ComboFix 10-06-23.02 - A24K 06/23/2010 23:10:54.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.767 [GMT -5:00]
Running from: D:\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\A24K\g2mdlhlpx.exe
c:\documents and settings\A24K\Local Settings\Application Data\asam.exe
c:\documents and settings\A24K\Local Settings\Application Data\ridnolpew\waeatdotssd.exe
c:\windows\system32\CONFIG.exe
c:\windows\system32\ygvjflrn.ini
.
((((((((((((((((((((((((( Files Created from 2010-05-24 to 2010-06-24 )))))))))))))))))))))))))))))))
.
2010-06-24 01:19 . 2010-06-24 01:19 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-06-24 01:16 . 2010-06-24 01:16 -------- d-----w- C:\72b07cfaba36907985e7c0
2010-06-23 22:18 . 2010-06-23 22:18 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-06-23 20:08 . 2010-06-23 20:08 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-09 17:24 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-05-26 20:34 . 2010-05-26 20:34 -------- d-----w- c:\program files\Glance25
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-24 01:19 . 2008-01-31 19:49 -------- d-----w- c:\program files\WorksitePro
2010-06-24 01:16 . 2007-10-03 16:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-17 22:13 . 2008-08-29 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Credant
2010-06-04 14:12 . 2008-12-06 21:11 256 ----a-w- c:\windows\system32\pool.bin
2010-05-22 01:05 . 2008-04-15 08:33 -------- d-----w- c:\program files\AClient
2010-05-21 19:14 . 2009-10-02 23:29 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-19 20:42 . 2010-05-19 20:42 249856 ------w- c:\windows\Setup1.exe
2010-05-19 20:42 . 2010-05-19 20:42 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-05-12 18:34 . 2010-05-11 20:49 -------- d-----w- c:\program files\AVS4YOU
2010-05-12 18:33 . 2010-05-11 20:49 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-05-11 20:54 . 2010-05-11 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2010-05-06 10:41 . 2007-10-03 09:10 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2007-10-03 09:10 1851264 ------w- c:\windows\system32\win32k.sys
2010-04-26 01:36 . 2009-04-21 17:00 -------- d-----w- c:\program files\Citrix
2010-04-26 01:32 . 2009-09-29 22:19 -------- d-----w- c:\program files\Coupons
2010-04-26 01:28 . 2010-04-26 01:28 -------- d-----w- c:\program files\Freeze.com
2010-04-26 01:27 . 2010-04-26 01:27 -------- d-----w- c:\program files\Free Offers from Freeze.com
2010-04-20 05:30 . 2007-10-03 09:06 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-14 21:41 . 2010-04-14 21:41 6053 ----a-w- c:\windows\Prefetch\PROPERTYCASUALTY_CD1[1].EXE-35BFFE62.zip
2010-03-31 05:16 . 2010-03-31 05:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 05:10 . 2010-03-31 05:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2008-08-29 14:33 . 2008-08-29 14:33 143360 --sha-r- c:\windows\IdleProc.exe
2008-08-29 14:33 . 2008-08-29 14:33 200704 --sha-r- c:\windows\MsCae32.dll
.
------- Sigcheck -------
[7] 2009-08-07 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . c:\windows\system32\dllcache\wuauclt.exe
c:\windows\System32\wuauclt.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}"= "c:\program files\Freeze.com\My.Freeze.com NetAssistant\NetAssistant.dll" [2010-01-19 361592]
[HKEY_CLASSES_ROOT\clsid\{e38fa08e-f56a-4169-abf5-5c71e3c153a1}]
[HKEY_CLASSES_ROOT\NetAssistant.NetAssistantBHO.1]
[HKEY_CLASSES_ROOT\TypeLib\{1E8FC16F-4C51-49C4-BC9B-4FC24BDDCEE7}]
[HKEY_CLASSES_ROOT\NetAssistant.NetAssistantBHO]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}]
2010-01-19 20:08 361592 ----a-w- c:\program files\Freeze.com\My.Freeze.com NetAssistant\NetAssistant.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\A24K\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-25 133104]
"RCUI"="c:\progra~1\RINGCE~1\RINGCE~1\RCUI.exe" [2009-02-11 479232]
"RCHotKey"="c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe" [2009-05-04 32768]
"Mikogo"="c:\documents and settings\A24K\Application Data\Mikogo\Mikogo-Host.exe" [2009-10-29 2748416]
"cdloader"="c:\documents and settings\A24K\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aflac_Do_Not_Remove"="c:\aflac2000\WSPInfo.exe" [2006-09-12 45056]
"B'sCLiP"="c:\progra~1\B'SCLI~1\Win2K\BSCLIP.exe" [2007-09-12 753664]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-12 162584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-12 138008]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\iFrmewrk.exe" [2007-07-25 974848]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"Panasonic Hotkey Manager"="c:\program files\Panasonic\Hotkey Appendix\HKEYAPP.EXE" [2007-08-23 976264]
"PCinfo"="c:\program files\Panasonic\pcinfo\PcInfoUt.exe" [2007-08-09 91528]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-12 138008]
"PRunOnce"="c:\util\prunonce\PRunOnce.exe" [2004-08-06 110592]
"setfan"="c:\program files\Panasonic\setfan\setfan.exe" [2007-08-09 443784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-03-16 868352]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 204800]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"WSPPurge"="c:\program files\Aflac\Common\WSPPurge.exe" [2007-12-26 20480]
"WSwitch"="c:\program files\Panasonic\WSwitch\WSwitch.exe" [2007-08-24 734600]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"QuickCare"="c:\program files\Qwest\Quickcare\bin\sprtcmd.exe" [2008-05-31 202016]
"Lexmark X5100 Series"="c:\program files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 86100]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"CmgShieldUI"="c:\windows\System32\CMGShieldUI.exe" [2008-04-29 210224]
"EmsService"="EmsServiceHelper.exe" [2008-04-29 492848]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AL-1000 Status Monitor.lnk - c:\program files\AL-1000\engss.exe [2010-3-5 77824]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
path=
backup=
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=
"c:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"=
"c:\\Documents and Settings\\A24K\\Application Data\\mjusbsp\\magicJack.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5060:UDP"= 5060:UDP:magicjack
"5070:UDP"= 5070:UDP:magicjack
"443:TCP"= 443:TCP:magicjack
R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [10/3/2007 8:29 PM 17192]
R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [4/29/2008 3:05 PM 195128]
R0 CMGShieldReg;CMGShieldReg;c:\windows\system32\drivers\CmgShREG.sys [4/29/2008 3:05 PM 89656]
R1 SafDskNT;SafDskNT;c:\windows\system32\drivers\SafDskNT.sys [8/29/2008 9:33 AM 77824]
R2 BsUDF;BsUDF;c:\windows\system32\drivers\BsUDF.sys [10/3/2007 8:29 PM 195616]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/3/2007 4:16 AM 36352]
R3 NewMisc;Panasonic Misc Driver;c:\windows\system32\drivers\newmisc.sys [10/3/2007 4:15 AM 42624]
S2 CMGShield;CMG Shield;c:\windows\system32\CmgShieldSvc.exe [4/29/2008 3:01 PM 1103152]
S2 EMS;EMS;c:\windows\system32\EmsService.exe [4/29/2008 3:00 PM 644400]
S2 ETMService;Intel(R) Extended Thermal Model Service Application;c:\windows\system32\etmservice.exe [10/3/2007 11:48 AM 217088]
S2 MsChkSvc;MsChkSvc;c:\windows\system32\Mschksvc.exe [8/29/2008 9:33 AM 32768]
S2 MsWnetChk;MsWnetChk;c:\windows\system32\mswnetchk.exe [8/29/2008 9:33 AM 122880]
S2 OPDOFFSV;Panasonic Opdoff Utility;c:\program files\Panasonic\OPDOFF\opdoffsv.exe [10/3/2007 8:00 PM 206480]
S2 PcInfoPi;Panasonic PC Information Viewer Service 2;c:\program files\Panasonic\pcinfo\PCInfoPi.exe [10/3/2007 1:27 PM 54664]
S2 PcInfoSV;Panasonic PC Information Viewer;c:\program files\Panasonic\pcinfo\PCInfoSV.exe [10/3/2007 1:27 PM 185736]
S2 SDKEY;Panasonic SD Misc. Function Driver;c:\program files\Panasonic\SDKEY\SDKEY.sys [10/3/2007 1:01 PM 13704]
S2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
S3 B-Service;B-Service;c:\documents and settings\A24K\Application Data\Mikogo\B-Service.exe [10/29/2009 1:38 PM 185640]
S3 CmgShieldNP;CmgShieldNP;c:\windows\system32\CmgShieldNP.dll [4/29/2008 3:04 PM 156976]
S3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [3/4/2008 6:30 PM 34128]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/12/2009 2:04 PM 101936]
S3 Etm;Etm;c:\windows\system32\drivers\EtmDrvMgr.sys [10/3/2007 11:48 AM 40448]
S3 EtmCpu;EtmCpu;c:\windows\system32\drivers\EtmDevCpu.sys [10/3/2007 11:48 AM 19712]
S3 EtmFan;EtmFan;c:\windows\system32\drivers\EtmDevFan.sys [10/3/2007 11:48 AM 9600]
S3 EtmGmchMem;EtmGmchMem;c:\windows\system32\drivers\EtmDevGmch.sys [10/3/2007 11:48 AM 36480]
S3 EtmTempSense;EtmTempSense;c:\windows\system32\drivers\EtmTempSense.sys [10/3/2007 11:48 AM 12288]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MDMXSDK
*NewlyCreated* - PXHELP20
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2010-06-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-258322132-2918892608-2119487751-1007Core.job
- c:\documents and settings\A24K\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-25 02:15]
2010-06-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-258322132-2918892608-2119487751-1007UA.job
- c:\documents and settings\A24K\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-25 02:15]
2010-06-24 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride =
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: avacast.com\kaplan1
Trusted Zone: kfeducation.com\www
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe
HKCU-Run-vqwgfatr - c:\documents and settings\A24K\Local Settings\Application Data\ridnolpew\waeatdotssd.exe
HKCU-Run-asam - c:\documents and settings\A24K\Local Settings\Application Data\asam.exe
HKLM-Run-vqwgfatr - c:\documents and settings\A24K\Local Settings\Application Data\ridnolpew\waeatdotssd.exe
HKLM-Run-asam - c:\documents and settings\A24K\Local Settings\Application Data\asam.exe
AddRemove-All Products - c:\worldins\DeIsL6.isu
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-23 23:15
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\docume~1\A24K\LOCALS~1\Temp\CredDB.CEF 186054 bytes
C:\CredDB.CEF 296 bytes
c:\documents and settings\A24K\Application Data\magicJackOutlookAddIn\CredDB.CEF 296 bytes
c:\documents and settings\A24K\Application Data\Adobe\Flash Player\AssetCache\KP53GX35\CredDB.CEF 296 bytes
c:\documents and settings\A24K\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\CredDB.CEF 296 bytes
c:\documents and settings\A24K\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\CredDB.CEF 296 bytes
c:\documents and settings\A24K\Application Data\Macromedia\Shockwave Player\Prefs\Y5K98FFN\CredDB.CEF 296 bytes
c:\documents and settings\A24K\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\CredDB.CEF 12986 bytes
c:\documents and settings\A24K\Application Data\Microsoft\Excel\CredDB.CEF 296 bytes
c:\documents and settings\A24K\Application Data\Microsoft\Internet Explorer\CredDB.CEF 296 bytes
c:\documents and settings\A24K\Application Data\Microsoft\Office\CredDB.CEF 592 bytes
c:\documents and settings\A24K\Application Data\Microsoft\Office\Recent\CredDB.CEF 24394 bytes
c:\documents and settings\A24K\Application Data\Microsoft\Outlook\CredDB.CEF 1480 bytes
c:\documents and settings\A24K\Application Data\Microsoft\Signatures\CredDB.CEF 8936 bytes
c:\documents and settings\A24K\Application Data\Microsoft\Templates\CredDB.CEF 2368 bytes
c:\documents and settings\A24K\Application Data\Microsoft\Word\CredDB.CEF 668 bytes
c:\documents and settings\A24K\Application Data\Mozilla\Firefox\Profiles\6rq6yvvb.default\CredDB.CEF 592 bytes
c:\documents and settings\A24K\Application Data\Research In Motion\BlackBerry\Intellisync\3055D6E9.CFG\CredDB.CEF 296 bytes
c:\documents and settings\A24K\Application Data\Research In Motion\BlackBerry\Intellisync\Device.CFG\CredDB.CEF 296 bytes
c:\documents and settings\A24K\Application Data\SecondLife\browser_profile\CredDB.CEF 296 bytes
c:\documents and settings\A24K\Application Data\SecondLife\donaldtramp_swashbuckler\CredDB.CEF 296 bytes
c:\documents and settings\A24K\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\CredDB.CEF 5028 bytes
scan completed successfully
hidden files: 22
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7f,66,cb,e6,2a,2f,f0,45,8c,80,a8,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7f,66,cb,e6,2a,2f,f0,45,8c,80,a8,\
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CMGShieldReg\CredProt*]
"KeyValidation"=dword:67fb81dd
"LastKeyUpdate"="11/13/2009:19:45"
"PCP"=dword:00000001
.
Completion time: 2010-06-23 23:17:36
ComboFix-quarantined-files.txt 2010-06-24 04:17
Pre-Run: 49,249,320,960 bytes free
Post-Run: 50,887,901,184 bytes free
- - End Of File - - C5628F8DC6A94DE2B32AB5A0834A4736