Finally, a log from Combofix
ComboFix 12-03-30.06 - donnakeller 04/03/2012 22:31:57.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.687 [GMT -4:00]
Running from: c:\documents and settings\donnakeller\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfapx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfarx.dll
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgntdumpx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgrunasx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avi7.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\compat.ini
c:\documents and settings\All Users\Application Data\TEMP\AVG\crt_x64.msi
c:\documents and settings\All Users\Application Data\TEMP\AVG\files.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\htmlayout.dll
c:\documents and settings\All Users\Application Data\TEMP\AVG\incavi.avm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_cz.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_da.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_es.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_fr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ge.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_hu.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_id.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_in.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_it.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_jp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ko.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ms.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_nl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pb.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ru.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sc.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sk.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_tr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_us.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zh.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaconf.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfacz.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfada.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaes.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfafr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfage.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfahu.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaid.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfain.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfait.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfajp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfako.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfams.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfanl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapb.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaru.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasc.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfask.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfatr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaus.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfavera.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaverx.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazh.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\microavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\miniavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.ini
c:\documents and settings\All Users\Application Data\TEMP\AVG\trialkey.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\vcredis1.cab
c:\documents and settings\All Users\Application Data\TEMP\AVG\vcredist.msi
c:\documents and settings\donnakeller\Application Data\Mozilla\Firefox\Profiles\cy3whktf.default\searchplugins\bing-zugo.xml
c:\documents and settings\donnakeller\Application Data\PriceGong
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\1.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\2229.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\4489.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\83.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\a.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\b.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\c.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\d.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\e.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\f.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\g.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\h.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\i.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\j.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\k.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\l.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\m.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\n.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\o.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\p.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\q.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\r.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\s.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\t.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\u.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\v.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\w.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\x.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\y.txt
c:\documents and settings\donnakeller\Application Data\PriceGong\Data\z.txt
c:\documents and settings\donnakeller\Application Data\Toolbar4
c:\documents and settings\donnakeller\WINDOWS
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\37841a1008243a4c.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\435a26ecf9452ea5.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\8e95f788b664f88b.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\bba3e843c2b7b474.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\dd8cff256a1cdad8.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\dds_log_ad13.cmd
c:\windows\system32\dds_log_trash.cmd
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2012-03-04 to 2012-04-04 )))))))))))))))))))))))))))))))
.
.
2012-04-04 01:40 . 2012-03-13 23:15 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CDE759DC-3945-4FF0-8086-499178D5213E}\mpengine.dll
2012-04-03 00:32 . 2012-04-03 00:32 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-03 00:20 . 2012-03-13 23:15 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-04-01 23:54 . 2012-04-01 23:54 -------- d-----w- c:\program files\Microsoft Security Client
2012-03-30 04:09 . 2012-03-30 04:09 -------- d-----w- c:\documents and settings\donnakeller\Application Data\SUPERAntiSpyware.com
2012-03-30 04:08 . 2012-03-30 04:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-30 04:08 . 2012-03-30 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-03-26 04:40 . 2008-04-13 17:40 57600 -c--a-w- c:\windows\system32\dllcache\redbook.sys
2012-03-26 04:40 . 2008-04-13 17:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-03-25 06:53 . 2012-03-25 06:53 -------- d-----w- c:\documents and settings\donnakeller\Application Data\AVG Secure Search
2012-03-25 06:07 . 2012-03-25 06:07 -------- d-----w- C:\AVGTemp
2012-03-20 04:40 . 2012-03-20 04:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-20 03:54 . 2012-03-20 03:54 -------- d-----w- c:\program files\VS Revo Group
2012-03-20 03:49 . 2010-02-19 03:45 1079272 ----a-w- c:\program files\revosetup.exe
2012-03-19 03:02 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-03-19 03:02 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-19 02:57 . 2012-03-19 02:57 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\IObit
2012-03-19 02:49 . 2012-03-19 02:52 -------- d-----w- c:\program files\TCPOptimizer
2012-03-18 20:50 . 2011-12-30 21:03 21336 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2012-03-18 20:15 . 2012-03-18 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2012-03-18 20:14 . 2012-03-18 20:14 -------- d-----w- c:\documents and settings\donnakeller\Application Data\IObit
2012-03-18 20:14 . 2012-03-18 20:14 -------- d-----w- c:\program files\IObit
2012-03-18 20:03 . 2012-04-01 23:46 -------- d-----w- c:\documents and settings\donnakeller\Application Data\TeamViewer
2012-03-12 04:32 . 2012-03-12 04:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-12 03:38 . 2012-03-12 03:38 356556 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-03-05 03:59 . 2012-03-05 03:59 -------- d-----w- c:\documents and settings\donnakeller\Application Data\Malwarebytes
2012-03-05 03:59 . 2012-03-05 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-05 03:22 . 2012-03-25 07:53 -------- d-----w- c:\documents and settings\Administrator
2012-03-05 03:20 . 2012-03-13 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Secure Search
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-03 09:22 . 2004-08-04 12:00 1860096 ---ha-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2009-10-03 07:48 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-09 16:20 . 2007-12-24 14:00 139784 ---ha-w- c:\windows\system32\drivers\rdpwd.sys
2010-08-06 16:31 . 2009-11-15 20:28 119808 ---ha-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nero PhotoShow Media Manager"="c:\progra~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe" [2006-05-10 249856]
"Advanced SystemCare 5"="c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe" [2011-12-29 620376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-01-16 49152]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
c:\documents and settings\donnakeller\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-2-14 390432]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-08-06 16:31 30192 ---ha-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-03-12 04:38 136176 ----atw- c:\documents and settings\donnakeller\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-06-22 04:33 68856 ---ha-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\GPhotos.scr"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe"=
"c:\\WINDOWS\\system32\\msfeedssync.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Google\\Picasa3\\PicasaUpdater.exe"=
"c:\\Program Files\\Google\\Picasa3\\Picasa3.exe"=
"c:\\WINDOWS\\system32\\wscript.exe"=
"c:\\Documents and Settings\\donnakeller\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Documents and Settings\\donnakeller\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\IObit\\Advanced SystemCare 5\\ASC.exe"=
"c:\\Program Files\\IObit\\Advanced SystemCare 5\\AutoUpdate.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\VS Revo Group\\Revo Uninstaller\\revouninstaller.exe"=
.
R1 mchInjDrv;madCodeHook DLL injection driver;c:\windows\system32\drivers\mchInjDrv.sys [1/28/2009 3:28 PM 2560]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [3/18/2012 4:14 PM 497496]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 7:15 PM 135664]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/20/2012 12:40 AM 652360]
S2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe --> c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe [?]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/22/2008 12:34 AM 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 7:15 PM 135664]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dladresn
nimcdfxk
isamsmt
mr2kserv
CVPND
E1000
atalk
screadspool
rt73
s716bus
opcenum
rpcnet
FVXSCSI
websensecommunicationagent
mi-raysat_3dsmax9_32
houdiniserver
HPSLPSVC
iksysflt
61883
bvrp_pci
CrystalSysInfo
iaimfp2
w550mdm
wampmysqld
irsir
MxlW2k
TPPWRIF
DfwWebAgent
hwdatacard
CAM1210
bthport
TryAndDecideService
SunkFilt
cis1284
AmeLanPc
PGPdisk
prosync1
sfrem01
RR2Mjpeg
winmtsrv
w800bus
uclauncherservice
ipsraidn
apphostsvc
SNC
TPM
fsbwsys
magictuneengine
HFACSVC
enethusb
areschatserver
asp.net
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 04:39]
.
2012-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 04:39]
.
2012-04-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-573735546-682003330-1004Core.job
- c:\documents and settings\donnakeller\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-12 04:38]
.
2012-04-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-573735546-682003330-1004UA.job
- c:\documents and settings\donnakeller\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-12 04:38]
.
2012-04-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
2012-04-04 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
2012-04-04 c:\windows\Tasks\User_Feed_Synchronization-{1E05FE6E-10DE-4035-830E-8D851BC6B289}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://home.joobers.com/
uSearchAssistant = hxxp://search.joobers.com/toolbar/SearchAssistant
uCustomizeSearch = hxxp://search.joobers.com/toolbar/CustomizeSearch
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: cnet.com\download
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll
FF - ProfilePath - c:\documents and settings\donnakeller\Application Data\Mozilla\Firefox\Profiles\cy3whktf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3007394&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3007394&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://www.basicscan.com/?tmp=nemo_results_removelink&prt=BscscnPB&keywords=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: ShopAtHome.com Intelligent Shopping Toolbar: [email protected] - %profile%\extensions\[email protected]
FF - Ext: vShare: vshareus@toolbar - %profile%\extensions\vshareus@toolbar
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: PHPNukeEN Community Toolbar: {dd02a4eb-4afd-4d60-99d8-e67f964ca813} - %profile%\extensions\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}
FF - Ext: WhiteSmoke Bar Community Toolbar: {167d9323-f7cc-48f5-948a-6f012831a69f} - %profile%\extensions\{167d9323-f7cc-48f5-948a-6f012831a69f}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Security Toolbar: avg@toolbar - c:\documents and settings\All Users\Application Data\AVG Secure Search\10.0.0.7
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
Toolbar-{95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKLM-Run-NWEReboot - (no file)
HKLM-Run-hpqSRMon - (no file)
HKLM-Run-SelectRebates - c:\program files\SelectRebates\SelectRebates.exe
HKLM-Run-ROC_roc_dec12 - c:\program files\AVG Secure Search\ROC_roc_dec12.exe
HKLM-Run-vProt - c:\program files\AVG Secure Search\vprot.exe
MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG2012\avgtray.exe
AddRemove-648f1ec7 - c:\windows\system32\648f1ec7.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-03 22:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(704)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2756)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\VTTimer.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\system32\GPhotos.scr
.
**************************************************************************
.
Completion time: 2012-04-03 22:52:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-04 02:52
.
Pre-Run: 6,865,932,288 bytes free
Post-Run: 6,980,030,464 bytes free
.
- - End Of File - - BE106CED2EAA598FC57971758C7ACBAB