
ComboFix 13-01-14.01 - User 01/15/2013 12:19:21.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2012.1108 [GMT 8:00]
Running from: c:\temp\ComboFix.exe
AV: Kaspersky Anti-Virus *Enabled/Outdated* {AE1D740B-8F0F-D137-211D-873D44B3F4AE}
FW: Kaspersky Anti-Virus *Disabled* {9626F52E-C560-D06F-0A42-2E08BA60B3D5}
SP: Kaspersky Anti-Virus *Enabled/Updated* {157C95EF-A935-DEB9-1BAD-BC4F3F34BE13}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\100
c:\programdata\Amazon.ico
c:\users\User\AppData\Local\Minibar
c:\users\User\AppData\Local\Minibar\chrome\background.html
c:\users\User\AppData\Local\Minibar\chrome\cached_http_request.js
c:\users\User\AppData\Local\Minibar\chrome\extension_info.json
c:\users\User\AppData\Local\Minibar\chrome\icons\icon128.png
c:\users\User\AppData\Local\Minibar\chrome\icons\icon19.png
c:\users\User\AppData\Local\Minibar\chrome\icons\icon32.png
c:\users\User\AppData\Local\Minibar\chrome\icons\icon48.png
c:\users\User\AppData\Local\Minibar\chrome\includes\content.js
c:\users\User\AppData\Local\Minibar\chrome\includes\content_kango.js
c:\users\User\AppData\Local\Minibar\chrome\includes\content_menu.js
c:\users\User\AppData\Local\Minibar\chrome\includes\content_messaging.js
c:\users\User\AppData\Local\Minibar\chrome\includes\content_pageutils.js
c:\users\User\AppData\Local\Minibar\chrome\includes\content_popup.js
c:\users\User\AppData\Local\Minibar\chrome\includes\content_toolbar.js
c:\users\User\AppData\Local\Minibar\chrome\includes\content_toolbar_customfixes.js
c:\users\User\AppData\Local\Minibar\chrome\includes\content_userscript.js
c:\users\User\AppData\Local\Minibar\chrome\initial_config.json
c:\users\User\AppData\Local\Minibar\chrome\kango-ui\button.js
c:\users\User\AppData\Local\Minibar\chrome\kango-ui\toolbar.js
c:\users\User\AppData\Local\Minibar\chrome\kango-ui\ui.js
c:\users\User\AppData\Local\Minibar\chrome\kango\browser.js
c:\users\User\AppData\Local\Minibar\chrome\kango\console.js
c:\users\User\AppData\Local\Minibar\chrome\kango\event_listener.js
c:\users\User\AppData\Local\Minibar\chrome\kango\initialize.js
c:\users\User\AppData\Local\Minibar\chrome\kango\io.js
c:\users\User\AppData\Local\Minibar\chrome\kango\jsonstorage.js
c:\users\User\AppData\Local\Minibar\chrome\kango\kango.js
c:\users\User\AppData\Local\Minibar\chrome\kango\lang.js
c:\users\User\AppData\Local\Minibar\chrome\kango\messaging.js
c:\users\User\AppData\Local\Minibar\chrome\kango\userscript_engine.js
c:\users\User\AppData\Local\Minibar\chrome\kango\xhr.js
c:\users\User\AppData\Local\Minibar\chrome\main.js
c:\users\User\AppData\Local\Minibar\chrome\manifest.json
c:\users\User\AppData\Local\Minibar\chrome\minibar\actions.js
c:\users\User\AppData\Local\Minibar\chrome\minibar\cachedxhr.js
c:\users\User\AppData\Local\Minibar\chrome\minibar\config.js
c:\users\User\AppData\Local\Minibar\chrome\minibar\macros.js
c:\users\User\AppData\Local\Minibar\chrome\minibar\minibar.js
c:\users\User\AppData\Local\Minibar\chrome\MinibarPlugin.dll
c:\users\User\AppData\Local\Minibar\chrome\popup.html
c:\users\User\AppData\Local\Minibar\chrome\popup.js
c:\users\User\AppData\Local\Minibar\chrome\tab.html
c:\users\User\AppData\Local\Minibar\chrome\tab.js
c:\users\User\AppData\Local\Minibar\chrome_installer.js
c:\users\User\AppData\Local\Minibar\common.js
c:\users\User\AppData\Local\Minibar\firefox\chrome.manifest
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\content.xul
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\extension_info.json
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\icons\icon128.png
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\icons\icon19.png
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\icons\icon32.png
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\icons\icon48.png
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\initial_config.json
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango-ui\button.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango-ui\popup.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango-ui\popup_window.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango-ui\popup_window.xul
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\bottom-left.png
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\bottom-middle.png
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\bottom-right.png
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\middle-left.png
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\middle-right.png
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\style.css
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\tail-bottom.png
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\tail-left.png
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\tail-right.png
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\tail-top.png
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\top-left.png
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\top-middle.png
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango-ui\theme\bubble\top-right.png
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango-ui\toolbar.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango-ui\toolbar_stub.html
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango-ui\ui.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango\browser.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango\console.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango\event_listener.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango\initialize.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango\io.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango\jsonstorage.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango\kango.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango\lang.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango\messaging.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango\storage.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango\uninstall_observer.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango\userscript_engine.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\kango\xhr.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\main.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\minibar\actions.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\minibar\cachedxhr.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\minibar\config.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\minibar\homepage_helper.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\minibar\macros.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\minibar\minibar.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\minibar\search_helper.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\minibar\search_hook.js
c:\users\User\AppData\Local\Minibar\firefox\chrome\content\minibar\tabpage_helper.js
c:\users\User\AppData\Local\Minibar\firefox\install.rdf
c:\users\User\AppData\Local\Minibar\firefox\plugins\npMinibarPlugin.dll
c:\users\User\AppData\Local\Minibar\firefox_installer.js
c:\users\User\AppData\Local\Minibar\ie_installer.js
c:\users\User\AppData\Local\Minibar\install.json
c:\users\User\AppData\Local\Minibar\minibar.crx
c:\users\User\AppData\Local\Minibar\minibar.xpi
c:\users\User\AppData\Local\Minibar\SettingsHelper.exe
c:\users\User\AppData\Local\Minibar\Uninstall.exe
E:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-12-15 to 2013-01-15 )))))))))))))))))))))))))))))))
.
.
2013-01-15 04:25 . 2013-01-15 04:25 -------- d-----w-
c:\users\Default\AppData\Local\temp
2013-01-10 06:32 . 2013-01-10 06:32 -------- d-----w- c:\programdata\Avira
2013-01-10 06:31 . 2013-01-10 06:31 -------- d-----w- c:\program files\Avira
2013-01-07 23:28 . 2012-10-10 01:16 4560 ---ha-w- c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Servieca.vbs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-09 02:44 . 2012-07-10 02:31 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-09 02:44 . 2012-07-10 02:31 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-11 04:22 . 2013-01-11 04:22 262704 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn2\yt.dll" [2012-06-11 1524056]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-12-09 04:51 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-02-08 00:49 22376 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CNAP2 Launcher"="c:\windows\system32\spool\DRIVERS\W32X86\3\CNAP2LAK.EXE" [2007-09-05 406944]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-30 39408]
"SDP"="c:\program files\FilesFrog Update Checker\update_checker.exe" [2012-05-31 200784]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2012-10-26 3540416]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"CNAP2 Launcher"="c:\windows\system32\spool\DRIVERS\W32X86\3\CNAP2LAK.EXE" [2007-09-05 406944]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-05-09 273544]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
.
c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
Servieca.vbs [2012-10-10 4560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R3 SyDvCtrl;SyDvCtrl;c:\program files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\SyDvCtrl32.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\Drivers\SEP\0C0103E8\009D.105\x86\SYMDS.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\Drivers\SEP\0C0103E8\009D.105\x86\SYMEFA.SYS [x]
S1 BHDrvx86;BHDrvx86;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Definitions\BASHDefs\20130107.011\BHDrvx86.sys [x]
S1 IDSVix86;IDSVix86;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Definitions\IPSDefs\20130113.001\IDSvix86.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\Drivers\SEP\0C0103E8\009D.105\x86\Ironx86.SYS [x]
S1 SYMNETS;Symantec Network Security WFP Driver;c:\windows\system32\Drivers\SEP\0C0103E8\009D.105\x86\SYMNETS.SYS [x]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [x]
S2 SepMasterService;Symantec Endpoint Protection;c:\program files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-10 02:44]
.
2013-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-30 03:46]
.
2013-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-30 03:46]
.
2013-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4294724087-2786420965-353509924-1001Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-24 02:08]
.
2013-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4294724087-2786420965-353509924-1001UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-24 02:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.bigseekpro.com/howfytdl/{C77FB054-4053-6396-0B27-D48440A72C5A}
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: 111222.cn\list1
Trusted Zone: pps.tv\kan
Trusted Zone: pps.tv\list1
Trusted Zone: pps.tv\tvguide
Trusted Zone: pps.tv\vodguide
Trusted Zone: ppstream.com\list1
Trusted Zone: ppstream.com\notice
Trusted Zone: ppstream.com\xml1
Trusted Zone: ppstream.com\xml2
Trusted Zone: ppstream.com\xml3
Trusted Zone: ppstream.net\list1
Trusted Zone: ppstv.com\list1
Trusted Zone: ppstv.net\list1
Trusted Zone: security_PPStream.exe
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\3q3mfbpl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bigseekpro.com/search/toolbar/howfytdl/{C77FB054-4053-6396-0B27-D48440A72C5A}?q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://www.bigseekpro.com/search/toolbar/howfytdl/{C77FB054-4053-6396-0B27-D48440A72C5A}?q=
FF - user.js: extensions.BabylonToolbar_i.id - 68f1dd0e0000000000006cf0494e8530
FF - user.js: extensions.BabylonToolbar_i.hardId - 68f1dd0e0000000000006cf0494e8530
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15384
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1710:38
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - tt=090212_ctrl
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - (no file)
WebBrowser-{09EC805C-CB2E-4D53-B0D3-A75A428B81C7} - (no file)
HKCU-Run-PPS Accelerator - e:\pps.tv\PPStream\ppsap.exe
Notify-SEP - c:\program files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\WinLogoutNotifier.dll
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SepMasterService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\" /m \"c:\program files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\sms.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SmcService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\Smc.exe\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4294724087-2786420965-353509924-1001_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):fc,be,c9,98,74,f9,e9,42,03,90,db,ed,48,de,09,06,4c,10,ee,8b,bf,
ed,59,4c,0a,aa,a1,ea,a9,39,ea,53,f1,05,e3,9a,25,22,64,ea,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-4294724087-2786420965-353509924-1001_Classes\CLSID\{ce10180e-8f19-460c-a519-41a2273dcf48}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:0000000d
"Therad"=dword:0000001a
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-01-15 12:29:11
ComboFix-quarantined-files.txt 2013-01-15 04:29
.
Pre-Run: 88,410,427,392 bytes free
Post-Run: 89,273,036,800 bytes free
.
- - End Of File - - 883020846F1800421FA5FC0675892A9F
ComboFix 13-01-15.02 - User 01/16/2013 13:38:07.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2012.1054 [GMT 8:00]
Running from: c:\temp\ComboFix.exe
AV: Kaspersky Anti-Virus *Enabled/Outdated* {AE1D740B-8F0F-D137-211D-873D44B3F4AE}
FW: Kaspersky Anti-Virus *Disabled* {9626F52E-C560-D06F-0A42-2E08BA60B3D5}
SP: Kaspersky Anti-Virus *Enabled/Updated* {157C95EF-A935-DEB9-1BAD-BC4F3F34BE13}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-12-16 to 2013-01-16 )))))))))))))))))))))))))))))))
.
.
2013-01-16 05:43 . 2013-01-16 05:43 -------- d-----w-
c:\windows\system32\config\systemprofile\AppData\Local\temp
2013-01-16 05:43 . 2013-01-16 05:43 -------- d-----w-
c:\users\Default\AppData\Local\temp
2013-01-10 06:32 . 2013-01-10 06:32 -------- d-----w- c:\programdata\Avira
2013-01-10 06:31 . 2013-01-10 06:31 -------- d-----w- c:\program files\Avira
2013-01-07 23:28 . 2012-10-10 01:16 4560 ---ha-w- c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Servieca.vbs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-09 02:44 . 2012-07-10 02:31 74248 ----a-w-
c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-09 02:44 . 2012-07-10 02:31 697864 ----a-w-
c:\windows\system32\FlashPlayerApp.exe
2013-01-11 04:22 . 2013-01-11 04:22 262704 ----a-w- c:\program files\mozilla
firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program
files\Yahoo!\Companion\Installs\cpn2\yt.dll" [2012-06-11 1524056]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-
08FBA6BD249D}]
2010-12-09 04:51 3911776 ----a-w- c:\program
files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program
files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconove
rlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-02-08 00:49 22376 ----a-w- c:\program files\Internet Download
Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CNAP2 Launcher"="c:\windows\system32\spool\DRIVERS\W32X86\3\CNAP2LAK.EXE" [2007-
09-05 406944]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
[2011-03-30 39408]
"SDP"="c:\program files\FilesFrog Update Checker\update_checker.exe" [2012-05-31
200784]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2012-10-26 3540416]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23
56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"
[2006-12-05 54832]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
[2006-10-26 31016]
"CNAP2 Launcher"="c:\windows\system32\spool\DRIVERS\W32X86\3\CNAP2LAK.EXE" [2007-
09-05 406944]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-05-09
273544]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader
9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03
946352]
.
c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft
Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
Servieca.vbs [2012-10-10 4560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security
center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R3 SyDvCtrl;SyDvCtrl;c:\program files\Symantec\Symantec Endpoint
Protection\12.1.1000.157.105\Bin\SyDvCtrl32.sys [x]
S0 SymDS;Symantec Data
Store;c:\windows\system32\Drivers\SEP\0C0103E8\009D.105\x86\SYMDS.SYS [x]
S0 SymEFA;Symantec Extended File
Attributes;c:\windows\system32\Drivers\SEP\0C0103E8\009D.105\x86\SYMEFA.SYS [x]
S1 BHDrvx86;BHDrvx86;c:\programdata\Symantec\Symantec Endpoint
Protection\12.1.1000.157.105\Data\Definitions\BASHDefs\20130107.011\BHDrvx86.sys
[x]
S1 IDSVix86;IDSVix86;c:\programdata\Symantec\Symantec Endpoint
Protection\12.1.1000.157.105\Data\Definitions\IPSDefs\20130115.001\IDSvix86.sys [x]
S1 SymIRON;Symantec Iron
Driver;c:\windows\system32\Drivers\SEP\0C0103E8\009D.105\x86\Ironx86.SYS [x]
S1 SYMNETS;Symantec Network Security WFP
Driver;c:\windows\system32\Drivers\SEP\0C0103E8\009D.105\x86\SYMNETS.SYS [x]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [x]
S2 SepMasterService;Symantec Endpoint Protection;c:\program files\Symantec\Symantec
Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec
Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-10
02:44]
.
2013-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-30 03:46]
.
2013-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-30 03:46]
.
2013-01-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4294724087-2786420965-
353509924-1001Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-24 02:08]
.
2013-01-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4294724087-2786420965-
353509924-1001UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-24 02:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.bigseekpro.com/howfytdl/{C77FB054-4053-6396-0B27-
D48440A72C5A}
IE: Download all links with IDM - c:\program files\Internet Download
Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: 111222.cn\list1
Trusted Zone: pps.tv\kan
Trusted Zone: pps.tv\list1
Trusted Zone: pps.tv\tvguide
Trusted Zone: pps.tv\vodguide
Trusted Zone: ppstream.com\list1
Trusted Zone: ppstream.com\notice
Trusted Zone: ppstream.com\xml1
Trusted Zone: ppstream.com\xml2
Trusted Zone: ppstream.com\xml3
Trusted Zone: ppstream.net\list1
Trusted Zone: ppstv.com\list1
Trusted Zone: ppstv.net\list1
Trusted Zone: security_PPStream.exe
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath -
c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\3q3mfbpl.default\
FF - prefs.js: browser.search.defaulturl -
hxxp://www.bigseekpro.com/search/toolbar/howfytdl/{C77FB054-4053-6396-0B27-
D48440A72C5A}?q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://www.bigseekpro.com/search/toolbar/howfytdl/
{C77FB054-4053-6396-0B27-D48440A72C5A}?q=
FF - user.js: extensions.BabylonToolbar_i.id - 68f1dd0e0000000000006cf0494e8530
FF - user.js: extensions.BabylonToolbar_i.hardId - 68f1dd0e0000000000006cf0494e8530
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15384
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1710:38
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - tt=090212_ctrl
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SepMasterService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint
Protection\12.1.1000.157.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\"
/m \"c:\program files\Symantec\Symantec Endpoint
Protection\12.1.1000.157.105\Bin\sms.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SmcService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint
Protection\12.1.1000.157.105\Bin\Smc.exe\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4294724087-2786420965-353509924-1001_Classes\CLSID\{5ED60779-
4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):fc,be,c9,98,74,f9,e9,42,03,90,db,ed,48,de,09,06,4c,10,ee,8b,bf,
ed,59,4c,0a,aa,a1,ea,a9,39,ea,53,f1,05,e3,9a,25,22,64,ea,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-4294724087-2786420965-353509924-1001_Classes\CLSID\{ce10180e-
8f19-460c-a519-41a2273dcf48}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:0000000e
"Therad"=dword:0000001b
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_14
6_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-
0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-
0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-
0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-
0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-
0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-
0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-01-16 13:46:08
ComboFix-quarantined-files.txt 2013-01-16 05:46
ComboFix2.txt 2013-01-15 04:29
.
Pre-Run: 89,379,778,560 bytes free
Post-Run: 89,238,671,360 bytes free
.
- - End Of File - - 08EA0383E85021BEC32F1365662D4A0F
ComboFix 13-02-24.01 - User 25/02/2013 9:20.4.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2012.971 [GMT 8:00]
Running from: c:\temp\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2013-01-25 to 2013-02-25 )))))))))))))))))))))))))))))))
.
.
2013-02-25 01:26 . 2013-02-25 01:26 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2013-02-25 01:26 . 2013-02-25 01:26 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-02-25 01:26 . 2013-02-25 01:26 -------- d-----w- c:\users\Default\AppData\Local\temp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-17 23:44 . 2012-07-10 02:31 74096 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-17 23:44 . 2012-07-10 02:31 697712 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-02-05 23:49 . 2013-02-05 23:49 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn2\yt.dll" [2012-06-11 1524056]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-12-09 04:51 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CNAP2 Launcher"="c:\windows\system32\spool\DRIVERS\W32X86\3\CNAP2LAK.EXE" [2007-09-05 406944]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-30 39408]
"SDP"="c:\program files\FilesFrog Update Checker\update_checker.exe" [2012-05-31 200784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"CNAP2 Launcher"="c:\windows\system32\spool\DRIVERS\W32X86\3\CNAP2LAK.EXE" [2007-09-05 406944]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-05-09 273544]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
.
c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
Servieca.vbs [2012-10-10 0]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R3 SyDvCtrl;SyDvCtrl;c:\program files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\SyDvCtrl32.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\Drivers\SEP\0C0103E8\009D.105\x86\SYMDS.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\Drivers\SEP\0C0103E8\009D.105\x86\SYMEFA.SYS [x]
S1 BHDrvx86;BHDrvx86;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Definitions\BASHDefs\20130208.011\BHDrvx86.sys [x]
S1 IDSVix86;IDSVix86;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Definitions\IPSDefs\20130216.001\IDSvix86.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\Drivers\SEP\0C0103E8\009D.105\x86\Ironx86.SYS [x]
S1 SYMNETS;Symantec Network Security WFP Driver;c:\windows\system32\Drivers\SEP\0C0103E8\009D.105\x86\SYMNETS.SYS [x]
S2 SepMasterService;Symantec Endpoint Protection;c:\program files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-10 23:44]
.
2013-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-30 03:46]
.
2013-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-30 03:46]
.
2013-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4294724087-2786420965-353509924-1001Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-24 02:08]
.
2013-02-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4294724087-2786420965-353509924-1001UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-24 02:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_1
mStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: 111222.cn\list1
Trusted Zone: pps.tv\kan
Trusted Zone: pps.tv\list1
Trusted Zone: pps.tv\tvguide
Trusted Zone: pps.tv\vodguide
Trusted Zone: ppstream.com\list1
Trusted Zone: ppstream.com\notice
Trusted Zone: ppstream.com\xml1
Trusted Zone: ppstream.com\xml2
Trusted Zone: ppstream.com\xml3
Trusted Zone: ppstream.net\list1
Trusted Zone: ppstv.com\list1
Trusted Zone: ppstv.net\list1
Trusted Zone: security_PPStream.exe
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\3q3mfbpl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bigseekpro.com/search/toolbar/howfytdl/{C77FB054-4053-6396-0B27-D48440A72C5A}?q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://www.bigseekpro.com/search/toolbar/howfytdl/{C77FB054-4053-6396-0B27-D48440A72C5A}?q=
FF - user.js: extensions.BabylonToolbar_i.id - 68f1dd0e0000000000006cf0494e8530
FF - user.js: extensions.BabylonToolbar_i.hardId - 68f1dd0e0000000000006cf0494e8530
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15384
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1710:38
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - tt=090212_ctrl
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SepMasterService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\" /m \"c:\program files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\sms.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SmcService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\Smc.exe\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4294724087-2786420965-353509924-1001_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):fc,be,c9,98,74,f9,e9,42,03,90,db,ed,48,de,09,06,4c,10,ee,8b,bf,
ed,59,4c,0a,aa,a1,ea,a9,39,ea,53,f1,05,e3,9a,25,22,64,ea,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-4294724087-2786420965-353509924-1001_Classes\CLSID\{ce10180e-8f19-460c-a519-41a2273dcf48}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000011
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,75,07,18,dd,fb,11,42,94,27,b7,99,0d,2a,ba,05,1a,a2,02,c9,3e,9b,f9,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1152)
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
c:\progra~1\WINZIP\WZSHLSTB.DLL
c:\progra~1\WINZIP\wzshlex1.dll
c:\progra~1\WINZIP\WZCAB3.DLL
.
Completion time: 2013-02-25 09:29:24
ComboFix-quarantined-files.txt 2013-02-25 01:29
ComboFix2.txt 2013-01-16 05:46
ComboFix3.txt 2013-01-15 04:29
.
Pre-Run: 81,724,760,064 bytes free
Post-Run: 81,634,070,528 bytes free
.
- - End Of File - - 4A6D6D6C99D322EDA78C4B2CE441756A
