ComboFix log
ComboFix 11-03-31.02 - Bear 04/01/2011 1:16.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3839.3248 [GMT -4:00]
Running from: c:\documents and settings\Bear\Desktop\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Bear\Application Data\Adobe\plugs
c:\documents and settings\Bear\Application Data\Adobe\shed
c:\documents and settings\Bear\Local Settings\Application Data\{7484FC13-A8B0-4BF6-843A-5FE4A312350D}
c:\documents and settings\Bear\Local Settings\Application Data\{7484FC13-A8B0-4BF6-843A-5FE4A312350D}\chrome.manifest
c:\documents and settings\Bear\Local Settings\Application Data\{7484FC13-A8B0-4BF6-843A-5FE4A312350D}\chrome\content\_cfg.js
c:\documents and settings\Bear\Local Settings\Application Data\{7484FC13-A8B0-4BF6-843A-5FE4A312350D}\chrome\content\overlay.xul
c:\documents and settings\Bear\Local Settings\Application Data\{7484FC13-A8B0-4BF6-843A-5FE4A312350D}\install.rdf
c:\documents and settings\Bunny\Local Settings\Application Data\{8EA551ED-AAE7-4214-A477-270652475D9A}
c:\documents and settings\Bunny\Local Settings\Application Data\{8EA551ED-AAE7-4214-A477-270652475D9A}\chrome.manifest
c:\documents and settings\Bunny\Local Settings\Application Data\{8EA551ED-AAE7-4214-A477-270652475D9A}\chrome\content\_cfg.js
c:\documents and settings\Bunny\Local Settings\Application Data\{8EA551ED-AAE7-4214-A477-270652475D9A}\chrome\content\overlay.xul
c:\documents and settings\Bunny\Local Settings\Application Data\{8EA551ED-AAE7-4214-A477-270652475D9A}\install.rdf
E:\Uninstall.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-01 to 2011-04-01 )))))))))))))))))))))))))))))))
.
.
2011-03-31 00:29 . 2011-03-31 16:29 -------- d-----w- c:\program files\SDistTest
2011-03-30 00:55 . 2011-03-30 00:55 -------- d-----w- c:\program files\ERUNT
2011-03-26 22:56 . 2011-03-26 22:56 -------- d-----w- c:\program files\Common Files\Stardock
2011-03-26 22:55 . 2011-03-26 22:55 -------- d-----w- c:\program files\Stardock Games
2011-03-26 22:30 . 2011-03-26 22:32 -------- d-----w- c:\documents and settings\Bear\Application Data\Stardock
2011-03-26 22:29 . 2011-03-26 22:30 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{0D7C3114-2F34-430F-A142-545BE493A7E9}
2011-03-26 22:28 . 2011-03-26 22:28 -------- d-----w- c:\documents and settings\Bear\Local Settings\Application Data\PackageAware
2011-03-26 22:25 . 2011-03-26 22:25 -------- d-----w- c:\documents and settings\Bear\Local Settings\Application Data\Stardock
2011-03-25 15:31 . 2011-03-25 15:31 -------- d-----w- c:\documents and settings\Bear\Application Data\webex
2011-03-24 15:13 . 2011-03-24 15:13 -------- d-----w- c:\windows\Downloaded Installations
2011-03-23 22:08 . 2011-03-23 22:08 -------- d-----w- c:\documents and settings\Bear\Application Data\SUPERAntiSpyware.com
2011-03-23 22:08 . 2011-03-23 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-23 15:13 . 2011-03-23 15:13 -------- d-----w- c:\documents and settings\Bear\Local Settings\Application Data\Symantec
2011-03-22 12:22 . 2011-03-23 04:23 0 ----a-w- c:\windows\Alupineteriwedok.bin
2011-03-20 23:58 . 2010-02-09 01:59 56200 ----a-w- c:\windows\system32\offreg.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-01 05:00 . 2004-08-04 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-03-11 05:54 . 2010-04-12 15:09 87688 ----a-w- c:\windows\system32\IncContxMenu.dll
2011-03-11 05:53 . 2010-04-12 15:09 11776 ----a-w- c:\windows\system32\smrgdf.exe
2011-03-11 05:53 . 2010-04-12 15:09 29696 ----a-w- c:\windows\system32\iolobtdfg.exe
2011-03-11 05:36 . 2010-04-12 15:09 2234552 ----a-w- c:\windows\system32\Incinerator.dll
2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2009-05-21 13:26 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-05-21 13:26 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"SpybotSD TeaTimer"="e:\spybot - search & destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="E:\SUPERAntiSpyware.exe" [2011-03-16 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-04-07 114688]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-04-13 417792]
.
c:\documents and settings\Bear\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Impulse Now.lnk - e:\stardock\Impulse\Now\ImpulseNow.exe [2011-3-21 476464]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-9-8 805392]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "E:\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- E:\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=
"c:\\WINDOWS\\SYSTEM32\\dxdiag.exe"=
"e:\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19036:TCP"= 19036:TCP:BitComet 19036 TCP
"19036:UDP"= 19036:UDP:BitComet 19036 UDP
"58734:TCP"= 58734:TCP:Pando P2P TCP Listening Port
"58734:UDP"= 58734:UDP:Pando P2P UDP Listening Port
.
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/24/2010 11:21 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/24/2010 11:21 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/24/2010 11:21 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20110330.001\IDSXpx86.sys [3/31/2011 1:40 AM 341944]
R1 SASDIFSV;SASDIFSV;E:\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;E:\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [4/12/2010 11:09 AM 724152]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [4/12/2010 11:09 AM 724152]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe [2/24/2010 11:21 PM 117640]
R2 SDisTestService;SpybotSnD Distributed Testing;c:\program files\SDistTest\SDistTestSvc.exe [3/30/2011 8:29 PM 907680]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/21/2011 8:55 PM 102448]
R3 SAUSBHW;%SAUSBHW.SvcDesc%;c:\windows\system32\drivers\SAUSB.SYS [9/16/2009 11:29 AM 171600]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - KLMDB
*Deregistered* - klmdb
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-01 c:\windows\Tasks\ArcGIS Indexing (DELL270_Bear).job
- c:\program files\ArcGIS\Desktop10.0\bin\DesktopIndexingService.exe [2010-05-19 18:33]
.
2011-04-01 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
2011-04-01 c:\windows\Tasks\User_Feed_Synchronization-{38EB9964-2679-46E6-86C3-8DBEC74145FF}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
2011-04-01 c:\windows\Tasks\User_Feed_Synchronization-{6024F565-C638-441B-AD02-6C963EF82601}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/Nirvana/controls/DiskMD3Ctrl.dll
DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcpitstopAntiVirus.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Hkikezonus - c:\windows\secinvc.dll
SafeBoot-klmdb.sys
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA} - e:\\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2011-04-01 01:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\docume~1\Bear\LOCALS~1\Temp\Perflib_Perfdata_edc.dat 16384 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(948)
E:\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2011-04-01 01:25:17
ComboFix-quarantined-files.txt 2011-04-01 05:25
.
Pre-Run: 6,952,194,048 bytes free
Post-Run: 7,128,571,904 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - EECC10929DB559D43E065883FA5A1FFD