ComboFix 13-08-09.02 - Peter . 08. 2013 12:25:50.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.421.1051.18.3070.1613 [GMT 2:00]
Running from: c:\users\Peter\Downloads\ComboFix.exe
Command switches used :: c:\users\Peter\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *Disabled/Updated* {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}
SP: Kaspersky Anti-Virus *Disabled/Updated* {7870DE5B-6DF1-4BEF-ED3D-55AD9712D958}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
file zipped: c:\windows\system32\DRIVERS\33367102.sys
file zipped: c:\windows\system32\DRIVERS\5499943drv.sys
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\DRIVERS\33367102.sys
c:\windows\system32\DRIVERS\5499943drv.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_33367102
-------\Service_33367102
-------\Service_5499943drv
.
.
((((((((((((((((((((((((( Files Created from 2013-07-10 to 2013-08-10 )))))))))))))))))))))))))))))))
.
.
2013-08-10 10:33 . 2013-08-10 10:35 -------- d-----w- c:\users\Peter\AppData\Local\temp
2013-08-10 10:33 . 2013-08-10 10:33 -------- d-----w- c:\users\USER\AppData\Local\temp
2013-08-10 10:33 . 2013-08-10 10:33 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-08-09 06:19 . 2013-07-02 06:54 7143960 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8BA7257B-0238-437D-B3F1-3B7E06A4968D}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-18 09:54 . 2012-06-08 10:38 44000 ----a-w- c:\windows\system32\drivers\kltdi.sys
2013-06-11 20:39 . 2012-07-21 08:07 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-11 20:39 . 2011-06-08 15:09 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-04 01:50 . 2013-07-11 00:22 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-06-01 04:06 . 2013-07-11 00:22 505344 ----a-w- c:\windows\system32\qedit.dll
2013-05-29 01:50 . 2013-07-11 01:11 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-05-29 01:41 . 2013-07-11 01:11 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-05-29 01:41 . 2013-07-11 01:11 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-05-29 01:37 . 2013-07-11 01:11 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-05-29 01:36 . 2013-07-11 01:11 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-05-29 01:33 . 2013-07-11 01:11 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-07-31 17:31 . 2012-07-31 17:31 8001536 ----a-w- c:\program files\PICVideoMJPEG4.msi
2009-07-01 19:49 . 2013-07-03 14:21 110592 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2013-07-03 13:39 222832 ----a-w- c:\users\Peter\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2013-07-03 13:39 222832 ----a-w- c:\users\Peter\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2013-07-03 13:39 222832 ----a-w- c:\users\Peter\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Peter\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Peter\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Peter\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SkyDrive"="c:\users\Peter\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" [2013-07-03 257136]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-04-19 18678376]
"KiesPreload"="c:\program files\Samsung\Kies\Kies.exe" [2013-04-23 1561968]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"UVS11 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio 11 SE DVD\uvPL.exe" [2007-04-12 341488]
"ioCentre"="c:\genius\ioCentre\gTaskBar.exe" [2007-12-17 61440]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-12-13 135536]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe" [2012-11-14 356376]
"WD Drive Unlocker"="c:\program files\Western Digital\WD Apps\WDDriveAutoUnlock.exe" [2011-12-16 1687968]
"WD Quick View"="c:\program files\Western Digital\WD SmartWare\WDDMStatus.exe" [2011-12-15 3998616]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"KiesTrayAgent"="c:\program files\Samsung\Kies\KiesTrayAgent.exe" [2013-04-23 311152]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfPf]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfRd]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-10-09 169312]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-08-20 12:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-21 20:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.sk/
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: tatrabanka.sk\moja
TCP: DhcpNameServer = 192.168.1.1
DPF: {4C3CEE0B-4F2F-44C3-9586-4368F3200143} - hxxps://moja.tatrabanka.sk/ibanking/ICApki.dll
FF - ProfilePath - c:\users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\a30emazl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.sk/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2013-08-10 12:38
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(7772)
c:\users\Peter\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Western Digital\WD SmartWare\WDDMService.exe
c:\program files\Western Digital\WD Drive Manager\WDDriveService.exe
c:\program files\Western Digital\WD SmartWare\WDRulesEngine.exe
c:\program files\Western Digital\WD SmartWare\WDFME.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Google\Update\GoogleUpdate.exe
c:\windows\system32\conime.exe
c:\windows\RtHDVCpl.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\genius\ioCentre\gMouseTask.exe
c:\genius\ioCentre\gKbdTask.exe
c:\genius\ioCentre\gAutoPan.exe
c:\genius\ioCentre\gAutoScroll.exe
c:\genius\ioCentre\gZoom.exe
c:\genius\ioCentre\gIMMgm.exe
c:\genius\ioCentre\gKbStatus.exe
c:\genius\ioCentre\gDeskMgm.exe
c:\genius\ioCentre\gTaskSwitch.exe
c:\windows\ehome\ehmsas.exe
c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
.
**************************************************************************
.
Completion time: 2013-08-10 12:43:59 - machine was rebooted
ComboFix-quarantined-files.txt 2013-08-10 10:43
ComboFix2.txt 2013-08-10 09:48
.
Pre-Run: 32 880 779 264 bytes free
Post-Run: 32 352 395 264 bytes free
.
- - End Of File - - CF0B0068F26CE220EEEB68B3A2579260
5C616939100B85E558DA92B899A0FC36
Upload was successful