ComboFix 09-09-12.A0 - Administrator 09/13/2009 2:20.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.607 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Application Data\020000007f6fd8f3579C.manifest
c:\documents and settings\Administrator\Application Data\020000007f6fd8f3579O.manifest
c:\documents and settings\Administrator\Application Data\020000007f6fd8f3579P.manifest
c:\documents and settings\Administrator\Application Data\020000007f6fd8f3579S.manifest
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\epitegigusobo.dll
c:\windows\Installer\f61db2.msi
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\41.exe
c:\windows\system32\C8XZ0GEucBtOU.vbs
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\iqcqP.vbs
c:\windows\system32\oem4.inf
c:\windows\system32\puvelepu.dll
c:\windows\system32\tazamuto.dll
c:\windows\system32\tufamovo.dll
C:\xcrashdump.dat
----- BITS: Possible infected sites -----
hxxp://download.yimg.com.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_kbiwkmmyvtbpnq
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_kbiwkmmyvtbpnq
((((((((((((((((((((((((( Files Created from 2009-08-13 to 2009-09-13 )))))))))))))))))))))))))))))))
.
2009-09-13 07:17 . 2009-09-13 07:19 -------- d-----w- C:\Combo-Fix
2009-09-13 06:25 . 2009-09-13 06:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-12 17:17 . 2009-08-22 06:32 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-09-12 17:17 . 2009-09-13 05:38 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-09-12 17:17 . 2009-09-13 05:38 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-12 17:17 . 2009-09-13 05:38 -------- d-----w- c:\program files\Symantec
2009-09-12 17:17 . 2009-09-12 17:39 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-12 17:17 . 2009-09-13 06:39 -------- d-----w- c:\windows\system32\drivers\NAV
2009-09-12 17:17 . 2009-09-12 17:17 -------- d-----w- c:\program files\Norton AntiVirus
2009-09-12 17:17 . 2009-09-12 17:17 -------- d-----w- c:\program files\Windows Sidebar
2009-09-12 17:17 . 2009-09-12 17:17 -------- d-----w- c:\program files\NortonInstaller
2009-09-12 14:59 . 2009-09-12 14:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-12 14:51 . 2009-09-12 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\gwr
2009-09-10 05:21 . 2009-09-10 06:32 -------- d--h--w- c:\windows\PIF
2009-09-07 22:01 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-07 22:01 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-06 15:59 . 2009-09-12 15:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-06 15:59 . 2009-09-06 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-03 19:06 . 2009-09-03 19:12 30720 ----a-w- c:\windows\system32\7EE983E52D57964A.exe
2009-08-31 20:06 . 2009-08-31 20:06 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-08-31 06:41 . 2009-08-31 06:41 412160 ----a-w- c:\windows\qcpra5753.exe
2009-08-30 17:19 . 2009-08-30 17:19 -------- d-----w- C:\found.001
2009-08-30 16:34 . 2009-08-30 16:34 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2009-08-30 16:33 . 2009-08-30 16:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ICS
2009-08-30 16:33 . 2009-08-30 18:15 -------- d-----w- c:\windows\LMI19.tmp
2009-08-30 06:08 . 2009-08-30 06:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mixxx
2009-08-28 16:48 . 2009-08-28 16:48 -------- d-----w- c:\program files\Microsoft Plus! Digital Media Edition
2009-08-27 18:06 . 2009-08-27 18:06 -------- d-----w- c:\program files\VirtualDJ
2009-08-27 05:06 . 2009-08-27 05:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\FlyOrDie
2009-08-17 19:48 . 2009-08-17 19:49 -------- d-----w- c:\program files\LimeWire
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-13 05:38 . 2009-09-12 17:17 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-13 05:38 . 2009-09-12 17:17 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-12 18:06 . 2009-03-08 06:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2009-09-12 17:17 . 2009-02-26 04:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-12 17:17 . 2009-02-26 04:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-09-12 17:17 . 2009-02-26 04:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-09-12 15:50 . 2009-04-19 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-08-31 09:15 . 2009-04-29 18:58 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2009-08-30 16:19 . 2009-04-16 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-08-30 02:58 . 2009-02-26 12:40 129568 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-14 11:58 . 2009-09-13 06:26 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-05 09:01 . 2004-08-10 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 06:43 . 2009-08-04 06:43 -------- d-----w- c:\program files\Topaz Labs
2009-07-24 02:54 . 2009-03-02 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-24 02:54 . 2009-07-24 00:22 -------- d-----w- c:\program files\NOS
2009-07-24 00:41 . 2009-03-03 16:39 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-24 00:36 . 2009-05-16 05:46 -------- d-----w- c:\program files\ASIO4ALL v2
2009-07-24 00:21 . 2009-05-16 05:41 -------- d-----w- c:\program files\Image-Line
2009-07-17 19:01 . 2004-08-10 11:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-10 11:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2006-03-04 03:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-10 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-10 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2004-08-10 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
.
------- Sigcheck -------
[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\eventlog.dll
[-] 2004-08-10 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll
c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-24 143360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-27 155648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"Easy Dock"="c:\documents and settings\Administrator\My Documents\RCA easyRip\EZDock.exe" [2009-04-03 573440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"7EE983E52D57964A"="c:\windows\system32\7EE983E52D57964A.exe" [2009-09-03 30720]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
RCA Detective.lnk - c:\documents and settings\Administrator\My Documents\RCA Detective\RCADetective.exe [2009-6-18 942592]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Studio\\FRegister.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Studio\\BCGUpdate.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Studio\\Summitsoft Products.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Studio\\BCGFonts.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Studio\\Splash_LDS.exe"=
"c:\\Program Files\\Summitsoft\\Business Card Studio\\Splash Series 1_Oct132008.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\WINDOWS\\LMI19.tmp\\lmi_rescue.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"86:TCP"= 86:TCP:BroadCam Web Server
"3335:UDP"= 3335:UDP:Windows Media Format SDK (iexplore.exe)
"3334:UDP"= 3334:UDP:Windows Media Format SDK (iexplore.exe)
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1007020.00B\SymEFA.sys [9/13/2009 12:38 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1007020.00B\BHDrvx86.sys [9/13/2009 12:38 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1007020.00B\cchpx86.sys [9/13/2009 12:38 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090910.003\IDSXpx86.sys [9/12/2009 12:25 PM 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe [9/13/2009 12:38 AM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/12/2009 3:00 AM 102448]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 3:06 PM 231424]
.
Contents of the 'Scheduled Tasks' folder
2009-09-11 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-03-20 12:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-13 02:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.7.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1080)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(1700)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO800u.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2009-09-13 2:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-13 07:39
Pre-Run: 49,621,610,496 bytes free
Post-Run: 49,495,838,720 bytes free
Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
--- E O F --- 2009-09-13 06:01