ComboFix 13-01-21.04 - DAVE 01/22/2013 15:06:55.9.2 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1693 [GMT -5:00]
Running from: c:\documents and settings\DAVE\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\DAVE\Application Data\PriceGong
c:\documents and settings\DAVE\Application Data\PriceGong\Data\1.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\a.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\b.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\c.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\d.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\e.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\f.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\g.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\h.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\i.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\j.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\k.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\l.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\m.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\DAVE\Application Data\PriceGong\Data\n.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\o.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\p.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\q.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\r.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\s.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\t.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\u.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\v.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\w.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\x.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\y.txt
c:\documents and settings\DAVE\Application Data\PriceGong\Data\z.txt
c:\documents and settings\DAVE\Recent\Thumbs.db
c:\documents and settings\DAVE\WINDOWS
c:\progra~1\AIRCAN~1\TRAVel~1.exe
c:\windows\system32\sqlite3.dll
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\msvcr71.dll.int
c:\windows\system32\URTTemp\regtlib.exe
.
.
(((((((((((((((((((((((((   Files Created from 2012-12-22 to 2013-01-22   )))))))))))))))))))))))))))))))
.
.
2013-01-21 23:33 . 2012-05-25 17:14 42864 ----a-w- c:\windows\system32\sbbd.exe
2013-01-21 23:33 . 2012-05-25 17:14 101112 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2013-01-21 23:32 . 2013-01-22 09:27 -------- d-----w- C:\VIPRERESCUE
2013-01-16 06:14 . 2013-01-08 04:57 6991832 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2F921FC6-F611-4BCD-B143-9103683D1C32}\mpengine.dll
2013-01-15 03:08 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-13 01:11 . 2012-04-03 17:59 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-13 01:11 . 2011-05-22 17:10 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 12:23 . 2004-08-04 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25 . 2011-02-09 05:36 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 02:01 . 2009-08-19 22:07 1371648 ----a-w- c:\windows\system32\msxml6.dll
2012-11-02 02:02 . 2011-02-09 05:36 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-09-11 21:11 . 2012-09-11 21:11 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2009-11-07 297808]
.
[HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
[HKEY_CLASSES_ROOT\agihelper.AGUtils]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"hplampc"="c:\windows\System32\hplampc.exe" [2002-01-17 40448]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Yahoo! Autosync.lnk - c:\program files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe [2007-8-21 391680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
[bU]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DAVE^Start Menu^Programs^Startup^Alaska Airlines Update Conduit.lnk]
path=c:\documents and settings\DAVE\Start Menu\Programs\Startup\Alaska Airlines Update Conduit.lnk
backup=c:\windows\pss\Alaska Airlines Update Conduit.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DAVE^Start Menu^Programs^Startup^CNET TechTracker.lnk]
path=c:\documents and settings\DAVE\Start Menu\Programs\Startup\CNET TechTracker.lnk
backup=c:\windows\pss\CNET TechTracker.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DAVE^Start Menu^Programs^Startup^Smile Desktop.lnk]
path=c:\documents and settings\DAVE\Start Menu\Programs\Startup\Smile Desktop.lnk
backup=c:\windows\pss\Smile Desktop.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DAVE^Start Menu^Programs^Startup^United Airlines Timetable Update Application.lnk]
path=c:\documents and settings\DAVE\Start Menu\Programs\Startup\United Airlines Timetable Update Application.lnk
backup=c:\windows\pss\United Airlines Timetable Update Application.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DAVE^Start Menu^Programs^Startup^Webshots.lnk]
path=c:\documents and settings\DAVE\Start Menu\Programs\Startup\Webshots.lnk
backup=c:\windows\pss\Webshots.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoBAUP_FilesBackup_2]
AUTOBAUP2 [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu]
/L:ENG [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-09-22 23:42 90112 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-03 07:35 946352 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-12-18 14:28 38112 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2006-02-10 01:05 344064 -c--a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
2002-09-30 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2006-08-11 18:56 17920 ----a-w- c:\windows\CTHELPER.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2006-08-11 18:56 18944 ----a-w- c:\windows\system32\CTXFIHLP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2005-03-16 10:33 127037 -c--a-w- c:\windows\system32\dla\tfswctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2006-04-06 14:51 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
2012-12-03 19:46 366576 ----a-w- c:\program files\IncrediMail\bin\IncMail.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 20:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 20:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 19:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 00:15 290816 ------w- c:\program files\Dell\Media Experience\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 16:17 61440 -c--a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 19:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-09-24 22:02 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2012-09-12 20:17 896912 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Spindown Utility]
2004-08-09 19:15 278528 ----a-w- c:\program files\Western Digital Technologies\Spindown\ExSpinDn.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Name of App"=c:\program files\Samsung\FW LiveUpdate\LiveUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\msconfig.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12345:TCP"= 12345:TCP:Motorola Helper
.
R1 MpKslf7e754ad;MpKslf7e754ad;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2F921FC6-F611-4BCD-B143-9103683D1C32}\MpKslf7e754ad.sys [1/22/2013 3:20 PM 29904]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [1/21/2013 6:33 PM 101112]
R2 IB Updater;IB Updater;c:\program files\IB Updater\ExtensionUpdaterService.exe [12/3/2012 2:49 PM 188760]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 Auto File Backup Service;AutoBAUP Service;c:\program files\AutoBAUP\AutoBAUP.exe --> c:\program files\AutoBAUP\AutoBAUP.exe [?]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/18/2010 7:39 PM 99416]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/18/2010 7:39 PM 99416]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 9:58 AM 11336]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/18/2010 7:39 PM 555096]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/18/2010 7:39 PM 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/18/2010 7:39 PM 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/18/2010 7:39 PM 100952]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/18/2010 7:39 PM 566360]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/18/2010 7:39 PM 566360]
S3 hp4200c;%usbscan.SvcDesc%;c:\windows\system32\drivers\hp4200c.sys [9/22/2008 12:38 AM 9312]
S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys [9/9/2010 10:47 PM 49377]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/12/2010 6:09 PM 22344]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [4/9/2010 2:39 PM 42752]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/12/2010 6:09 PM 654408]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLF7E754AD
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-01-16 06:46 1606760 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
2008-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2012-11-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-24 19:38]
.
2013-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-13 03:27]
.
2013-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-13 03:27]
.
2013-01-22 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]
.
2013-01-22 c:\windows\Tasks\User_Feed_Synchronization-{3917B950-7D37-43A7-A444-D3158FE290D4}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 08:31]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.254
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\DAVE\Application Data\Mozilla\Firefox\Profiles\tpgzersa.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/|http://att.my.yahoo.com/
FF - ExtSQL: 2012-12-03 14:49; {336D0C35-8A85-403a-B9D2-65C292C39087}; c:\program files\IB Updater\Firefox
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{2462d2d8-b36e-44ab-84bf-c5a9383d2429} - (no file)
Toolbar-{2462d2d8-b36e-44ab-84bf-c5a9383d2429} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-{31c7d459-9cc3-44f2-9dca-fc11795309b4} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{2462D2D8-B36E-44AB-84BF-C5A9383D2429} - (no file)
SafeBoot-MCODS
MSConfigStartUp-Acronis True Image Monitor - c:\program files\Acronis\TrueImage\TrueImageMonitor.exe
MSConfigStartUp-Microsoft Default Manager - c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
MSConfigStartUp-MSN Toolbar - c:\program files\MSN Toolbar\Platform\4.0.0417.0\mswinext.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
MSConfigStartUp-RegistryBooster - c:\program files\Uniblue\RegistryBooster\launcher.exe
MSConfigStartUp-Windows Defender - c:\program files\Windows Defender\MSASCui.exe
MSConfigStartUp-WsdtReplacer - c:\documents and settings\DAVE\Local Settings\Temp\WebshotSupplantLauncher.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-22 15:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,52,a9,60,07,25,40,6d,44,bd,3f,88,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4a,7f,87,e3,d3,82,7b,4d,a9,21,da,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,87,9c,eb,28,da,a1,9f,4a,a0,88,eb,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(8104)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Iomega\DriveIcons\IMGHOOK.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\system32\CTsvcCDA.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Retrospect\Retrospect 7.5\retrorun.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\MsPMSPSv.exe
c:\program files\Skyhook Wireless\Wi-Fi Driver\WPSScannerSvc.exe
c:\program files\Iomega\AutoDisk\ADService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Common Files\Intellisync\PushSyncService\PushSyncService.exe
.
**************************************************************************
.
Completion time: 2013-01-22 15:27:08 - machine was rebooted
ComboFix-quarantined-files.txt 2013-01-22 20:27
ComboFix2.txt 2010-10-08 19:24
.
Pre-Run: 74,048,622,592 bytes free
Post-Run: 72,308,334,592 bytes free
.
- - End Of File - - F4AD0BBA3564CD15179EF4ACAB59F81B

...............................................................................................................

System seems OK on normal boot... not in safe mode anymore. What next?