
ComboFix 13-09-30.02 - User 02/10/2013 12:38:00.8.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2012.1040 [GMT 8:00]
Running from: c:\users\User\Desktop\combofix\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\User\AppData\Local\Google\Chrome\User Data\Default\Preferences
.
.
((((((((((((((((((((((((( Files Created from 2013-09-02 to 2013-10-02 )))))))))))))))))))))))))))))))
.
.
2013-10-02 04:44 . 2013-10-02 04:44 -------- d-----w-
c:\windows\system32\config\systemprofile\AppData\Local\temp
2013-10-02 04:44 . 2013-10-02 04:44 -------- d-----w-
c:\users\Public\AppData\Local\temp
2013-10-02 04:44 . 2013-10-02 04:44 -------- d-----w-
c:\users\Default\AppData\Local\temp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-21 03:44 . 2012-07-10 02:31 71048 ----a-w-
c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-21 03:44 . 2012-07-10 02:31 692616 ----a-w-
c:\windows\system32\FlashPlayerApp.exe
2013-09-07 00:50 . 2013-08-02 23:43 88840 ----a-w-
c:\windows\system32\drivers\avgntflt.sys
2013-08-22 00:00 . 2013-08-19 23:35 66144 ----a-w-
c:\windows\system32\drivers\avnetflt.sys
2013-08-22 00:00 . 2013-08-02 23:43 136672 ----a-w-
c:\windows\system32\drivers\avipbb.sys
2013-08-02 23:42 . 2013-08-02 23:43 37352 ----a-w-
c:\windows\system32\drivers\avkmgr.sys
2013-07-23 02:27 . 2013-07-23 02:27 42760 ----a-w-
c:\windows\system32\certsentry.dll
2013-07-23 02:26 . 2013-07-23 02:26 1060864 ----a-w-
c:\windows\system32\mfc71.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2013-04-26 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . .
c:\windows\System32\user32.dll
[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . .
c:\windows\erdnt\cache\user32.dll
[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . .
c:\windows\winsxs\x86_microsoft-windows-
user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program
files\Yahoo!\Companion\Installs\cpn2\yt.dll" [2012-06-11 1524056]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-
08FBA6BD249D}]
2010-12-09 04:51 3911776 ----a-w- c:\program
files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program
files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CNAP2 Launcher"="c:\windows\system32\spool\DRIVERS\W32X86\3\CNAP2LAK.EXE" [2007-
09-05 406944]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
[2011-03-30 39408]
"SDP"="c:\program files\FilesFrog Update Checker\update_checker.exe" [2012-05-31
200784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23
56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"
[2006-12-05 54832]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
[2006-10-26 31016]
"CNAP2 Launcher"="c:\windows\system32\spool\DRIVERS\W32X86\3\CNAP2LAK.EXE" [2007-
09-05 406944]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-05-09
273544]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader
9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03
946352]
"ApnTBMon"="c:\program files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe"
[2013-07-17 1558480]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2013-08-21 347192]
.
c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft
Office\Office12\ONENOTEM.EXE /tsr [2006-10-26 98632]
Servieca.vbs [2012-10-10 0]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideClock"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security
center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R3 SyDvCtrl;SyDvCtrl;c:\program files\Symantec\Symantec Endpoint
Protection\12.1.1000.157.105\Bin\SyDvCtrl32.sys [2012-01-17 23984]
R3 WatAdminSvc;WatAdminSvc;c:\windows\system32\Wat\WatAdminSvc.exe [2013-04-26
1343400]
R4 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir
Desktop\AVWEBGRD.EXE [2013-08-21 815160]
S0 SymDS;Symantec Data
Store;c:\windows\system32\Drivers\SEP\0C0103E8\009D.105\x86\SYMDS.SYS [2012-01-17
340088]
S0 SymEFA;Symantec Extended File
Attributes;c:\windows\system32\Drivers\SEP\0C0103E8\009D.105\x86\SYMEFA.SYS [2012-
01-17 758904]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2013-08-02 37352]
S1 BHDrvx86;BHDrvx86;c:\programdata\Symantec\Symantec Endpoint
Protection\12.1.1000.157.105\Data\Definitions\BASHDefs\20130913.014\BHDrvx86.sys
[2013-09-13 1002072]
S1 IDSVix86;IDSVix86;c:\programdata\Symantec\Symantec Endpoint
Protection\12.1.1000.157.105\Data\Definitions\IPSDefs\20130927.001\IDSvix86.sys
[2012-09-01 386720]
S1 SymIRON;Symantec Iron
Driver;c:\windows\system32\Drivers\SEP\0C0103E8\009D.105\x86\Ironx86.SYS [2012-01-
17 137336]
S1 SYMNETS;Symantec Network Security WFP
Driver;c:\windows\system32\Drivers\SEP\0C0103E8\009D.105\x86\SYMNETS.SYS [2012-01-
17 299640]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir
Desktop\sched.exe [2013-08-22 84024]
S2 APNMCP;Ask Update Service;c:\program files\AskPartnerNetwork\Toolbar\apnmcp.exe
[2013-07-17 168400]
S2 DragonUpdater;COMODO Dragon Update Service;c:\program
files\Comodo\Dragon\dragon_updater.exe [2012-12-24 1868432]
S2 SepMasterService;Symantec Endpoint Protection;c:\program files\Symantec\Symantec
Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe [2012-01-17 137224]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec
Shared\EENGINE\EraserUtilRebootDrv.sys [2013-08-29 108120]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-
07-13 139776]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-10
03:44]
.
2013-10-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-30 03:46]
.
2013-10-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-30 03:46]
.
2013-10-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4294724087-2786420965-
353509924-1001Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-24 02:08]
.
2013-10-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4294724087-2786420965-
353509924-1001UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-24 02:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?
inid=biz_SR_sep_V12_1_MR_1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
Trusted Zone: 111222.cn\list1
Trusted Zone: pps.tv\kan
Trusted Zone: pps.tv\list1
Trusted Zone: pps.tv\tvguide
Trusted Zone: pps.tv\vodguide
Trusted Zone: ppstream.com\list1
Trusted Zone: ppstream.com\notice
Trusted Zone: ppstream.com\xml1
Trusted Zone: ppstream.com\xml2
Trusted Zone: ppstream.com\xml3
Trusted Zone: ppstream.net\list1
Trusted Zone: ppstv.com\list1
Trusted Zone: ppstv.net\list1
Trusted Zone: security_PPStream.exe
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath -
c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\3q3mfbpl.default\
FF - prefs.js: browser.search.defaulturl -
hxxp://www.bigseekpro.com/search/toolbar/howfytdl/{C77FB054-4053-6396-0B27-
D48440A72C5A}?q={searchTerms}
FF - prefs.js: browser.startup.homepage - about:home
FF - user.js: extensions.BabylonToolbar_i.id - 68f1dd0e0000000000006cf0494e8530
FF - user.js: extensions.BabylonToolbar_i.hardId - 68f1dd0e0000000000006cf0494e8530
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15384
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1710:38
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - tt=090212_ctrl
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SepMasterService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint
Protection\12.1.1000.157.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\"
/m \"c:\program files\Symantec\Symantec Endpoint
Protection\12.1.1000.157.105\Bin\sms.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SmcService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint
Protection\12.1.1000.157.105\Bin\Smc.exe\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4294724087-2786420965-353509924-1001_Classes\CLSID\{5ED60779-
4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):fc,be,c9,98,74,f9,e9,42,03,90,db,ed,48,de,09,06,4c,10,ee,8b,bf,
ed,59,4c,0a,aa,a1,ea,a9,39,ea,53,f1,05,e3,9a,25,22,64,ea,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-4294724087-2786420965-353509924-1001_Classes\CLSID\{ce10180e-
8f19-460c-a519-41a2273dcf48}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000011
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,75,07,18,dd,fb,11,42,94,27,b7,99,0d,2a,ba,05,1a,a2,02,c9,3e,9b,f9,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_17
5_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-
0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-
0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-
0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-
0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-
0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-
0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-10-02 12:47:34
ComboFix-quarantined-files.txt 2013-10-02 04:47
ComboFix2.txt 2013-07-12 02:48
ComboFix3.txt 2013-03-18 23:53
ComboFix4.txt 2013-02-25 01:29
ComboFix5.txt 2013-10-02 04:36
.
Pre-Run: 82,151,899,136 bytes free
Post-Run: 82,279,723,008 bytes free
.
- - End Of File - - EBEA24AD0FE1E13BCA13ED5BF99040BF
A36C5E4F47E84449FF07ED3517B43A31
