
ComboFix 10-03-23.04 - Administrator 03/24/2010 9:02.3.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.759.485 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix3.24.exe
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 33
/wow section - STAGE 34
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Downloaded Program Files\x64
c:\windows\Downloaded Program Files\x64\racodec.ax
c:\windows\Downloaded Program Files\x86
c:\windows\Downloaded Program Files\x86\racodec.ax
c:\windows\patchw32.dll
c:\windows\pw32a.dll
.
((((((((((((((((((((((((( Files Created from 2010-02-24 to 2010-03-24 )))))))))))))))))))))))))))))))
.
2010-03-22 14:33 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-03-22 11:54 . 2010-03-22 11:54 -------- d-----w- c:\program files\Trend Micro
2010-03-17 18:46 . 2009-06-11 19:33 1825377280 ----a-w- c:\windows\system32\mswgm.exe
2010-03-09 13:25 . 2010-03-09 13:25 -------- d-----w- c:\program files\Akamai
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-24 12:00 . 2009-01-27 19:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\LogMeIn Rescue
2010-03-10 08:12 . 2009-01-22 18:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-03-10 08:06 . 2009-01-22 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-09 14:05 . 2009-05-05 12:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Download Manager
2010-02-23 21:28 . 2009-09-17 17:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-02-22 20:08 . 2009-01-23 14:46 -------- d-----w- c:\program files\Alwil Software
2010-02-22 13:51 . 2010-02-22 13:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-11 18:53 . 2009-03-10 13:22 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-11 18:53 . 2009-03-10 13:21 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-11 18:42 . 2009-03-10 13:22 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-11 18:42 . 2009-03-10 13:22 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-11 18:39 . 2009-03-10 13:22 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-11 18:38 . 2009-03-10 13:22 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-11 18:38 . 2009-03-10 13:22 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-11 18:38 . 2009-03-10 13:22 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-11 18:38 . 2009-03-10 13:22 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-05 20:39 . 2009-07-06 12:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-02-01 12:39 . 2009-02-04 18:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-01 12:36 . 2009-06-22 20:59 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-18 16:43 . 2009-01-22 19:23 74320 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-11 20:13 . 2010-01-11 20:13 193127167 ----a-w- C:\ccsetup.exe
2010-01-11 13:28 . 2010-01-11 13:27 214419720 ----a-w- C:\qbwebpatch.exe
2010-01-07 21:07 . 2009-02-04 18:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-02-04 18:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-07 17:58 . 2010-01-07 17:58 102998 ----a-w- C:\bitsfiles.exe
2009-12-31 16:50 . 2008-04-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.
------- Sigcheck -------
[-] 2009-06-05 . 1F39C7BDBA4C5F3F01C4EABF7EDBF4B3 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\TCPIP.SYS
[-] 2009-06-05 . 1F39C7BDBA4C5F3F01C4EABF7EDBF4B3 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\TCPIP.SYS
[-] 2008-07-03 . 762EEF6258E2D1137F8E953A56A839A7 . 1480704 . . [6.00.2900.5634] . . c:\windows\explorer.exe
[7] 2008-07-03 . 2BB75B7F548D82A099125D0C5971DE7D . 1033728 . . [6.00.2900.5634] . . c:\windows\system32\dllcache\explorer.exe
[-] 2008-08-27 . F2DF0FDBD41B34112EE05ED04258F052 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"Norton Ghost 12.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-11-12 2037096]
"SoundMan"="SOUNDMAN.EXE" [2003-11-13 62464]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-05 630784]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-07 65536]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Manage Process"="c:\windows\system32\mswgm.exe" [2009-06-11 1825377280]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"c:\\Program Files\\Cisco Systems\\CiscoSMB\\Cisco Configuration Assistant\\packages\\runtime-2.2\\bin\\java.exe"=
"c:\\Program Files\\Cisco Systems\\CiscoSMB\\Cisco Configuration Assistant\\packages\\runtime-2.2\\bin\\javaw.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"6198:TCP"= 6198:TCP:vnc
"6198:UDP"= 6198:UDP:vnc2
R0 aar1210;aar1210;c:\windows\system32\drivers\aar1210.sys [8/27/2008 11:14 AM 186880]
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [11/9/2009 9:11 AM 86552]
S0 wetmzstl;wetmzstl;c:\windows\system32\drivers\aydlnc.sys --> c:\windows\system32\drivers\aydlnc.sys [?]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/10/2009 9:22 AM 162512]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/10/2009 9:22 AM 19024]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [8/17/2001 12:11 PM 20160]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [3/16/2009 11:17 AM 42112]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [11/9/2009 9:09 AM 24876]
S3 SliceDisk5;SliceDisk5;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\FindAndMount\slicedisk.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\FindAndMount\slicedisk.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2010-03-24 c:\windows\Tasks\User_Feed_Synchronization-{549EA7DE-1D3D-42EE-BFB9-4C1C218725A7}.job
- c:\windows\system32\msfeedssync.exe [2008-04-14 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Background Download As - c:\windows\System32\bits_ie.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: blogspot.com\printer-solutions
Trusted Zone: dyndns.org\monroe911
Trusted Zone: gotdns.com\ljhughes
Trusted Zone: gotdns.org\smsvpn
Trusted Zone: netacad.net\cisco
Trusted Zone: ptserver
TCP: {DAFDD112-F91B-419E-B11E-14731FFBD8A6} = 4.2.2.2,208.180.42.100
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/US/TechConsole/x86/RescueControl.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7g2pz4sy.default\
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7g2pz4sy.default\extensions\TechnicianConsole@logmeinrescue.com\platform\WINNT\plugins\npRescue.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFF12.DLL
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
HKCU-Run-TomTomHOME.exe - c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
HKLM-Run-DrvIcon - c:\program files\Vista Drive Icon\DrvIcon.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-24 14:34
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1177238915-1844237615-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7a,6e,b1,a3,02,1a,a6,4d,96,cc,d4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,a1,c4,a2,bd,1a,b6,4d,b2,8a,e1,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\cscui.dll
.
Completion time: 2010-03-24 14:38:25
ComboFix-quarantined-files.txt 2010-03-24 18:38
Pre-Run: 22,239,014,912 bytes free
Post-Run: 25,403,498,496 bytes free
- - End Of File - - 10260FFCBDBBC48277245382EB78DCE8
