Ran Combofix again. Allowed to update to latest version. Log follows.
FYI - while it was scanning, Windows error appeared saying "pev.exe has encountered a problem and will be shut down."
There was an infected file found.
ComboFix 12-09-10.04 - GERALD WERBIN 09/10/2012 22:42:05.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.2679 [GMT -4:00]
Running from: c:\documents and settings\GERALD WERBIN\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\GERALD WERBIN\WINDOWS
c:\windows\dasetup.log
c:\windows\system\olepro32.dll
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\erdnt\cache\userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-11 to 2012-09-11 )))))))))))))))))))))))))))))))
.
.
2012-09-10 18:36 . 2012-09-10 18:36 -------- d-----w- c:\program files\Foxit Software
2012-09-09 14:25 . 2012-09-09 14:25 -------- d-----w- c:\documents and settings\GERALD WERBIN\Application Data\KeePass
2012-09-06 18:17 . 2012-09-06 18:17 -------- d-----w- c:\program files\ESET
2012-09-06 15:10 . 2012-07-02 17:49 206848 ----a-w- c:\windows\system\occache.dll
2012-09-06 14:55 . 2012-09-06 14:55 -------- d-----w- c:\program files\Auslogics
2012-09-05 07:16 . 2012-09-10 17:32 -------- d-----w- c:\documents and settings\GERALD WERBIN\Application Data\ElevatedDiagnostics
2012-09-05 06:02 . 2012-09-05 06:02 -------- d-----w- c:\program files\CCleaner
2012-09-04 15:35 . 2012-09-04 15:35 -------- d-----w- c:\documents and settings\GERALD WERBIN\DoctorWeb
2012-09-03 06:21 . 2012-09-03 06:21 388096 ----a-r- c:\documents and settings\GERALD WERBIN\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-09-03 06:21 . 2012-09-03 06:21 -------- d-----w- c:\program files\Trend Micro
2012-09-02 16:53 . 2012-09-02 16:53 -------- d-----w- c:\documents and settings\GERALD WERBIN\Application Data\Malwarebytes
2012-09-02 16:53 . 2012-09-02 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-09-02 16:53 . 2012-09-02 16:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-02 16:53 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-01 21:12 . 2012-09-01 21:12 -------- d-----w- c:\documents and settings\GERALD WERBIN\Application Data\Safer Networking
2012-09-01 21:11 . 2012-09-01 21:11 -------- d-----w- c:\program files\Safer Networking
2012-08-31 12:09 . 2012-08-31 12:09 -------- d-----w- c:\program files\Common Files\Java
2012-08-31 12:09 . 2012-08-31 12:08 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-08-31 12:08 . 2012-08-31 12:08 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-08-31 00:53 . 2012-08-31 00:53 -------- d-----w- c:\program files\iPod
2012-08-31 00:53 . 2012-08-31 00:55 -------- d-----w- c:\program files\iTunes
2012-08-31 00:17 . 2012-08-31 00:17 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2012-08-31 00:17 . 2012-08-31 00:17 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2012-08-31 00:17 . 2012-08-31 00:17 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2012-08-31 00:17 . 2012-08-31 00:17 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2012-08-31 00:17 . 2012-08-31 00:17 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2012-08-31 00:17 . 2012-08-31 00:17 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2012-08-31 00:17 . 2012-08-31 00:17 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2012-08-31 00:15 . 2012-08-31 00:17 -------- d-----w- c:\program files\QuickTime
2012-08-30 16:36 . 2012-09-10 17:23 -------- d-----w- c:\program files\KeePass Password Safe
2012-08-30 16:35 . 2012-08-30 16:35 -------- d-----w- c:\program files\MSXML 4.0
2012-08-30 16:31 . 2012-08-30 16:31 -------- d-----w- c:\documents and settings\GERALD WERBIN\Local Settings\Application Data\Secunia PSI
2012-08-30 16:31 . 2012-08-30 16:31 -------- d-----w- c:\program files\Secunia
2012-08-30 13:04 . 2012-08-30 13:04 -------- d-----w- c:\windows\system32\wbem\Repository
2012-08-30 12:38 . 2012-08-30 12:38 -------- d-----w- c:\documents and settings\GERALD WERBIN\Application Data\SUPERAntiSpyware.com
2012-08-30 12:37 . 2012-09-10 20:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-08-30 12:37 . 2012-08-30 12:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERSetup
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-04 00:41 . 2012-03-29 11:07 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-04 00:41 . 2011-06-27 11:21 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-31 12:08 . 2012-05-14 12:23 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-31 12:08 . 2010-11-09 21:09 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-06 13:58 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05 . 2005-08-16 10:37 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2005-08-16 10:18 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2005-08-16 10:18 916992 ----a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2005-08-16 10:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49 . 2005-08-16 10:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05 . 2005-08-16 10:18 385024 ----a-w- c:\windows\system32\html.iec
2012-06-25 20:04 . 2012-06-25 20:04 1394248 ----a-w- c:\windows\system32\msxml4.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"HostManager"="c:\program files\Common Files\AOL\1135344252\ee\AOLSoftware.exe" [2010-03-08 41800]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-22 1318816]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2012-06-04 1466760]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\GERALD WERBIN\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
Monitor Ink Alerts - HP Photosmart 7510 series.lnk - c:\windows\system32\RunDll32.exe [2005-8-16 33280]
SocialButterfly.lnk - c:\program files\Blue Mountain Social Butterfly\SocialButterfly\SocialButterfly.exe [2010-10-8 142336]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL OnePoint.lnk - c:\program files\AOL OnePoint\IDVault.exe [2012-5-23 6186328]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^024h Lucky Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\024h Lucky Reminder.lnk
backup=c:\windows\pss\024h Lucky Reminder.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2005-05-15 08:04 332800 ----a-w- c:\program files\Dell Support\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2009-06-03 19:46 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-03-24 01:17 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 02:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 16:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 16:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-06-07 23:33 421776 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2010-12-13 18:37 135536 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
2004-11-11 16:26 26112 ----a-w- c:\program files\Intuit\QuickBooks 2005\Atom\QBReminder.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ReminderApp]
2005-08-30 22:30 145104 ----a-w- c:\program files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2005-03-22 22:20 339968 -c--a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135344252\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\AOL Desktop 9.6\\waol.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\AOL Desktop 9.7\\waol.exe"=
"c:\\Program Files\\AOL Desktop 9.7\\AOLBrowser\\aolbrowser.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\AOL Desktop 9.7a\\waol.exe"=
"c:\\Program Files\\AOL Desktop 9.7a\\AOLBrowser\\aolbrowser.exe"=
"c:\\Program Files\\AOL Desktop 9.7b\\waol.exe"=
"c:\\Program Files\\AOL Desktop 9.7b\\AOLBrowser\\aolbrowser.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*
isabled:Windows Remote Management
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [9/29/2011 7:20 PM 89792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 IDVaultSvc;AOL OnePoint Service;c:\program files\AOL OnePoint\IDVaultSvc.exe [5/23/2012 6:29 PM 65368]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/29/2011 7:20 PM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/29/2011 7:20 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [9/29/2011 7:21 PM 161632]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [9/29/2011 7:15 PM 151880]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [9/29/2011 7:20 PM 57600]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [9/29/2011 7:20 PM 340920]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [9/29/2011 7:20 PM 83856]
S3 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [8/11/2011 7:38 PM 116608]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/29/2012 7:07 AM 250568]
S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/23/2010 8:21 AM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/23/2010 8:21 AM 135664]
S3 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 6:53 PM 13672]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [9/29/2011 7:20 PM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [9/29/2011 7:20 PM 87656]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [11/9/2010 2:48 PM 27064]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [7/25/2012 4:46 AM 1326176]
S3 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [7/25/2012 4:46 AM 681056]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 17:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 00:41]
.
2012-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-09-10 c:\windows\Tasks\User_Feed_Synchronization-{EE7ECC23-2F6F-4184-B5CC-A31990E750BB}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://support.dell.com/support/topics/global.aspx/support/security/security?c=us&cs=19&l=en&s=dhs&appindex=ds
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-10 22:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\docume~1\GERALD~1\LOCALS~1\Temp\catchme.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Toolbar\QuickComplete]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2664)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
c:\windows\wanmpsvc.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
c:\program files\Common Files\AOL\1135344252\ee\aolupdates.exe
.
**************************************************************************
.
Completion time: 2012-09-10 22:58:30 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-11 02:58
.
Pre-Run: 112,683,307,008 bytes free
Post-Run: 112,667,815,936 bytes free
.
- - End Of File - - D01A40AC6CE131175412A85E0B135569
FYI - while it was scanning, Windows error appeared saying "pev.exe has encountered a problem and will be shut down."
There was an infected file found.
ComboFix 12-09-10.04 - GERALD WERBIN 09/10/2012 22:42:05.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.2679 [GMT -4:00]
Running from: c:\documents and settings\GERALD WERBIN\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\GERALD WERBIN\WINDOWS
c:\windows\dasetup.log
c:\windows\system\olepro32.dll
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\erdnt\cache\userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-11 to 2012-09-11 )))))))))))))))))))))))))))))))
.
.
2012-09-10 18:36 . 2012-09-10 18:36 -------- d-----w- c:\program files\Foxit Software
2012-09-09 14:25 . 2012-09-09 14:25 -------- d-----w- c:\documents and settings\GERALD WERBIN\Application Data\KeePass
2012-09-06 18:17 . 2012-09-06 18:17 -------- d-----w- c:\program files\ESET
2012-09-06 15:10 . 2012-07-02 17:49 206848 ----a-w- c:\windows\system\occache.dll
2012-09-06 14:55 . 2012-09-06 14:55 -------- d-----w- c:\program files\Auslogics
2012-09-05 07:16 . 2012-09-10 17:32 -------- d-----w- c:\documents and settings\GERALD WERBIN\Application Data\ElevatedDiagnostics
2012-09-05 06:02 . 2012-09-05 06:02 -------- d-----w- c:\program files\CCleaner
2012-09-04 15:35 . 2012-09-04 15:35 -------- d-----w- c:\documents and settings\GERALD WERBIN\DoctorWeb
2012-09-03 06:21 . 2012-09-03 06:21 388096 ----a-r- c:\documents and settings\GERALD WERBIN\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-09-03 06:21 . 2012-09-03 06:21 -------- d-----w- c:\program files\Trend Micro
2012-09-02 16:53 . 2012-09-02 16:53 -------- d-----w- c:\documents and settings\GERALD WERBIN\Application Data\Malwarebytes
2012-09-02 16:53 . 2012-09-02 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-09-02 16:53 . 2012-09-02 16:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-02 16:53 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-01 21:12 . 2012-09-01 21:12 -------- d-----w- c:\documents and settings\GERALD WERBIN\Application Data\Safer Networking
2012-09-01 21:11 . 2012-09-01 21:11 -------- d-----w- c:\program files\Safer Networking
2012-08-31 12:09 . 2012-08-31 12:09 -------- d-----w- c:\program files\Common Files\Java
2012-08-31 12:09 . 2012-08-31 12:08 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-08-31 12:08 . 2012-08-31 12:08 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-08-31 00:53 . 2012-08-31 00:53 -------- d-----w- c:\program files\iPod
2012-08-31 00:53 . 2012-08-31 00:55 -------- d-----w- c:\program files\iTunes
2012-08-31 00:17 . 2012-08-31 00:17 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2012-08-31 00:17 . 2012-08-31 00:17 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2012-08-31 00:17 . 2012-08-31 00:17 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2012-08-31 00:17 . 2012-08-31 00:17 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2012-08-31 00:17 . 2012-08-31 00:17 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2012-08-31 00:17 . 2012-08-31 00:17 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2012-08-31 00:17 . 2012-08-31 00:17 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2012-08-31 00:15 . 2012-08-31 00:17 -------- d-----w- c:\program files\QuickTime
2012-08-30 16:36 . 2012-09-10 17:23 -------- d-----w- c:\program files\KeePass Password Safe
2012-08-30 16:35 . 2012-08-30 16:35 -------- d-----w- c:\program files\MSXML 4.0
2012-08-30 16:31 . 2012-08-30 16:31 -------- d-----w- c:\documents and settings\GERALD WERBIN\Local Settings\Application Data\Secunia PSI
2012-08-30 16:31 . 2012-08-30 16:31 -------- d-----w- c:\program files\Secunia
2012-08-30 13:04 . 2012-08-30 13:04 -------- d-----w- c:\windows\system32\wbem\Repository
2012-08-30 12:38 . 2012-08-30 12:38 -------- d-----w- c:\documents and settings\GERALD WERBIN\Application Data\SUPERAntiSpyware.com
2012-08-30 12:37 . 2012-09-10 20:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-08-30 12:37 . 2012-08-30 12:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERSetup
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-04 00:41 . 2012-03-29 11:07 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-04 00:41 . 2011-06-27 11:21 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-31 12:08 . 2012-05-14 12:23 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-31 12:08 . 2010-11-09 21:09 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-06 13:58 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05 . 2005-08-16 10:37 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2005-08-16 10:18 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2005-08-16 10:18 916992 ----a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2005-08-16 10:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49 . 2005-08-16 10:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05 . 2005-08-16 10:18 385024 ----a-w- c:\windows\system32\html.iec
2012-06-25 20:04 . 2012-06-25 20:04 1394248 ----a-w- c:\windows\system32\msxml4.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"HostManager"="c:\program files\Common Files\AOL\1135344252\ee\AOLSoftware.exe" [2010-03-08 41800]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-22 1318816]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2012-06-04 1466760]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\GERALD WERBIN\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
Monitor Ink Alerts - HP Photosmart 7510 series.lnk - c:\windows\system32\RunDll32.exe [2005-8-16 33280]
SocialButterfly.lnk - c:\program files\Blue Mountain Social Butterfly\SocialButterfly\SocialButterfly.exe [2010-10-8 142336]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL OnePoint.lnk - c:\program files\AOL OnePoint\IDVault.exe [2012-5-23 6186328]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^024h Lucky Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\024h Lucky Reminder.lnk
backup=c:\windows\pss\024h Lucky Reminder.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2005-05-15 08:04 332800 ----a-w- c:\program files\Dell Support\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2009-06-03 19:46 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-03-24 01:17 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 02:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 16:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 16:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-06-07 23:33 421776 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2010-12-13 18:37 135536 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
2004-11-11 16:26 26112 ----a-w- c:\program files\Intuit\QuickBooks 2005\Atom\QBReminder.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ReminderApp]
2005-08-30 22:30 145104 ----a-w- c:\program files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2005-03-22 22:20 339968 -c--a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135344252\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\AOL Desktop 9.6\\waol.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\AOL Desktop 9.7\\waol.exe"=
"c:\\Program Files\\AOL Desktop 9.7\\AOLBrowser\\aolbrowser.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\AOL Desktop 9.7a\\waol.exe"=
"c:\\Program Files\\AOL Desktop 9.7a\\AOLBrowser\\aolbrowser.exe"=
"c:\\Program Files\\AOL Desktop 9.7b\\waol.exe"=
"c:\\Program Files\\AOL Desktop 9.7b\\AOLBrowser\\aolbrowser.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*
isabled:Windows Remote Management .
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [9/29/2011 7:20 PM 89792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 IDVaultSvc;AOL OnePoint Service;c:\program files\AOL OnePoint\IDVaultSvc.exe [5/23/2012 6:29 PM 65368]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/29/2011 7:20 PM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/29/2011 7:20 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [9/29/2011 7:21 PM 161632]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [9/29/2011 7:15 PM 151880]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [9/29/2011 7:20 PM 57600]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [9/29/2011 7:20 PM 340920]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [9/29/2011 7:20 PM 83856]
S3 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [8/11/2011 7:38 PM 116608]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/29/2012 7:07 AM 250568]
S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/23/2010 8:21 AM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/23/2010 8:21 AM 135664]
S3 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 6:53 PM 13672]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [9/29/2011 7:20 PM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [9/29/2011 7:20 PM 87656]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [11/9/2010 2:48 PM 27064]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [7/25/2012 4:46 AM 1326176]
S3 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [7/25/2012 4:46 AM 681056]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 17:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 00:41]
.
2012-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-09-10 c:\windows\Tasks\User_Feed_Synchronization-{EE7ECC23-2F6F-4184-B5CC-A31990E750BB}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://support.dell.com/support/topics/global.aspx/support/security/security?c=us&cs=19&l=en&s=dhs&appindex=ds
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-10 22:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\docume~1\GERALD~1\LOCALS~1\Temp\catchme.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Toolbar\QuickComplete]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2664)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
c:\windows\wanmpsvc.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
c:\program files\Common Files\AOL\1135344252\ee\aolupdates.exe
.
**************************************************************************
.
Completion time: 2012-09-10 22:58:30 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-11 02:58
.
Pre-Run: 112,683,307,008 bytes free
Post-Run: 112,667,815,936 bytes free
.
- - End Of File - - D01A40AC6CE131175412A85E0B135569
