ComboFix 10-08-04.05 - Owner 08/05/2010 3:18.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.879.360 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
ADS - WINDOWS: deleted 23818 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.0.inf
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2010-07-05 to 2010-08-05 )))))))))))))))))))))))))))))))
.
2010-08-04 21:14 . 2010-08-04 21:15 -------- d-----w- c:\documents and settings\Owner\Application Data\18935F87F7CA5F19592EBBE3AC0D6F51
2010-08-03 04:21 . 2010-08-03 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2010-08-03 04:20 . 2010-08-03 04:20 -------- d-----w- c:\program files\Messenger Plus! Live
2010-08-03 04:16 . 2010-08-03 04:16 -------- d-----w- c:\program files\Microsoft
2010-08-03 04:16 . 2010-08-03 04:16 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-08-01 23:36 . 2007-09-06 13:14 822400 ----a-w- c:\windows\system32\drivers\wn311b.sys
2010-08-01 23:36 . 2007-01-18 15:29 102400 ----a-w- c:\windows\system32\ASupplicant.dll
2010-08-01 23:36 . 2006-09-18 13:25 135265 ----a-w- c:\windows\system32\AW32n50.dll
2010-08-01 23:36 . 2002-04-11 22:43 16194 ----a-w- c:\windows\system32\AWINDIS5.SYS
2010-08-01 23:36 . 2010-08-01 23:36 -------- d-----w- c:\program files\NETGEAR
2010-07-25 23:11 . 2010-07-25 23:12 -------- d-----w- c:\documents and settings\Owner\Application Data\SPORE
2010-07-25 09:14 . 2010-07-25 09:14 -------- d--h--r- c:\documents and settings\Owner\Application Data\SecuROM
2010-07-25 07:55 . 2010-07-25 23:11 -------- d-----w- c:\program files\Electronic Arts
2010-07-14 15:40 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-12 04:46 . 2010-07-12 04:46 -------- d-----w- c:\documents and settings\Owner\Application Data\GetRightToGo
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-05 08:05 . 2010-01-18 09:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-05 06:44 . 2007-08-29 02:07 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-05 06:38 . 2010-01-18 18:38 -------- d-----w- c:\program files\Spyware Doctor
2010-08-05 06:28 . 2009-12-17 23:23 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2010-08-04 18:47 . 2010-05-03 14:10 99 ----a-w- c:\documents and settings\Owner\jagex_runescape_preferences2.dat
2010-08-04 18:09 . 2008-07-03 14:11 46 ----a-w- c:\documents and settings\Owner\jagex_runescape_preferences.dat
2010-08-03 04:17 . 2007-07-30 02:15 -------- d-----w- c:\program files\Windows Live
2010-08-01 23:36 . 2006-05-16 15:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-01 21:36 . 2008-05-18 02:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-29 22:55 . 2008-09-04 21:49 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-07-25 09:14 . 2007-08-29 21:47 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-07-14 15:59 . 2008-09-05 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-05 08:58 . 2010-05-06 04:38 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-07-05 06:31 . 2009-01-16 18:50 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2010-06-14 14:31 . 2004-08-26 18:01 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-08 02:16 . 2010-01-18 18:46 763832 ----a-w- c:\windows\BDTSupport.dll
2010-06-08 00:21 . 2010-01-18 18:46 1652664 ----a-w- c:\windows\PCTBDCore.dll
2010-06-07 21:58 . 2010-02-02 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-02-02 2937528]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-07-11 136176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"AS00_WN311B"="c:\program files\NETGEAR\WN311B\Utility\WN311B.exe" [2008-09-17 3002368]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
c:\documents and settings\Guest\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
2009-11-18 18:47 1243088 ----a-w- c:\program files\Spyware Doctor\pctsTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 03:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner Scheduler]
2009-04-04 23:19 471650 ----a-w- c:\program files\CleanMyPC\Registry Cleaner\RCHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 10:01 32768 -c--a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 17:35 90112 -c--a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 10:19 148888 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-05-15 22:33 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 02:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Owner\\Desktop\\SPF.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\gPotato.com\\Allods Online\\bin\\Launcher.exe"=
"c:\\gPotato.com\\Allods Online\\bin\\AOgame.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21428:TCP"= 21428:TCP:BitComet 21428 TCP
"21428:UDP"= 21428:UDP:BitComet 21428 UDP
"58645:TCP"= 58645:TCP:Pando Media Booster
"58645:UDP"= 58645:UDP:Pando Media Booster
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [1/18/2010 1:39 PM 207792]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SymEFA.sys [2/2/2010 6:40 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1008000.029\BHDrvx86.sys [2/2/2010 6:40 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1008000.029\cchpx86.sys [2/2/2010 6:39 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100803.001\IDSXpx86.sys [8/3/2010 8:04 PM 331640]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/18/2010 1:46 PM 112592]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2/2/2010 6:39 PM 117640]
R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [8/1/2010 6:36 PM 16194]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/26/2010 3:00 AM 102448]
S3 musbehco;musbehco;\??\c:\docume~1\Owner\LOCALS~1\Temp\musbehco.sys --> c:\docume~1\Owner\LOCALS~1\Temp\musbehco.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [12/23/2008 10:35 AM 50704]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [1/18/2010 1:38 PM 359624]
S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys --> c:\windows\system32\XDva020.sys [?]
S3 XDva143;XDva143;\??\c:\windows\system32\XDva143.sys --> c:\windows\system32\XDva143.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2010-08-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2307869151-1087290343-212140784-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-11 03:53]
2010-08-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2307869151-1087290343-212140784-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-11 03:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/forgotPassword.asp?affid=370-9&langid=1&close=true&RW=1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
TCP: {519DBFF3-9B16-427C-A2B7-F50AC08FE8BF} = 209.173.36.11,209.173.45.11
DPF: {E85362EF-40D4-4E5D-BE07-D6B036CCA277} - hxxps://secure.gopetslive.com/dev/gopets.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
.
- - - - ORPHANS REMOVED - - - -
BHO-{a33fa729-d155-4b23-842b-2c665ecabdb6} - (no file)
MSConfigStartUp-readericon - c:\program files\Digital Media Reader\readericon45G.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-05 03:30
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2307869151-1087290343-212140784-1003\Software\SecuROM\License information*]
"datasecu"=hex:ab,70,28,e1,f4,ff,4a,64,33,9d,f5,fd,4d,26,94,ba,2b,46,d4,2a,25,
be,fe,82,fb,d3,33,8d,4e,4b,6e,8d,45,bc,5a,01,b2,f9,91,d7,7f,81,72,47,8a,1f,\
"rkeysecu"=hex:78,63,3d,0c,fb,c9,7e,30,18,15,ef,22,b5,28,3c,ee
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1088)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-05 03:34:00
ComboFix-quarantined-files.txt 2010-08-05 08:33
Pre-Run: 80,190,238,720 bytes free
Post-Run: 81,392,324,608 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 990EC7638895AB28E567C71695C223D3