ComboFix.txt

ComboFix 12-09-15.02 - Sleep 09/16/2012 0:49.7.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2013.1353 [GMT -4:00]
Running from: c:\users\Sleep\Downloads\ComboFix.exe
Command switches used :: c:\users\Sleep\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
FILE ::
"c:\windows\system32\temp.000"
"c:\windows\system32\temp.001"
"c:\windows\system32\temp.002"
"c:\windows\system32\temp.003"
"c:\windows\system32\temp.004"
"c:\windows\system32\temp.005"
"c:\windows\system32\temp.006"
"c:\windows\system32\temp.007"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\temp.000
c:\windows\system32\temp.001
c:\windows\system32\temp.002
c:\windows\system32\temp.003
c:\windows\system32\temp.004
c:\windows\system32\temp.005
c:\windows\system32\temp.006
c:\windows\system32\temp.007
.
.
((((((((((((((((((((((((( Files Created from 2012-08-16 to 2012-09-16 )))))))))))))))))))))))))))))))
.
.
2012-09-16 04:55 . 2012-09-16 04:55 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2012-09-16 04:55 . 2012-09-16 04:55 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-09-16 04:55 . 2012-09-16 04:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-16 04:55 . 2012-09-16 04:55 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-09-14 23:52 . 2012-09-14 23:52 -------- d-----w- c:\users\Sleep\AppData\Roaming\Task Scheduler
2012-09-06 15:12 . 2012-09-16 04:57 -------- d-----w- c:\users\Sleep\AppData\Local\temp
2012-09-02 21:26 . 2012-09-02 21:26 -------- d-----w- c:\users\Sleep\AppData\Roaming\Nitro PDF
2012-09-02 21:18 . 2012-07-16 09:13 27144 ----a-w- c:\windows\system32\nitrolocalmon2.dll
2012-09-02 21:18 . 2012-07-16 09:13 18440 ----a-w- c:\windows\system32\nitrolocalui2.dll
2012-09-02 21:17 . 2012-09-02 21:17 -------- d-----w- c:\programdata\Nitro PDF
2012-09-02 21:17 . 2012-09-02 21:17 -------- d-----w- c:\program files\Nitro PDF
2012-09-02 21:17 . 2012-09-02 21:17 -------- d-----w- c:\program files\Common Files\Nitro PDF
2012-09-02 21:17 . 2012-09-02 21:17 -------- d-----w- c:\users\Sleep\AppData\Roaming\Downloaded Installations
2012-08-30 01:15 . 2012-08-30 01:15 -------- d-----w- c:\users\Sleep\AppData\Roaming\.mono
2012-08-30 01:15 . 2012-08-30 01:15 -------- d-----w- c:\programdata\.mono
2012-08-29 19:09 . 2000-12-06 02:00 109248 ----a-w- c:\windows\system32\MSWINSCK.OCX
2012-08-29 19:09 . 1999-06-03 12:51 381712 ----a-w- c:\windows\system32\MSWLESS.OCX
2012-08-29 19:09 . 1998-06-18 05:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2012-08-29 19:09 . 1997-07-19 17:55 1347344 ----a-w- c:\windows\system32\MSVBVM50.DLL
2012-08-29 19:09 . 2000-05-22 02:00 115920 ----a-w- c:\windows\system32\MSINET.OCX
2012-08-29 19:09 . 1998-06-24 02:00 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX
2012-08-22 15:35 . 2012-08-22 17:30 -------- d-----w- c:\programdata\HitmanPro
2012-08-22 10:31 . 2012-08-22 10:31 -------- d-----w- c:\users\Sleep\AppData\Local\{88B67A84-EC44-11E1-8270-B8AC6F996F26}
2012-08-19 07:01 . 2012-08-19 07:01 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2012-08-18 11:38 . 2012-08-18 11:38 -------- d-----w- c:\users\Sleep\AppData\Local\IsolatedStorage
2012-08-18 11:38 . 2012-08-18 11:38 -------- d-----w- c:\users\Sleep\AppData\Local\C3C_Software
2012-08-18 11:23 . 2012-09-15 06:11 -------- d-----w- c:\program files\Final Impression
2012-08-17 15:21 . 2012-08-18 19:18 -------- d-----w- c:\users\Sleep\AppData\Roaming\FileZilla
2012-08-17 09:51 . 1999-05-15 04:24 97280 ----a-w- c:\windows\system32\vspell32.ocx
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-07 21:04 . 2012-04-05 23:14 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-22 16:59 . 2009-07-13 23:11 259072 ----a-w- c:\windows\system32\services.exe
2012-08-22 10:32 . 2012-04-05 03:36 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-22 10:32 . 2011-06-10 13:05 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-01 18:13 . 2012-08-01 18:13 35560 ----a-w- c:\windows\system32\drivers\hssdrv6.sys
2012-08-01 18:13 . 2012-08-01 18:13 33512 ----a-w- c:\windows\system32\drivers\taphss.sys
2012-07-18 17:10 . 2012-08-15 04:15 2344448 ----a-w- c:\windows\system32\win32k.sys
2012-07-16 09:14 . 2012-07-16 09:14 69640 ----a-w- c:\windows\system32\NLSSRV32.EXE
2012-07-04 21:23 . 2012-08-15 04:15 41472 ----a-w- c:\windows\system32\browcli.dll
2012-07-04 21:23 . 2012-08-15 04:15 102912 ----a-w- c:\windows\system32\browser.dll
2012-06-29 00:16 . 2012-08-15 07:01 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-06-29 00:09 . 2012-08-15 07:01 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-29 00:08 . 2012-08-15 07:01 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-29 00:04 . 2012-08-15 07:01 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-29 00:00 . 2012-08-15 07:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-07-14 00:17 . 2012-08-12 15:56 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-05-26 1159168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-07-16 307768]
.
c:\users\Sleep\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
HUD 3.6.0.lnk - c:\program files\Fonality\HUD3.6\HUD3.exe [2011-6-7 315392]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Sleep^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Task Scheduler.lnk]
path=c:\users\Sleep\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Task Scheduler.lnk
backup=c:\windows\pss\Task Scheduler.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2008-07-10 04:05 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 22:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2008-07-10 04:07 29984 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPort11reminder]
2007-08-31 14:01 328992 ----a-w- c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Task Scheduler]
2012-09-14 23:52 129024 ----a-w- c:\users\Sleep\AppData\Roaming\Task Scheduler\Task Scheduler.exe
.
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
R0 TFSysMon;TFSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 nlem32nt;nlem32nt; [x]
S1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\DRIVERS\hssdrv6.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [x]
S2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [x]
S2 hshld;Hotspot Shield Service;c:\program files\Hotspot Shield\bin\openvpnas.exe [x]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [x]
S2 NitroDriverReadSpool2;NitroPDFDriverCreatorReadSpool2;c:\program files\Nitro PDF\Professional 7\NitroPDFDriverService2.exe [x]
S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NLSSRV32.EXE [x]
S3 BrSerIb;Brother MFC Serial Interface Driver(WDM);c:\windows\system32\DRIVERS\BrSerIb.sys [x]
S3 BrUsbSIb;Brother MFC Serial USB Driver(WDM);c:\windows\system32\DRIVERS\BrUsbSIb.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
S3 VIACRX86;VIACRX86;c:\windows\system32\DRIVERS\viacr.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
pinetmgr
sscdbus
NWSLP
procexp90
WacomVKHid
usb_rndisx
lhidusb
winpowerrmi
TSHWMDTCP
w200mdfl
radclock
cebdaldr
dm1service
fasttrackinstallerservice
se27unic
ups
ma_cmidi_installerservice
tosrfsnd
GoToAssist
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 10:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mWindow Title =
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Sleep\AppData\Roaming\Mozilla\Firefox\Profiles\zhni10w2.default\
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,43,54,b3,07,38,b7,c2,43,97,80,7b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,43,54,b3,07,38,b7,c2,43,97,80,7b,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Hotspot Shield\bin\openvpntray.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2012-09-16 01:00:11 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-16 05:00
ComboFix2.txt 2012-09-15 14:12
ComboFix3.txt 2012-09-06 15:17
ComboFix4.txt 2012-09-02 02:34
.
Pre-Run: 261,048,311,808 bytes free
Post-Run: 263,015,075,840 bytes free
.
- - End Of File - - 051C1DF8AC7ECD674342D7E320D9D930

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-09-2012 02
Ran by SYSTEM at 16-09-2012 01:20:15
Running from F:\
Windows 7 Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [210472 2006-10-25] (Nuance Communications, Inc.)
HKLM\...\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN [1159168 2009-05-26] (Brother Industries, Ltd.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKU\TEMP\...\Run: [RESTART_STICKY_NOTES] C:\Windows\system32\StikyNot.exe [354304 2009-07-13] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Startup: C:\Users\Sleep\Start Menu\Programs\Startup\HUD 3.6.0.lnk
ShortcutTarget: HUD 3.6.0.lnk -> C:\Program Files\Fonality\HUD3.6\HUD3.exe ()
Startup: C:\Users\Sleep\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 GoToAssist; C:\Windows\System32\svchost.exe -k netsvcs [20992 2009-07-13] (Microsoft Corporation)
2 hshld; C:\Program Files\Hotspot Shield\bin\openvpnas.exe [476016 2012-08-02] ()
2 HssSrv; C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe [408944 2012-08-02] (AnchorFree Inc.)
3 HssTrayService; C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE [78072 2012-08-02] ()
2 HssWd; C:\Program Files\Hotspot Shield\bin\hsswd.exe [387440 2012-08-02] ()
2 ma_cmidi_installerservice; C:\Windows\System32\svchost.exe -k netsvcs [20992 2009-07-13] (Microsoft Corporation)
3 MozillaMaintenance; "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe" [113120 2012-07-13] (Mozilla Foundation)
2 NitroDriverReadSpool2; "C:\Program Files\Nitro PDF\Professional 7\NitroPDFDriverService2.exe" [184840 2012-07-16] (Nitro PDF Software)
2 MSSQL$MSSMLBIZ; "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [x]
4 MSSQLServerADHelper; "c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" [x]
2 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]
2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]

==================== Drivers (Whitelisted) ====================

3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18424 2009-07-16] (Broadcom Corporation)
1 HssDRV6; C:\Windows\System32\DRIVERS\hssdrv6.sys [35560 2012-08-01] (AnchorFree Inc.)
0 nlem32nt; C:\Windows\System32\Drivers\nlem32nt.sys [69656 2009-12-01] ()
0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [45648 2010-07-12] (Sonic Solutions)
3 taphss; C:\Windows\System32\DRIVERS\taphss.sys [33512 2012-08-01] (AnchorFree Inc)
3 VIACRX86; C:\Windows\System32\DRIVERS\viacr.sys [59392 2009-07-13] (VIA Technologies, Inc. )
3 catchme; \??\C:\ComboFix\catchme.sys [x]
0 TfFsMon; C:\Windows\System32\drivers\TfFsMon.sys [x]
3 TfNetMon; \??\C:\Windows\system32\drivers\TfNetMon.sys [x]
0 TFSysMon; C:\Windows\System32\drivers\TfSysMon.sys [x]

==================== NetSvcs (Whitelisted) ===================

NETSVC: pinetmgr -> No Registry Path.
NETSVC: sscdbus -> No Registry Path.
NETSVC: NWSLP -> No Registry Path.
NETSVC: procexp90 -> No Registry Path.
NETSVC: WacomVKHid -> No Registry Path.
NETSVC: usb_rndisx -> No Registry Path.
NETSVC: lhidusb -> No Registry Path.
NETSVC: winpowerrmi -> No Registry Path.
NETSVC: TSHWMDTCP -> No Registry Path.
NETSVC: w200mdfl -> No Registry Path.
NETSVC: radclock -> No Registry Path.
NETSVC: cebdaldr -> No Registry Path.
NETSVC: dm1service -> No Registry Path.
NETSVC: fasttrackinstallerservice -> No Registry Path.
NETSVC: se27unic -> No Registry Path.
NETSVC: ups -> No Registry Path.
NETSVC: ma_cmidi_installerservice -> No Registry Path.
NETSVC: tosrfsnd -> No Registry Path.
NETSVC: GoToAssist -> No Registry Path.

==================== One Month Created Files and Folders ========

2012-09-15 21:13 - 2012-09-16 01:20 - 00000000 ____D C:\FRST
2012-09-15 21:13 - 2012-09-15 21:13 - 00904140 ____A (Farbar) C:\Users\Sleep\Downloads\FRST.exe
2012-09-15 21:00 - 2012-09-15 21:00 - 00013366 ____A C:\ComboFix.txt
2012-09-15 06:04 - 2012-09-15 20:46 - 04754503 ____R (Swearware) C:\Users\Sleep\Downloads\ComboFix.exe
2012-09-14 21:58 - 2012-09-14 22:00 - 00002247 ____A C:\Users\Sleep\Desktop\New Text Document.txt
2012-09-14 18:06 - 2012-09-14 18:06 - 00540921 ____A C:\Users\Sleep\Downloads\Autoruns.zip
2012-09-14 15:52 - 2012-09-14 15:52 - 00000000 ____D C:\Users\Sleep\AppData\Roaming\Task Scheduler
2012-09-03 15:11 - 2012-09-15 20:56 - 00002528 ____A C:\Windows\PFRO.log
2012-09-03 15:11 - 2012-09-03 15:11 - 00448984 ____A C:\Windows\System32\FNTCACHE.DAT
2012-09-02 13:26 - 2012-09-02 13:26 - 00000000 ____D C:\Users\Sleep\AppData\Roaming\Nitro PDF
2012-09-02 13:18 - 2012-07-16 01:13 - 00027144 ____A (Nitro PDF Software) C:\Windows\System32\nitrolocalmon2.dll
2012-09-02 13:18 - 2012-07-16 01:13 - 00018440 ____A (Nitro PDF Software) C:\Windows\System32\nitrolocalui2.dll
2012-09-02 13:17 - 2012-09-02 13:17 - 00002019 ____A C:\Users\Public\Desktop\Nitro Pro 7.lnk
2012-09-02 13:17 - 2012-09-02 13:17 - 00000000 ____D C:\Users\Sleep\AppData\Roaming\Downloaded Installations
2012-09-02 13:17 - 2012-09-02 13:17 - 00000000 ____D C:\Users\All Users\Nitro PDF
2012-09-02 13:17 - 2012-09-02 13:17 - 00000000 ____D C:\Program Files\Nitro PDF
2012-09-02 13:17 - 2012-09-02 13:17 - 00000000 ____D C:\Program Files\Common Files\Nitro PDF
2012-09-01 21:00 - 2012-09-15 21:02 - 00002240 ____A C:\Windows\setupact.log
2012-09-01 21:00 - 2012-09-01 21:00 - 00000000 ____A C:\Windows\setuperr.log
2012-09-01 18:22 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-09-01 18:22 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-09-01 18:22 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-09-01 18:22 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-09-01 18:22 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-09-01 18:22 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-09-01 18:22 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-09-01 18:22 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-09-01 18:21 - 2012-09-15 21:00 - 00000000 ____D C:\Qoobox
2012-09-01 09:59 - 2012-09-01 09:59 - 00124872 ____A C:\Users\Sleep\AppData\Local\GDIPFONTCACHEV1.DAT
2012-09-01 07:52 - 2012-09-01 07:52 - 02322184 ____A (ESET) C:\Users\Sleep\Downloads\esetsmartinstaller_enu.exe
2012-08-30 18:59 - 2012-08-30 18:59 - 00000000 ____D C:\Users\Sleep\Documents\OneNote Notebooks
2012-08-30 14:17 - 2012-08-30 14:17 - 10900795 ____A ( ) C:\Users\Sleep\Downloads\nemopdfconverter.exe
2012-08-29 17:15 - 2012-08-29 17:15 - 00000000 ____D C:\Users\Sleep\AppData\Roaming\.mono
2012-08-29 17:15 - 2012-08-29 17:15 - 00000000 ____D C:\Users\All Users\.mono
2012-08-29 17:06 - 2012-08-29 17:09 - 05505024 ____A (Wheels4Deals, LLC ) C:\Users\Sleep\Downloads\wheels4_setup.exe
2012-08-29 11:18 - 2012-08-29 11:18 - 00001222 ____A C:\Users\Administrator\Desktop\Craigs List & eBay Export.lnk
2012-08-29 11:09 - 2000-12-05 18:00 - 00109248 ____A (Microsoft Corporation) C:\Windows\System32\MSWINSCK.OCX
2012-08-29 11:09 - 2000-05-21 18:00 - 00115920 ____A (Microsoft Corporation) C:\Windows\System32\MSINET.OCX
2012-08-29 11:09 - 1999-06-03 04:51 - 00381712 ____A (Microsoft Corporation) C:\Windows\System32\MSWLESS.OCX
2012-08-29 11:09 - 1998-06-23 18:00 - 00137000 ____A (Microsoft Corporation) C:\Windows\System32\MSMAPI32.OCX
2012-08-29 11:09 - 1998-06-17 21:00 - 00089360 ____A (Microsoft Corporation) C:\Windows\System32\VB5DB.DLL
2012-08-29 11:09 - 1997-07-19 09:55 - 01347344 ____A (Microsoft Corporation) C:\Windows\System32\MSVBVM50.DLL
2012-08-29 11:01 - 2012-08-29 11:01 - 07642472 ____A (PrimaSoft PC, Inc. ) C:\Users\Sleep\Downloads\cardealp.exe
2012-08-29 10:57 - 2012-08-29 11:02 - 60743063 ____A C:\Users\Sleep\Downloads\DS5_Setup.exe
2012-08-22 07:36 - 2012-08-22 07:36 - 07758424 ____A (SurfRight B.V.) C:\Users\Sleep\Downloads\HitmanPro36.exe
2012-08-22 07:35 - 2012-08-22 09:30 - 00000000 ____D C:\Users\All Users\HitmanPro
2012-08-22 02:32 - 2012-09-15 20:57 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-22 02:31 - 2012-08-22 02:31 - 00000000 ____D C:\Users\Sleep\AppData\Local\{88B67A84-EC44-11E1-8270-B8AC6F996F26}
2012-08-18 23:01 - 2012-08-18 23:01 - 00000000 ____D C:\Users\Default\AppData\Local\Microsoft Help
2012-08-18 23:01 - 2012-08-18 23:01 - 00000000 ____D C:\Users\Default User\AppData\Local\Microsoft Help
2012-08-18 03:38 - 2012-08-18 03:38 - 00000000 ____D C:\Users\Sleep\AppData\Local\IsolatedStorage
2012-08-18 03:38 - 2012-08-18 03:38 - 00000000 ____D C:\Users\Sleep\AppData\Local\C3C_Software
2012-08-18 03:23 - 2012-09-14 22:11 - 00000000 ____D C:\Program Files\Final Impression
2012-08-18 03:23 - 2012-08-18 03:38 - 00000000 ____D C:\Users\Sleep\Documents\Final Impression
2012-08-18 03:22 - 2012-09-14 22:10 - 11375074 ____A ( ) C:\Users\Sleep\Downloads\fisetup.exe
2012-08-17 22:02 - 2012-08-17 22:02 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Macromedia
2012-08-17 07:21 - 2012-08-18 11:18 - 00000000 ____D C:\Users\Sleep\AppData\Roaming\FileZilla
2012-08-17 01:57 - 2012-08-17 07:16 - 00000025 ____A C:\Windows\.prj
2012-08-17 01:51 - 2012-08-17 01:51 - 07209190 ____A C:\Users\Sleep\Downloads\pgbreeze.exe
2012-08-17 01:51 - 1999-05-14 20:24 - 00097280 ____A (Visual Components, Inc.) C:\Windows\System32\vspell32.ocx

==================== 3 Months Modified Files ==================

2012-09-15 21:14 - 2012-07-13 02:04 - 01311349 ____A C:\Windows\WindowsUpdate.log
2012-09-15 21:13 - 2012-09-15 21:13 - 00904140 ____A (Farbar) C:\Users\Sleep\Downloads\FRST.exe
2012-09-15 21:11 - 2010-01-28 15:35 - 00845612 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-15 21:10 - 2009-07-13 20:34 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-15 21:10 - 2009-07-13 20:34 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-15 21:02 - 2012-09-01 21:00 - 00002240 ____A C:\Windows\setupact.log
2012-09-15 21:02 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-15 21:00 - 2012-09-15 21:00 - 00013366 ____A C:\ComboFix.txt
2012-09-15 20:57 - 2012-08-22 02:32 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-15 20:57 - 2009-07-13 18:04 - 00000215 ____A C:\Windows\system.ini
2012-09-15 20:56 - 2012-09-03 15:11 - 00002528 ____A C:\Windows\PFRO.log
2012-09-15 20:46 - 2012-09-15 06:04 - 04754503 ____R (Swearware) C:\Users\Sleep\Downloads\ComboFix.exe
2012-09-15 18:49 - 2011-01-29 04:53 - 00000426 ____A C:\Windows\BRWMARK.INI
2012-09-14 22:10 - 2012-08-18 03:22 - 11375074 ____A ( ) C:\Users\Sleep\Downloads\fisetup.exe
2012-09-14 22:00 - 2012-09-14 21:58 - 00002247 ____A C:\Users\Sleep\Desktop\New Text Document.txt
2012-09-14 18:06 - 2012-09-14 18:06 - 00540921 ____A C:\Users\Sleep\Downloads\Autoruns.zip
2012-09-08 13:30 - 2011-11-29 10:16 - 00050551 ____A C:\Users\Sleep\Documents\ANAG Books '11.xlsx
2012-09-07 13:04 - 2012-04-05 15:14 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-03 15:11 - 2012-09-03 15:11 - 00448984 ____A C:\Windows\System32\FNTCACHE.DAT
2012-09-02 13:17 - 2012-09-02 13:17 - 00002019 ____A C:\Users\Public\Desktop\Nitro Pro 7.lnk
2012-09-01 21:00 - 2012-09-01 21:00 - 00000000 ____A C:\Windows\setuperr.log
2012-09-01 09:59 - 2012-09-01 09:59 - 00124872 ____A C:\Users\Sleep\AppData\Local\GDIPFONTCACHEV1.DAT
2012-09-01 07:52 - 2012-09-01 07:52 - 02322184 ____A (ESET) C:\Users\Sleep\Downloads\esetsmartinstaller_enu.exe
2012-08-30 19:04 - 2011-04-12 13:44 - 00000000 ____A C:\Users\Sleep\Documents\Nuance Image Printer Writer Port
2012-08-30 14:17 - 2012-08-30 14:17 - 10900795 ____A ( ) C:\Users\Sleep\Downloads\nemopdfconverter.exe
2012-08-29 17:09 - 2012-08-29 17:06 - 05505024 ____A (Wheels4Deals, LLC ) C:\Users\Sleep\Downloads\wheels4_setup.exe
2012-08-29 11:18 - 2012-08-29 11:18 - 00001222 ____A C:\Users\Administrator\Desktop\Craigs List & eBay Export.lnk
2012-08-29 11:02 - 2012-08-29 10:57 - 60743063 ____A C:\Users\Sleep\Downloads\DS5_Setup.exe
2012-08-29 11:01 - 2012-08-29 11:01 - 07642472 ____A (PrimaSoft PC, Inc. ) C:\Users\Sleep\Downloads\cardealp.exe
2012-08-22 08:59 - 2009-07-13 15:11 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-08-22 07:36 - 2012-08-22 07:36 - 07758424 ____A (SurfRight B.V.) C:\Users\Sleep\Downloads\HitmanPro36.exe
2012-08-22 02:32 - 2012-04-04 19:36 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-22 02:32 - 2011-06-10 05:05 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-08-19 23:05 - 2009-07-13 18:04 - 00000478 ____A C:\Windows\win.ini
2012-08-17 07:16 - 2012-08-17 01:57 - 00000025 ____A C:\Windows\.prj
2012-08-17 01:51 - 2012-08-17 01:51 - 07209190 ____A C:\Users\Sleep\Downloads\pgbreeze.exe
2012-08-16 11:26 - 2012-08-16 11:26 - 00009235 ____A C:\Users\Sleep\Downloads\2004_converted.html
2012-08-16 10:48 - 2012-08-16 10:48 - 03626414 ____A (Word-Pdf-Convert Software, Inc. ) C:\Users\Sleep\Downloads\free_all_to_image_jpg_jpeg_bmp_tiff_png_converter.exe
2012-08-14 23:02 - 2011-11-24 08:48 - 59884088 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-14 06:57 - 2012-08-14 06:57 - 00001110 ____A C:\Users\Public\Desktop\Hotspot Shield Launch.lnk
2012-08-14 06:56 - 2012-08-14 06:56 - 00000000 ____A C:\Windows\System32\cd.dat
2012-08-12 07:56 - 2012-08-12 07:56 - 00001094 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-08-10 08:33 - 2012-08-10 08:33 - 00001755 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-08-01 10:13 - 2012-08-01 10:13 - 00035560 ____A (AnchorFree Inc.) C:\Windows\System32\Drivers\hssdrv6.sys
2012-08-01 10:13 - 2012-08-01 10:13 - 00033512 ____A (AnchorFree Inc) C:\Windows\System32\Drivers\taphss.sys
2012-07-30 00:20 - 2009-07-13 20:53 - 00032640 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-20 06:47 - 2010-12-24 09:38 - 00079106 ____A C:\Users\Sleep\Documents\Client List.xlsx
2012-07-19 08:39 - 2012-01-09 20:27 - 00171381 ____A C:\Users\Sleep\Documents\Client List '11.xlsx
2012-07-19 08:38 - 2011-01-29 04:57 - 00128947 ____A C:\Users\Sleep\Documents\Books '11.xlsx
2012-07-18 09:10 - 2012-08-14 20:15 - 02344448 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-16 01:14 - 2012-07-16 01:14 - 00069640 ____A (Nalpeiron Ltd.) C:\Windows\System32\NLSSRV32.EXE
2012-07-16 01:13 - 2012-09-02 13:18 - 00027144 ____A (Nitro PDF Software) C:\Windows\System32\nitrolocalmon2.dll
2012-07-16 01:13 - 2012-09-02 13:18 - 00018440 ____A (Nitro PDF Software) C:\Windows\System32\nitrolocalui2.dll
2012-07-15 06:42 - 2011-02-08 07:02 - 02055429 ____A C:\Windows\System32\Drivers\Cat.DB
2012-07-13 02:16 - 2012-07-13 02:16 - 00000000 ____A C:\Windows\System32\SM.lock
2012-07-13 00:43 - 2012-07-13 00:43 - 00000009 ____A C:\END
2012-07-04 13:26 - 2012-08-14 20:15 - 00057344 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 13:23 - 2012-08-14 20:15 - 00102912 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 13:23 - 2012-08-14 20:15 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-06-28 16:52 - 2012-08-14 23:01 - 12317184 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-28 16:27 - 2012-08-14 23:01 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-28 16:16 - 2012-08-14 23:01 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-28 16:09 - 2012-08-14 23:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-28 16:09 - 2012-08-14 23:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-28 16:08 - 2012-08-14 23:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-28 16:07 - 2012-08-14 23:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-28 16:06 - 2012-08-14 23:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-28 16:04 - 2012-08-14 23:01 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-28 16:04 - 2012-08-14 23:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-28 16:01 - 2012-08-14 23:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-28 16:01 - 2012-08-14 23:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-28 16:00 - 2012-08-14 23:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-28 15:57 - 2012-08-14 23:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

ZeroAccess:
C:\Windows\Installer\{02003428-8fdc-7a58-9377-f7b03ed8a90e}
C:\Windows\Installer\{02003428-8fdc-7a58-9377-f7b03ed8a90e}\L
C:\Windows\Installer\{02003428-8fdc-7a58-9377-f7b03ed8a90e}\U

ZeroAccess:
C:\Users\Sleep\AppData\Local\{02003428-8fdc-7a58-9377-f7b03ed8a90e}
C:\Users\Sleep\AppData\Local\{02003428-8fdc-7a58-9377-f7b03ed8a90e}\L
C:\Users\Sleep\AppData\Local\{02003428-8fdc-7a58-9377-f7b03ed8a90e}\Threat Expert
C:\Users\Sleep\AppData\Local\{02003428-8fdc-7a58-9377-f7b03ed8a90e}\U

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-08-24 23:45:03
Restore point made on: 2012-08-29 11:03:53
Restore point made on: 2012-08-29 11:09:06
Restore point made on: 2012-08-29 22:12:47
Restore point made on: 2012-08-29 22:14:01
Restore point made on: 2012-09-01 08:42:27
Restore point made on: 2012-09-02 13:17:28
Restore point made on: 2012-09-02 15:59:39
Restore point made on: 2012-09-06 07:07:04
Restore point made on: 2012-09-13 17:25:23
Restore point made on: 2012-09-15 20:47:37

==================== Memory info ===========================

Percentage of memory in use: 21%
Total physical RAM: 2012.8 MB
Available physical RAM: 1572.44 MB
Total Pagefile: 2012.8 MB
Available Pagefile: 1576.58 MB
Total Virtual: 2047.88 MB
Available Virtual: 1965.62 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:283.4 GB) (Free:244.88 GB) NTFS
3 Drive f: () (Removable) (Total:3.76 GB) (Free:3.76 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:10.94 GB) NTFS ==>[system with boot components (obtained from reading drive)]

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          298 GB      0 B
  Disk 1    Online         3854 MB      0 B

Partitions of Disk 0:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    OEM                 39 MB    31 KB
  Partition 2    Primary             14 GB    40 MB
  Partition 3    Primary            283 GB    14 GB

=========================================================

Disk: 0
Partition 1
Type  : DE
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4                      FAT    Partition     39 MB  Healthy    Hidden

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   RECOVERY     NTFS   Partition     14 GB  Healthy

=========================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   OS           NTFS   Partition    283 GB  Healthy

=========================================================

Partitions of Disk 1:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3853 MB    31 KB

=========================================================

Disk: 1
Partition 1
Type  : 0C
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     F                FAT32  Removable   3853 MB  Healthy

=========================================================

Last Boot: 2012-09-05 20:01

==================== End Of Log ============================