Good morning!
ComboFix 11-11-27.02 - Kohen Family 11/28/2011 7:34.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3060.2530 [GMT -5:00]
Running from: c:\users\Kohen Family\Desktop\ComboFix.exe
Command switches used :: c:\users\Kohen Family\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\is-820P7.exe"
"c:\windows\system32\76A0.tmp"
"c:\windows\system32\9D14.tmp"
"c:\windows\system32\drivers\azwqdmsl.sys"
"c:\windows\system32\drivers\durolbsl.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\C55A6
c:\users\Kohen Family\AppData\Roaming\867C5
c:\users\Kohen Family\AppData\Roaming\867C5\55A6.67C
c:\users\Kohen Family\AppData\Roaming\Bbp5JEf9XUlrPy1
c:\users\Kohen Family\AppData\Roaming\Bbp5JEf9XUlrPy1\AV Protection 2011.ico
c:\users\Kohen Family\AppData\Roaming\dHHH66dWK7fR9gX
c:\users\Kohen Family\AppData\Roaming\djYCekIVrOtAuSi
c:\users\Kohen Family\AppData\Roaming\djYCekIVrOtAuSi\AV Security 2012.ico
c:\users\Kohen Family\AppData\Roaming\DonG4amH6W7E8Tq
c:\users\Kohen Family\AppData\Roaming\ES2ibD3pn4Q6W
c:\users\Kohen Family\AppData\Roaming\ES2ibD3pn4Q6W\AV Protection 2011.ico
c:\users\Kohen Family\AppData\Roaming\gcS2ibD3pGa
c:\users\Kohen Family\AppData\Roaming\GobF4pmG5Q
c:\users\Kohen Family\AppData\Roaming\GobF4pmG5Q\Cloud AV 2012.ico
c:\users\Kohen Family\AppData\Roaming\H3pnG5aQHdKfLgX
c:\users\Kohen Family\AppData\Roaming\iwjUVelIBz
c:\users\Kohen Family\AppData\Roaming\jnFFF4pmH5sQJdK
c:\users\Kohen Family\AppData\Roaming\jRRLL99hTXqUCkI
c:\users\Kohen Family\AppData\Roaming\jRRLL99hTXqUCkI\AV Protection 2011.ico
c:\users\Kohen Family\AppData\Roaming\Lm7RwOyDpJgXlNv
c:\users\Kohen Family\AppData\Roaming\nH5Q7dEK8R9YwUe
c:\users\Kohen Family\AppData\Roaming\piD3o5sWJdLgZhX
c:\users\Kohen Family\AppData\Roaming\QiivvD3oon4am5s
c:\users\Kohen Family\AppData\Roaming\R6dEK8fRZhXjCl
c:\users\Kohen Family\AppData\Roaming\R6dEK8fRZhXjCl\AV Protection 2011.ico
c:\users\Kohen Family\AppData\Roaming\rJ77fEEL8gTZhYw
c:\users\Kohen Family\AppData\Roaming\SF33ppmG5aQJdW8
c:\users\Kohen Family\AppData\Roaming\tIBrzPNyx1
c:\users\Kohen Family\AppData\Roaming\tkkkIBBrzONyA0v
c:\users\Kohen Family\AppData\Roaming\vvvDD3onn4amH
c:\users\Kohen Family\AppData\Roaming\weeelIBzNyA1uSo
c:\users\Kohen Family\AppData\Roaming\wfEL8gThYwUrOtP
c:\users\Kohen Family\AppData\Roaming\WFFF3pmG5aQJ
c:\users\Kohen Family\AppData\Roaming\WFFF3pmG5aQJ\AV Protection 2011.ico
c:\users\Kohen Family\AppData\Roaming\WZjBx2mdLjBx2n6
c:\users\Kohen Family\AppData\Roaming\WZjBx2mdLjBx2n6\AV Protection 2011.ico
c:\users\Kohen Family\AppData\Roaming\xCeellIBrzPNyAu
c:\users\Kohen Family\AppData\Roaming\yfEL9gTZqYIrOtP
c:\users\Kohen Family\AppData\Roaming\yfEL9gTZqYIrOtP\AV Security 2012.ico
c:\users\Mr. Vrumbo\AppData\Roaming\867C5
c:\users\Mr. Vrumbo\AppData\Roaming\867C5\55A6.67C
c:\users\Mr. Vrumbo\AppData\Roaming\Apple Computer
c:\users\Mr. Vrumbo\AppData\Roaming\Apple Computer\Logs\asl.081238_21Nov11.log
c:\users\Mr. Vrumbo\AppData\Roaming\axAS26dWfLgXj
c:\users\Mr. Vrumbo\AppData\Roaming\axAS26dWfLgXj\AV Security 2012.ico
c:\users\Mr. Vrumbo\AppData\Roaming\BONtxA0uc2
c:\users\Mr. Vrumbo\AppData\Roaming\BONtxA0uc2\AV Protection 2011.ico
c:\users\Mr. Vrumbo\AppData\Roaming\BpmG5aQJ6W
c:\users\Mr. Vrumbo\AppData\Roaming\cFFF3ppnG5aH6WK
c:\users\Mr. Vrumbo\AppData\Roaming\cFFF3ppnG5aH6WK\AV Security 2012.ico
c:\users\Mr. Vrumbo\AppData\Roaming\daQH6sWK7
c:\users\Mr. Vrumbo\AppData\Roaming\eG4amH6sW7E8qYw
c:\users\Mr. Vrumbo\AppData\Roaming\eoonnF4ppH5
c:\users\Mr. Vrumbo\AppData\Roaming\GwkUVrlOBx0c1
c:\users\Mr. Vrumbo\AppData\Roaming\hE9gTZjYCkVlx0c
c:\users\Mr. Vrumbo\AppData\Roaming\hE9gTZjYCkVlx0c\AV Protection 2011.ico
c:\users\Mr. Vrumbo\AppData\Roaming\HhUIzy0S35HWkOA
c:\users\Mr. Vrumbo\AppData\Roaming\lyyxxA0uvS2i
c:\users\Mr. Vrumbo\AppData\Roaming\MediaWmplay
c:\users\Mr. Vrumbo\AppData\Roaming\MediaWmplay\FlashPlugin\FlashUtil196_ActiveX.exe
c:\users\Mr. Vrumbo\AppData\Roaming\MediaWmplay\FlashPlugin\FlashUtil52_ActiveX.exe
c:\users\Mr. Vrumbo\AppData\Roaming\MediaWmplay\wmiencoder.cfg
c:\users\Mr. Vrumbo\AppData\Roaming\mFF4pmH5sQ
c:\users\Mr. Vrumbo\AppData\Roaming\mFF4pmH5sQ\AV Protection 2011.ico
c:\users\Mr. Vrumbo\AppData\Roaming\mSS22obbF3mG5
c:\users\Mr. Vrumbo\AppData\Roaming\mSS22obbF3mG5\AV Protection 2011.ico
c:\users\Mr. Vrumbo\AppData\Roaming\NelOOttPyc1iDo
c:\users\Mr. Vrumbo\AppData\Roaming\NUVrlOBtx0ci34H
c:\users\Mr. Vrumbo\AppData\Roaming\NUVrlOBtx0ci34H\AV Security 2012.ico
c:\users\Mr. Vrumbo\AppData\Roaming\NvD3onF4aHsJdLg
c:\users\Mr. Vrumbo\AppData\Roaming\NvD3onF4aHsJdLg\AV Security 2012.ico
c:\users\Mr. Vrumbo\AppData\Roaming\oD3onG4aHWEgqYw
c:\users\Mr. Vrumbo\AppData\Roaming\oK7fRL9gTqYeIr
c:\users\Mr. Vrumbo\AppData\Roaming\Pi3QK7fELgZjCk
c:\users\Mr. Vrumbo\AppData\Roaming\Pi3QK7fELgZjCk\AV Protection 2011.ico
c:\users\Mr. Vrumbo\AppData\Roaming\Qyhoil
c:\users\Mr. Vrumbo\AppData\Roaming\SwkUVrlOt01vo4m
c:\users\Mr. Vrumbo\AppData\Roaming\tCCwwkIIVrONtP0
c:\users\Mr. Vrumbo\AppData\Roaming\Urpoxuu
c:\users\Mr. Vrumbo\AppData\Roaming\VTTTZZqhYCwkVrO
c:\users\Mr. Vrumbo\AppData\Roaming\w0S35HWkOAci3QK
c:\users\Mr. Vrumbo\AppData\Roaming\wBtz0ycA1v2n4HQ
c:\windows\is-820P7.exe
c:\windows\system32\76A0.tmp
c:\windows\system32\9D14.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_azwqdmsl
-------\Service_durolbsl
.
.
((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-28 )))))))))))))))))))))))))))))))
.
.
2011-11-28 12:44 . 2011-11-28 12:44 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CE8EA356-BDFB-4D3D-94D9-94A1DD8B0691}\offreg.dll
2011-11-28 12:43 . 2011-11-28 12:43 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Local\temp
2011-11-28 12:43 . 2011-11-28 12:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-28 04:58 . 2009-04-11 04:39 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-11-27 20:41 . 2011-11-27 20:41 -------- d-----w- C:\afdstuff
2011-11-27 07:55 . 2011-04-14 14:59 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-11-27 07:43 . 2009-04-11 04:45 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2011-11-27 07:43 . 2011-04-21 13:58 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-11-27 02:37 . 2011-11-27 02:37 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Roaming\Malwarebytes
2011-11-27 02:06 . 2011-11-27 02:06 -------- d-----w- c:\users\admin
2011-11-25 05:24 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CE8EA356-BDFB-4D3D-94D9-94A1DD8B0691}\mpengine.dll
2011-11-25 04:43 . 2011-11-25 04:43 302592 ----a-w- C:\eurwzonsgmer.exe
2011-11-25 04:43 . 2011-11-25 04:44 607260 ----a-w- C:\dds.scr
2011-11-23 05:04 . 2011-11-23 05:04 -------- d-----w- c:\program files\Sophos
2011-11-23 05:03 . 2011-11-23 05:04 1410192 ----a-w- C:\sophos anti rootkit.exe
2011-11-23 03:00 . 2011-11-25 04:21 -------- d-----w- c:\users\Kohen Family\AppData\Local\LogMeIn Rescue Applet
2011-11-22 00:25 . 2011-11-22 00:25 -------- d-----w- c:\programdata\WeCareReminder
2011-11-22 00:25 . 2011-11-22 00:25 -------- d-----w- c:\program files\Yontoo Layers Runtime
2011-11-22 00:25 . 2011-11-22 00:25 -------- d-----w- c:\program files\FoxTabFLVPlayer
2011-11-16 18:19 . 2011-11-16 18:19 -------- d-----w- c:\users\Mr. Vrumbo\AppData\Local\Apple
2011-11-09 19:07 . 2011-09-20 21:02 913280 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 19:07 . 2011-09-20 13:44 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2011-11-09 19:07 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 23:49 . 2011-10-10 23:50 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E2450EA3-F9BA-48B9-84ED-4A9CC51A9977}\gapaengine.dll
2011-10-07 03:48 . 2011-07-07 19:30 6668624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-03 23:45 . 2011-06-05 13:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-06 13:30 . 2011-10-12 18:01 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-09-01 02:35 . 2011-10-13 07:01 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-09-01 02:28 . 2011-10-13 07:01 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-09-01 02:22 . 2011-10-13 07:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-08-31 22:00 . 2011-07-05 19:20 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-10 13:39 . 2011-07-05 11:55 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-10-20 17:51 2846008 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-10-20 17:51 2846008 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-22 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-22 133656]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-11 4452352]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
mozystat - Shortcut.lnk - c:\program files\MozyHome\mozystat.exe [2009-10-20 2890552]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-6-14 50688]
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-06-14 07:19 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2008-03-11 16:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2008-02-29 04:18 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-579958825-4098481908-445513631-1000]
"EnableNotificationsRef"=dword:00000011
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-579958825-4098481908-445513631-1001]
"EnableNotificationsRef"=dword:00000005
.
R4 dlbk_device;dlbk_device;c:\windows\system32\dlbkcoms.exe [2007-06-26 537840]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-19 00:33]
.
2011-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-19 00:33]
.
2011-11-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-579958825-4098481908-445513631-1000Core.job
- c:\users\Kohen Family\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-26 13:49]
.
2011-11-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-579958825-4098481908-445513631-1000UA.job
- c:\users\Kohen Family\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-26 13:49]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2080614
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {4ECE056F-E50F-4F9D-B069-EB342D21F26A} - hxxp://www2.snapfish.com/SnapfishActivia3.cab
DPF: {8D7624E2-F8CB-412B-9132-FD571DBA78FB} - hxxp://tegrity2.wku.edu/tegrity/_instructor/RecInstaller.CAB
FF - ProfilePath - c:\users\Kohen Family\AppData\Roaming\Mozilla\Firefox\Profiles\ogqkxu5k.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/?pc=Z128&install_date=20111122
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z128&form=ZGAADF&install_date=20111122&q=
FF - user.js: extentions.y2layers.installId - 8625a1ba-eb43-4878-8f4a-915138a31e75
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2011-11-28 07:48
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\D864.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2620)
c:\program files\MozyHome\mozyshell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\MozyHome\mozybackup.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\TomTom HOME 2\TomTomHOMEService.exe
c:\windows\system32\WUDFHost.exe
c:\program files\MozyHome\mozybackup.exe
c:\program files\Tegrity\Recorder\TegSrv.exe
c:\program files\MozyHome\mozybackup.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2011-11-28 07:50:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-28 12:50
.
Pre-Run: 251,638,349,824 bytes free
Post-Run: 248,334,659,584 bytes free
.
- - End Of File - - 4ADC1713F6B28734883CECA728589000
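A small triage helper for logs shaped like the one above. This is an added example, not ComboFix output and not something the poster ran; it splits a ComboFix log into its banner-delimited sections and flags the patterns that stand out in this log (randomly named folders under AppData\Roaming, icons named like rogue AV products, .tmp files directly under system32, eight-letter random service names, and a service ImagePath pointing at a .tmp). The heuristics and their thresholds are my assumptions, the sample log is constructed to mirror the shape of the one above, and a flag means "look at this", not a verdict: legitimate anti-rootkit scanners also load drivers from temp files.

```python
"""Triage helper for ComboFix-style logs (added example, not tool output).

Heuristics (assumptions, not rules from ComboFix):
  * a folder under AppData\Roaming whose name is a 9-15 char mixed-case
    alphanumeric token containing at least one digit;
  * an icon named like a rogue AV product (AV Protection 2011, ...);
  * a *.tmp file directly under system32;
  * a removed service whose name is 8 random lowercase letters;
  * a service ImagePath that points at a *.tmp.
"""
import re
from collections import defaultdict

# "(((( Other Deletions ))))" and "------- Supplementary Scan -------" banners
SECTION_RE = re.compile(r"^(?:\(+|-{3,})\s*(.+?)\s*(?:\)+|-{3,})$")
STAR_BANNER_RE = re.compile(r"^\*{10,}$")
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\([^\\]+)", re.I)
RANDOM_TOKEN_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{9,15}$")
ROGUE_AV_ICON_RE = re.compile(r"\\(?:AV (?:Protection|Security)|Cloud AV) \d{4}\.ico$", re.I)
SYS32_TMP_RE = re.compile(r'\\system32\\[^\\"]+\.tmp"?$', re.I)
SERVICE_RE = re.compile(r"^-+\\Service_([a-z]{8})$")
IMAGEPATH_TMP_RE = re.compile(r'^"ImagePath"=".*\.tmp"$', re.I)


def parse_sections(text):
    """Return {section_title: [lines]}. Lines before the first banner go under
    'header'; lines after a row of asterisks go under 'other'. Lone '.'
    separator lines are dropped."""
    sections = defaultdict(list)
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if STAR_BANNER_RE.match(line):
            current = "other"
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        sections[current].append(line)
    return dict(sections)


def classify(line):
    """Return one reason string for a suspicious line, or None.
    Highest-priority match wins so each line is reported once."""
    if IMAGEPATH_TMP_RE.match(line):
        return "service ImagePath points at a .tmp file"
    if ROGUE_AV_ICON_RE.search(line):
        return "icon named like a rogue AV product"
    m = ROAMING_RE.search(line)
    if m and RANDOM_TOKEN_RE.match(m.group(1)):
        return "random-named folder under AppData\\Roaming"
    if SYS32_TMP_RE.search(line):
        return ".tmp file directly under system32"
    if SERVICE_RE.match(line):
        return "removed service with 8-letter random name"
    return None


def flag_indicators(lines):
    """Return (reason, line) pairs for every line that trips a heuristic."""
    hits = []
    for line in lines:
        reason = classify(line)
        if reason:
            hits.append((reason, line))
    return hits


def triage(text):
    """Parse the log and keep only the sections that contain flagged lines."""
    report = {}
    for section, lines in parse_sections(text).items():
        hits = flag_indicators(lines)
        if hits:
            report[section] = hits
    return report


# Constructed sample, shaped like a ComboFix log; not a real machine's output.
SAMPLE_LOG = r"""
ComboFix 11-11-27.02 - Example User 11/28/2011 7:34.1.2 - x86 NETWORK
.
FILE ::
"c:\windows\system32\76A0.tmp"
"c:\windows\system32\drivers\azwqdmsl.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Example User\AppData\Roaming\Bbp5JEf9XUlrPy1
c:\users\Example User\AppData\Roaming\Bbp5JEf9XUlrPy1\AV Protection 2011.ico
c:\users\Example User\AppData\Roaming\Apple Computer
c:\users\Example User\AppData\Roaming\Apple Computer\Logs\asl.log
c:\windows\system32\76A0.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_azwqdmsl
.
((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-28 )))))))))))))))))))))))))))))))
.
2011-11-27 02:37 . 2011-11-27 02:37 -------- d-----w- c:\users\Example User\AppData\Roaming\Malwarebytes
2011-11-09 19:07 . 2011-09-20 13:44 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\D864.tmp"
"""

if __name__ == "__main__":
    for section, hits in triage(SAMPLE_LOG).items():
        print(f"[{section}]")
        for reason, line in hits:
            print(f"  {reason}: {line}")
```

The digit requirement in RANDOM_TOKEN_RE is what keeps ordinary vendor folders such as Malwarebytes out of the report; it will also miss random names that happen to contain no digit, which is the trade-off to accept in a triage pass rather than a detection rule.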