ComboFix 11-01-08.05 - AndIrm 09/01/2011 20:29:50.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.1070 [GMT 0:00]
Running from: c:\users\AndIrm\Downloads\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\AndIrm\AppData\Roaming\mkp.exe
c:\windows\system32\KBL.LOG
.
((((((((((((((((((((((((( Files Created from 2010-12-09 to 2011-01-09 )))))))))))))))))))))))))))))))
.
2011-01-09 20:40 . 2011-01-09 20:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-09 19:37 . 2011-01-09 19:37 709456 ----a-w- c:\windows\isRS-000.tmp
2011-01-09 18:12 . 2011-01-09 18:12 -------- d-----w- c:\programdata\gOgGl01829
2011-01-07 07:35 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{80081C4D-98DC-41B8-91A5-9790CB41492F}\mpengine.dll
2011-01-06 20:27 . 2011-01-09 19:10 -------- d-----w- c:\users\AndIrm\AppData\Roaming\AIMP
2011-01-06 20:26 . 2011-01-06 20:26 -------- d-----w- c:\program files\AIMP2
2010-12-18 20:47 . 2010-12-18 20:47 -------- d-----w- c:\programdata\Webroot
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-31 20:06 . 2010-07-17 13:58 38848 ----a-w- c:\windows\avastSS.scr
2010-12-31 20:06 . 2010-01-27 17:56 188216 ----a-w- c:\windows\system32\aswBoot.exe
2010-12-31 20:00 . 2010-01-27 17:57 293968 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-12-31 19:59 . 2010-01-27 17:57 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-12-31 19:56 . 2010-01-27 17:57 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-12-31 19:56 . 2010-01-27 17:57 51280 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-12-31 19:56 . 2010-01-27 17:57 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-12-20 18:09 . 2010-11-30 18:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 18:08 . 2010-11-30 18:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-19 10:41 . 2010-01-28 19:18 222080 ------w- c:\windows\system32\MpSigStub.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-12-31 3395600]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWinKeys"= 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebrootTrayApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 22:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 03:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserChoice]
2010-02-12 10:32 293376 ----a-w- c:\windows\System32\browserchoice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtTray]
2010-01-27 21:06 258134 ----a-w- c:\program files\IVT Corporation\BlueSoleil\BtTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverMax]
2010-03-01 14:00 9216928 ----a-w- c:\program files\Innovative Solutions\DriverMax\devices.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverMax_RESTART]
2010-03-01 14:00 9216928 ----a-w- c:\program files\Innovative Solutions\DriverMax\devices.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu 10]
2010-10-07 08:04 12661344 ----a-w- c:\program files\Gadu-Gadu 10\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 00:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPLA!]
2010-02-02 21:45 14252952 ----a-w- c:\program files\ipla\ipla.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2010-07-28 17:23 9398888 ----a-w- c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2009-10-26 14:46 1458176 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2010-08-24 09:38 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ehTray.exe"=c:\windows\ehome\ehTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};{22D78859-9CE9-4B77-BF18-AC83E81A9263};c:\program files\HP\QuickPlay\000.fcl [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;c:\users\AndIrm\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-07-07 14904]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-01 139776]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-27 716272]
S1 aswSP;aswSP; [x]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-12-31 51280]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-12-20 363344]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2010-01-19 1043784]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-20 20952]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2010-05-31 6638080]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
S4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-12-20 38224]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBAMSWISSARMY

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.pl/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Pavilion&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-09 20:41
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{22D78859-9CE9-4B77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files\HP\QuickPlay\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-384771458-2233442930-2946382022-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.bmp"

[HKEY_USERS\S-1-5-21-384771458-2233442930-2946382022-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.dib"

[HKEY_USERS\S-1-5-21-384771458-2233442930-2946382022-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.emf"

[HKEY_USERS\S-1-5-21-384771458-2233442930-2946382022-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eps\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.eps"

[HKEY_USERS\S-1-5-21-384771458-2233442930-2946382022-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.fpx"

[HKEY_USERS\S-1-5-21-384771458-2233442930-2946382022-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.gif"

[HKEY_USERS\S-1-5-21-384771458-2233442930-2946382022-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iff\UserChoice]
@Denied: (2) (S-1-5-21-384771458-2233442930-2946382022-1000)
@Denied: (2) (LocalSystem)
"Progid"="Winamp.File.iff"

[HKEY_USERS\S-1-5-21-384771458-2233442930-2946382022-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jfif"

[HKEY_USERS\S-1-5-21-384771458-2233442930-2946382022-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jpe"

[HKEY_USERS\S-1-5-21-384771458-2233442930-2946382022-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jpeg"

[HKEY_USERS\S-1-5-21-384771458-2233442930-2946382022-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jpg"

[HKEY_USERS\S-1-5-21-384771458-2233442930-2946382022-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.png"

[HKEY_USERS\S-1-5-21-384771458-2233442930-2946382022-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice]
@Denied: (2) (S-1-5-21-384771458-2233442930-2946382022-1000)
@Denied: (2) (LocalSystem)
"Progid"="Winamp.File.raw"

[HKEY_USERS\S-1-5-21-384771458-2233442930-2946382022-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rle\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.rle"

[HKEY_USERS\S-1-5-21-384771458-2233442930-2946382022-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.tif"

[HKEY_USERS\S-1-5-21-384771458-2233442930-2946382022-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.tiff"

[HKEY_USERS\S-1-5-21-384771458-2233442930-2946382022-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.ttc"

[HKEY_USERS\S-1-5-21-384771458-2233442930-2946382022-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.ttf"

[HKEY_USERS\S-1-5-21-384771458-2233442930-2946382022-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.wmf"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-01-09 20:45:24
ComboFix-quarantined-files.txt 2011-01-09 20:45

Pre-Run: 6,746,001,408 bytes free
Post-Run: 6,547,107,840 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=11 Sets=1,2,3,4,5,6,7,8,9,11
- - End Of File - - E1929ED354D4E08C447B9605F7ED9DE6
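The script below is an added example and is not part of ComboFix, nor of the log posted above. It is a small Python triage helper that reads a ComboFix report and pulls out the entries a malware-removal helper looks at first: files listed under "Other Deletions", service and driver entries whose image ComboFix marked as not found (`[x]`), autostart, service and newly created paths under user-writable directories, and Security Center `DisableMonitoring` overrides whose subkey names no product the log reports as installed. The section headers, the line layouts and the `[x]` meaning are inferred from the log above; the user-writable directory list and the product-name matching are heuristics I chose, not anything ComboFix defines. The embedded sample is an excerpt of this page's log.

```python
"""Triage a ComboFix log: list the entries a helper reads first.
Added example; the regexes are written against the log layout on
this page and are not a ComboFix format specification."""
import re

# Excerpt of the ComboFix log on this page, embedded as sample input.
SAMPLE_LOG = r"""
ComboFix 11-01-08.05 - AndIrm 09/01/2011 20:29:50.1.2 - x86
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\AndIrm\AppData\Roaming\mkp.exe
c:\windows\system32\KBL.LOG
.
((((((((((((((((((((((((( Files Created from 2010-12-09 to 2011-01-09 )))))))))))))))))))))))))))))))
.
2011-01-09 18:12 . 2011-01-09 18:12 -------- d-----w- c:\programdata\gOgGl01829
2011-01-06 20:26 . 2011-01-06 20:26 -------- d-----w- c:\program files\AIMP2
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-12-31 3395600]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};{22D78859-9CE9-4B77-BF18-AC83E81A9263};c:\program files\HP\QuickPlay\000.fcl [x]
R3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;c:\users\AndIrm\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys [x]
S1 aswSP;aswSP; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-12-31 51280]
"""

SECTION_RE = re.compile(r"^\(+ ?(.+?) ?\)+$")          # "(((( Other Deletions ))))"
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")             # "[HKEY_...\Run]"
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(?:"([^"]*)"|(\S+))')
PRODUCT_RE = re.compile(r"^(?:AV|SP|FW): (.+?) \*")     # "AV: avast! Antivirus *Enabled..."
# "2011-01-09 18:12 . 2011-01-09 18:12 -------- d-----w- <path>"
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+\S+\s+\S+\s+(.+)$")
# "R2 name;display;path [2010-03-18 130384]"  or  "... [x]" when the image was not found
SERVICE_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.*?)\s*(\[x\]|\[\d{4}-\d\d-\d\d \d+\])$")

# Heuristic (my choice): directories any interactive user can write to.
# A binary loading from here proves nothing by itself, but it is where
# droppers usually land, so these entries get a human look first.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\appdata\\", "\\temp\\")


def is_user_writable(path):
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def parse_combofix(text):
    findings = {"products": [], "deleted": [], "missing_image": [],
                "user_writable": [], "security_center_override": []}
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := SECTION_RE.match(line):
            section, key = m.group(1), None
            continue
        if m := KEY_RE.match(line):
            key = m.group(1)
            continue
        if m := PRODUCT_RE.match(line):
            findings["products"].append(m.group(1))
        elif section == "Other Deletions" and re.match(r"^[a-z]:\\", line, re.I):
            findings["deleted"].append(line)
        elif m := CREATED_RE.match(line):
            if is_user_writable(m.group(1)):
                findings["user_writable"].append((section, m.group(1)))
        elif m := SERVICE_RE.match(line):
            level, name, _display, path, marker = m.groups()
            if marker == "[x]":
                findings["missing_image"].append((level, name, path))
            if path and is_user_writable(path):
                findings["user_writable"].append((f"service {level} {name}", path))
        elif key and (m := VALUE_RE.match(line)):
            name, quoted, bare = m.groups()
            value = quoted if quoted is not None else bare
            k = key.lower()
            if "\\currentversion\\run" in k and is_user_writable(value):
                findings["user_writable"].append((f"autostart {key}", value))
            elif ("security center\\monitoring" in k and name == "DisableMonitoring"
                  and value.lower() == "dword:00000001"):
                product = "(all)" if k.endswith("\\monitoring") else key.rsplit("\\", 1)[1]
                # Heuristic: does the first word of any AV/SP product the log
                # reports appear in the subkey name?  False means "review".
                known = any(p.split()[0].rstrip("!").lower() in product.lower()
                            for p in findings["products"])
                findings["security_center_override"].append((product, known))
    return findings


if __name__ == "__main__":
    for category, items in parse_combofix(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("   ", item)
```

Run it against the full log rather than the excerpt and the "missing image" list also contains avast's own aswSP and aswFsBlk entries, and the user-writable list includes the Windows Defender definition update under ProgramData, so the output is a review queue, not a verdict: each item still has to be checked against what is actually installed before anything is removed.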