ComboFix 13-02-23.01 - Prz3mek 25/02/2013 20:57:06.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3034.1298 [GMT 0:00]
Running from: c:\users\Prz3mek\AppData\Local\Opera\Opera\temporary_downloads\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\auth.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\burnlib.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\dsp_sps.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\enc_fhgaac.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\enc_flac.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\enc_lame.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\enc_vorbis.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\enc_wav.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\enc_wma.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\gen_classicart.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\gen_crasher.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\gen_ff.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\gen_find_on_disk.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\gen_hotkeys.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\gen_jumpex.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\gen_ml.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\gen_nopro.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\gen_orgler.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\gen_skinmanager.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\gen_timerestore.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\gen_tray.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\gen_undo.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\in_avi.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\in_cdda.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\in_dshow.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\in_flac.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\in_flv.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\in_linein.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\in_midi.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\in_mkv.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\in_mod.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\in_mp3.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\in_mp4.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\in_nsv.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\in_swf.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\in_vorbis.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\in_wav.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\in_wave.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\in_wm.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\in_wv.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\ml_addons.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\ml_autotag.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\ml_bookmarks.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\ml_devices.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\ml_disc.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\ml_downloads.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\ml_enqplay.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\ml_history.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\ml_impex.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\ml_local.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\ml_nowplaying.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\ml_online.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\ml_orb.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\ml_playlists.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\ml_plg.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\ml_pmp.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\ml_rg.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\ml_transcode.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\ml_wire.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\ombrowser.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\out_disk.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\out_ds.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\out_wave.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\playlist.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\pmp_activesync.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\pmp_android.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\pmp_ipod.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\pmp_njb.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\pmp_p4s.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\pmp_usb.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\pmp_wifi.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\tagz.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\vis_avs.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\vis_milk2.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\vis_nsfs.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\winamp.lng
c:\users\Prz3mek\AppData\Local\Temp\WLZDF32.tmp\winampa.lng
c:\windows\Installer\{1DCA40DA-93F2-4A81-FA97-47C7DA59A60A}\syshost.exe
.
---- Previous Run -------
.
c:\programdata\ODJvPpaotTb
c:\programdata\ODJvPpaotTb.exe
c:\users\Prz3mek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Repair\System Repair.lnk
c:\users\Prz3mek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Repair\Uninstall System Repair.lnk
c:\windows\system32\drivers\3906761a936742d4.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_3906761a936742d4
-------\Service_3906761a936742d4
.
.
((((((((((((((((((((((((( Files Created from 2013-01-25 to 2013-02-25 )))))))))))))))))))))))))))))))
.
.
2013-02-25 21:33 . 2013-02-25 21:33 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-02-25 21:33 . 2013-02-25 21:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-02-25 06:16 . 2013-02-25 06:16 -------- d-----w- c:\users\Prz3mek\AppData\Local\Wajam
2013-02-25 06:16 . 2013-02-25 06:16 -------- d-----w- c:\program files\Wajam
2013-02-25 06:15 . 2013-02-25 06:15 -------- d-----w- c:\program files\Delta
2013-02-25 06:15 . 2013-02-25 06:15 -------- d-----w- c:\users\Prz3mek\AppData\Roaming\Delta
2013-02-24 21:42 . 2013-02-24 21:42 110080 ----a-r- c:\users\Prz3mek\AppData\Roaming\Microsoft\Installer\{0AC0F1B2-61C7-4B6E-ACEF-58FCC0B94835}\IconF7A21AF7.exe
2013-02-24 21:42 . 2013-02-24 21:42 110080 ----a-r- c:\users\Prz3mek\AppData\Roaming\Microsoft\Installer\{0AC0F1B2-61C7-4B6E-ACEF-58FCC0B94835}\IconD7F16134.exe
2013-02-24 21:42 . 2013-02-24 21:42 110080 ----a-r- c:\users\Prz3mek\AppData\Roaming\Microsoft\Installer\{0AC0F1B2-61C7-4B6E-ACEF-58FCC0B94835}\IconCF33A0CE.exe
2013-02-24 21:42 . 2013-02-24 21:44 -------- d-----w- C:\sh4ldr
2013-02-24 21:42 . 2013-02-24 21:42 -------- d-----w- c:\program files\Enigma Software Group
2013-02-24 21:38 . 2013-02-24 21:42 -------- d-----w- c:\windows\0AC0F1B261C74B6EACEF58FCC0B94835.TMP
2013-02-24 21:38 . 2013-02-24 21:38 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2013-02-24 14:07 . 2013-02-08 00:45 6954968 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7EC960AE-16EE-4BC3-9626-AF6E816E6FCD}\mpengine.dll
2013-02-24 13:52 . 2013-02-25 21:36 -------- d-----w- c:\users\Prz3mek\AppData\Local\temp
2013-02-19 11:22 . 2013-02-19 11:22 -------- d--h--w- c:\users\Prz3mek\AppData\Roaming\RealNetworks
2013-02-15 11:25 . 2003-03-18 20:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2013-02-15 11:25 . 2013-02-15 11:25 -------- d-----w- c:\program files\Alwil Software
2013-02-07 23:22 . 2013-02-07 23:22 16365936 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2098-01-01 02:00 . 2012-07-31 18:55 398416 ----a-w- c:\windows\system\VBRUN300.DLL
2013-02-07 23:22 . 2012-07-16 18:18 74096 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-07 23:22 . 2012-07-16 18:18 697712 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-17 01:28 . 2012-07-14 14:36 232336 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-12-17 19:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-12-17 19:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-12-17 19:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-12-17 19:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALLUpdate"="c:\program files\ALLPlayer\ALLUpdate.exe" [2011-08-16 1379840]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"ODJvPpaotTb.exe"="c:\programdata\ODJvPpaotTb.exe" [BU]
"Browser Infrastructure Helper"="c:\users\Prz3mek\AppData\Local\Smartbar\Application\QuickShare.exe" [2013-02-10 13824]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-11-18 483420]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-11 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-11 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-11 154136]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-11-17 3810304]
"O2DA"="c:\program files\O2 Assistant\bin\sprtcmd.exe" [2011-09-15 206120]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-08-01 200704]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2012-10-04 115032]
"Sweetpacks Communicator"="c:\program files\SweetIM\Communicator\SweetPacksUpdateManager.exe" [2012-08-15 231768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-07-19 296096]
.
c:\users\Prz3mek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
StrongVaultApp.exe [2012-9-7 359424]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\BROWSE~1\261095~1.52\{C16C1~1\BrowserProtect.dll c:\progra~2\BROWSE~1\261095~1.52\{C16C1~1\BrowserProtect.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2010-03-25 02:50 2516296 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenuEx]
2010-04-02 09:18 1185112 ----a-w- c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-07-13 12:33 17418928 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-07-19 20:57 296096 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2012-06-28 15:40 74752 ----a-w- c:\program files\Winamp\winampa.exe
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_ae0b52e0\aestsrv.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-02-02 08:54 1607120 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-16 23:22]
.
2013-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-07-16 18:32]
.
2013-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-07-16 18:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.delta-search.com/?affID=121240&babsrc=HP_ss&mntrId=621ff50400000000000000256449a2a4
mStart Page = hxxp://www.v9.com/?utm_source=b&utm_medium=idd&from=idd&uid=5VC4X2PJ_ST9160314AS&ts=1351202013
uSearchAssistant = hxxp://feed.snap.do/?publisher=QuickOB&dpid=QuickOB&co=GB&userid=eed2ff79-5fcf-4d0f-89b5-07da542a89d5&searchtype=ds&q={searchTerms}&installDate=01/01/1970
TCP: DhcpNameServer = 192.168.1.254
.
Supplementary scan did not complete!
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-25 21:36
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3712)
c:\program files\SweetIM\Messenger\mgAdaptersProxy.dll
c:\windows\Microsoft.NET\Framework\v2.0.50727\Shfusion.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\programdata\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\windows\system32\schtasks.exe
c:\program files\O2 Assistant\bin\sprtsvc.exe
c:\program files\O2 Assistant\bin\tgsrvc.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\WUDFHost.exe
c:\program files\Enigma Software Group\SpyHunter\Spyhunter4.exe
c:\programdata\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe
c:\windows\system32\conime.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\StrongVaultApp.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\werfault.exe
.
**************************************************************************
.
Completion time: 2013-02-25 21:45:51 - machine was rebooted
ComboFix-quarantined-files.txt 2013-02-25 21:45
ComboFix2.txt 2013-02-24 11:31
ComboFix3.txt 2013-01-24 23:19
.
Pre-Run: 14,661,537,792 bytes free
Post-Run: 14,569,787,392 bytes free
.
- - End Of File - - F1C26AE83A3E21257C9F31C922809573