ComboFix 09-06-29.07 - Jelena 30.06.2009 20:49.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1250.381.1033.18.2046.1115 [GMT 2:00]
Running from: c:\users\Jelena\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\config\S-1-5-21-1482476501-1644491937-682003330-1013
c:\config\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\system\S-3-7-89-2225458569-9856321456-454423558-8896
c:\system\S-3-7-89-2225458569-9856321456-454423558-8896\Desktop.ini
c:\users\Jelena\AppData\Local\Temp\ppcrlui_4572_2
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.
2009-06-27 23:50 . 2009-06-27 23:51 -------- d-----w- C:\rsit
2009-06-27 23:50 . 2009-06-27 23:51 -------- d-----w- c:\program files\trend micro
2009-06-25 15:31 . 2009-06-25 15:31 -------- d-----w- c:\users\Jelena\AppData\Local\AVG Security Toolbar
2009-06-25 14:49 . 2009-06-25 14:48 832144 ----a-w- c:\programdata\avg8\update\backup\AVGToolbarInstall.exe
2009-06-25 14:49 . 2009-06-25 14:49 -------- d-----w- c:\programdata\AVG Security Toolbar
2009-06-25 14:40 . 2009-06-12 11:29 1452312 ----a-w- c:\programdata\avg8\update\backup\avgupd.dll
2009-06-22 19:00 . 2009-06-22 19:00 -------- d-----w- c:\users\Jelena\AppData\Local\Mozilla
2009-06-15 21:32 . 2009-06-15 23:19 581632 ----a-w- c:\programdata\PlayFirst\Games\dreamchronicles\adapter.exe
2009-06-15 21:32 . 2009-06-15 21:32 249856 ----a-w- c:\programdata\PlayFirst\Games\components\pfMultiplayer.dll
2009-06-15 21:31 . 2009-06-15 21:32 466944 ----a-w- c:\programdata\PlayFirst\Games\pfHarness\pfHarness.dll
2009-06-15 17:34 . 2009-04-14 15:58 139264 ----a-w- c:\programdata\PlayFirst\Games\PlayFirst.EXE
2009-06-13 12:08 . 2009-06-13 12:09 -------- d-----w- c:\users\Jelena\AppData\Roaming\HuruBeachParty
2009-06-13 00:45 . 2009-06-13 00:45 -------- d-----w- c:\programdata\Sandlot Games
2009-06-12 22:03 . 2009-06-12 22:03 4096 ----a-w- c:\windows\d3dx.dat
2009-06-11 18:47 . 2009-04-23 12:56 696832 ----a-w- c:\windows\system32\localspl.dll
2009-06-11 18:24 . 2009-04-21 12:04 2028032 ----a-w- c:\windows\system32\win32k.sys
2009-06-02 19:27 . 2009-06-26 22:27 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-02 00:50 . 2009-06-02 00:50 -------- d-----w- c:\users\Jelena\AppData\Roaming\Playrix Entertainment
2009-06-02 00:34 . 2009-06-02 00:34 -------- d-----w- c:\programdata\MumboJumbo
2009-05-31 20:52 . 2009-06-16 17:00 -------- d-----w- c:\programdata\PlayFirst
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 14:48 . 2009-05-24 15:13 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-25 14:48 . 2009-05-24 15:12 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-25 14:48 . 2008-06-05 07:22 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 17:00 . 2009-05-31 14:10 -------- d-----w- c:\users\Jelena\AppData\Roaming\PlayFirst
2009-06-12 11:22 . 2008-06-23 22:35 -------- d-----w- c:\programdata\FLEXnet
2009-06-11 23:25 . 2009-05-31 17:18 19 ----a-w- c:\windows\popcinfo.dat
2009-06-01 22:25 . 2009-05-31 14:03 -------- d-----w- c:\users\Jelena\AppData\Roaming\GetRightToGo
2009-05-31 18:28 . 2009-05-31 18:28 -------- d-----w- c:\program files\ReflexiveArcade
2009-05-31 17:50 . 2009-05-31 17:50 -------- d-----w- c:\programdata\Trymedia
2009-05-24 15:13 . 2009-05-24 15:13 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-24 15:12 . 2009-05-24 15:12 -------- d-----w- c:\programdata\avg8
2009-05-24 15:12 . 2009-05-24 15:12 -------- d-----w- c:\program files\AVG
2009-05-14 10:41 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-04-24 16:22 . 2009-06-11 18:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:14 . 2009-06-11 18:51 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-04-24 16:14 . 2009-06-11 18:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 16:11 . 2009-06-11 18:51 72704 ----a-w- c:\windows\system32\admparse.dll
2009-04-24 13:53 . 2009-06-11 18:51 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-24 12:25 . 2009-06-11 18:51 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-04-23 13:01 . 2009-06-11 18:51 788992 ----a-w- c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 14:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-08-12 1232896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-03 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-03 133912]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 34352]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-22 438272]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-04-03 509496]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 538744]
"Desktop SMS"="c:\program files\IDM\Desktop SMS\DesktopSMS.exe" [2007-06-18 1507328]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-04-10 413696]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 204800]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2007-02-19 571024]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-25 1948440]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-09-03 4702208]
"NDSTray.exe"="NDSTray.exe" [BU]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-8-30 11000]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-2-27 2756608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4086645655-3751511630-4275358094-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{91271B42-BAE6-4977-A740-592C7C9B2EFB}"= UDP:3703:Adobe Version Cue CS3 Server
"{82687EC3-01D7-44A6-AADF-7B64DE0D1F26}"= UDP:3704:Adobe Version Cue CS3 Server
"{F9062C84-66E1-433A-B0C1-36F9BF7D6BEE}"= UDP:50900:Adobe Version Cue CS3 Server
"{3FCD2091-77D1-4592-BD61-EA2607CA7323}"= UDP:50901:Adobe Version Cue CS3 Server
"{5C6A475E-679E-4680-AE06-A25C9D7E5EC6}"= UDP:c:\program files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"{9C24E31F-CFD7-4AE8-8A7B-7AEA441028E2}"= TCP:c:\program files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"{E231400E-888E-4771-A82C-ED8B5B6EEE5D}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{8589BF3A-E1E2-4C1F-8C4C-930EA09F2679}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{BA3E6186-6325-422E-A7FB-837B3C76A1C3}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{9F1D4262-E237-47C6-AA07-0CC9446B56F8}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{9D91492C-D862-4CE9-8739-481DA4EAD587}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{3F7A95A9-509A-48FC-A02D-F3FCF650EE13}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{238B8616-8A38-4A60-BE61-6491B019B58F}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{93AEAD00-0A6E-4B8A-A7EC-8B562682FDEB}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"TCP Query User{1828B6E2-3CF8-4E72-A505-F771E53042A4}c:\\program files\\gamehouse\\feedingfrenzy\\feedingfrenzy.exe"= UDP:c:\program files\gamehouse\feedingfrenzy\feedingfrenzy.exe:Feeding Frenzy
"UDP Query User{4296DC41-549D-430D-A62F-0998D0DBA62C}c:\\program files\\gamehouse\\feedingfrenzy\\feedingfrenzy.exe"= TCP:c:\program files\gamehouse\feedingfrenzy\feedingfrenzy.exe:Feeding Frenzy

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [24.5.2009 17:12 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [24.5.2009 17:13 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [24.5.2009 17:12 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [24.5.2009 17:12 298776]
S4 CplIR;Embedded IR Driver;c:\windows\System32\drivers\CplIR.sys [6.3.2007 16:01 14848]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
HKLM-Run-IgfxTray - c:\windows\system32\igfxtray.exe
HKLM-Run-HWSetup - \HWSetup.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk
uInternet Settings,ProxyOverride = *.local
IE: {{76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
IE: {{8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home
IE: {{C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN
FF - ProfilePath - c:\users\Jelena\AppData\Roaming\Mozilla\Firefox\Profiles\uctlznqo.default\
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-30 20:56
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-06-30 21:00
ComboFix-quarantined-files.txt 2009-06-30 19:00

Pre-Run: 51.685.449.728 bytes free
Post-Run: 54.707.159.040 bytes free

180 --- E O F --- 2009-06-29 23:33