24 17:34 77824 ----a-w- c:\program files\Java\jre1.6.0\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
2008-01-30 00:38 583048 ----a-w- c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSecurity]
2006-11-28 22:30 2150400 ----a-w- c:\program files\Sony\VAIO Security Center\VSC.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
2006-12-07 00:08 577536 ----a-w- c:\program files\Sony\VAIO Survey\Vista VAIO Survey.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [6/22/2009 11:47 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1028432]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20080617.001\IDSvix86.sys [6/17/2008 9:18 PM 261680]
S2 MSSQL$VAIO_VEDB;SQL Server (VAIO_VEDB);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1/31/2007 9:08 AM 28933976]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/19/2008 12:41 PM 109616]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [1/9/2007 4:32 PM 38200]
S3 SynasUSB;SynasUSB;c:\windows\System32\drivers\synasUSB.sys [1/6/2010 9:56 PM 18432]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\System32\drivers\tascusb2.sys [1/6/2010 9:28 PM 367616]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\System32\drivers\tscusb2m.sys [7/25/2008 7:18 PM 18944]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\System32\drivers\tscusb2a.sys [7/25/2008 7:18 PM 33792]
S3 ti21sony;ti21sony;c:\windows\System32\drivers\ti21sony.sys [2/24/2008 11:57 AM 807424]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe [4/14/2008 4:54 PM 745472]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [4/14/2008 4:54 PM 397312]
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [4/14/2008 4:54 PM 1089536]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
*NewlyCreated* - ECACHE
.
Contents of the 'Scheduled Tasks' folder
2010-02-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 04:47]
2010-02-16 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - u.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 08:09]
2008-12-30 c:\windows\Tasks\Vaio Service Utility.job
- c:\program files\Sony\Vaio Service Utility\VAIO-SU.exe [2007-02-16 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\u\AppData\Roaming\Mozilla\Firefox\Profiles\8mmbyxhp.default\
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npff_gdm.dll
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-nyiyuvpn - c:\users\u\AppData\Local\atyaft\lsvgsysguard.exe
HKCU-Run-hlqfhbuk - c:\users\u\AppData\Local\yavpsl\jexjsftav.exe
HKLM-Run-masqform.exe - c:\program files\PureEdge\Viewer 6.5\masqform.exe
HKLM-RunOnce-
- (no file)
MSConfigStartUp-Corel Photo Downloader - c:\program files\Corel\Corel Snapfire\Corel PhotoDownloader.exe
MSConfigStartUp-NapsterShell - c:\program files\Napster\napster.exe
AddRemove-Axis and Allies - c:\program files\Hasbro Interactive\Axis and Allies\Uninst.isu
AddRemove-GOM Player - c:\program files\GRETECH\GomPlayer\Uninstall.exe
AddRemove-Warcraft III Demo - c:\windows\W3DemoUnin.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-18 19:29
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3090746094-3283488223-3727284219-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:26,c4,81,60,e4,93,81,b5,88,1c,95,10,85,11,26,0b,fe,b6,97,47,ed,06,b7,
9d,a1,24,cd,5b,60,5f,65,34,bd,c5,25,d7,c4,a4,2c,d1,da,44,30,83,4e,d9,7f,cf,\
"??"=hex:28,ce,cb,36,3b,0c,e9,95,36,1a,07,a1,20,6d,17,94
[HKEY_USERS\S-1-5-21-3090746094-3283488223-3727284219-1005\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:10,74,23,8d,e9,fb,e0,d3,3d,21,65,7d,a9,d3,ea,2d,11,f6,da,a6,20,
01,3b,c4,65,6f,15,b7,68,d3,78,75,eb,e9,65,05,e3,ef,fd,25,60,27,03,66,d7,c6,\
"rkeysecu"=hex:c0,9b,d7,2c,bf,40,3c,41,f8,6a,7e,75,aa,ab,fb,84
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-02-18 19:30:47
ComboFix-quarantined-files.txt 2010-02-19 00:30
Pre-Run: 39,801,516,032 bytes free
Post-Run: 40,719,749,120 bytes free
- - End Of File - - AAE0CE263935B1B6CD5650A123A32D42