ComboFix 10-06-01.01 - iraval 06/01/2010 22:05:54.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1301 [GMT -7:00]
Running from: c:\documents and settings\iraval\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\iraval\Desktop\CFScript.txt
AV: Microsoft Forefront Client Security *On-access scanning disabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
FILE ::
"c:\windows\inf\COMD6.tmp"
"c:\windows\inf\COME3.tmp"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\inf\COMD6.tmp
c:\windows\inf\COME3.tmp
----- BITS: Possible infected sites -----
hxxp://CASANSMS1:80
hxxp://dendapvmexcas1.cricketcommunications.com
.
((((((((((((((((((((((((( Files Created from 2010-05-02 to 2010-06-02 )))))))))))))))))))))))))))))))
.
2010-05-31 22:44 . 2010-05-31 22:47 -------- d-----w- c:\program files\Gabest
2010-05-31 22:40 . 2010-05-31 22:40 -------- d-----w- c:\program files\DirectVobSub
2010-05-31 17:24 . 2010-05-31 17:24 66 ----a-w- C:\fixme.bat
2010-05-31 17:22 . 2010-05-31 17:22 77312 ----a-w- c:\windows\system32\mbr.exe
2010-05-28 05:11 . 2010-05-28 05:11 -------- d-----w- C:\HelpAsst_backup
2010-05-27 00:13 . 2010-05-27 00:13 -------- d-----w- c:\program files\Common Files\Java
2010-05-27 00:13 . 2010-05-27 00:13 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-26 18:26 . 2010-05-26 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications
2010-05-26 17:15 . 2009-10-20 16:20 265728 -c----w- c:\windows\system32\dllcache\http.sys
2010-05-25 21:24 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-05-25 21:23 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-05-25 21:20 . 2010-02-16 14:08 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-05-25 21:20 . 2010-02-17 16:10 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-05-25 21:20 . 2010-02-16 13:25 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-05-25 21:20 . 2009-11-27 17:11 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
2010-05-25 21:13 . 2009-11-27 16:07 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
2010-05-25 21:13 . 2009-11-27 16:07 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
2010-05-25 21:12 . 2010-03-11 12:38 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-05-25 21:12 . 2010-03-11 12:38 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-05-25 21:12 . 2010-03-11 12:38 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-05-25 21:12 . 2010-03-11 12:38 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2010-05-25 21:12 . 2010-03-11 12:38 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2010-05-25 21:12 . 2010-03-10 13:18 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2010-05-25 21:12 . 2009-06-29 08:33 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2010-05-25 21:12 . 2010-03-11 12:38 6067200 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-05-25 15:13 . 2010-05-25 15:13 -------- d-----w- c:\windows\ms
2010-05-25 15:01 . 2008-04-14 12:00 221696 -c--a-w- c:\windows\system32\dllcache\seo.dll
2010-05-25 15:00 . 2008-04-14 12:00 13463552 -c--a-w- c:\windows\system32\dllcache\hwxjpn.dll
2010-05-25 14:59 . 2004-05-13 07:39 598071 -c--a-w- c:\windows\system32\dllcache\fpmmc.dll
2010-05-25 14:40 . 2008-04-14 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-05-25 14:40 . 2008-04-14 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-05-25 14:40 . 2008-04-14 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-05-25 14:40 . 2008-04-14 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-05-25 11:10 . 2008-04-14 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-05-25 06:05 . 2010-05-25 06:05 -------- d-----w- c:\program files\ESET
2010-05-20 13:47 . 2010-05-20 13:47 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-05-18 15:02 . 2009-09-07 21:02 27944 ----a-w- c:\windows\system32\sbbd.exe
2010-05-18 15:02 . 2009-08-05 22:58 93872 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-18 15:02 . 2010-05-25 15:30 -------- d-----w- C:\VIPRERESCUE
2010-05-06 04:12 . 2010-05-06 04:12 -------- d-----w- c:\program files\iPod
2010-05-06 04:11 . 2010-05-06 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-06 04:11 . 2010-05-06 04:13 -------- d-----w- c:\program files\iTunes
2010-05-06 04:00 . 2010-05-06 04:02 -------- d-----w- c:\program files\QuickTime
2010-05-06 03:56 . 2010-05-06 03:56 -------- d-----w- c:\program files\Bonjour
2010-05-06 01:30 . 2010-05-06 01:30 -------- d-----w- c:\documents and settings\iraval\Local Settings\Application Data\Help
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-02 05:24 . 2009-11-17 07:50 -------- d-----w- c:\program files\BSEMktWatch
2010-06-01 16:10 . 2009-11-17 01:50 -------- d-----w- c:\documents and settings\iraval\Application Data\Wave Systems Corp
2010-06-01 01:24 . 2010-03-20 20:59 -------- d-----w- c:\documents and settings\iraval\Application Data\vlc
2010-05-29 21:32 . 2010-05-29 21:32 117427 ----a-w- c:\documents and settings\iraval\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\digitaleditions\digitaleditions.exe
2010-05-27 00:14 . 2010-05-27 00:14 503808 ----a-w- c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eb22189-n\msvcp71.dll
2010-05-27 00:14 . 2010-05-27 00:14 499712 ----a-w- c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eb22189-n\jmc.dll
2010-05-27 00:14 . 2010-05-27 00:14 348160 ----a-w- c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eb22189-n\msvcr71.dll
2010-05-27 00:13 . 2010-05-27 00:13 61440 ----a-w- c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7ad6e02a-n\decora-sse.dll
2010-05-27 00:13 . 2010-05-27 00:13 12800 ----a-w- c:\documents and settings\iraval\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7ad6e02a-n\decora-d3d.dll
2010-05-27 00:13 . 2007-08-28 20:08 -------- d-----w- c:\program files\Java
2010-05-26 14:44 . 2010-02-02 07:52 -------- d-----w- c:\program files\MagicISO
2010-05-25 15:52 . 2010-05-01 19:49 -------- d-----w- c:\program files\Windows Live Safety Center
2010-05-25 14:56 . 2007-08-27 20:47 24924 ----a-w- c:\windows\system32\emptyregdb.dat
2010-05-25 12:21 . 2010-01-03 06:30 -------- d-----w- c:\documents and settings\iraval\Application Data\Azureus
2010-05-25 12:20 . 2009-12-06 02:59 -------- d-----w- c:\program files\CCleaner
2010-05-25 11:08 . 2010-05-25 11:08 1663 ----a-w- c:\windows\inf\COM12F.tmp
2010-05-25 08:20 . 2007-08-27 21:54 95194 ----a-w- c:\windows\system32\nvModes.dat
2010-05-22 05:53 . 2010-01-03 06:29 -------- d-----w- c:\program files\Vuze
2010-05-21 21:14 . 2010-01-16 07:10 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-20 13:48 . 2009-11-17 07:50 -------- d-----w- c:\program files\Google
2010-05-12 19:47 . 2009-07-22 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-06 04:12 . 2009-11-23 07:43 -------- d-----w- c:\program files\Common Files\Apple
2010-05-06 03:40 . 2010-05-06 03:40 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-04 03:06 . 2010-03-20 23:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-03 19:38 . 2010-05-02 05:37 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-03 19:36 . 2010-05-02 05:42 -------- d-----w- c:\program files\SiteAdvisor
2010-05-03 18:25 . 2010-05-02 05:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-05-02 21:22 . 2009-11-23 07:46 -------- d-----w- c:\documents and settings\iraval\Application Data\Apple Computer
2010-05-02 04:57 . 2009-12-06 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-02 01:15 . 2007-08-28 19:56 -------- d-----w- c:\program files\Microsoft Office Communicator
2010-05-01 19:36 . 2010-01-22 12:58 -------- d-----w- c:\documents and settings\admin\Application Data\Wave Systems Corp
2010-05-01 18:45 . 2010-05-01 18:45 -------- d-----w- c:\documents and settings\admin\Application Data\Malwarebytes
2010-05-01 18:42 . 2010-01-22 12:58 71776 ----a-w- c:\documents and settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 22:39 . 2010-03-20 23:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-03-20 23:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 03:26 . 2009-10-20 17:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-19 21:59 . 2010-04-19 21:59 255472 ----a-w- c:\documents and settings\iraval\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-04-17 19:53 . 2009-12-06 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-04-17 19:53 . 2010-04-17 07:43 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-16 15:33 . 2009-11-23 07:43 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 15:33 . 2009-11-23 07:43 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-16 04:15 . 2010-03-28 07:29 894184 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-15 16:18 . 2010-04-14 03:02 -------- d-----w- c:\program files\PuTTY Connection Manager
2010-04-14 03:07 . 2009-11-17 07:20 -------- d-----w- c:\program files\PuTTY
2010-04-14 02:55 . 2009-11-20 01:53 -------- d-----w- c:\program files\Quest Software
2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 20:20 . 2010-04-08 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-28 02:06 . 2007-08-27 22:09 71776 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-17 15:51 . 2009-08-18 16:08 82696 ----a-w- c:\windows\system32\lmdimon8.dll
2010-03-11 12:38 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2008-04-14 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2008-07-25 18:16 282112 ----a-w- c:\windows\system32\mscoree.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSC"="c:\program files\Session ShortCuts\ssc.exe" [2008-06-12 265728]
"PicPick Start"="c:\program files\PicPick\picpick.exe" [2010-01-13 4057088]
"Google Update"="c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-21 135664]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
"nwiz"="nwiz.exe" [2007-04-29 1626112]
"NVHotkey"="nvHotkey.dll" [2007-04-29 67584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-29 81920]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2007-02-02 65536]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-09 128560]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SSRPM Enrollment Wizard"="c:\program files\Tools4ever\SSRPM\Enrollment Wizard\SSRPMEnroll.exe" [2008-01-31 604672]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2010-04-11 5116256]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-26 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-26 2178832]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2010-04-11 5116256]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
c:\documents and settings\iraval\Start Menu\Programs\Startup\
BSEGadget.lnk - c:\program files\BSEMktWatch\BSE Mkt Watch.exe [2010-1-16 421888]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-2-2 576000]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
To_DO.lnk - c:\documents and settings\iraval\Desktop\To_DO.txt [2010-5-18 700]
VirtuaWin.lnk - c:\program files\VirtuaWin\VirtuaWin.exe [2009-11-17 126464]
Webshots.lnk - c:\program files\Webshots\3.1.5.7617\Launcher.exe [2009-12-27 157088]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt\0sprestrt
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\0\0]
"Script"=Inventory4.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\0\1]
"Script"=ComputerDescript.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\1\0]
"Script"=servicenow.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-103558\Scripts\Logon\2\0]
"Script"=list_lenovo_profiles_and_delete.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\0\0]
"Script"=Inventory4.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\0\1]
"Script"=ComputerDescript.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-709901224-932253684-619646970-98379\Scripts\Logon\1\0]
"Script"=list_lenovo_profiles_and_delete.vbs
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-11-21 04:14 135664 ----atw- c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
2010-02-02 07:30 160752 ----a-w- c:\program files\Google\Google Updater\GoogleUpdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 22:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 23:39 5244216 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-01-16 05:56 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\iraval\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\iraval\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Cygwin\\bin\\XWin.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Sametime\\STConnect7.5.1\\jre\\bin\\sametime75.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [6/29/2007 3:10 AM 40640]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/18/2010 8:02 AM 93872]
R2 DB2MGMTSVC_TACOM21;DB2 Management Service (TACOM21);c:\program files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2mgmtsvc.exe [7/23/2007 3:47 AM 35616]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 4:49 PM 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 4:12 AM 73120]
R2 MOM;MOM;c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe [7/21/2005 11:14 AM 134656]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [7/10/2007 5:14 PM 1242432]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [4/14/2008 5:00 AM 5120]
S0 cgtfa;cgtfa;c:\windows\system32\drivers\rciwwjn.sys --> c:\windows\system32\drivers\rciwwjn.sys [?]
S1 MpKsl5fd50652;MpKsl5fd50652;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl5fd50652.sys [?]
S1 MpKsl6bf6c1a0;MpKsl6bf6c1a0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl6bf6c1a0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{B01E06E4-0F57-4BFC-91C4-566B7B0083CB}\MpKsl6bf6c1a0.sys [?]
S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
S2 avbackup;Backup Agent;"c:\program files\avs\bin\avagent.exe" /ServiceStart "--logfile=c:\program files\avs\var\avagent.log" --> c:\program files\avs\bin\avagent.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/20/2010 6:47 AM 136176]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [12/5/2009 6:20 PM 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [12/5/2009 6:20 PM 30104]
S3 DB2NTSECSERVER_TACOM21;DB2 Security Server (TACOM21);c:\program files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2sec.exe [7/23/2007 3:48 AM 14112]
S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 11:32 AM 97536]
S3 OracleClientCache80;OracleClientCache80;c:\oracle\product\6.0\BIN\ONRSD80.EXE [1/28/2010 2:27 PM 101136]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:00 AM 14336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
2010-05-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
2010-06-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-01-16 07:30]
2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 11:24]
2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 11:24]
2010-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-709901224-932253684-619646970-103558Core.job
- c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-21 04:14]
2010-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-709901224-932253684-619646970-103558UA.job
- c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-21 04:14]
2010-06-02 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]
2010-06-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]
2010-06-02 c:\windows\Tasks\MP Scheduled Signature Update.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 23:49]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = ;*.local;<local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/59.19/uploader2.cab
DPF: {708C978C-BBF5-4038-8DC1-64FF22BCFFB6} - hxxp://www.barracudanetworks.com/ns/products/spyware-removal-tool/tool/BarracudaSpyRemoval.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://sslvpn.leapwireless.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\iraval\Application Data\Mozilla\Firefox\Profiles\ggy72g16.default\
FF - plugin: c:\documents and settings\iraval\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\iraval\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-06-01 22:22
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1584)
c:\windows\system32\SSRPMGINA.dll
- - - - - - - > 'lsass.exe'(1640)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
- - - - - - - > 'explorer.exe'(8472)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\StacSV.exe
c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMHost.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\rundll32.exe
c:\windows\stsystra.exe
c:\program files\Windows Desktop Search\WindowsSearch.exe
c:\program files\BSEMktWatch\Gadgetworker.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\windows\system32\NOTEPAD.EXE
c:\program files\VirtuaWin\modules\WinList.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\progra~1\Webshots\315~1.761\Webshots.scr
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-06-01 22:30:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-02 05:30
ComboFix2.txt 2010-05-29 04:09
Pre-Run: 23,002,599,424 bytes free
Post-Run: 23,039,139,840 bytes free
- - End Of File - - C42645F1074F29D1AA6E845ECA0E92C5