((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^Users^Mitam^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Mitam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9D7A51B4-1ADE-4856-B496-3C398698BF01}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{80DD3954-7E43-49A8-A599-BD740C0EACDE}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{73F8EB6E-7E17-4725-9182-B38B7283DA0C}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{A7DB3633-1AA8-4129-8FC4-53D2B15DDCBD}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{859BFBF2-8299-4F19-8F89-638C280BC252}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{56C3BF16-0580-478A-9DB5-C2D10146020E}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{5E8A0479-9B27-452D-AAEC-37D0C4F6AFC8}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{17E010E9-F214-46EB-ADB8-593154CA519E}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{606E5035-9832-4170-9280-9B9B79044CE1}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{19373767-1236-480A-8416-4909E02376F1}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{0D5F17B6-FB99-4C45-8A27-095A18602B7C}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{0F232F3B-E633-456A-8794-0C458C5DAA85}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{DBBD76F9-6810-40BC-A156-BCA1C7CC0F7B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9F6F4509-14D8-4693-8582-7B5AE64F6B48}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{5518BBB3-AFFE-4D97-9DDC-D1FDA0DEDF5A}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{374C5C6B-D5E9-4FF4-8301-01D549041FF7}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"{CDF50E01-77A5-4FF1-A8DF-4D0089D9D37B}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{7485E0E5-5A0B-4C0B-9D2E-C13AA7AA1316}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{F81C8404-E972-4213-816F-9D2AC8D95575}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{501D2856-05FC-487B-9686-11011CDB682A}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{E5AFD565-800F-4FF1-B3CF-F65F9A4F1A09}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{969F0BA1-AA22-46AF-96B8-C33449FB0BB5}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"TCP Query User{A3B9F169-42F4-4A8E-9E6A-A9B4CC9A990D}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{B3B4CA29-05CC-47A8-843E-6284A9DF4ABF}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{73DA009F-4370-4D31-8E5C-2D4A8E13CAF7}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{B3535CEF-7740-4B21-8FC9-269A4EE51717}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{441013F6-DEB1-4C4E-B611-8DDD4A2D6E40}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{51CAFA8E-73A8-4220-A3AD-FD729A765304}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{91644312-00F8-41DA-925B-D15DC7A41F48}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{CB4A6135-FC6A-4645-B657-40DA3D9471A4}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{C79DB1F1-7277-4487-9F8B-0ADE5C9EB14A}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{F6405534-88E5-4EA2-9698-01D75031CC00}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{B11E90E3-0245-4E8C-B22C-7D51C1748B0F}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{352DB064-03A4-40E8-8A34-774910FA7BBA}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{11420C5A-AC8E-4FA4-9A2A-B09D2113ED9E}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{6C659DDF-DBB2-40E4-BD24-65181AA1835A}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{6210DD36-0D54-481E-BCD7-28B50923CAD1}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{8AB07A11-330B-446A-A638-C7FB7BFDC22F}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{3785C76A-AA33-443C-9447-CE2A4A5AA3DE}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{0465D557-C130-4C98-B986-671BCBC96E83}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{571A3EC3-FEEC-4EF9-91D6-226076CE6DAA}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{96119DC4-3517-409C-BD3A-B4AE2510F6DC}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{608EAB65-E4A8-4B61-887B-8D7939DE4955}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{FC525F68-15FD-4412-83AF-41B62F7E3A88}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{8A4B07E3-F3C8-4B7E-8A3B-89BC5B675F24}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{EAACC13B-D578-43AD-BE37-CBF2D1E8632D}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{EACA67FC-9A53-4B47-BEEF-98DCAF9255E7}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{B269906B-3804-469B-93AA-74BE7B4FE88D}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{6F62F350-7962-4A39-AB7D-23E8DB5654EE}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{F2A5861F-37D8-4B75-8D5A-BFB43F7FA6BD}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{A760EAAA-D37C-432C-B71A-E9046ED64450}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{26A6B476-0055-4021-851B-CF2FD0B8BB17}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{1C8C36E5-A389-4843-AAF0-480023103836}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{C8BC1E25-FDC3-4285-9D8F-15AD5B985C43}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{1DE5C24D-6790-4B79-9471-11A836398E98}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{A3F35C3A-DE3D-4204-AE6B-35A73B6D2A91}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{EEA1B18F-5CB6-47F6-8692-9CC6360CC4DF}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{F230D5BC-21BE-4F5B-B6E6-E3BDE32DE202}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{7F645FE1-5621-481E-A6F0-29E43299D856}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{B1E6354F-15D5-4C49-9D42-0D3DE86E68EB}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{D9E1E4BF-2807-4F0E-B3FE-7D9AC37F2B6F}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{32CEC970-7B9D-4C97-AD99-36F62F2F027A}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{CF28384C-A20B-4379-AF2C-72754BB16B5C}"= c:\program files\Skype\Phone\Skype.exe:Skype
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\System32\drivers\npf.sys [8/2/2005 4:10 PM 32512]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/29/2008 3:05 PM 24652]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Mitam\AppData\Roaming\Mozilla\Firefox\Profiles\r1utmayd.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Mitam\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-21 14:12
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-07-21 14:14
ComboFix-quarantined-files.txt 2009-07-21 19:14
ComboFix2.txt 2009-07-20 18:10
Pre-Run: 42,932,330,496 bytes free
Post-Run: 42,905,620,480 bytes free
308 --- E O F --- 2009-07-20 17:31
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^Users^Mitam^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Mitam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9D7A51B4-1ADE-4856-B496-3C398698BF01}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{80DD3954-7E43-49A8-A599-BD740C0EACDE}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{73F8EB6E-7E17-4725-9182-B38B7283DA0C}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{A7DB3633-1AA8-4129-8FC4-53D2B15DDCBD}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{859BFBF2-8299-4F19-8F89-638C280BC252}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{56C3BF16-0580-478A-9DB5-C2D10146020E}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{5E8A0479-9B27-452D-AAEC-37D0C4F6AFC8}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{17E010E9-F214-46EB-ADB8-593154CA519E}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{606E5035-9832-4170-9280-9B9B79044CE1}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{19373767-1236-480A-8416-4909E02376F1}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{0D5F17B6-FB99-4C45-8A27-095A18602B7C}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{0F232F3B-E633-456A-8794-0C458C5DAA85}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{DBBD76F9-6810-40BC-A156-BCA1C7CC0F7B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9F6F4509-14D8-4693-8582-7B5AE64F6B48}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{5518BBB3-AFFE-4D97-9DDC-D1FDA0DEDF5A}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{374C5C6B-D5E9-4FF4-8301-01D549041FF7}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"{CDF50E01-77A5-4FF1-A8DF-4D0089D9D37B}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{7485E0E5-5A0B-4C0B-9D2E-C13AA7AA1316}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{F81C8404-E972-4213-816F-9D2AC8D95575}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{501D2856-05FC-487B-9686-11011CDB682A}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{E5AFD565-800F-4FF1-B3CF-F65F9A4F1A09}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{969F0BA1-AA22-46AF-96B8-C33449FB0BB5}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"TCP Query User{A3B9F169-42F4-4A8E-9E6A-A9B4CC9A990D}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{B3B4CA29-05CC-47A8-843E-6284A9DF4ABF}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{73DA009F-4370-4D31-8E5C-2D4A8E13CAF7}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{B3535CEF-7740-4B21-8FC9-269A4EE51717}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{441013F6-DEB1-4C4E-B611-8DDD4A2D6E40}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{51CAFA8E-73A8-4220-A3AD-FD729A765304}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{91644312-00F8-41DA-925B-D15DC7A41F48}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{CB4A6135-FC6A-4645-B657-40DA3D9471A4}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{C79DB1F1-7277-4487-9F8B-0ADE5C9EB14A}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{F6405534-88E5-4EA2-9698-01D75031CC00}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{B11E90E3-0245-4E8C-B22C-7D51C1748B0F}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{352DB064-03A4-40E8-8A34-774910FA7BBA}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{11420C5A-AC8E-4FA4-9A2A-B09D2113ED9E}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{6C659DDF-DBB2-40E4-BD24-65181AA1835A}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{6210DD36-0D54-481E-BCD7-28B50923CAD1}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{8AB07A11-330B-446A-A638-C7FB7BFDC22F}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{3785C76A-AA33-443C-9447-CE2A4A5AA3DE}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{0465D557-C130-4C98-B986-671BCBC96E83}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{571A3EC3-FEEC-4EF9-91D6-226076CE6DAA}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{96119DC4-3517-409C-BD3A-B4AE2510F6DC}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{608EAB65-E4A8-4B61-887B-8D7939DE4955}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{FC525F68-15FD-4412-83AF-41B62F7E3A88}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{8A4B07E3-F3C8-4B7E-8A3B-89BC5B675F24}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{EAACC13B-D578-43AD-BE37-CBF2D1E8632D}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{EACA67FC-9A53-4B47-BEEF-98DCAF9255E7}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{B269906B-3804-469B-93AA-74BE7B4FE88D}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{6F62F350-7962-4A39-AB7D-23E8DB5654EE}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{F2A5861F-37D8-4B75-8D5A-BFB43F7FA6BD}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{A760EAAA-D37C-432C-B71A-E9046ED64450}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{26A6B476-0055-4021-851B-CF2FD0B8BB17}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{1C8C36E5-A389-4843-AAF0-480023103836}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{C8BC1E25-FDC3-4285-9D8F-15AD5B985C43}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{1DE5C24D-6790-4B79-9471-11A836398E98}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{A3F35C3A-DE3D-4204-AE6B-35A73B6D2A91}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{EEA1B18F-5CB6-47F6-8692-9CC6360CC4DF}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{F230D5BC-21BE-4F5B-B6E6-E3BDE32DE202}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{7F645FE1-5621-481E-A6F0-29E43299D856}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{B1E6354F-15D5-4C49-9D42-0D3DE86E68EB}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{D9E1E4BF-2807-4F0E-B3FE-7D9AC37F2B6F}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{32CEC970-7B9D-4C97-AD99-36F62F2F027A}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{CF28384C-A20B-4379-AF2C-72754BB16B5C}"= c:\program files\Skype\Phone\Skype.exe:Skype
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\System32\drivers\npf.sys [8/2/2005 4:10 PM 32512]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/29/2008 3:05 PM 24652]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Mitam\AppData\Roaming\Mozilla\Firefox\Profiles\r1utmayd.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Mitam\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-21 14:12
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-07-21 14:14
ComboFix-quarantined-files.txt 2009-07-21 19:14
ComboFix2.txt 2009-07-20 18:10
Pre-Run: 42,932,330,496 bytes free
Post-Run: 42,905,620,480 bytes free
308 --- E O F --- 2009-07-20 17:31