
ComboFix 13-03-17.01 - User 19/03/2013 7:44.5.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2012.1182 [GMT 8:00]
Running from: c:\temp\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Symantec Endpoint Protection *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2013-02-18 to 2013-03-18 )))))))))))))))))))))))))))))))
.
.
2013-03-18 23:50 . 2013-03-18 23:50 -------- d-----w-
c:\windows\system32\config\systemprofile\AppData\Local\temp
2013-03-18 23:50 . 2013-03-18 23:50 -------- d-----w-
c:\users\Public\AppData\Local\temp
2013-03-18 23:50 . 2013-03-18 23:50 -------- d-----w-
c:\users\Default\AppData\Local\temp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-13 02:51 . 2012-07-10 02:31 73432 ----a-w-
c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-13 02:51 . 2012-07-10 02:31 693976 ----a-w-
c:\windows\system32\FlashPlayerApp.exe
2013-03-11 01:30 . 2013-03-11 01:30 263064 ----a-w- c:\program files\mozilla
firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program
files\Yahoo!\Companion\Installs\cpn2\yt.dll" [2012-06-11 1524056]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-12-09 04:51 3911776 ----a-w- c:\program
files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program
files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CNAP2 Launcher"="c:\windows\system32\spool\DRIVERS\W32X86\3\CNAP2LAK.EXE" [2007-
09-05 406944]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
[2011-03-30 39408]
"SDP"="c:\program files\FilesFrog Update Checker\update_checker.exe" [2012-05-31
200784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23
56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"
[2006-12-05 54832]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
[2006-10-26 31016]
"CNAP2 Launcher"="c:\windows\system32\spool\DRIVERS\W32X86\3\CNAP2LAK.EXE" [2007-
09-05 406944]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-05-09
273544]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader
9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03
946352]
.
c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft
Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
Servieca.vbs [2012-10-10 0]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R3 SyDvCtrl;SyDvCtrl;c:\program files\Symantec\Symantec Endpoint
Protection\12.1.1000.157.105\Bin\SyDvCtrl32.sys [x]
S0 SymDS;Symantec Data
Store;c:\windows\system32\Drivers\SEP\0C0103E8\009D.105\x86\SYMDS.SYS [x]
S0 SymEFA;Symantec Extended File
Attributes;c:\windows\system32\Drivers\SEP\0C0103E8\009D.105\x86\SYMEFA.SYS [x]
S1 BHDrvx86;BHDrvx86;c:\programdata\Symantec\Symantec Endpoint
Protection\12.1.1000.157.105\Data\Definitions\BASHDefs\20130301.011\BHDrvx86.sys
[x]
S1 IDSVix86;IDSVix86;c:\programdata\Symantec\Symantec Endpoint
Protection\12.1.1000.157.105\Data\Definitions\IPSDefs\20130312.001\IDSvix86.sys [x]
S1 SymIRON;Symantec Iron
Driver;c:\windows\system32\Drivers\SEP\0C0103E8\009D.105\x86\Ironx86.SYS [x]
S1 SYMNETS;Symantec Network Security WFP
Driver;c:\windows\system32\Drivers\SEP\0C0103E8\009D.105\x86\SYMNETS.SYS [x]
S2 SepMasterService;Symantec Endpoint Protection;c:\program files\Symantec\Symantec
Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec
Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-10
02:51]
.
2013-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-30 03:46]
.
2013-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-30 03:46]
.
2013-03-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4294724087-2786420965-
353509924-1001Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-24 02:08]
.
2013-03-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4294724087-2786420965-
353509924-1001UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-24 02:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?
inid=biz_SR_sep_V12_1_MR_1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: 111222.cn\list1
Trusted Zone: pps.tv\kan
Trusted Zone: pps.tv\list1
Trusted Zone: pps.tv\tvguide
Trusted Zone: pps.tv\vodguide
Trusted Zone: ppstream.com\list1
Trusted Zone: ppstream.com\notice
Trusted Zone: ppstream.com\xml1
Trusted Zone: ppstream.com\xml2
Trusted Zone: ppstream.com\xml3
Trusted Zone: ppstream.net\list1
Trusted Zone: ppstv.com\list1
Trusted Zone: ppstv.net\list1
Trusted Zone: security_PPStream.exe
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath -
c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\3q3mfbpl.default\
FF - prefs.js: browser.search.defaulturl -
hxxp://www.bigseekpro.com/search/toolbar/howfytdl/{C77FB054-4053-6396-0B27-
D48440A72C5A}?q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://www.bigseekpro.com/search/toolbar/howfytdl/
{C77FB054-4053-6396-0B27-D48440A72C5A}?q=
FF - user.js: extensions.BabylonToolbar_i.id - 68f1dd0e0000000000006cf0494e8530
FF - user.js: extensions.BabylonToolbar_i.hardId - 68f1dd0e0000000000006cf0494e8530
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15384
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1710:38
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - tt=090212_ctrl
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SepMasterService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint
Protection\12.1.1000.157.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\"
/m \"c:\program files\Symantec\Symantec Endpoint
Protection\12.1.1000.157.105\Bin\sms.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SmcService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint
Protection\12.1.1000.157.105\Bin\Smc.exe\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4294724087-2786420965-353509924-1001_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):fc,be,c9,98,74,f9,e9,42,03,90,db,ed,48,de,09,06,4c,10,ee,8b,bf,
ed,59,4c,0a,aa,a1,ea,a9,39,ea,53,f1,05,e3,9a,25,22,64,ea,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-4294724087-2786420965-353509924-1001_Classes\CLSID\{ce10180e-8f19-460c-a519-41a2273dcf48}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000011
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,75,07,18,dd,fb,11,42,94,27,b7,99,0d,2a,ba,05,1a,a2,02,c9,3e,9b,f9,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_18
0_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2436)
c:\progra~1\WINZIP\WZSHLSTB.DLL
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
c:\windows\System32\NLSLexicons0009.dll
.
Completion time: 2013-03-19 07:53:48
ComboFix-quarantined-files.txt 2013-03-18 23:53
ComboFix2.txt 2013-02-25 01:29
ComboFix3.txt 2013-01-16 05:46
ComboFix4.txt 2013-01-15 04:29
.
Pre-Run: 85,384,798,208 bytes free
Post-Run: 85,233,471,488 bytes free
.
- - End Of File - - 0CA74ABF378827CE57B375C7E5ED5948
