ComboFix 13-04-25.01 - HP_Administrator 04/25/2013 16:43:58.5.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1250 [GMT -4:00] Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\_ctypes.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\_elementtree.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\_hashlib.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\_socket.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\_ssl.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\pyexpat.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\pysqlite2._sqlite.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\python27.dll c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\pythoncom27.dll c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\PyWinTypes27.dll c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\select.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\unicodedata.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\win32api.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\win32com.shell.shell.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\win32crypt.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\win32event.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\win32file.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\win32inet.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\win32pdh.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\win32process.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\win32profile.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\win32security.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\win32ts.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\windows._cacheinvalidation.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\wx._controls_.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\wx._core_.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\wx._gdi_.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\wx._html2.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\wx._misc_.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\wx._windows_.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\wx._wizard.pyd c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\wxbase294u_net_vc90.dll c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\wxbase294u_vc90.dll c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\wxmsw294u_adv_vc90.dll c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\wxmsw294u_core_vc90.dll c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\wxmsw294u_html_vc90.dll c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI33122\wxmsw294u_webview_vc90.dll c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll c:\documents and settings\Administrator\WINDOWS c:\documents and settings\All Users\Application Data\TEMP c:\documents and settings\All Users\Application Data\TEMP\0B4227B4.TMP c:\documents and settings\All Users\Application Data\TEMP\AVG\avi7.avg c:\documents and settings\All Users\Application Data\TEMP\AVG\crt_x64.msi c:\documents and settings\All Users\Application Data\TEMP\AVG\files.dat c:\documents and settings\All Users\Application Data\TEMP\AVG\incavi.avm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_cz.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_da.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_fr.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ge.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_hu.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_id.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_in.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_it.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_jp.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ko.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ms.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_nl.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pb.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pl.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pt.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ru.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sc.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sk.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sp.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_tr.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_us.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zh.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zt.htm c:\documents and settings\All Users\Application Data\TEMP\AVG\microavi.avg c:\documents and settings\All Users\Application Data\TEMP\AVG\miniavi.avg c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.dat c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.exe c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.ini c:\documents and settings\All Users\Application Data\TEMP\AVG\setupcz.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\setupda.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\setupfr.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\setupge.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\setuphu.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\setupid.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\setupin.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\setupit.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\setupjp.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\setupko.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\setupms.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\setupnl.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\setuppb.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\setuppl.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\setuppt.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\setupru.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\setupsc.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\setupsk.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\setupsp.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\setuptr.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\setupus.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\setupzh.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\setupzt.lns c:\documents and settings\All Users\Application Data\TEMP\AVG\trialkey.dat c:\documents and settings\All Users\Application Data\TEMP\AVG\vcredis1.cab c:\documents and settings\All Users\Application Data\TEMP\AVG\vcredist.msi c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk c:\documents and settings\Default User\WINDOWS c:\documents and settings\HP_Administrator\Application Data\.# c:\documents and settings\HP_Administrator\Application Data\.#\MBX@8DC@1464180.### c:\documents and settings\HP_Administrator\Application Data\.#\MBX@8DC@14641B0.### c:\documents and settings\HP_Administrator\Application Data\.#\MBX@8DC@14641E0.### c:\documents and settings\HP_Administrator\GoToAssistDownloadHelper.exe c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\_ctypes.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\_elementtree.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\_hashlib.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\_socket.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\_ssl.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\pyexpat.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\pysqlite2._sqlite.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\python27.dll c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\pythoncom27.dll c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\PyWinTypes27.dll c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\select.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\unicodedata.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\win32api.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\win32com.shell.shell.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\win32crypt.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\win32event.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\win32file.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\win32inet.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\win32pdh.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\win32process.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\win32profile.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\win32security.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\win32ts.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\windows._cacheinvalidation.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\wx._controls_.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\wx._core_.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\wx._gdi_.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\wx._html2.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\wx._misc_.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\wx._windows_.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\wx._wizard.pyd c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\wxbase294u_net_vc90.dll c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\wxbase294u_vc90.dll c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\wxmsw294u_adv_vc90.dll c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\wxmsw294u_core_vc90.dll c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\wxmsw294u_html_vc90.dll c:\documents and settings\HP_Administrator\Local Settings\Temp\_MEI33122\wxmsw294u_webview_vc90.dll c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll c:\documents and settings\HP_Administrator\WINDOWS c:\windows\system32\Cache c:\windows\system32\Cache\17b37e1d89627257.fb c:\windows\system32\Cache\26c630d098e22dd5.fb c:\windows\system32\Cache\272512937d9e61a4.fb c:\windows\system32\Cache\287204568329e189.fb c:\windows\system32\Cache\28bc8f716fd76a47.fb c:\windows\system32\Cache\2c53092c95605355.fb c:\windows\system32\Cache\31a0997e9a5b5eb3.fb c:\windows\system32\Cache\32c84fe32bb74d60.fb c:\windows\system32\Cache\3917078cb68ec657.fb c:\windows\system32\Cache\3c07d3dec88fc68b.fb c:\windows\system32\Cache\3c812097cf6648a9.fb c:\windows\system32\Cache\54f6c2cdfb7ee841.fb c:\windows\system32\Cache\590ba23ce359fd0c.fb c:\windows\system32\Cache\610289e025a3ee9a.fb c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb c:\windows\system32\Cache\6d03dad1035885d3.fb c:\windows\system32\Cache\71757c74ba543db7.fb c:\windows\system32\Cache\79938acb11929dc5.fb c:\windows\system32\Cache\7d3ffafc290d3dfb.fb c:\windows\system32\Cache\95f567698be8a182.fb c:\windows\system32\Cache\a8556537add6dfc5.fb c:\windows\system32\Cache\ab9c2ed8eb30f70f.fb c:\windows\system32\Cache\ad10a52aff5e038d.fb c:\windows\system32\Cache\b2029a5c849e44bc.fb c:\windows\system32\Cache\c1fa887b03019701.fb c:\windows\system32\Cache\c4d28dca2e7648be.fb c:\windows\system32\Cache\d201ef9910cd39de.fb c:\windows\system32\Cache\d2e94710a5708128.fb c:\windows\system32\Cache\d79b9dfe81484ec4.fb c:\windows\system32\Cache\df754a4b8a26f3fd.fb c:\windows\system32\Cache\e0de16f883bea794.fb c:\windows\system32\Cache\f998975c9cc711ee.fb c:\windows\system32\Cache\fdd50f077c1bd20a.fb c:\windows\system32\config\systemprofile\WINDOWS c:\windows\system32\sp c:\windows\system32\URTTemp c:\windows\system32\URTTemp\fusion.dll c:\windows\system32\URTTemp\mscoree.dll c:\windows\system32\URTTemp\mscoree.dll.local c:\windows\system32\URTTemp\mscorsn.dll c:\windows\system32\URTTemp\mscorwks.dll c:\windows\system32\URTTemp\msvcr71.dll c:\windows\system32\URTTemp\regtlib.exe . . ((((((((((((((((((((((((( Files Created from 2013-03-25 to 2013-04-25 ))))))))))))))))))))))))))))))) . . 2013-04-24 01:44 . 2013-04-24 01:44 -------- d-----w- C:\FRST 2013-04-22 22:08 . 2013-04-23 00:40 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2013-04-01 23:19 . 2013-04-01 23:19 -------- d-----w- C:\1fca4a979587afe1b176b92e79876fe7 . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2013-03-26 00:40 . 2012-09-04 05:14 33624 ----a-w- c:\windows\system32\drivers\avgtpx86.sys 2013-03-12 18:44 . 2012-04-08 18:07 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2013-03-12 18:44 . 2011-05-20 11:31 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2013-03-08 08:36 . 2004-11-26 09:00 293376 ----a-w- c:\windows\system32\winsrv.dll 2013-03-07 01:32 . 2004-11-26 08:58 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe 2013-03-07 00:50 . 2004-08-04 05:59 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe 2013-03-02 02:06 . 2004-11-26 09:00 916480 ----a-w- c:\windows\system32\wininet.dll 2013-03-02 02:06 . 2004-11-26 08:57 43520 ----a-w- c:\windows\system32\licmgr10.dll 2013-03-02 02:06 . 2004-11-26 08:57 1469440 ----a-w- c:\windows\system32\inetcpl.cpl 2013-03-02 01:25 . 2004-11-26 09:00 1867264 ----a-w- c:\windows\system32\win32k.sys 2013-03-02 01:08 . 2004-11-26 08:57 385024 ----a-w- c:\windows\system32\html.iec 2013-03-01 14:32 . 2012-09-21 07:45 22328 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys 2013-02-27 07:56 . 2004-11-26 08:58 2067456 ----a-w- c:\windows\system32\mstscax.dll 2013-02-27 03:40 . 2012-09-13 07:11 208184 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys 2013-02-14 07:52 . 2011-07-11 05:14 182072 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2013-02-12 00:32 . 2008-09-03 10:45 12928 ------w- c:\windows\system32\drivers\usb8023x.sys 2013-02-12 00:32 . 2004-11-26 09:00 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys 2013-02-08 08:37 . 2011-08-08 10:08 96568 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2013-02-08 08:37 . 2012-09-21 07:46 245048 ----a-w- c:\windows\system32\drivers\avglogx.sys 2013-02-08 08:37 . 2012-04-19 08:50 60216 ----a-w- c:\windows\system32\drivers\avgidshx.sys 2013-02-08 08:37 . 2011-07-11 05:13 170808 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2013-01-26 03:55 . 2004-11-26 08:58 552448 ----a-w- c:\windows\system32\oleaut32.dll 2005-08-29 15:52 . 2005-08-30 03:17 218112 ----a-w- c:\program files\HijackThis.exe . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}] 2013-03-26 00:40 1956016 ----a-w- c:\program files\AVG Secure Search\15.0.0.2\AVG Secure Search_toolbar.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\15.0.0.2\AVG Secure Search_toolbar.dll" [2013-03-26 1956016] . [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}] [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1] [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay] @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}" [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}] 2013-03-07 20:31 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay] @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}" [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}] 2013-03-07 20:31 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay] @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}" [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}] 2013-03-07 20:31 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay] @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}" [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}] 2013-03-07 20:31 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2006-05-19 20480] "LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608] "Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [2012-09-03 4895192] "GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2013-03-07 19357112] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-21 155648] "HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152] "HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456] "KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472] "AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-10 344064] "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952] "SoundMan"="SOUNDMAN.EXE" [2005-04-06 90112] "AlcWzrd"="ALCWZRD.EXE" [2005-04-06 2805248] "LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184] "LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752] "LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-05 282624] "PS2"="c:\windows\system32\ps2.exe" [2002-10-17 81920] "vProt"="c:\program files\AVG Secure Search\vprot.exe" [2013-03-26 1219248] "PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2009-10-24 597792] "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-10-24 296096] "AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-03-13 4394032] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 68856] "Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [2012-09-03 4895192] . c:\documents and settings\Default User\Start Menu\Programs\Startup\ AutoTBar.exe [2003-10-1 57344] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-29 241664] Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-5-18 450560] Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [N/A] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-07-13 77824] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2010-02-10 17:54 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"= "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "50000:UDP"= 50000:UDP:IHA_MessageCenter . R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 60216] R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [9/21/2012 3:46 AM 245048] R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [9/13/2012 3:11 AM 208184] R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [9/21/2012 3:45 AM 22328] R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7/11/2011 1:13 AM 170808] R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 182072] R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [9/4/2012 1:14 AM 33624] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 12:53 PM 9968] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 11:39 AM 74480] R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [2/19/2013 4:02 AM 282624] R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [7/1/2011 3:01 PM 352248] R2 PGMTrusted;PGMTrusted;c:\program files\Pogo Games\PGMTrusted.exe [10/29/2012 1:25 PM 519920] R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [10/24/2009 4:18 AM 360224] R2 vToolbarUpdater15.0.0;vToolbarUpdater15.0.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.0.0\ToolbarUpdater.exe [3/25/2013 8:40 PM 990896] R2 X4HSEx_Pr143;X4HSEx_Pr143;c:\program files\Free Ride Games\X4HSEx_Pr143.sys [11/5/2012 8:21 PM 58696] S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [2/27/2013 11:42 PM 4937264] S3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [10/12/2010 1:59 PM 206072] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/22/2013 6:08 PM 40776] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 4096] . --- Other Services/Drivers In Memory --- . *NewlyCreated* - WS2IFSL . Contents of the 'Scheduled Tasks' folder . 2013-04-25 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 18:44] . 2013-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 19:46] . 2013-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-15 19:46] . 2013-04-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2438911799-3484224873-888160877-1008.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27] . 2013-04-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2438911799-3484224873-888160877-1008.job - c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27] . . ------- Supplementary Scan ------- . uStart Page = hxxp://home.cua.edu/ uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop uInternet Settings,ProxyOverride = localhost; uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s TCP: DhcpNameServer = 192.168.1.1 71.252.0.12 TCP: Interfaces\{3E76E1D9-062E-4EE5-A1AE-373FC027275D}: DhcpNameServer = 192.168.1.1 71.252.0.12 Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\15.0.0\ViProtocol.dll DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB DPF: {F135A813-7152-4532-AC8D-28AC2136DFC7} - hxxp://clubgames.pogo.com/online2/pogo/parking_dash/parkingdash.1.0.0.15.cab . - - - - ORPHANS REMOVED - - - - . HKLM-Run-SoundDrivers - c:\documents and settings\All Users\Application Data\f34rfcdsfwe.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2013-04-25 16:53 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . . c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI37282\support c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI37282\support\gen_py c:\docume~1\HP_ADM~1\LOCALS~1\Temp\_MEI37282\support\gen_py\__init__.py 0 bytes . scan completed successfully hidden files: 3 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(852) c:\program files\SUPERAntiSpyware\SASWINLO.DLL c:\windows\system32\WININET.dll c:\windows\system32\Ati2evxx.dll . - - - - - - - > 'explorer.exe'(5732) c:\windows\system32\WININET.dll c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll c:\program files\Google\Drive\googledrivesync32.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\windows\system32\Ati2evxx.exe c:\program files\Google\Update\1.3.21.135\GoogleCrashHandler.exe c:\progra~1\COMMON~1\AOL\ACS\acsd.exe c:\windows\eHome\ehRecvr.exe c:\windows\eHome\ehSched.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\windows\wanmpsvc.exe c:\windows\system32\dllhost.exe c:\windows\AGRSMMSG.exe c:\windows\SOUNDMAN.EXE c:\windows\ALCWZRD.EXE c:\windows\eHome\ehmsas.exe c:\program files\Logitech\Video\FxSvr2.exe c:\windows\system32\HPZipm12.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2013-04-25 17:09:19 - machine was rebooted ComboFix-quarantined-files.txt 2013-04-25 21:09 ComboFix2.txt 2010-08-11 00:24 ComboFix3.txt 2010-07-12 02:53 ComboFix4.txt 2010-07-09 06:25 ComboFix5.txt 2013-04-25 20:41 . Pre-Run: 238,277,414,912 bytes free Post-Run: 237,854,715,904 bytes free . - - End Of File - - 594F673CC37AB905299BF04E021AC9AB