PART II
-------------
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Kevin\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1001000.021\SYMEFA.SYS [2008-12-04 309296]
R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\NAV\1001000.021\BHDrvx86.sys [2008-12-04 255536]
R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\NAV\1001000.021\ccHPx86.sys [2008-12-04 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081203.001\IDSxpx86.sys [2008-12-04 274808]
R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll" /prefetch:1 []
R2 TivoBeacon2;TiVo Beacon;"c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service [2007-05-02 865280]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-04 99376]
R3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);c:\windows\system32\drivers\adm8830.sys [2007-05-10 747392]
S0 Cdr4vsd;Cdr4vsd;c:\windows\system32\drivers\Cdr4vsd.sys [2008-08-28 72032]
S3 EraserUtilDrvI7;EraserUtilDrvI7;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys []
.
Contents of the 'Scheduled Tasks' folder
2008-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-12-05 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-09-17 15:35]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-Orb - c:\program files\Orb Networks\Orb\bin\OrbTray.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {A26CC323-56B8-4F95-BCB4-7C3CE96C4967} = 68.87.73.242,68.87.71.226
FireFox -: Profile - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\i95qgolv.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://mail.yahoo.com
FF -: plugin - c:\program files\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npImgCtl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npwbe.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 21:04:25
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1088)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(1148)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-04 21:06:56 - machine was rebooted [Kevin]
ComboFix-quarantined-files.txt 2008-12-05 02:06:53
Pre-Run: 210,411,073,536 bytes free
Post-Run: 210,399,924,224 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
;timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
243 --- E O F --- 2008-11-13 04:29:25