ComboFix 11-05-07.01 - Owner 05/07/2011 21:14:45.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2037.972 [GMT -4:00]
Running from: c:\users\Owner\Desktop\George.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Common Files\Uninstall
c:\programdata\ntuser.dat
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Recovery
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk
c:\windows\system32\arp.exe
c:\windows\system32\drivers\snetcfg.exe
c:\windows\system32\ndisapi.dll
c:\windows\system32\UAChfeysivjas.dat
c:\windows\system32\uacinit.dll
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2011-04-08 to 2011-05-08 )))))))))))))))))))))))))))))))
.
.
2011-05-08 01:06 . 2011-05-08 01:07 -------- d-----w- C:\32788R22FWJFW
2011-05-08 00:56 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4C5A9255-B0C7-4CEB-BA6D-0311EEA72AA1}\mpengine.dll
2011-05-08 00:28 . 2011-05-08 00:28 -------- d-----w- C:\_OTL
2011-05-05 12:06 . 2011-05-07 12:57 -------- d-----w- c:\programdata\STOPzilla!
2011-05-05 00:57 . 2011-05-05 00:57 -------- d--h--w- c:\users\Owner\AppData\Local\ESET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2007-02-13 16:30 405504 ---ha-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
2006-12-08 00:49 55416 ---ha-w- c:\program files\Toshiba\TBS\HSON.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ---ha-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-02-07 01:50 4374528 ---ha-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-06-27 23:20 1232896 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2007-01-19 06:24 448632 ---ha-w- c:\program files\Toshiba\SmoothView\SmoothView.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2008-05-28 17:33 1506544 ---ha-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
2006-11-10 22:22 417792 ---ha-w- c:\program files\Toshiba\TOSCDSPD\TOSCDSPD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-07-09 21:33 36352 ---ha-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2007-08-24 05:17 1006264 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
R2 gupdate1c9e885e17a0b00;Google Update Service (gupdate1c9e885e17a0b00);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-08 133104]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-08 133104]
R3 MBAMCatchMe;MBAMCatchMe;c:\windows\system32\drivers\mbamcatchme.sys [2008-07-08 34296]
R3 Ndisrd;WinpkFilter Service;c:\windows\system32\DRIVERS\ndisrd.sys [2009-06-22 22016]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-05-28 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-05-28 55024]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 NdisrdMP;NdisrdMP;c:\windows\system32\DRIVERS\ndisrd.sys [2009-06-22 22016]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-28 22:09]
.
2011-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-08 22:09]
.
2011-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-08 22:09]
.
.
------- Supplementary Scan -------
.
uStart Page = www.yahoo.com
mWindow Title = Windows Internet Explorer provided by Comcast
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\slftdvzz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Linkification: {35106bca-6c78-48c7-ac28-56df30b51d2a} - %profile%\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-1570795875 - c:\program files\Toshiba Registration\Activation.exe
MSConfigStartUp-740751906 - c:\program files\Toshiba Registration\Registration.exe
MSConfigStartUp-Antivirus - c:\program files\VAV\vav.exe
MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe
MSConfigStartUp-Trend Micro AntiVirus 2007 - c:\program files\Trend Micro\AntiVirus 2007\tavui.exe
AddRemove-ComcastHSI - c:\program files\support.com\uninstall\chsi_uninstaller.exe
AddRemove-Davis's Drug Search for Nurses, 11e - c:\users\Owner\Davis's Drug Search for Nurses
AddRemove-HijackThis - c:\users\Owner\Desktop\Computer Clean-Up Kit\HijackThis.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-07 21:23
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-05-07 21:26:26
ComboFix-quarantined-files.txt 2011-05-08 01:26
.
Pre-Run: 131,470,430,208 bytes free
Post-Run: 131,420,991,488 bytes free
.
- - End Of File - - 428FF548DEB606D0278AC63EA781606C