ComboFix 09-09-16.01 - Cubby 09/16/2009 19:42.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.660 [GMT -4:00]
Running from: c:\documents and settings\cubby.MACDONALDWOOD\Desktop\Combo-Fix.exe
AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\cijyqo.reg
c:\documents and settings\All Users\Application Data\hafocy.dll
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\woriwa.bat
c:\documents and settings\All Users\Documents\giquqisoz.reg
c:\documents and settings\All Users\Documents\mypuwiki.sys
c:\documents and settings\cubby.MACDONALDWOOD\Application Data\pysupowi.bin
c:\documents and settings\cubby.MACDONALDWOOD\Application Data\sunaciryxi.lib
c:\documents and settings\cubby.MACDONALDWOOD\Application Data\uheputakyj.lib
c:\documents and settings\cubby.MACDONALDWOOD\Application Data\xurejor.pif
c:\documents and settings\cubby.MACDONALDWOOD\Cookies\lymopecy.scr
c:\documents and settings\cubby.MACDONALDWOOD\Cookies\netud.bin
c:\documents and settings\cubby.MACDONALDWOOD\Cookies\unubew.scr
c:\documents and settings\cubby.MACDONALDWOOD\Local Settings\Application Data\ohuvewux.pif
c:\documents and settings\cubby.MACDONALDWOOD\Local Settings\Temporary Internet Files\iziri._dl
C:\p2hhr.bat
c:\program files\Common Files\ebopasu.ban
c:\program files\Common Files\vaxuwa.dl
c:\windows\anenave._dl
c:\windows\fymexej.inf
c:\windows\Installer\134c3c3.msi
c:\windows\Installer\435118.msp
c:\windows\Installer\6bbfd10.msp
c:\windows\Installer\b155f4f.msp
c:\windows\Installer\WMEncoder.msi
c:\windows\numabuh.dl
c:\windows\system\oeminfo.ini
c:\windows\system32\bemadoko.dll
c:\windows\system32\cobyx.scr
c:\windows\system32\drivers\gasfkyoymrssra.sys
c:\windows\system32\efanuxyk.sys
c:\windows\system32\FAXFORM.DLL
c:\windows\system32\fosowefe.dll
c:\windows\system32\gasfkyadpxrmlt.dat
c:\windows\system32\gasfkybscbnrpv.dll
c:\windows\system32\gasfkyivbljvdn.dll
c:\windows\system32\gasfkyoirqnejx.dll
c:\windows\system32\gasfkyyqbphxus.dat
c:\windows\system32\gehufidu.dll
c:\windows\system32\hetirika.dll
c:\windows\system32\kowoziza.dll
c:\windows\system32\koyahune.exe
c:\windows\system32\lavogana.dll
c:\windows\system32\legidonu.dll
c:\windows\system32\NCTAudioInformation2.dll
c:\windows\system32\numitopi.dll
c:\windows\system32\ropogeko.dll
c:\windows\system32\tarozahi.dll
c:\windows\system32\twain.dll
c:\windows\system32\vasidifu.dll
c:\windows\system32\wevetora.dll
c:\windows\system32\yaruzesa.dll
c:\windows\system32\yimipivu.dll
c:\windows\system32\yugovuji.dll
c:\windows\system32\yxizubi.bin
c:\windows\system32\zip32.dll
c:\windows\visor.exe
c:\windows\vuhem.dl
c:\windows\xurywam.exe
----- BITS: Possible infected sites -----
hxxp://82.98.231.97.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_gasfkyepxgsnvd
-------\Legacy_gasfkyepxgsnvd
-------\Legacy_NWCWORKSTATION
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_NWCWorkstation
-------\Service_SfX
((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))
.
2009-09-16 17:14 . 2009-09-16 17:14 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-13 00:07 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 00:07 . 2009-09-16 17:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 00:07 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-11 15:26 . 2009-09-11 15:26 1 ---h--w- c:\windows\bk23567.dat
2009-09-04 21:11 . 2009-09-04 21:11 18533 ----a-w- c:\windows\ozebe.dat
2009-09-01 18:37 . 2009-09-01 18:37 -------- d-----w- C:\_OTM
2009-09-01 15:53 . 2009-09-01 18:48 -------- d-----w- c:\program files\M1N1
2009-09-01 14:35 . 2009-09-01 14:35 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\Malwarebytes
2009-09-01 14:35 . 2009-09-01 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-01 10:10 . 2009-09-01 10:10 -------- d-sh--w- c:\documents and settings\Cubby\PrivacIE
2009-09-01 10:01 . 2009-09-01 10:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-01 10:00 . 2009-09-01 10:00 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-08-31 20:54 . 2009-08-31 20:54 -------- d-sh--w- c:\documents and settings\Cubby\IETldCache
2009-08-31 20:28 . 2009-08-31 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-26 11:20 . 2009-08-26 11:20 -------- d-----w- c:\program files\Media5 Software
2009-08-26 11:17 . 2002-12-03 07:11 143872 ----a-w- c:\windows\system32\NCTWMAFile.dll
2009-08-26 11:17 . 2002-12-03 07:07 168448 ----a-w- c:\windows\system32\NCTAudioPlayer.dll
2009-08-26 11:17 . 2002-12-03 07:02 491520 ----a-w- c:\windows\system32\NCTAudioFile.dll
2009-08-26 11:13 . 2009-08-26 11:13 -------- d-----w- c:\program files\WMA WAV MP3 to Audio CD Maker
2009-08-25 01:27 . 2009-08-25 01:27 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\AVS4YOU
2009-08-25 01:27 . 2009-08-25 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-08-25 01:26 . 2009-08-25 01:27 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-08-25 01:26 . 2009-08-25 01:27 -------- d-----w- c:\program files\AVS4YOU
2009-08-25 01:26 . 2008-08-13 15:22 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2009-08-24 23:56 . 2009-08-24 23:56 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\iMeshMediabarTb
2009-08-24 23:56 . 2009-08-24 23:56 -------- d-----w- c:\program files\iMeshMediabarTb
2009-08-24 23:56 . 2009-08-28 14:28 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Local Settings\Application Data\iMesh
2009-08-24 23:56 . 2009-08-24 23:56 -------- d-----w- c:\program files\iMesh Applications
2009-08-24 18:58 . 2009-08-24 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\2BAB
2009-08-22 13:55 . 2009-08-22 14:03 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\CVS
2009-08-22 13:54 . 2009-08-31 20:07 -------- d-sh--w- c:\windows\ftpcache
2009-08-22 13:39 . 2009-08-22 13:39 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-08-21 00:40 . 2009-08-25 15:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-21 00:39 . 2009-08-21 00:39 -------- d-----w- c:\program files\LitexMedia
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-16 17:02 . 2009-06-16 17:02 88064 --sha-w- c:\windows\system32\pitivoni.dll
2009-09-14 11:57 . 2007-04-13 00:07 -------- d-----w- c:\program files\dl_Cats
2009-09-13 14:08 . 2009-06-13 14:08 88576 ------w- c:\windows\system32\dibiyowa.dll
2009-09-13 14:08 . 2007-09-13 16:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-11 00:09 . 2009-06-11 00:09 89088 --sha-w- c:\windows\system32\jubawiro.dll
2009-09-10 10:31 . 2009-06-10 10:31 88064 --sha-w- c:\windows\system32\vugivodi.dll
2009-09-09 10:31 . 2009-06-09 10:31 88064 --sha-w- c:\windows\system32\ropasaje.dll
2009-09-08 22:30 . 2009-06-08 22:30 88576 --sha-w- c:\windows\system32\jobobuwi.dll
2009-09-08 10:30 . 2009-06-08 10:30 88064 --sha-w- c:\windows\system32\tesifeke.dll
2009-09-07 14:48 . 2009-06-07 14:48 49664 --sha-w- c:\windows\system32\sohojire.dll
2009-09-01 21:59 . 2009-06-01 21:59 88064 --sha-w- c:\windows\system32\yoyijite.dll
2009-09-01 10:13 . 2006-08-22 06:33 -------- d-----w- c:\program files\Google
2009-09-01 00:58 . 2006-12-28 01:31 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\Azureus
2009-08-31 20:04 . 2007-11-15 02:48 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\Wave Systems Corp
2009-08-25 01:46 . 2008-01-08 19:03 -------- d-----w- c:\program files\MediaCoder
2009-08-22 13:38 . 2007-10-17 16:18 -------- d-----w- c:\program files\MSECache
2009-08-07 13:39 . 2006-09-13 17:27 93472 ----a-w- c:\documents and settings\cubby.MACDONALDWOOD\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 07:07 . 2009-08-06 07:07 -------- d-----w- c:\program files\MSBuild
2009-08-06 07:07 . 2009-08-06 07:07 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 11:33 . 2007-09-13 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-01 11:13 . 2009-03-28 23:35 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-31 23:49 . 2006-08-22 06:06 35001 ----a-w- c:\windows\system32\nvModes.dat
2009-07-31 19:27 . 2006-09-13 15:35 -------- d-----w- c:\documents and settings\cubby.MACDONALDWOOD\Application Data\AdobeUM
2009-07-19 22:00 . 2009-07-19 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-07-19 22:00 . 2009-06-18 13:57 -------- d-----w- c:\program files\Norton Security Scan
2009-07-19 22:00 . 2009-07-19 22:00 -------- d-----w- c:\program files\NortonInstaller
2009-07-19 22:00 . 2009-07-19 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 10:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2006-03-04 03:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 10:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 10:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 10:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 10:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 10:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 10:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2006-12-17 21:20 . 2006-12-17 21:20 36206039 -c--a-w- c:\program files\Top Producer Outlook Connector.EXE
2006-12-13 03:12 . 2007-02-08 21:35 66648 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-12-13 03:12 . 2007-02-08 21:35 54352 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-12-13 03:12 . 2007-02-08 21:35 34928 -c--a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-12-13 03:12 . 2007-02-08 21:35 46696 -c--a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-12-13 03:12 . 2007-02-08 21:35 172120 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2007-03-15 21:30 . 2007-03-15 21:30 80 -csh--r- c:\windows\system32\67F454E4E8.dll
.
------- Sigcheck -------
[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll
c:\windows\system32\drivers\beep.sys ... is missing !!
c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}"= "c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll" [2009-07-31 91568]
[HKEY_CLASSES_ROOT\clsid\{abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-14 279944]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-24 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2007-02-12 73728]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-04-06 1032192]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"domezudim"="c:\windows\system32\dibiyowa.dll" [2009-09-13 88576]
c:\documents and settings\Cubby\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2007-5-17 1220608]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{6c9ffc2b-36ba-4bc7-ae7f-e0d630dd57a2}"= "c:\windows\system32\dibiyowa.dll" [2009-09-13 88576]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-04-24 282624]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"gakofitot"= {6c9ffc2b-36ba-4bc7-ae7f-e0d630dd57a2} - c:\windows\system32\dibiyowa.dll [2009-09-13 88576]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth nwprovau
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EMBASSY Trust Suite Secure Update.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EMBASSY Trust Suite Secure Update.lnk
backup=c:\windows\pss\EMBASSY Trust Suite Secure Update.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^cubby.MACDONALDWOOD^Start Menu^Programs^Startup^Anapod Manager.lnk]
path=c:\documents and settings\cubby.MACDONALDWOOD\Start Menu\Programs\Startup\Anapod Manager.lnk
backup=c:\windows\pss\Anapod Manager.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^cubby.MACDONALDWOOD^Start Menu^Programs^Startup^RCA Detective.lnk]
path=c:\documents and settings\cubby.MACDONALDWOOD\Start Menu\Programs\Startup\RCA Detective.lnk
backup=c:\windows\pss\RCA Detective.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\dlbtcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlbtpswx.exe"=
"c:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\umi.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\VideoSpin.exe"=
"c:\\WebC_ActiveX4.22\\ptermX.exe"=
"c:\\Program Files\\Ericom Software\\PowerTerm WebConnect 5.6\\151.203.99.51\\ptermX.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"8085:TCP"= 8085:TCP:ddnsfilter
R2 WILPAR;Wordcraft Parallel Driver;c:\windows\system32\drivers\WILPAR.SYS [9/1/2006 11:40 AM 22976]
S1 Filter;Filter;\??\c:\windows\system32\drivers\Filter.sys --> c:\windows\system32\drivers\Filter.sys [?]
S3 cur_bus;Curitel USB Composite Device driver (WDM);c:\windows\system32\drivers\cur_bus.sys [9/5/2006 10:41 AM 50176]
S3 cur_mdfl;Curitel Packet Service Filter;c:\windows\system32\drivers\cur_mdfl.sys [9/5/2006 10:41 AM 6096]
S3 cur_mdm;Curitel Packet Service Drivers;c:\windows\system32\drivers\cur_mdm.sys [9/5/2006 10:41 AM 81056]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\drivers\pwi_bus.sys [5/17/2007 2:28 PM 55344]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\drivers\pwi_mdfl.sys [5/17/2007 2:28 PM 9200]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\drivers\pwi_mdm.sys [5/17/2007 2:28 PM 89936]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\drivers\pwi_oflt.sys [5/17/2007 2:28 PM 9472]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\drivers\pwi_serd.sys [5/17/2007 2:28 PM 69632]
S3 SMC2208;SMC Compact USB to Ethernet converter;c:\windows\system32\drivers\SMC2208.SYS [2/16/2008 12:40 PM 26525]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
2008-01-16 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-11-07 07:04]
2009-09-03 c:\windows\Tasks\Norton Security Scan for Cubby.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-19 16:21]
2009-09-04 c:\windows\Tasks\User_Feed_Synchronization-{522C9FDF-90D3-4175-A7FB-7B976A9CAC8A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
2009-09-02 c:\windows\Tasks\{CB904F16-01AA-4E35-81DF-0F9BCF531682}_MACDONALDWOOD_Cubby.job
- c:\windows\system32\mobsync.exe [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
LSP: vlsp.dll
Trusted Zone: stumbleupon.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: PUFLITE - hxxp://cubbyfitts.point2agent.com/Office/ColpaControls/Photo/Control/PUFLITE.CAB
DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxps://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} - hxxp://151.203.99.51/Ericom/WebConnect%205.6/web/windows/ptdownloader.cab
FF - ProfilePath - c:\documents and settings\cubby.MACDONALDWOOD\Application Data\Mozilla\Firefox\Profiles\xf0e1ri2.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.imesh.com/
FF - prefs.js: browser.search.selectedEngine - iMesh Web Search
FF - prefs.js: keyword.URL - hxxp://search.imesh.com/webResults.html?src=ffb&q=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
BHO-{ecfc4506-fcc3-4507-b2c1-27e4129eff84} - jifipanu.dll
HKLM-Run-zuvinesiza - tarozahi.dll
AddRemove-Adobe Photoshop 5.5 - c:\windows\ISUNINST.EXE -fc:\program files\Adobe\Photoshop 5.5\Uninst.isu
AddRemove-RCA Detective_is1 - c:\documents and settings\cubby.MACDONALDWOOD\My Documents\RCA Detective\unins000.exe
AddRemove-RCA Memory Manager_is1 - c:\documents and settings\cubby.MACDONALDWOOD\My Documents\RCA Memory Manager\unins000.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 20:01
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1823468856-3774011236-2554016227-1605\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1C9602E9-0078-28D7-9D74-7CB879902A53}*]
"hakohkpfpeeclemj"=hex:6a,61,6f,70,6b,64,6f,66,6b,6d,65,68,69,69,66,67,68,68,
6c,63,00,00
"iamoongcjdkkmbbope"=hex:6a,61,6f,70,6b,64,6f,66,63,6e,6d,66,6e,61,64,64,61,6b,
6c,64,00,00
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,97,65,98,77,df,
c4,d9,d5,e2,63,26,f1,3f,c8,ff,68,26,da,4a,51,2c,18,5c,9b,e2,63,26,f1,3f,c8,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,c0,d8,10,c6,fc,
d8,85,02,6a,9c,d6,61,af,45,84,18,63,98,aa,41,9d,27,22,f8,6a,9c,d6,61,af,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,77,6b,0f,1c,e2,
18,6e,17,ff,7c,85,e0,43,d4,0e,fe,42,e8,9f,e8,ec,72,c5,99,ff,7c,85,e0,43,d4,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,93,ca,7f,74,98,
a9,19,16,86,8c,21,01,be,91,eb,e7,18,97,a8,58,fe,a9,4e,79,86,8c,21,01,be,91,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,3c,0e,eb,90,42,
fa,06,cb,f5,1d,4d,73,a8,13,5c,05,6b,83,dc,d8,36,37,17,f7,f5,1d,4d,73,a8,13,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,50,cf,42,b4,96,
4a,7b,52,df,20,58,62,78,6b,cf,c8,df,e7,7e,bd,d5,e9,01,09,df,20,58,62,78,6b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,cb,53,db,0d,94,
5e,6e,68,fb,a7,78,e6,12,2f,9a,ea,6f,2a,ed,60,b2,d1,47,83,fb,a7,78,e6,12,2f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,ff,57,35,74,eb,
c0,05,20,01,3a,48,fc,e8,04,4a,f1,f1,75,68,bb,bf,e2,2e,a4,01,3a,48,fc,e8,04,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,a9,be,9e,98,8b,
17,38,7b,f6,0f,4e,58,98,5b,89,c9,42,b2,98,75,e4,2f,3b,36,f6,0f,4e,58,98,5b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,c2,82,54,f6,10,
e3,07,8e,3d,ce,ea,26,2d,45,aa,78,ee,29,88,ea,c4,c6,75,12,3d,ce,ea,26,2d,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,2d,db,c2,de,4b,
e1,3d,b4,2a,b7,cc,b5,b9,7f,41,e7,68,33,58,56,d5,cb,db,4d,2a,b7,cc,b5,b9,7f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,62,be,74,45,21,
51,65,c7,6c,43,2d,1e,aa,22,2f,9c,08,b7,02,b6,70,38,f2,30,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(764)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
c:\windows\system32\vlsp.dll
- - - - - - - > 'explorer.exe'(1136)
c:\windows\system32\WININET.dll
c:\windows\system32\dibiyowa.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\vlsp.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\lexbces.exE
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Wave Systems Corp\common\DataServer.exe
c:\windows\system32\dlbtcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\windows\system32\BCMWLTRY.EXE
.
**************************************************************************
.
Completion time: 2009-09-17 20:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-17 00:05
Pre-Run: 35,583,873,024 bytes free
Post-Run: 35,673,800,704 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
471 --- E O F --- 2009-08-26 17:40