ComboFix 12-02-17.02 - Bill 02/19/2012 7:58.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1165 [GMT -8:00]
Running from: c:\documents and settings\Bill\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Bill\Desktop\cfscript.txt
AV: PC Cleaners *Disabled/Updated* {737A8864-C2D9-4337-B49A-B5E35815B9BB}
AV: Trend Micro Titanium Maximum Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
.
.
((((((((((((((((((((((((( Files Created from 2012-01-19 to 2012-02-19 )))))))))))))))))))))))))))))))
.
.
2012-02-17 14:50 . 2012-02-17 14:50 -------- d-----w- c:\windows\LastGood
2012-02-15 11:15 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 11:15 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-01 17:19 . 2012-02-01 17:38 723294 ----a-w- c:\windows\unins000.exe
2012-01-27 14:37 . 2012-01-27 14:37 -------- d-----w- c:\documents and settings\Bill\Application Data\Malwarebytes
2012-01-27 14:37 . 2012-01-27 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-27 14:37 . 2012-01-27 14:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-27 14:37 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-24 20:11 . 2012-01-24 20:11 -------- d-----w- c:\documents and settings\Bill\Application Data\SUPERAntiSpyware.com
2012-01-24 20:11 . 2012-01-24 20:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-01-24 20:11 . 2012-01-24 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-01-24 19:09 . 2012-01-24 19:09 388096 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-01-24 17:51 . 2012-02-01 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-01-24 17:51 . 2012-01-24 17:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-01-24 15:29 . 2012-01-24 15:29 -------- d-----w- c:\program files\SpywareBlaster
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-17 14:50 . 2012-01-02 14:25 12984 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2012-01-12 16:53 . 2005-12-29 06:29 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-19 08:13 . 2005-12-29 06:29 832512 ----a-w- c:\windows\system32\wininet.dll
2011-12-19 08:13 . 2005-12-29 06:28 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-12-19 08:13 . 2005-12-29 06:28 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-12-19 08:13 . 2005-12-29 06:28 17408 ------w- c:\windows\system32\corpol.dll
2011-11-25 21:57 . 2005-12-29 06:29 293376 ----a-w- c:\windows\system32\winsrv.dll
2012-02-19 15:01 . 2012-01-24 19:02 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-01-16 20:30 1811296 ----a-w- c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll" [2012-01-16 1811296]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Bill\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Bill\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Bill\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Bill\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SlimDrivers"="c:\program files\SlimDrivers\SlimDrivers.exe" [2011-12-12 27481952]
"Facebook Update"="c:\documents and settings\Bill\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2012-01-05 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"NDSTray.exe"="NDSTray.exe" [BU]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-12-01 671744]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 1077322]
"ZoomingHook"="ZoomingHook.exe" [2005-06-06 24576]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-12-05 28672]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-12-28 73728]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-10-08 1111568]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 116752]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-01-16 939872]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2000-01-01 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2000-01-01 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2000-01-01 131072]
"RTHDCPL"="RTHDCPL.EXE" [2000-01-01 20064872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"ROC_roc_dec12"="c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-16 928096]
.
c:\documents and settings\Bill\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Bill\Application Data\Dropbox\bin\Dropbox.exe [2011-12-5 24242056]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-12-29 155648]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Bill\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Documents and Settings\\Bill\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1886:TCP"= 1886:TCP:Genieo
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 8:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 1:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 3:38 PM 116608]
R2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [5/2/2011 2:37 PM 188272]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [5/2/2011 2:46 PM 64080]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe [1/16/2012 12:30 PM 909152]
R3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [1/17/2012 11:51 AM 6609920]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/2/2011 9:51 PM 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/2/2012 6:46 AM 1691480]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/2/2011 9:51 PM 136176]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [1/2/2012 6:25 AM 12984]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
.
2012-01-25 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2343413112-2627855830-284998304-1006Core.job
- c:\documents and settings\Bill\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2012-01-05 07:10]
.
2012-02-18 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2343413112-2627855830-284998304-1006UA.job
- c:\documents and settings\Bill\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2012-01-05 07:10]
.
2012-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-03 05:51]
.
2012-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-03 05:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.genieo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local;192.168.*.*
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 64.233.207.8 64.233.207.9
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.0.6\ViProtocol.dll
FF - ProfilePath - c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\evoqymkq.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=w3is& ... ,0,6434&p=
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-19 08:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(892)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(600)
c:\windows\system32\WININET.dll
c:\documents and settings\Bill\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\TDispVol.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
Completion time: 2012-02-19 08:19:34
ComboFix-quarantined-files.txt 2012-02-19 16:19
ComboFix2.txt 2012-02-19 15:32
ComboFix3.txt 2012-02-04 14:24
.
Pre-Run: 68,616,884,224 bytes free
Post-Run: 68,613,455,872 bytes free
.
- - End Of File - - 306BCE7F6DCAB5719AC92AD0818A6CD3