ComboFix 12-11-06.03 - Trog28 07/11/2012 21:25:12.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1014.384 [GMT 2:00]
Running from: c:\users\Trog28\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-10-07 to 2012-11-07 )))))))))))))))))))))))))))))))
.
.
2012-11-06 18:16 . 2012-11-06 18:16 -------- d-----w- c:\program files\ESET
2012-11-01 19:20 . 2012-11-01 19:20 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-01 19:20 . 2012-11-01 19:20 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-31 22:40 . 2012-10-31 22:40 -------- d-----w- c:\program files\Common Files\Adobe
2012-10-31 22:35 . 2012-10-31 22:33 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-10-31 22:34 . 2012-10-31 22:34 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-10-30 22:17 . 2012-09-29 17:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-30 21:47 . 2012-10-30 21:47 -------- dc----w- C:\_OTL
2012-10-25 20:39 . 2012-10-25 20:39 -------- d-----w- c:\users\Trog28\AppData\Roaming\Runscanner.net
2012-10-24 20:14 . 2012-10-24 20:14 -------- d-----w- c:\program files\T55
2012-10-24 20:14 . 2012-10-24 20:14 -------- d-----w- c:\users\Trog28\AppData\Roaming\T55
2012-10-19 07:08 . 2000-01-01 00:00 53248 ----a-w- c:\windows\system32\CSVer.dll
2012-10-19 07:04 . 2000-01-01 00:00 303104 ------w- c:\windows\system32\CmiInstallResAll.dll
2012-10-19 06:53 . 2012-10-19 06:55 -------- d--h--w- c:\program files\Temp
2012-10-19 06:50 . 2012-10-19 06:50 -------- d-----w- c:\program files\Belkin
2012-10-19 06:24 . 2012-10-25 17:31 13024 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2012-10-19 06:24 . 2012-10-19 06:24 -------- d-----w- c:\users\Trog28\AppData\Local\SlimWare Utilities Inc
2012-10-12 15:06 . 2012-10-12 15:06 -------- d-----w- c:\users\Trog28\AppData\Roaming\LavasoftStatistics
2012-10-12 15:01 . 2012-10-12 15:01 -------- d-----w- c:\programdata\Lavasoft
2012-10-12 15:01 . 2012-10-14 06:21 -------- d-----w- c:\program files\Ad-Aware Antivirus
2012-10-12 15:00 . 2012-10-19 06:29 -------- d-----w- c:\users\Trog28\AppData\Local\Downloaded Installations
2012-10-12 15:00 . 2012-10-12 15:00 -------- d-----w- c:\users\Trog28\AppData\Local\adawarebp
2012-10-12 15:00 . 2012-10-13 05:21 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
2012-10-10 06:59 . 2012-06-02 00:02 985088 ----a-w- c:\windows\system32\crypt32.dll
2012-10-10 06:59 . 2012-06-02 00:02 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-10-10 06:59 . 2012-06-02 00:02 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-10-10 06:59 . 2012-08-24 15:53 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-10-10 06:59 . 2012-09-13 13:28 2048 ----a-w- c:\windows\system32\tzres.dll
2012-10-10 06:59 . 2012-08-29 11:27 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-10 06:59 . 2012-08-29 11:27 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-10-09 17:56 . 2012-10-09 17:56 -------- d-----w- c:\program files\Microsoft Security Client
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-12 05:56 . 2012-11-06 21:05 6918632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{597FD290-E356-4E40-99BC-337A27F7C2C3}\mpengine.dll
2012-10-12 05:56 . 2012-11-05 18:25 6918632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-10-09 17:58 . 2012-10-20 06:25 740784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-10-09 17:58 . 2012-10-20 06:25 740784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{050C8C7C-DCBF-4288-B538-63436F9386F8}\gapaengine.dll
2012-09-18 21:59 . 2012-10-09 06:27 6980552 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{02FC0066-D669-441F-B718-E4D4EE8F79F4}\mpengine.dll
2012-08-30 19:03 . 2012-08-30 19:03 99272 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-08-30 19:03 . 2012-08-30 19:03 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-24 06:59 . 2012-10-07 19:13 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51 . 2012-10-07 19:13 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51 . 2012-10-07 19:13 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47 . 2012-10-07 19:13 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47 . 2012-10-07 19:13 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43 . 2012-10-07 19:13 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}]
2011-11-23 20:45 233288 ----a-w- c:\program files\Expat Shield\HssIE\ExpatIE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DT2-1 V2.4.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\DT2-1 V2.4.lnk
backup=c:\windows\pss\DT2-1 V2.4.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ExifLauncher2.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ExifLauncher2.lnk
backup=c:\windows\pss\ExifLauncher2.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Aware Antivirus]
c:\program files\Ad-Aware Antivirus\AdAwareLauncher --windows-run [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adawarebp]
reg.exe delete HKCU\Software\AppDataLow\Software\adawarebp [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adawarebp_DATA_FOLDER]
rmdir [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adawarebp_INSTALL_FOLDER]
rmdir [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adawarebp_XP]
reg.exe delete HKCU\Software\adawarebp [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Aware Browsing Protection]
2012-08-08 08:17 540056 ----a-w- c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2009-10-10 11:32 203264 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Domino]
2006-08-18 13:58 49152 ----a-w- c:\windows\Domino.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-02-26 08:10 135664 ----atw- c:\users\Trog28\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2000-01-01 00:00 166424 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2000-01-01 00:00 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2012-09-12 14:19 947176 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-11-09 23:54 4240760 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2000-01-01 00:00 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder_MUI]
2007-07-20 09:15 1089536 ----a-r- c:\applications\oem\Reminder\Reminder_MUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 07:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-07-08 21:30 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZSSnp211]
2007-04-06 08:06 57344 ----a-w- c:\windows\ZSSnp211.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2011-04-09 21:44 114176 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-01 19:20]
.
2012-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-22 09:45]
.
2012-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-22 09:45]
.
2012-11-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-49009418-3967457827-3402590753-1000Core.job
- c:\users\Trog28\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-01 08:10]
.
2012-11-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-49009418-3967457827-3402590753-1000UA.job
- c:\users\Trog28\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-01 08:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=88.208.239.66:808;https=88.208.239.66:808;ftp=88.208.239.66:808;socks=88.208.239.66:1808
uInternet Settings,ProxyOverride =
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-Advanced SystemCare 5 - c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe
MSConfigStartUp-DriverScanner - c:\program files\Uniblue\DriverScanner\launcher.exe
MSConfigStartUp-Flashget - c:\program files\FlashGet\FlashGet.exe
MSConfigStartUp-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil32_11_4_402_278_ActiveX.exe
MSConfigStartUp-Lvimafiyacikofe - c:\users\Trog28\AppData\Local\KBDrvg.dll
MSConfigStartUp-Nseries - c:\program files\Nokia\Ovi\System Utilities\System Utilities\PcSync2.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
MSConfigStartUp-RtHDVCpl - RtHDVCpl.exe
MSConfigStartUp-Shockwave Updater - c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe
MSConfigStartUp-Skytel - Skytel.exe
MSConfigStartUp-TkBellExe - c:\program files\real\realplayer\Update\realsched.exe
MSConfigStartUp-UpdateP2GShortCut - c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-07 21:40
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2012-11-07 21:44:14 - machine was rebooted
ComboFix-quarantined-files.txt 2012-11-07 19:44
.
Pre-Run: 81,028,972,544 bytes free
Post-Run: 80,898,678,784 bytes free
.
- - End Of File - - C5EF4B280F53FADA2CCE6BD29826642B
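Four entries in the log above are the ones a responder would read before anything else: the infected userinit.exe that ComboFix restored from WinSxS, the "AntiVirusOverride"=dword:00000001 value under Security Center\Svc, the per-user proxy for http/https/ftp/socks pointed at the public address 88.208.239.66, and the orphaned MSConfigStartUp entry "Lvimafiyacikofe" that loaded a DLL directly from AppData\Local. The script below is an added example, not part of the posted log and not ComboFix's own code; it pulls those indicators out of a ComboFix log mechanically. The sample input is constructed from lines copied from the log above plus one benign orphan (QuickTime) for contrast, and the matching rules, category names and the "public IP" test are this example's own assumptions.

```python
"""Triage a ComboFix log for the indicators that most often mean an active
infection rather than leftover junk.

Added example, not part of the posted log or of ComboFix. Rules and category
names are this example's own choices."""
import ipaddress
import re

# Constructed sample input: lines copied from the log above, plus one benign
# orphan entry (QuickTime) to show that not every orphan is flagged.
SAMPLE_LOG = r"""
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
uInternet Settings,ProxyServer = http=88.208.239.66:808;https=88.208.239.66:808;ftp=88.208.239.66:808;socks=88.208.239.66:1808
TCP: DhcpNameServer = 192.168.1.1
MSConfigStartUp-Lvimafiyacikofe - c:\users\Trog28\AppData\Local\KBDrvg.dll
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
"""

# Line shapes as ComboFix prints them (one regex per indicator, multiline mode).
INFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$", re.M)
AV_OVERRIDE_RE = re.compile(r'^"AntiVirusOverride"=dword:0*1$', re.M)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$", re.M)
DNS_RE = re.compile(r"^TCP: DhcpNameServer\s*=\s*(.+)$", re.M)
ORPHAN_RE = re.compile(r"^MSConfigStartUp-(.+?) - (.+)$", re.M)
# A file sitting directly in AppData\Local|Roaming|LocalLow with no vendor folder.
USER_ROOT_RE = re.compile(r"\\appdata\\(local|roaming|locallow)\\[^\\]+$", re.I)


def parse_proxy(value):
    """'http=h:p;https=h:p' -> {'http': ('h', p), ...}; a bare 'h:p' maps to '*'."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")   # no '=' -> scheme ''
        host, _, port = hostport.rpartition(":")
        out[scheme or "*"] = (host, int(port) if port.isdigit() else None)
    return out


def is_public_address(host):
    """True for a globally routable IP, False for private/loopback,
    None when host is a name rather than an IP (cannot decide offline)."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return None


def triage(log_text):
    """Return a list of (category, detail) findings for one ComboFix log."""
    findings = []
    # A system binary that ComboFix had to restore is never benign.
    for m in INFECTED_RE.finditer(log_text):
        findings.append(("system_binary_replaced", m.group(1)))
    # Security Center told not to complain about missing AV.
    if AV_OVERRIDE_RE.search(log_text):
        findings.append(("security_center_av_override", "AntiVirusOverride=1"))
    # User proxy pointed outside the LAN (or at a name we cannot classify).
    for m in PROXY_RE.finditer(log_text):
        for scheme, (host, port) in parse_proxy(m.group(1)).items():
            if is_public_address(host) is not False:
                findings.append(("proxy_to_external_host", f"{scheme}={host}:{port}"))
    # DHCP-supplied DNS that is not on a private range.
    for m in DNS_RE.finditer(log_text):
        for server in m.group(1).split():
            if is_public_address(server):
                findings.append(("dhcp_dns_public", server))
    # Orphaned autoruns that load a DLL, or run straight out of the AppData root.
    for m in ORPHAN_RE.finditer(log_text):
        name, path = m.group(1), m.group(2).strip()
        if path.lower().endswith(".dll") or USER_ROOT_RE.search(path):
            findings.append(("orphan_autorun_in_user_profile", f"{name} -> {path}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:32} {detail}")
```

Run against the sample it reports the replaced userinit.exe, the AV override, one proxy finding per scheme (all four point at 88.208.239.66) and the KBDrvg.dll orphan, while the private DHCP DNS server and the QuickTime orphan stay quiet. A proxy given as a hostname is still reported, because the script cannot tell a corporate proxy from a malicious one offline; in this log the ProxyOverride value is empty, so nothing was excluded from that proxy.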