ComboFix 10-11-30.02 - administrator 11/30/2010 19:45:19.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2275 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Local Settings\Application Data\{319D5F58-2B6E-44A5-85E3-DFE8F39FA975}
c:\documents and settings\Administrator\Local Settings\Application Data\{319D5F58-2B6E-44A5-85E3-DFE8F39FA975}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{319D5F58-2B6E-44A5-85E3-DFE8F39FA975}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{319D5F58-2B6E-44A5-85E3-DFE8F39FA975}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{319D5F58-2B6E-44A5-85E3-DFE8F39FA975}\install.rdf
c:\documents and settings\JayV\System
c:\documents and settings\JayV\System\win_qs7.jqx
c:\documents and settings\JayV\System\win_qs8.jqx
c:\windows\axagupiseriyo.dll
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
((((((((((((((((((((((((( Files Created from 2010-11-01 to 2010-12-01 )))))))))))))))))))))))))))))))
.
2010-11-20 16:13 . 2008-04-14 07:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2010-11-20 16:13 . 2008-04-14 07:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2010-11-20 16:13 . 2008-04-14 07:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2010-11-20 16:13 . 2008-04-14 07:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2010-11-20 16:13 . 2008-04-14 12:42 16384 ----a-w- c:\windows\system32\ipsink.ax
2010-11-20 16:13 . 2008-04-14 07:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2010-11-20 16:13 . 2008-04-14 07:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2010-11-20 16:12 . 2008-04-14 07:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2010-11-20 16:12 . 2008-04-14 07:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2010-11-20 16:12 . 2008-04-14 07:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-11-20 16:12 . 2008-04-14 07:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2010-11-20 16:12 . 2008-04-14 07:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2010-11-20 16:12 . 2008-04-14 07:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2010-11-20 16:12 . 2008-04-14 07:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
2010-11-20 16:12 . 2008-04-14 07:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
2010-11-20 16:10 . 2008-04-14 12:42 43008 ----a-w- c:\windows\system32\ksxbar.ax
2010-11-18 03:18 . 2010-11-18 03:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-14 02:08 . 2010-11-14 02:08 -------- d-----w- c:\windows\system32\MpEngineStore
2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-11-13 23:57 . 2010-11-30 00:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-13 23:57 . 2010-11-13 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-13 23:57 . 2010-12-01 00:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-13 23:57 . 2010-11-30 00:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-13 19:25 . 2010-12-01 00:20 0 ----a-w- c:\windows\Ppoluwenanojoway.bin
2010-11-13 19:22 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\mJiBo02042
2010-11-13 19:19 . 2010-12-01 03:10 763904 ----a-w- c:\windows\system32\drivers\qevuue.sys
2010-11-13 19:18 . 2010-11-16 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
2010-11-13 19:18 . 2010-11-13 19:18 0 ----a-w- c:\windows\system32\lsp179C.tmp
2010-11-12 09:14 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{2412747F-8DCD-4EE2-B6F4-2809C630C6E7}\mpengine.dll
2010-11-03 05:28 . 2010-11-03 05:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 18:41 . 2010-01-22 22:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-07 23:21 . 2008-09-11 15:00 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2010-09-27 20:57 . 2010-09-27 20:57 2826240 ----a-w- c:\windows\system32\GPhotos.scr
2010-09-23 20:52 . 2010-09-23 20:52 922112 ------w- c:\windows\system32\imapi2fs.dll
2010-09-23 20:52 . 2010-09-23 20:52 426496 ------w- c:\windows\system32\imapi2.dll
2010-09-18 19:23 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2003-07-16 16:28 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2003-07-16 16:28 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2003-07-16 16:28 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-13 03:59 . 2010-09-13 03:59 49152 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
2010-09-13 03:58 . 2010-09-13 03:58 57344 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
2010-09-10 05:58 . 2004-08-24 03:32 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2003-07-16 16:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2003-07-16 16:24 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-14 05:17 . 2008-08-30 00:50 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-09-14 05:17 . 2008-08-30 00:50 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-09-14 05:17 . 2008-08-30 00:52 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2009-04-23 18:04 . 2009-04-23 18:04 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2010-08-15 50592]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-05-06 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-05-06 118784]
"WinVNC"="c:\program files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 335872]
"NGClient"="c:\program files\Symantec\Ghost\ngctw32.exe" [2004-08-26 439448]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"VF0060 STISvc"="V0060Pin.dll" [2004-11-01 36864]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]
c:\documents and settings\JayV\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
Pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2007-10-23 44655]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2005-10-27 28672]
eFax Live Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GDllCmd.exe [2004-7-23 17408]
eFax Tray Menu 3.3.lnk - c:\program files\eFax Messenger Plus 3.3\J2GTray.exe [2004-7-23 40960]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-2 724992]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-10-25 106560]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1136\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NETLOGON\logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1138\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NETLOGON\logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-1539\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-16615\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2698\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NETLOGON\logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2874\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-2899\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3413\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NETLOGON\logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3440\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3614\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3791\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-3851\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4186\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-4210\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-500\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NETLOGON\logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5620\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-5680\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NETLOGON\logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6034\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6156\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6631\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6638\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-6778\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7087\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7361\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7745\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7802\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7812\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7953\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2404267284-557891354-1994849693-7985\Scripts\Logon\0\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59152:UDP"= 59152:UDP:SonicWALL Compliance 59152
"59153:UDP"= 59153:UDP:SonicWALL Compliance 59153
R0 GhMon;GhostMountMonitor - Boot Phase Driver;c:\windows\system32\drivers\GhMon.sys [8/26/2004 4:03 PM 6496]
R2 NGClient;Symantec Ghost Win32 Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [8/26/2004 4:35 PM 439448]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/31/2010 10:37 PM 102448]
S0 GhPostConfig;GhostPostConfig - Boot Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [8/26/2004 4:04 PM 198720]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/10/2010 2:41 PM 135664]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 DigimHID;DigimHID;c:\windows\system32\drivers\DigimHID.SYS [2/5/2007 9:09 AM 5248]
S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [11/20/2010 9:11 AM 196409]
--- Other Services/Drivers In Memory ---
*Deregistered* - qevuue
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-11-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
2010-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]
2010-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-10 21:41]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: ccsend.com
Trusted Zone: constantcontact.com
Trusted Zone: ic.aiall
Trusted Zone: icrossing.com
Trusted Zone: icrossing.net
Trusted Zone: projectorpsa.com
Trusted Zone: proxicom.com
Trusted Zone: prxm.corp
Trusted Zone: zendesk.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {4A026B12-94F3-4D2F-A468-96AA55DE20A5} - hxxp://192.168.10.140/img/NetCamPlayerWeb11g.ocx
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter:
jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: LogMeIn, Inc. Remote Access Plugin:
LogMeInClient@logmein.com - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\LogMeInClient@logmein.com
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7ag21vps.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
---- FIREFOX POLICIES ----
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s=
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Xyacasus - c:\windows\axagupiseriyo.dll
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-11-30 20:09
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qevuue]
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1004336348-651377827-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,1f,4c,5a,7c,74,ad,45,8f,39,f9,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(592)
c:\windows\system32\WININET.dll
c:\program files\eFax Messenger Plus 3.3\J2GPfcW.dll
c:\program files\eFax Messenger Plus 3.3\J2GRes_Enu.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Analog Devices\SoundMAX\spkrmon.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\RunDLL32.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\SearchProtocolHost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\msiexec.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
c:\windows\system32\SearchFilterHost.exe
c:\windows\system32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2010-11-30 20:19:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-01 03:19
Pre-Run: 37,342,138,368 bytes free
Post-Run: 39,402,119,168 bytes free
- - End Of File - - C4C0553CD0F1E2239B7EC3F5D5E2D3F7