ComboFix 08-12-06.03 - Jon1990 2008-12-06 21:42:38.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.140 [GMT 0:00]
Running from: c:\users\Jon1990\Downloads\ComboFix.exe
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\ijl11pro.dll
c:\windows\system32\x64
.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 20:49 --------- d-----w c:\programdata\Symantec
2008-12-06 20:45 --------- d-----w c:\users\Jon1990\AppData\Roaming\Symantec
2008-12-06 20:13 --------- d-----w c:\program files\Norton 360
2008-12-06 19:53 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-06 19:45 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-12-06 19:45 123,952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-06 19:45 10,671 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-06 19:45 --------- d-----w c:\program files\Symantec
2008-12-06 09:44 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-06 02:10 --------- d-----w c:\users\Jon1990\AppData\Roaming\CyberLink
2008-12-06 02:10 --------- d-----w c:\users\Jon1990\AppData\Roaming\Apple Computer
2008-12-06 02:10 --------- d-----w c:\users\Jon1990\AppData\Roaming\Any Video Converter
2008-12-06 02:10 --------- d-----w c:\users\Jon1990\AppData\Roaming\AdobeUM
2008-12-06 00:32 31 ----a-w c:\users\Jon1990\jagex_runescape_preferences.dat
2008-12-04 00:55 --------- d-----w c:\users\Jon1990\AppData\Roaming\Malwarebytes
2008-12-04 00:55 --------- d-----w c:\programdata\Malwarebytes
2008-12-03 19:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-03 08:03 --------- d-----w c:\users\Jon1990\AppData\Roaming\uTorrent
2008-12-03 01:24 --------- d-----w c:\users\Jon1990\AppData\Roaming\LimeWire
2008-12-01 16:58 --------- d-----w c:\program files\LimeWire
2008-12-01 15:54 --------- d-----w c:\programdata\Microsoft Help
2008-12-01 13:15 --------- d-----w c:\program files\Recuva
2008-11-25 22:54 --------- d-----w c:\program files\MSBuild
2008-11-25 22:47 --------- d-----w c:\program files\Microsoft Visual Studio 8
2008-11-25 22:31 --------- d-----w c:\program files\PowerISO
2008-11-10 20:34 930 ----a-w c:\users\Jon1990\AppData\Roaming\wklnhst.dat
2008-11-06 09:46 --------- d-----w c:\program files\Microsoft Works
2008-11-04 21:06 --------- d-----w c:\program files\iTunes
2008-11-04 21:06 --------- d-----w c:\program files\iPod
2008-11-04 21:06 --------- d-----w c:\program files\Apple Software Update
2008-10-16 18:29 --------- d-----w c:\program files\Yahoo!
2008-10-06 15:04 --------- d-----w c:\program files\GamesBar
2008-10-06 15:02 --------- d-----w c:\program files\Acer GameZone
2008-10-06 14:56 --------- d-----w c:\program files\Kontiki
2008-10-02 03:49 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-07-10 19:05 174 --sha-w c:\program files\desktop.ini
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 08:34 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 08:34 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 08:34 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-03-29 1232896]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"Google Update"="c:\users\Jon1990\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-12 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-05-09 1286144]
"PLFSet"="c:\windows\PLFSet.dll" [2007-03-10 45056]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-04-04 678672]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-11-07 159744]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-02-16 151552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-29 1261336]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 c:\windows\RtHDVCpl.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-02-16 151552]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2001-01-10 535336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll eNetHook.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8E4817E9-E503-4517-8F28-DE700D3253E8}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{DBFE675A-D860-49B3-85A6-AEA7488C43B9}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{928B9494-FB9F-43C5-80DA-462C7699811C}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{A8D406B1-B62D-443F-9C5A-147959873007}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{227E8868-5E2F-45F1-B5DF-B0C5B5C25AA4}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{89ABC98E-9A3B-4DD9-AA8E-E71DC5F8ABCF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{6C8675B4-C083-42EC-A23D-F137846CD292}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{56CAD0E0-7386-40BE-9040-ACA527685BB3}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{583AF4C2-FB84-4E5A-9EBB-C341EE8F6E00}c:\\users\\jon1990\\program files\\utorrent\\utorrent.exe"= UDP:c:\users\jon1990\program files\utorrent\utorrent.exe:utorrent.exe
"UDP Query User{2C986EB5-2670-4355-86C8-3684AB0E8107}c:\\users\\jon1990\\program files\\utorrent\\utorrent.exe"= TCP:c:\users\jon1990\program files\utorrent\utorrent.exe:utorrent.exe
"{59032274-4F8E-4C8E-B081-C13F863AE3D6}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{F7F5C184-E7AB-4179-A8EC-95582A3EAB9D}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{D6441B85-2BEE-4A8C-9603-F851D520C8B9}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{2F58DB40-3A5A-4BE7-A96D-60568A5593CE}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{33AAC4DC-805E-480B-BF49-75C558643094}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{DD2025CA-C9FD-4525-B43E-5F60ECBF5F6D}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{0FD7C7F7-46CC-409D-9E62-B798CE4F4B60}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{06DA669D-A3E5-4734-83EE-A27CA212F0EA}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{5FE4D6EA-621B-4DB3-B2B9-A0566E09FEC2}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{C7EC2655-72A3-4D54-A274-F6888DDFF329}c:\\program files\\secondlife\\slvoice.exe"= UDP:c:\program files\secondlife\slvoice.exe:SLVoice
"UDP Query User{0A597109-EBC2-4997-8D23-D4AB75363279}c:\\program files\\secondlife\\slvoice.exe"= TCP:c:\program files\secondlife\slvoice.exe:SLVoice
"{A4D8061F-1624-46C7-BA32-758162CD3525}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Acer\\Empowering Technology\\eDataSecurity\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\eDSfsu.exe:*:Enabled:eDSfsu
"c:\\Acer\\Empowering Technology\\eDataSecurity\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\encryption.exe:*:Enabled:encryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\decryption.exe:*:Enabled:decryption
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R1 IDSvix86;Symantec Intrusion Prevention Driver;\??\c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20081204.003\IDSvix86.sys [2008-12-06 270384]
R3 AvgWfpX;AVG Free8 Firewall Driver x86;c:\windows\system32\Drivers\avgwfpx.sys [2008-08-30 69128]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2001-01-10 179712]
R3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-01-13 23888]
R3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2001-01-10 32256]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\Drivers\SYMNDISV.SYS [2008-06-13 41008]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8ed9651-fde9-11dc-91b3-806e6f6e6963}]
\shell\AutoRun\command - E:\CDStart.Exe
\shell\Install\Command - E:\Stub.exe
*Newly Created Service* - COH_MON
*Newly Created Service* - COMHOST
*Newly Created Service* - ERASERUTILDRVI7
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-12-06 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\users\Jon1990\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-12 21:01]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-SetPanel - c:\acer\APanel\APanel.cmd
HKLM-Run-WinService32 - c:\program files\System32\svchost.exe
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.uk.acer.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FireFox -: Profile - c:\users\Jon1990\AppData\Roaming\Mozilla\Firefox\Profiles\3pa1vzvi.default\
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Yahoo!\common\npyaxmpb.dll
FF -: plugin - c:\users\Jon1990\AppData\Local\Google\Update\1.2.131.27\npGoogleOneClick6.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 21:46:33
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\eNetHook.dll
- - - - - - - > 'lsass.exe'(688)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\eNetHook.dll
.
Completion time: 2008-12-06 21:48:41
ComboFix-quarantined-files.txt 2008-12-06 21:48:36
Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 27,949,641,728 bytes free
205 --- E O F --- 2008-12-01 15:54:33