I have an I-Worm/Bagle, Vundo.k, and Wintems.exe problem. [RESOLVED]

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic of your own. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

2 Pages

1 2 >

I have an I-Worm/Bagle, Vundo.k, and Wintems.exe problem. [RESOLVED], Complete removal issue.

Options

Spiff_Johnson View Member Profile	May 31 2008, 01:35 PM Post #1
Member Posts: 14 OS: xp	Hello, When I go into windows explorer and go to the folder options menu, unchecking hide system files and folders still will not allow me to see hidden files and folders. My system was infected with vundo and bagle (at least that's what avg told me) and although my av software has claimed that it cleaned those infections, I still think that something is still lurking around on my pc. Other concerns: * in msconfig, I had to uncheck wintems.exe from running at startup, how do I remove this completely? * "latent" vundo in my system restore volume. How do I remove this as well? So if you could, please help. Thank you for your time, - Spiff This post has been edited by Spiff_Johnson: May 31 2008, 01:36 PM

Rorschach112 View Member Profile	May 31 2008, 05:03 PM Post #2
GeekU Teacher Posts: 35,079 From: Dublin OS: XP	Hello Please download ComboFix from Here or Here to your Desktop. Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop If you are using Firefox, make sure that your download settings are as follows: Tools->Options->Main tab Set to "Always ask me where to Save the files". During the download, rename Combofix to Combo-Fix as follows: It is important you rename Combofix during the download, but not after. Please do not rename Combofix to other names, but only to the one indicated. Close any open browsers. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. ----------------------------------------------------------- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click on this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.* ----------------------------------------------------------- Close any open browsers. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection. ----------------------------------------------------------- Double click on combo-Fix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review. Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall

Spiff_Johnson View Member Profile	Jun 1 2008, 03:17 PM Post #3
Member Posts: 14 OS: xp	Thank you for your quick reply. ------- ComboFix 08-05-29.1 - Z1 2008-05-31 19:41:10.2 - NTFSx86 MINIMAL Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.790 [GMT -7:00] Running from: C:\Documents and Settings\Z1\Desktop\Combo-Fix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Z1\Application Data\m C:\Documents and Settings\Z1\Application Data\m\list.oct C:\Documents and Settings\Z1\Application Data\m\shared C:\Documents and Settings\Z1\Application Data\m\srvlist.oct C:\WINDOWS\BM9753eb6e.xml . ---- Previous Run ------- . C:\WINDOWS\pskt.ini C:\WINDOWS\system32\ban_list.txt C:\WINDOWS\system32\Cache C:\WINDOWS\system32\drivers\downld C:\WINDOWS\system32\drivers\downld\1062546.exe C:\WINDOWS\system32\drivers\downld\106671.exe C:\WINDOWS\system32\drivers\downld\1311046.exe C:\WINDOWS\system32\drivers\downld\1375859.exe C:\WINDOWS\system32\drivers\downld\1413046.exe C:\WINDOWS\system32\drivers\downld\2336578.exe C:\WINDOWS\system32\drivers\downld\2495234.exe C:\WINDOWS\system32\drivers\downld\2717734.exe C:\WINDOWS\system32\drivers\downld\2731062.exe C:\WINDOWS\system32\drivers\downld\2738546.exe C:\x.txt . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_SROSA -------\Service_srosa ((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 ))))))))))))))))))))))))))))))) . 2008-05-31 10:29 . 2008-05-31 10:53 <DIR> d-------- C:\Program Files\Windows Live 2008-05-31 08:31 . 2008-05-31 08:31 123 --a------ C:\WINDOWS\Winchat.ini 2008-05-31 08:04 . 2008-05-31 08:04 <DIR> d-------- C:\WINDOWS\nvidia icons 2008-05-31 08:03 . 2008-05-02 22:46 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb 2008-05-30 00:26 . 2008-05-31 17:58 <DIR> d--h----- C:\$AVG8.VAULT$ 2008-05-29 23:44 . 2008-05-31 07:01 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg 2008-05-29 23:44 . 2008-05-29 23:44 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys 2008-05-29 23:44 . 2008-05-29 23:44 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys 2008-05-29 23:44 . 2008-05-29 23:44 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys 2008-05-29 23:44 . 2008-05-29 23:44 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll 2008-05-29 23:43 . 2008-05-29 23:43 <DIR> d-------- C:\Program Files\AVG 2008-05-29 23:43 . 2008-05-30 00:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8 2008-05-29 23:43 . 2008-05-29 23:43 45,568 --a------ C:\WINDOWS\system32\avgfwdx.dll 2008-05-29 23:43 . 2008-05-29 23:43 22,528 --a------ C:\WINDOWS\system32\drivers\avgfwdx.sys 2008-05-29 21:22 . 2008-05-29 21:22 <DIR> d-------- C:\Program Files\SystemRequirementsLab 2008-05-29 21:22 . 2008-05-29 21:22 <DIR> d-------- C:\Documents and Settings\Z1\Application Data\SystemRequirementsLab 2008-05-28 19:02 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys 2008-05-28 19:02 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-05-18 19:40 . 2008-05-18 19:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-05-18 19:40 . 2008-05-18 19:40 1,409 --a------ C:\WINDOWS\QTFont.for 2008-05-17 08:34 . 2008-05-17 08:34 118 --a------ C:\WINDOWS\system32\MRT.INI 2008-05-04 15:49 . 2008-05-04 15:49 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat 2008-05-04 15:48 . 2008-05-04 15:48 <DIR> d-------- C:\Program Files\Common Files\Skype 2008-05-02 22:46 . 2008-05-02 22:46 1,241,088 --a------ C:\WINDOWS\system32\nvcuda.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-01 02:47 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs 2008-06-01 02:47 0 ----a-w C:\WINDOWS\system32\drivers\logiflt.iad 2008-05-31 22:16 --------- d-----w C:\Program Files\Soulseek 2008-05-31 19:56 --------- d-----w C:\Documents and Settings\Z1\Application Data\Skype 2008-05-31 19:55 --------- d-----w C:\Documents and Settings\Z1\Application Data\skypePM 2008-05-31 17:53 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller 2008-05-31 17:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller 2008-05-31 02:37 --------- d-----w C:\Program Files\Dust A Buddy 2008-05-30 05:23 --------- d-----w C:\Program Files\SUPERAntiSpyware 2008-05-30 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft 2008-05-29 02:05 --------- d-----w C:\Documents and Settings\Z1\Application Data\uTorrent 2008-05-29 02:02 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware 2008-05-29 01:43 --------- d-----w C:\Program Files\eMule 2008-05-21 04:01 --------- d-----w C:\Program Files\TagRename 2008-05-16 01:43 --------- d-----w C:\Documents and Settings\Z1\Application Data\Watchtower 2008-05-16 01:29 --------- d-----w C:\Program Files\Watchtower 2008-05-13 03:12 --------- d-----w C:\Documents and Settings\Z1\Application Data\Camfrog 2008-05-04 22:33 --------- d-----w C:\Program Files\Steam 2008-05-03 05:46 6,554,496 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys 2008-04-29 00:18 --------- d-----w C:\Program Files\Panda Security 2008-04-28 03:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-04-28 03:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-04-28 03:43 --------- d-----w C:\Documents and Settings\Z1\Application Data\SUPERAntiSpyware.com 2008-04-28 02:16 --------- d-----w C:\Documents and Settings\Z1\Application Data\Malwarebytes 2008-04-28 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-04-28 02:15 --------- d-----w C:\Program Files\Common Files\Download Manager 2008-04-27 15:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-04-27 15:37 --------- d-----w C:\Program Files\Lavasoft 2008-04-14 01:47 --------- d-----w C:\Program Files\Winamp 2008-04-14 00:42 --------- d-----w C:\Program Files\Java 2008-04-05 21:00 --------- d-----w C:\Program Files\Soulseek-Test 2008-04-05 20:23 --------- d-----w C:\Program Files\Opera 2008-04-05 01:41 --------- d-----w C:\Program Files\Mozilla Thunderbird 2008-03-24 06:01 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat 2007-07-07 22:06 24,192 ----a-w C:\Documents and Settings\Z1\usbsermptxp.sys 2007-07-07 22:06 22,768 ----a-w C:\Documents and Settings\Z1\usbsermpt.sys 2007-01-19 10:30 92,064 ----a-w C:\Documents and Settings\Z1\mqdmmdm.sys 2007-01-19 10:30 9,232 ----a-w C:\Documents and Settings\Z1\mqdmmdfl.sys 2007-01-19 10:30 79,328 ----a-w C:\Documents and Settings\Z1\mqdmserd.sys 2007-01-19 10:30 66,656 ----a-w C:\Documents and Settings\Z1\mqdmbus.sys 2007-01-19 10:30 6,208 ----a-w C:\Documents and Settings\Z1\mqdmcmnt.sys 2007-01-19 10:30 5,936 ----a-w C:\Documents and Settings\Z1\mqdmwhnt.sys 2007-01-19 10:30 4,048 ----a-w C:\Documents and Settings\Z1\mqdmcr.sys 2006-05-06 16:42 7,260,160 ----a-w C:\Program Files\mozilla firefox\plugins\libvlc.dll 2005-06-26 23:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll 2005-06-22 06:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472] "Aim6"="" [] "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952] "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088] "nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe] "DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 17:52 184408] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 21:52 483328] "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 18:09 842584] "itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 18:08 813912] "SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe] "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152] "LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 17:33 563984] "LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 17:37 2178832] "Launch Ai Booster"="C:\Program Files\ASUS\Ai Booster\OverClk.exe" [2004-11-30 17:10 1978368] "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-29 23:44 1177368] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624] Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-02-22 02:14:59 66864] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-29 22:23 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-29 22:23 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.DIV3"= DivXc32.dll "vidc.DIV4"= DivXc32f.dll "vidc.DIVF"= DivX412.dll "vidc.XVID"= xvid.dll "VIDC.HFYU"= huffyuv.dll "msacm.divxa32"= DivXa32.acm [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ringo Launcher.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ringo Launcher.lnk backup=C:\WINDOWS\pss\Ringo Launcher.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\german.exe] C:\WINDOWS\system32\wintems.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk] C:\Program Files\Google\Google Talk\googletalk.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent] --a------ 2006-11-13 14:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2006-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2006-03-10 18:57 155648 C:\Program Files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] --a------ 2004-11-02 21:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YCentral] --a------ 2006-02-24 01:59 413208 c:\progra~1\yahoo!\YCentral\YahooCentral.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\ICQLite\\ICQLite.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\uTorrent\\uTorrent.exe"= "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"= "C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"= "C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"= "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"= "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "C:\\WINDOWS\\system32\\sessmgr.exe"= "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-05-29 23:44] R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-29 23:44] R2 AsusGIO;AsusGIO;C:\Program Files\ASUS\Ai Booster\AsusGIO.sys [2003-11-26 21:15] R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-29 23:44] R2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-05-29 23:44] R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-29 23:44] R2 PurgProService;PurgPro XP Service;C:\Program Files\PurgeIE\PurgPro_Service.exe [2006-01-18 16:18] R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38] R3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-05-29 23:43] R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2008-01-14 03:06] S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-05-29 23:43] S3 UCEDRIVER53;UCEDRIVER53;C:\Program Files\Ultimate Hack Pack\UCE\cetc.sys [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] \Shell\AutoRun\command - D:\Opendisc.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{310143ee-6d7b-11dc-bb5f-0013d41913fe}] \Shell\AutoRun\command - G:\Autorun.exe /run \Shell\Shell00\Command - G:\Autorun.exe /run \Shell\Shell01\Command - G:\Autorun.exe /action \Shell\Shell02\Command - G:\Autorun.exe /uninstall . Contents of the 'Scheduled Tasks' folder "2008-05-31 04:16:16 C:\WINDOWS\Tasks\purgpro.job" - C:\Program Files\PurgeIE\purgpro.exe . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-31 19:49:26 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe C:\WINDOWS\system32\CTSVCCDA.EXE C:\Program Files\Executive Software\Diskeeper\DkService.exe C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\PROGRA~1\AVG\AVG8\avgam.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\MI3AA1~1\rapimgr.exe C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe . ************************************************************************ . Completion time: 2008-05-31 19:54:53 - machine was rebooted [Z1] ComboFix-quarantined-files.txt 2008-06-01 02:54:50 Pre-Run: 23,350,202,368 bytes free Post-Run: 22,287,663,104 bytes free 286 --- E O F --- 2008-05-31 10:06:29 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:15:03 PM, on 6/1/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\PROGRA~1\AVG\AVG8\avgfws8.exe C:\WINDOWS\system32\CTsvcCDA.exe C:\Program Files\Executive Software\Diskeeper\DkService.exe C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\PurgeIE\PurgPro_Service.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\PROGRA~1\AVG\AVG8\avgam.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe C:\Program Files\Microsoft IntelliPoint\ipoint.exe C:\Program Files\Microsoft IntelliType Pro\itype.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe C:\Program Files\Logitech\QuickCam\Quickcam.exe C:\Program Files\ASUS\Ai Booster\OverClk.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Microsoft ActiveSync\wcescomm.exe C:\PROGRA~1\MI3AA1~1\rapimgr.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\AVG\AVG8\avgrsx.exe C:\Documents and Settings\Z1\Desktop\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide O4 - HKLM\..\Run: [Launch Ai Booster] C:\Program Files\ASUS\Ai Booster\OverClk.exe 1 O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1 O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user') O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spiffj.spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128724499203 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164751532823 O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O20 - AppInit_DLLs: avgrsstx.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing) O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: PurgPro XP Service (PurgProService) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgPro_Service.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 14038 bytes

Rorschach112 View Member Profile	Jun 1 2008, 03:20 PM Post #4
GeekU Teacher Posts: 35,079 From: Dublin OS: XP	Few things for you 1. Close any open browsers. 2. Open notepad and copy/paste the text in the quotebox below into it: QUOTE File:: C:\WINDOWS\system32\drivers\lvuvc.hs C:\WINDOWS\system32\drivers\logiflt.iad C:\WINDOWS\system32\wintems.exe D:\Opendisc.exe G:\Autorun.exe Folder:: Registry:: [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\german.exe] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{310143ee-6d7b-11dc-bb5f-0013d41913fe}] SysRst:: Driver:: Save this as CFScript.txt, in the same location as ComboFix.exe Refering to the picture above, drag CFScript into ComboFix.exe When finished, it shall produce a log for you at "C:\ComboFix.txt" Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall Please do an online scan with Kaspersky WebScanner Click on Kaspersky Online Scanner and click Accept You will be prompted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Extended (if available otherwise Standard) Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post. Click here to use the F-Secure Online Scanner Then click the Start Scanning button below. You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX. Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan. In case you are having problems with installing the ActiveX/starting the scan, please read here. Click the Full System Scan button. It will start to download scanner components and databases. This can take a while. The main scan will start. Once the scan finished scanning, click the Automatic cleaning (recommended) button It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure. The cleaning can take a while, so please be patient. Then click the Show report button and copy and paste what's present under results in your next reply. This post has been edited by Rorschach112: Jun 1 2008, 03:20 PM

Spiff_Johnson View Member Profile	Jun 1 2008, 03:25 PM Post #5
Member Posts: 14 OS: xp	By the way, since running combofix, my hidden folders option works the way it's supposed to

Rorschach112 View Member Profile	Jun 1 2008, 03:27 PM Post #6
GeekU Teacher Posts: 35,079 From: Dublin OS: XP	Yeah ComboFix should have fixed a lot of stuff, but there is still a bit of work to do You will need two posts to fit these logs in

Spiff_Johnson View Member Profile	Jun 2 2008, 06:08 PM Post #7
Member Posts: 14 OS: xp	ComboFix 08-05-29.1 - Z1 2008-06-01 16:13:36.4 - NTFSx86 MINIMAL Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.786 [GMT -7:00] Running from: C:\Documents and Settings\Z1\Desktop\Combo-Fix.exe Command switches used :: C:\Documents and Settings\Z1\Desktop\CFScript.txt WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE :: C:\WINDOWS\system32\drivers\logiflt.iad C:\WINDOWS\system32\drivers\lvuvc.hs C:\WINDOWS\system32\wintems.exe D:\Opendisc.exe G:\Autorun.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ---- Previous Run ------- . C:\WINDOWS\system32\drivers\logiflt.iad C:\WINDOWS\system32\drivers\lvuvc.hs . ((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 ))))))))))))))))))))))))))))))) . 2008-05-31 10:29 . 2008-05-31 10:53 <DIR> d-------- C:\Program Files\Windows Live 2008-05-31 08:31 . 2008-05-31 08:31 123 --a------ C:\WINDOWS\Winchat.ini 2008-05-31 08:04 . 2008-05-31 08:04 <DIR> d-------- C:\WINDOWS\nvidia icons 2008-05-31 08:03 . 2008-05-02 22:46 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb 2008-05-30 00:26 . 2008-06-01 14:15 <DIR> d--h----- C:\$AVG8.VAULT$ 2008-05-29 23:44 . 2008-06-01 15:01 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg 2008-05-29 23:44 . 2008-05-29 23:44 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys 2008-05-29 23:44 . 2008-05-29 23:44 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys 2008-05-29 23:44 . 2008-05-29 23:44 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys 2008-05-29 23:44 . 2008-05-29 23:44 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll 2008-05-29 23:43 . 2008-05-29 23:43 <DIR> d-------- C:\Program Files\AVG 2008-05-29 23:43 . 2008-05-30 00:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8 2008-05-29 23:43 . 2008-05-29 23:43 45,568 --a------ C:\WINDOWS\system32\avgfwdx.dll 2008-05-29 23:43 . 2008-05-29 23:43 22,528 --a------ C:\WINDOWS\system32\drivers\avgfwdx.sys 2008-05-29 21:22 . 2008-05-29 21:22 <DIR> d-------- C:\Program Files\SystemRequirementsLab 2008-05-29 21:22 . 2008-05-29 21:22 <DIR> d-------- C:\Documents and Settings\Z1\Application Data\SystemRequirementsLab 2008-05-28 19:02 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys 2008-05-28 19:02 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-05-18 19:40 . 2008-05-18 19:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-05-18 19:40 . 2008-05-18 19:40 1,409 --a------ C:\WINDOWS\QTFont.for 2008-05-17 08:34 . 2008-05-17 08:34 118 --a------ C:\WINDOWS\system32\MRT.INI 2008-05-04 15:49 . 2008-05-04 15:49 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat 2008-05-04 15:48 . 2008-05-04 15:48 <DIR> d-------- C:\Program Files\Common Files\Skype 2008-05-02 22:46 . 2008-05-02 22:46 1,241,088 --a------ C:\WINDOWS\system32\nvcuda.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-05-31 22:16 --------- d-----w C:\Program Files\Soulseek 2008-05-31 19:56 --------- d-----w C:\Documents and Settings\Z1\Application Data\Skype 2008-05-31 19:55 --------- d-----w C:\Documents and Settings\Z1\Application Data\skypePM 2008-05-31 17:53 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller 2008-05-31 17:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller 2008-05-31 02:37 --------- d-----w C:\Program Files\Dust A Buddy 2008-05-30 05:23 --------- d-----w C:\Program Files\SUPERAntiSpyware 2008-05-30 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft 2008-05-29 02:05 --------- d-----w C:\Documents and Settings\Z1\Application Data\uTorrent 2008-05-29 02:02 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware 2008-05-29 01:43 --------- d-----w C:\Program Files\eMule 2008-05-21 04:01 --------- d-----w C:\Program Files\TagRename 2008-05-16 01:43 --------- d-----w C:\Documents and Settings\Z1\Application Data\Watchtower 2008-05-16 01:29 --------- d-----w C:\Program Files\Watchtower 2008-05-13 03:12 --------- d-----w C:\Documents and Settings\Z1\Application Data\Camfrog 2008-05-04 22:33 --------- d-----w C:\Program Files\Steam 2008-05-01 00:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE 2008-04-29 00:18 --------- d-----w C:\Program Files\Panda Security 2008-04-28 03:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-04-28 03:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-04-28 03:43 --------- d-----w C:\Documents and Settings\Z1\Application Data\SUPERAntiSpyware.com 2008-04-28 02:16 --------- d-----w C:\Documents and Settings\Z1\Application Data\Malwarebytes 2008-04-28 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-04-28 02:15 --------- d-----w C:\Program Files\Common Files\Download Manager 2008-04-27 15:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-04-27 15:37 --------- d-----w C:\Program Files\Lavasoft 2008-04-14 01:47 --------- d-----w C:\Program Files\Winamp 2008-04-14 00:42 --------- d-----w C:\Program Files\Java 2008-04-05 21:00 --------- d-----w C:\Program Files\Soulseek-Test 2008-04-05 20:23 --------- d-----w C:\Program Files\Opera 2008-04-05 01:41 --------- d-----w C:\Program Files\Mozilla Thunderbird 2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-24 06:01 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat 2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys 2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll 2007-07-07 22:06 24,192 ----a-w C:\Documents and Settings\Z1\usbsermptxp.sys 2007-07-07 22:06 22,768 ----a-w C:\Documents and Settings\Z1\usbsermpt.sys 2007-01-19 10:30 92,064 ----a-w C:\Documents and Settings\Z1\mqdmmdm.sys 2007-01-19 10:30 9,232 ----a-w C:\Documents and Settings\Z1\mqdmmdfl.sys 2007-01-19 10:30 79,328 ----a-w C:\Documents and Settings\Z1\mqdmserd.sys 2007-01-19 10:30 66,656 ----a-w C:\Documents and Settings\Z1\mqdmbus.sys 2007-01-19 10:30 6,208 ----a-w C:\Documents and Settings\Z1\mqdmcmnt.sys 2007-01-19 10:30 5,936 ----a-w C:\Documents and Settings\Z1\mqdmwhnt.sys 2007-01-19 10:30 4,048 ----a-w C:\Documents and Settings\Z1\mqdmcr.sys 2006-05-06 16:42 7,260,160 ----a-w C:\Program Files\mozilla firefox\plugins\libvlc.dll 2005-06-26 23:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll 2005-06-22 06:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll . ((((((((((((((((((((((((((((( snapshot@2008-05-31_19.54.37.68 ))))))))))))))))))))))))))))))))))))))))) . - 2008-06-01 02:47:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-06-01 23:04:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472] "Aim6"="" [] "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952] "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088] "nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe] "DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 17:52 184408] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 21:52 483328] "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 18:09 842584] "itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 18:08 813912] "SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe] "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152] "LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 17:33 563984] "LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 17:37 2178832] "Launch Ai Booster"="C:\Program Files\ASUS\Ai Booster\OverClk.exe" [2004-11-30 17:10 1978368] "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-29 23:44 1177368] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624] Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-02-22 02:14:59 66864] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-29 22:23 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-29 22:23 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.DIV3"= DivXc32.dll "vidc.DIV4"= DivXc32f.dll "vidc.DIVF"= DivX412.dll "vidc.XVID"= xvid.dll "VIDC.HFYU"= huffyuv.dll "msacm.divxa32"= DivXa32.acm [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ringo Launcher.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ringo Launcher.lnk backup=C:\WINDOWS\pss\Ringo Launcher.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk] C:\Program Files\Google\Google Talk\googletalk.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent] --a------ 2006-11-13 14:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2006-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2006-03-10 18:57 155648 C:\Program Files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] --a------ 2004-11-02 21:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YCentral] --a------ 2006-02-24 01:59 413208 c:\progra~1\yahoo!\YCentral\YahooCentral.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\ICQLite\\ICQLite.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\uTorrent\\uTorrent.exe"= "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"= "C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"= "C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"= "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"= "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "C:\\WINDOWS\\system32\\sessmgr.exe"= "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-05-29 23:44] S1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-29 23:44] S2 AsusGIO;AsusGIO;C:\Program Files\ASUS\Ai Booster\AsusGIO.sys [2003-11-26 21:15] S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-29 23:44] S2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-05-29 23:44] S2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-29 23:44] S2 PurgProService;PurgPro XP Service;C:\Program Files\PurgeIE\PurgPro_Service.exe [2006-01-18 16:18] S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38] S3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-05-29 23:43] S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-05-29 23:43] S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2008-01-14 03:06] S3 UCEDRIVER53;UCEDRIVER53;C:\Program Files\Ultimate Hack Pack\UCE\cetc.sys [] Newly Created Service - CATCHME . Contents of the 'Scheduled Tasks' folder "2008-06-01 04:16:04 C:\WINDOWS\Tasks\purgpro.job" - C:\Program Files\PurgeIE\purgpro.exe . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-01 16:17:06 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2008-06-01 16:21:29 ComboFix-quarantined-files.txt 2008-06-01 23:21:23 ComboFix2.txt 2008-06-01 02:54:54 Pre-Run: 23,508,160,512 bytes free Post-Run: 23,499,374,592 bytes free 251 --- E O F --- 2008-05-31 10:06:29 ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Sunday, June 01, 2008 9:58:56 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 1/06/2008 Kaspersky Anti-Virus database records: 821471 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ Scan Statistics: Total number of scanned objects: 198674 Number of viruses found: 9 Number of infected objects: 23 Number of suspicious objects: 2 Duration of the scan process: 04:29:42 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\avg8\AvgAm\avgam.lck Object is locked skipped C:\Documents and Settings\All Users\Application Data\avg8\Log\avgam.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\avg8\Log\avgfw8u.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\avg8\Log\avgns.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpub.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\00583a8603e3e3620e5d5f9068f64450_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ba6d9253a71ac8a152afc996b68bfbf_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3eb188c73c38a5d7518dc831f3cbb328_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4427b503cc51d3d745e4a0535e693db6_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\64ebafcabc175a02baa9d53760efc56c_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6b91e4e69304cd4fa3921ac849788fec_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\74565ebb402ff4cdea448fdcd94e2881_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b7a4558591a3cb0683e603f5a850627e_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c46ef3fa61a34800231ad7e2898e7a23_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cf6bac28535ffa8ac8e731d0f57e2fb4_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\daeeb4a87bca21c3f3d0c2081e94b983_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ff86bc441877073baa99bc64824649b0_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\Z1\Application Data\$_hpcst$.hpc Object is locked skipped C:\Documents and Settings\Z1\Application Data\Mozilla\Firefox\Profiles\dnh8yq5p.default\cert8.db Object is locked skipped C:\Documents and Settings\Z1\Application Data\Mozilla\Firefox\Profiles\dnh8yq5p.default\history.dat Object is locked skipped C:\Documents and Settings\Z1\Application Data\Mozilla\Firefox\Profiles\dnh8yq5p.default\key3.db Object is locked skipped C:\Documents and Settings\Z1\Application Data\Mozilla\Firefox\Profiles\dnh8yq5p.default\parent.lock Object is locked skipped C:\Documents and Settings\Z1\Application Data\Mozilla\Firefox\Profiles\dnh8yq5p.default\search.sqlite Object is locked skipped C:\Documents and Settings\Z1\Application Data\Mozilla\Firefox\Profiles\dnh8yq5p.default\urlclassifier2.sqlite Object is locked skipped C:\Documents and Settings\Z1\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Z1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Z1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Z1\Local Settings\Application Data\Mozilla\Firefox\Profiles\dnh8yq5p.default\Cache\_CACHE_001_ Object is locked skipped C:\Documents and Settings\Z1\Local Settings\Application Data\Mozilla\Firefox\Profiles\dnh8yq5p.default\Cache\_CACHE_002_ Object is locked skipped C:\Documents and Settings\Z1\Local Settings\Application Data\Mozilla\Firefox\Profiles\dnh8yq5p.default\Cache\_CACHE_003_ Object is locked skipped C:\Documents and Settings\Z1\Local Settings\Application Data\Mozilla\Firefox\Profiles\dnh8yq5p.default\Cache\_CACHE_MAP_ Object is locked skipped C:\Documents and Settings\Z1\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Z1\Local Settings\History\History.IE5\MSHist012008060120080602\index.dat Object is locked skipped C:\Documents and Settings\Z1\Local Settings\Temp\hpodvd09.log Object is locked skipped C:\Documents and Settings\Z1\Local Settings\Temp\Perflib_Perfdata_9c4.dat Object is locked skipped C:\Documents and Settings\Z1\Local Settings\Temp\WCESLog.log Object is locked skipped C:\Documents and Settings\Z1\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped C:\Documents and Settings\Z1\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\sysreset253.exe/data.rar/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\sysreset253.exe/data.rar Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\sysreset253.exe RarSFX: infected - 2 skipped C:\Documents and Settings\Z1\ntuser.dat Object is locked skipped C:\Documents and Settings\Z1\ntuser.dat.LOG Object is locked skipped C:\Excursion9.5\mIRC.ExCurSioN.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\chandir.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\chandir.idx Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\chn.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\chn.idx Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\D0000000.FCS Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\inuse.txt Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\L0000004.FCS Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\main.log Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\prs.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\prs.idx Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\prs_die.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\prs_die.idx Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\prs_dnd.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\prs_dnd.idx Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\prs_ext.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\prs_ext.idx Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\prs_rcv.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\prs_rcv.idx Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\storydb.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\storydb.idx Object is locked skipped C:\QooBox\Quarantine\Registry_backups\Service_srosa.reg.dat Infected: Trojan-Downloader.Win32.Bagle.hp skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0045306.exe Infected: Trojan-Downloader.Win32.Bagle.qt skipped C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0045313.exe Infected: Trojan-Downloader.Win32.Bagle.qt skipped C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0045337.exe Infected: Trojan-Downloader.Win32.Bagle.qt skipped C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0046339.exe Infected: Trojan-Downloader.Win32.Bagle.qt skipped C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0046553.exe Infected: Email-Worm.Win32.Bagle.vr skipped C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0046554.exe Infected: Email-Worm.Win32.Bagle.of skipped C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0046555.exe Infected: Email-Worm.Win32.Bagle.vr skipped C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0046556.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0046571.exe Infected: Trojan-Downloader.Win32.Bagle.qt skipped C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0046592.exe Infected: Trojan-Downloader.Win32.Bagle.qt skipped C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0046608.exe Infected: Trojan-Downloader.Win32.Bagle.qt skipped C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0046609.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0046612.exe Infected: Trojan-Downloader.Win32.Bagle.qt skipped C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP447\A0047958.exe Infected: Email-Worm.Win32.Bagle.of skipped C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP447\A0047959.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP447\A0047960.exe Infected: Email-Worm.Win32.Bagle.of skipped C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP447\A0047961.exe Infected: Email-Worm.Win32.Bagle.of skipped C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP447\A0047962.exe Infected: Trojan-Downloader.Win32.Bagle.qt skipped C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP449\change.log Object is locked skipped C:\WINDOWS\CSC\00000001 Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\drivers\etc\Hosts.bak Object is locked skipped C:\WINDOWS\system32\Logfiles\WUDF\WUDFTrace.etl Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\TEMP\Perflib_Perfdata_23c.dat Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped F:\found.001\dir0000.chk\MountPointManagerRemoteDatabase Object is locked skipped F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped F:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP449\change.log Object is locked skipped Scan process completed.

Spiff_Johnson View Member Profile	Jun 2 2008, 06:09 PM Post #8
Member Posts: 14 OS: xp	Scanning Report Monday, June 02, 2008 05:33:08 - 17:07:40 Computer name: ZACK Scanning type: Scan system for malware, rootkits Target: C:\ F:\ Result: 3 malware found Client-IRC.Win32.mIRC (spyware) * System Trojan-Spy:W32/Agent.BPQ (virus) * System * C:\PROGRAM FILES\DUST A BUDDY\YMSG12ENCRYPT.DLL Statistics Scanned: * Files: 95793 * System: 6476 * Not scanned: 20 Actions: * Disinfected: 0 * Renamed: 0 * Deleted: 0 * None: 3 * Submitted: 0 Files not scanned: * C:\HIBERFIL.SYS * C:\PAGEFILE.SYS * C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT * C:\WINDOWS\SYSTEM32\CONFIG\SAM * C:\WINDOWS\SYSTEM32\CONFIG\SECURITY * C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE * C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM * C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\00583A8603E3E3620E5D5F9068F64450_56C5DC0E-ED5D-4041-9974-884F62AB6F7D * C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3BA6D9253A71AC8A152AFC996B68BFBF_56C5DC0E-ED5D-4041-9974-884F62AB6F7D * C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3EB188C73C38A5D7518DC831F3CBB328_56C5DC0E-ED5D-4041-9974-884F62AB6F7D * C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\4427B503CC51D3D745E4A0535E693DB6_56C5DC0E-ED5D-4041-9974-884F62AB6F7D * C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\64EBAFCABC175A02BAA9D53760EFC56C_56C5DC0E-ED5D-4041-9974-884F62AB6F7D * C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\6B91E4E69304CD4FA3921AC849788FEC_56C5DC0E-ED5D-4041-9974-884F62AB6F7D * C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\74565EBB402FF4CDEA448FDCD94E2881_56C5DC0E-ED5D-4041-9974-884F62AB6F7D * C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\B7A4558591A3CB0683E603F5A850627E_56C5DC0E-ED5D-4041-9974-884F62AB6F7D * C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\C46EF3FA61A34800231AD7E2898E7A23_56C5DC0E-ED5D-4041-9974-884F62AB6F7D * C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\CF6BAC28535FFA8AC8E731D0F57E2FB4_56C5DC0E-ED5D-4041-9974-884F62AB6F7D * C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\DAEEB4A87BCA21C3F3D0C2081E94B983_56C5DC0E-ED5D-4041-9974-884F62AB6F7D * C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FF86BC441877073BAA99BC64824649B0_56C5DC0E-ED5D-4041-9974-884F62AB6F7D * F:\FOUND.001\DIR0000.CHK\MOUNTPOINTMANAGERREMOTEDATABASE Options Scanning engines: * F-Secure USS: 2.30.0 * F-Secure Blacklight: 1.0.68 * F-Secure Hydra: 2.8.8110, 2008-06-02 * F-Secure Pegasus: 1.20.0, 2008-04-14 * F-Secure AVP: 7.0.171, 2008-06-02 Scanning options: * Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR * Use Advanced heuristics

Spiff_Johnson View Member Profile	Jun 2 2008, 06:11 PM Post #9
Member Posts: 14 OS: xp	My avg automatically scans at 3am and it broke the F-Secure scan the first time through. Thanks again.

Rorschach112 View Member Profile	Jun 2 2008, 06:14 PM Post #10
GeekU Teacher Posts: 35,079 From: Dublin OS: XP	Ok looking good 1. Close any open browsers. 2. Open notepad and copy/paste the text in the quotebox below into it: QUOTE File:: C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\sysreset253.exe DirLook:: C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's SysRst:: Registry:: Driver:: Save this as CFScript.txt, in the same location as ComboFix.exe Refering to the picture above, drag CFScript into ComboFix.exe When finished, it shall produce a log for you at "C:\ComboFix.txt" Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall Please download and unzip Icesword to its own folder on your desktop If you get a lot of "red entries" in an IceSword log, don't panic. Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop. Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop. Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop. Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name. Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present. Now post all of the data collected under the headings for : Processes Win32 Services Startup SSDT Message Hooks Also post a new HijackThis log

Spiff_Johnson View Member Profile	Jun 2 2008, 08:05 PM Post #11
Member Posts: 14 OS: xp	For message hooks, am I writing down red entries under WH_Keyboard or all entries under WH_Keyboard? Thanks in advance

Rorschach112 View Member Profile	Jun 3 2008, 06:57 AM Post #12
GeekU Teacher Posts: 35,079 From: Dublin OS: XP	Write down all entries under WH_Keyboard

Spiff_Johnson View Member Profile	Jun 3 2008, 07:54 PM Post #13
Member Posts: 14 OS: xp	ComboFix 08-05-29.1 - Z1 2008-06-02 17:46:05.5 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.636 [GMT -7:00] Running from: C:\Documents and Settings\Z1\Desktop\Combo-Fix.exe Command switches used :: C:\Documents and Settings\Z1\Desktop\CFScript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE :: C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\sysreset253.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\sysreset253.exe . ((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 ))))))))))))))))))))))))))))))) . 2008-06-01 22:04 . 2008-06-01 22:04 <DIR> d-------- C:\fsaua.data 2008-06-01 16:51 . 2008-06-01 16:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab 2008-06-01 16:51 . 2008-06-01 16:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2008-05-31 10:29 . 2008-05-31 10:53 <DIR> d-------- C:\Program Files\Windows Live 2008-05-31 08:31 . 2008-05-31 08:31 123 --a------ C:\WINDOWS\Winchat.ini 2008-05-31 08:04 . 2008-05-31 08:04 <DIR> d-------- C:\WINDOWS\nvidia icons 2008-05-31 08:03 . 2008-05-02 22:46 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb 2008-05-30 00:26 . 2008-06-01 20:30 <DIR> d--h----- C:\$AVG8.VAULT$ 2008-05-29 23:44 . 2008-06-02 15:01 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg 2008-05-29 23:44 . 2008-05-29 23:44 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys 2008-05-29 23:44 . 2008-05-29 23:44 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys 2008-05-29 23:44 . 2008-05-29 23:44 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys 2008-05-29 23:44 . 2008-05-29 23:44 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll 2008-05-29 23:43 . 2008-05-29 23:43 <DIR> d-------- C:\Program Files\AVG 2008-05-29 23:43 . 2008-05-30 00:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8 2008-05-29 23:43 . 2008-05-29 23:43 45,568 --a------ C:\WINDOWS\system32\avgfwdx.dll 2008-05-29 23:43 . 2008-05-29 23:43 22,528 --a------ C:\WINDOWS\system32\drivers\avgfwdx.sys 2008-05-29 21:22 . 2008-05-29 21:22 <DIR> d-------- C:\Program Files\SystemRequirementsLab 2008-05-29 21:22 . 2008-05-29 21:22 <DIR> d-------- C:\Documents and Settings\Z1\Application Data\SystemRequirementsLab 2008-05-28 19:02 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys 2008-05-28 19:02 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-05-18 19:40 . 2008-05-18 19:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-05-18 19:40 . 2008-05-18 19:40 1,409 --a------ C:\WINDOWS\QTFont.for 2008-05-17 08:34 . 2008-05-17 08:34 118 --a------ C:\WINDOWS\system32\MRT.INI 2008-05-04 15:49 . 2008-05-04 15:49 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat 2008-05-04 15:48 . 2008-05-04 15:48 <DIR> d-------- C:\Program Files\Common Files\Skype . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-03 00:07 --------- d-----w C:\Program Files\Dust A Buddy 2008-06-02 02:36 --------- d-----w C:\Documents and Settings\Z1\Application Data\Skype 2008-06-02 02:16 --------- d-----w C:\Documents and Settings\Z1\Application Data\skypePM 2008-05-31 22:16 --------- d-----w C:\Program Files\Soulseek 2008-05-31 17:53 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller 2008-05-31 17:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller 2008-05-30 05:23 --------- d-----w C:\Program Files\SUPERAntiSpyware 2008-05-30 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft 2008-05-29 02:05 --------- d-----w C:\Documents and Settings\Z1\Application Data\uTorrent 2008-05-29 02:02 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware 2008-05-29 01:43 --------- d-----w C:\Program Files\eMule 2008-05-21 04:01 --------- d-----w C:\Program Files\TagRename 2008-05-16 01:43 --------- d-----w C:\Documents and Settings\Z1\Application Data\Watchtower 2008-05-16 01:29 --------- d-----w C:\Program Files\Watchtower 2008-05-13 03:12 --------- d-----w C:\Documents and Settings\Z1\Application Data\Camfrog 2008-05-04 22:33 --------- d-----w C:\Program Files\Steam 2008-05-01 00:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE 2008-04-29 00:18 --------- d-----w C:\Program Files\Panda Security 2008-04-28 03:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-04-28 03:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-04-28 03:43 --------- d-----w C:\Documents and Settings\Z1\Application Data\SUPERAntiSpyware.com 2008-04-28 02:16 --------- d-----w C:\Documents and Settings\Z1\Application Data\Malwarebytes 2008-04-28 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-04-28 02:15 --------- d-----w C:\Program Files\Common Files\Download Manager 2008-04-27 15:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-04-27 15:37 --------- d-----w C:\Program Files\Lavasoft 2008-04-14 01:47 --------- d-----w C:\Program Files\Winamp 2008-04-14 00:42 --------- d-----w C:\Program Files\Java 2008-04-05 21:00 --------- d-----w C:\Program Files\Soulseek-Test 2008-04-05 20:23 --------- d-----w C:\Program Files\Opera 2008-04-05 01:41 --------- d-----w C:\Program Files\Mozilla Thunderbird 2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-24 06:01 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat 2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys 2007-07-07 22:06 24,192 ----a-w C:\Documents and Settings\Z1\usbsermptxp.sys 2007-07-07 22:06 22,768 ----a-w C:\Documents and Settings\Z1\usbsermpt.sys 2007-01-19 10:30 92,064 ----a-w C:\Documents and Settings\Z1\mqdmmdm.sys 2007-01-19 10:30 9,232 ----a-w C:\Documents and Settings\Z1\mqdmmdfl.sys 2007-01-19 10:30 79,328 ----a-w C:\Documents and Settings\Z1\mqdmserd.sys 2007-01-19 10:30 66,656 ----a-w C:\Documents and Settings\Z1\mqdmbus.sys 2007-01-19 10:30 6,208 ----a-w C:\Documents and Settings\Z1\mqdmcmnt.sys 2007-01-19 10:30 5,936 ----a-w C:\Documents and Settings\Z1\mqdmwhnt.sys 2007-01-19 10:30 4,048 ----a-w C:\Documents and Settings\Z1\mqdmcr.sys 2006-05-06 16:42 7,260,160 ----a-w C:\Program Files\mozilla firefox\plugins\libvlc.dll 2005-06-26 23:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll 2005-06-22 06:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll . (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ---- Directory of C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's ---- 2005-01-31 19:42 23819897 --a------ C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\Swift3Dv4.rar 2005-01-14 22:40 1314498 --a------ C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\sysreset253.exe 2004-11-30 02:37 30 --a------ C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\Swift3Dv4\Swift3Dv4B301\Setup\SN.txt 2004-11-30 02:37 30 --a------ C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\Swift3Dv4\Swift3Dv4B301\Setup\Setup\SN.txt 2004-08-08 08:38 2901673 --a------ C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\Swift3Dv4\Swift3Dv4B301\HH\HC-Swift3D40-fxj.exe 2004-07-26 12:40 24467538 --a------ C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\Swift3Dv4\Swift3Dv4B301\Setup\Setup\Swift3DV4Release-301.exe 2004-07-26 12:38 3941 --a------ C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\Swift3Dv4\Swift3Dv4B301\Setup\Setup\buildhistory.txt 2004-05-31 00:35 3412995 --a------ C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\Microangelo v5.59 setup.exe 2004-04-11 19:09 1366 --a------ C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\wuh.txt 2004-04-11 19:07 29 --a------ C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\duh.txt 2004-04-11 19:03 29 --a------ C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\uh.txt ((((((((((((((((((((((((((((( snapshot@2008-05-31_19.54.37.68 ))))))))))))))))))))))))))))))))))))))))) . - 2008-06-01 02:47:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-06-02 12:27:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-02-27 22:59:28 290,816 ----a-w C:\WINDOWS\Downloaded Program Files\auc_lib.dll + 2008-02-27 22:59:28 495,616 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll + 2008-02-27 23:00:12 262,144 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll + 2008-02-27 22:59:16 588,392 ----a-w C:\WINDOWS\Downloaded Program Files\gatelauncher.exe + 2005-05-24 19:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll + 2007-08-29 22:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe + 2007-08-29 22:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll + 2008-06-02 12:27:36 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_7b4.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472] "Aim6"="" [] "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952] "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088] "nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe] "DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 17:52 184408] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 21:52 483328] "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 18:09 842584] "itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 18:08 813912] "SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe] "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152] "LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 17:33 563984] "LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 17:37 2178832] "Launch Ai Booster"="C:\Program Files\ASUS\Ai Booster\OverClk.exe" [2004-11-30 17:10 1978368] "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-29 23:44 1177368] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-29 22:23 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-29 22:23 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.DIV3"= DivXc32.dll "vidc.DIV4"= DivXc32f.dll "vidc.DIVF"= DivX412.dll "vidc.XVID"= xvid.dll "VIDC.HFYU"= huffyuv.dll "msacm.divxa32"= DivXa32.acm [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ringo Launcher.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ringo Launcher.lnk backup=C:\WINDOWS\pss\Ringo Launcher.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk] C:\Program Files\Google\Google Talk\googletalk.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent] --a------ 2006-11-13 14:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2006-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2006-03-10 18:57 155648 C:\Program Files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] --a------ 2004-11-02 21:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YCentral] --a------ 2006-02-24 01:59 413208 c:\progra~1\yahoo!\YCentral\YahooCentral.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\ICQLite\\ICQLite.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\uTorrent\\uTorrent.exe"= "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"= "C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"= "C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"= "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"= "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "C:\\WINDOWS\\system32\\sessmgr.exe"= "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-05-29 23:44] R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-29 23:44] R2 AsusGIO;AsusGIO;C:\Program Files\ASUS\Ai Booster\AsusGIO.sys [2003-11-26 21:15] R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-29 23:44] R2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-05-29 23:44] R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-29 23:44] R2 PurgProService;PurgPro XP Service;C:\Program Files\PurgeIE\PurgPro_Service.exe [2006-01-18 16:18] R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38] R3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-05-29 23:43] R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2008-01-14 03:06] S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-05-29 23:43] S3 UCEDRIVER53;UCEDRIVER53;C:\Program Files\Ultimate Hack Pack\UCE\cetc.sys [] . Contents of the 'Scheduled Tasks' folder "2008-06-02 04:16:42 C:\WINDOWS\Tasks\purgpro.job" - C:\Program Files\PurgeIE\purgpro.exe . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-02 18:35:46 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2008-06-02 18:39:22 ComboFix-quarantined-files.txt 2008-06-03 01:39:16 ComboFix2.txt 2008-06-01 23:21:30 ComboFix3.txt 2008-06-01 02:54:54 Pre-Run: 22,267,121,664 bytes free Post-Run: 22,328,164,352 bytes free 270 --- E O F --- 2008-05-31 10:06:29 C:\WINDOWS\explorer.exe C:\Program Files\HP\HP Software Update\hpwuSchd2.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\WINDOWS\explorer.exe C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\AVG\AVG8\avgui.exe C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe C:\WINDOWS\explorer.exe C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\WINDOWS\soundman.exe C:\Program Files\ASUS\Ai Booster\OverClk.exe C:\Program Files\Microsoft InelliType Pro\itype.exe C:\Program Files\Quickcam\Quickcam.exe C:\Program Files\Microsoft InelliType Pro\ipoint.exe C:\Program Files\Microsoft InelliType Pro\itype.exe C:\Program Files\Quickcam\Quickcam.exe C:\PROGRA~\MI3AA1~\rapimgr.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Microsoft InelliType Pro\ipoint.exe C:\Program Files\Microsoft InelliType Pro\ipoint.exe C:\WINDOWS\explorer.exe C:\Program Files\Logitech\Desktop Messenger\88766480\Program\LogitechDesktopMessenger.exe C:\WINDOWS\explorer.exe C:\Program Files\Microsoft ActiveSync\wcescomm.exe C:\Program Files\AVG\AVG8\avgtray.exe C:\Program Files\Logitech\Desktop Messenger\88766480\Program\LogitechDesktopMessenger.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe C:\Program Files\Alarm Clock\Alarm Clock.exe C:\WINDOWS\explorer.exe C:\Program Files\Alarm Clock\Alarm Clock.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Alarm Clock\Alarm Clock.exe C:\WINDOWS\NOTEPAD.exe C:\Program Files\ManyCam2.2\ManyCam.exe C:\Program Files\ManyCam2.2\ManyCam.exe C:\Program Files\ManyCam2.2\ManyCam.exe C:\Program Files\ManyCam2.2\ManyCam.exe WH_KEYBOARD_LL C:\Program Files\Microsoft InelliType Pro\ipoint.exe Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:07:49 PM, on 6/2/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe C:\Program Files\Microsoft IntelliPoint\ipoint.exe C:\Program Files\Microsoft IntelliType Pro\itype.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe C:\Program Files\Logitech\QuickCam\Quickcam.exe C:\Program Files\ASUS\Ai Booster\OverClk.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Microsoft ActiveSync\wcescomm.exe C:\PROGRA~1\AVG\AVG8\avgfws8.exe C:\PROGRA~1\MI3AA1~1\rapimgr.exe C:\WINDOWS\system32\CTsvcCDA.exe C:\Program Files\Executive Software\Diskeeper\DkService.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\PurgeIE\PurgPro_Service.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\PROGRA~1\AVG\AVG8\avgam.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\explorer.exe C:\Program Files\AVG\AVG8\avgui.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Z1\Desktop\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide O4 - HKLM\..\Run: [Launch Ai Booster] C:\Program Files\ASUS\Ai Booster\OverClk.exe 1 O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1 O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user') O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spiffj.spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128724499203 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164751532823 O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O20 - AppInit_DLLs: avgrsstx.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing) O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: PurgPro XP Service (PurgProService) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgPro_Service.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 14415 bytes

Rorschach112 View Member Profile	Jun 4 2008, 05:40 AM Post #14
GeekU Teacher Posts: 35,079 From: Dublin OS: XP	Can you post the IceSword logs from Win32 Services Startup Also tell me how your PC is running And do this 1. Close any open browsers. 2. Open notepad and copy/paste the text in the quotebox below into it: QUOTE Sysrst:: Folder:: Registry:: Driver:: Save this as CFScript.txt, in the same location as ComboFix.exe Refering to the picture above, drag CFScript into ComboFix.exe When finished, it shall produce a log for you at "C:\ComboFix.txt" Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall This post has been edited by Rorschach112: Jun 4 2008, 05:42 AM

Spiff_Johnson View Member Profile	Jun 5 2008, 06:57 PM Post #15
Member Posts: 14 OS: xp	My PC is running better than it has in a while thanks to you sorry for being so late in posting this. Also, my AVG has crashed about 2 times lately when it tries to autoscan and my pc rebooted itself abruptly for no reason yesterday, but other than that, I've been fine. Also, I forgot to turn off my avg when combofix was running and I got a virus alert (probably just from combofix right?) Thanks -------------------- Started Service: Service Name:ALG Display Name:Application Layer Gateway Service Service Name:AudioSrv Display Name:Windows Audio Service Name:avg8wd Display Name:AVG8 WatchDog Service Name:avgfws8 Display Name:AVG8 Firewall Service Name:BITS Display Name:Background Intelligent Transfer Service Service Name:Browser Display Name:Computer Browser Service Name:Creative Service for CDROM Access Display Name:Creative Service for CDROM Access Service Name:CryptSvc Display Name:Cryptographic Services Service Name:DcomLaunch Display Name:DCOM Server Process Launcher Service Name:Dhcp Display Name:DHCP Client Service Name:Diskeeper Display Name:Diskeeper Service Name:dmserver Display Name:Logical Disk Manager Service Name:Dnscache Display Name:DNS Client Service Name:ERSvc Display Name:Error Reporting Service Service Name:Eventlog Display Name:Event Log Service Name:EventSystem Display Name:COM+ Event System Service Name:helpsvc Display Name:Help and Support Service Name:lanmanserver Display Name:Server Service Name:lanmanworkstation Display Name:Workstation Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper Service Name:LVCOMSer Display Name:LVCOMSer Service Name:LVPrcSrv Display Name:Process Monitor Service Name:MDM Display Name:Machine Debug Manager Service Name:Netman Display Name:Network Connections Service Name:Nla Display Name:Network Location Awareness (NLA) Service Name:NVSvc Display Name:NVIDIA Display Driver Service Service Name:PlugPlay Display Name:Plug and Play Service Name:PolicyAgent Display Name:IPSEC Services Service Name:ProtectedStorage Display Name:Protected Storage Service Name:PurgProService Display Name:PurgPro XP Service Service Name:RpcSs Display Name:Remote Procedure Call (RPC) Service Name:SamSs Display Name:Security Accounts Manager Service Name:Schedule Display Name:Task Scheduler Service Name:seclogon Display Name:Secondary Logon Service Name:SENS Display Name:System Event Notification Service Name:SharedAccess Display Name:Windows Firewall/Internet Connection Sharing (ICS) Service Name:ShellHWDetection Display Name:Shell Hardware Detection Service Name:Spooler Display Name:Print Spooler Service Name:srservice Display Name:System Restore Service Service Name:SSDPSRV Display Name:SSDP Discovery Service Service Name:stisvc Display Name:Windows Image Acquisition (WIA) Service Name:TermService Display Name:Terminal Services Service Name:Themes Display Name:Themes Service Name:TrkWks Display Name:Distributed Link Tracking Client Service Name:upnphost Display Name:Universal Plug and Play Device Host Service Name:Viewpoint Manager Service Display Name:Viewpoint Manager Service Service Name:W32Time Display Name:Windows Time Service Name:WebClient Display Name:WebClient Service Name:winmgmt Display Name:Windows Management Instrumentation Service Name:wscsvc Display Name:Security Center Service Name:wuauserv Display Name:Automatic Updates Service Name:WudfSvc Display Name:Windows Driver Foundation - User-mode Driver Framework ----- Startup: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run IMJPMIG8.1 "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MSPY2002 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PHIME2002ASync C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PHIME2002A C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run nwiz nwiz.exe /install HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DiskeeperSystray "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SunJavaUpdateSched "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Acrobat Assistant 7.0 "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run IntelliPoint "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run itype "C:\Program Files\Microsoft IntelliType Pro\itype.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SoundMan SOUNDMAN.EXE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HP Software Update C:\Program Files\HP\HP Software Update\HPWuSchd2.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LogitechCommunicationsManager "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LogitechQuickCamRibbon "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Launch Ai Booster C:\Program Files\ASUS\Ai Booster\OverClk.exe 1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AVG8_TRAY C:\PROGRA~1\AVG\AVG8\avgtray.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NvMediaCenter RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ctfmon.exe C:\WINDOWS\system32\ctfmon.exe HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run updateMgr "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Aim6 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run H/PC Connection Agent "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" C:\Documents and Settings\All Users\Start Menu\Programs\Startup desktop.ini C:\Documents and Settings\All Users\Start Menu\Programs\Startup HP Digital Imaging Monitor.lnk C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Remark��) C:\Documents and Settings\All Users\Start Menu\Programs\Startup Logitech Desktop Messenger.lnk C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (Remark��Logitech Desktop Messenger) C:\Documents and Settings\Z1\Start Menu\Programs\Startup desktop.ini ------- ComboFix 08-05-29.1 - Z1 2008-06-05 17:42:43.6 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.285 [GMT -7:00] Running from: C:\Documents and Settings\Z1\Desktop\Combo-Fix.exe Command switches used :: C:\Documents and Settings\Z1\Desktop\CFScript.txt * Created a new restore point * Resident AV is active WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 ))))))))))))))))))))))))))))))) . 2008-06-04 00:13 . 2008-06-04 19:36 0 --a------ C:\WINDOWS\system32\drivers\lvuvc.hs 2008-06-04 00:13 . 2008-06-04 19:36 0 --a------ C:\WINDOWS\system32\drivers\logiflt.iad 2008-06-01 22:04 . 2008-06-01 22:04 <DIR> d-------- C:\fsaua.data 2008-06-01 16:51 . 2008-06-01 16:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab 2008-06-01 16:51 . 2008-06-01 16:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2008-05-31 10:29 . 2008-05-31 10:53 <DIR> d-------- C:\Program Files\Windows Live 2008-05-31 08:31 . 2008-05-31 08:31 123 --a------ C:\WINDOWS\Winchat.ini 2008-05-31 08:04 . 2008-05-31 08:04 <DIR> d-------- C:\WINDOWS\nvidia icons 2008-05-31 08:03 . 2008-05-02 22:46 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb 2008-05-30 00:26 . 2008-06-05 17:43 <DIR> d--h----- C:\$AVG8.VAULT$ 2008-05-29 23:44 . 2008-06-05 15:01 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg 2008-05-29 23:44 . 2008-05-29 23:44 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys 2008-05-29 23:44 . 2008-05-29 23:44 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys 2008-05-29 23:44 . 2008-05-29 23:44 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys 2008-05-29 23:44 . 2008-05-29 23:44 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll 2008-05-29 23:43 . 2008-05-29 23:43 <DIR> d-------- C:\Program Files\AVG 2008-05-29 23:43 . 2008-05-30 00:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8 2008-05-29 23:43 . 2008-05-29 23:43 45,568 --a------ C:\WINDOWS\system32\avgfwdx.dll 2008-05-29 23:43 . 2008-05-29 23:43 22,528 --a------ C:\WINDOWS\system32\drivers\avgfwdx.sys 2008-05-29 21:22 . 2008-05-29 21:22 <DIR> d-------- C:\Program Files\SystemRequirementsLab 2008-05-29 21:22 . 2008-05-29 21:22 <DIR> d-------- C:\Documents and Settings\Z1\Application Data\SystemRequirementsLab 2008-05-28 19:02 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys 2008-05-28 19:02 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-05-18 19:40 . 2008-06-05 04:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-05-18 19:40 . 2008-05-18 19:40 1,409 --a------ C:\WINDOWS\QTFont.for 2008-05-17 08:34 . 2008-05-17 08:34 118 --a------ C:\WINDOWS\system32\MRT.INI . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-04 07:05 90,112 ----a-w C:\WINDOWS\DUMP542a.tmp 2008-06-04 06:38 --------- d-----w C:\Program Files\Soulseek 2008-06-03 03:10 --------- d-----w C:\Documents and Settings\Z1\Application Data\skypePM 2008-06-03 03:10 --------- d-----w C:\Documents and Settings\Z1\Application Data\Skype 2008-06-03 00:07 --------- d-----w C:\Program Files\Dust A Buddy 2008-05-31 17:53 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller 2008-05-31 17:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller 2008-05-30 05:23 --------- d-----w C:\Program Files\SUPERAntiSpyware 2008-05-30 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft 2008-05-29 02:05 --------- d-----w C:\Documents and Settings\Z1\Application Data\uTorrent 2008-05-29 02:02 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware 2008-05-29 01:43 --------- d-----w C:\Program Files\eMule 2008-05-21 04:01 --------- d-----w C:\Program Files\TagRename 2008-05-16 01:43 --------- d-----w C:\Documents and Settings\Z1\Application Data\Watchtower 2008-05-16 01:29 --------- d-----w C:\Program Files\Watchtower 2008-05-13 03:12 --------- d-----w C:\Documents and Settings\Z1\Application Data\Camfrog 2008-05-04 22:48 --------- d-----w C:\Program Files\Common Files\Skype 2008-05-04 22:33 --------- d-----w C:\Program Files\Steam 2008-05-01 00:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE 2008-04-29 00:18 --------- d-----w C:\Program Files\Panda Security 2008-04-28 03:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-04-28 03:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-04-28 03:43 --------- d-----w C:\Documents and Settings\Z1\Application Data\SUPERAntiSpyware.com 2008-04-28 02:16 --------- d-----w C:\Documents and Settings\Z1\Application Data\Malwarebytes 2008-04-28 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-04-28 02:15 --------- d-----w C:\Program Files\Common Files\Download Manager 2008-04-27 15:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-04-27 15:37 --------- d-----w C:\Program Files\Lavasoft 2008-04-14 01:47 --------- d-----w C:\Program Files\Winamp 2008-04-14 00:42 --------- d-----w C:\Program Files\Java 2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-24 06:01 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat 2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys 2007-07-07 22:06 24,192 ----a-w C:\Documents and Settings\Z1\usbsermptxp.sys 2007-07-07 22:06 22,768 ----a-w C:\Documents and Settings\Z1\usbsermpt.sys 2007-01-19 10:30 92,064 ----a-w C:\Documents and Settings\Z1\mqdmmdm.sys 2007-01-19 10:30 9,232 ----a-w C:\Documents and Settings\Z1\mqdmmdfl.sys 2007-01-19 10:30 79,328 ----a-w C:\Documents and Settings\Z1\mqdmserd.sys 2007-01-19 10:30 66,656 ----a-w C:\Documents and Settings\Z1\mqdmbus.sys 2007-01-19 10:30 6,208 ----a-w C:\Documents and Settings\Z1\mqdmcmnt.sys 2007-01-19 10:30 5,936 ----a-w C:\Documents and Settings\Z1\mqdmwhnt.sys 2007-01-19 10:30 4,048 ----a-w C:\Documents and Settings\Z1\mqdmcr.sys 2006-05-06 16:42 7,260,160 ----a-w C:\Program Files\mozilla firefox\plugins\libvlc.dll 2005-06-26 23:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll 2005-06-22 06:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll . ((((((((((((((((((((((((((((( snapshot@2008-05-31_19.54.37.68 ))))))))))))))))))))))))))))))))))))))))) . - 2008-06-01 02:47:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-06-05 02:36:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-02-27 22:59:28 290,816 ----a-w C:\WINDOWS\Downloaded Program Files\auc_lib.dll + 2008-02-27 22:59:28 495,616 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll + 2008-02-27 23:00:12 262,144 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll + 2008-02-27 22:59:16 588,392 ----a-w C:\WINDOWS\Downloaded Program Files\gatelauncher.exe + 2005-05-24 19:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll + 2007-08-29 22:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe + 2007-08-29 22:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll + 2008-06-05 02:36:37 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_374.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472] "Aim6"="" [] "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952] "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088] "nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe] "DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 17:52 184408] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 21:52 483328] "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 18:09 842584] "itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 18:08 813912] "SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe] "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152] "LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 17:33 563984] "LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 17:37 2178832] "Launch Ai Booster"="C:\Program Files\ASUS\Ai Booster\OverClk.exe" [2004-11-30 17:10 1978368] "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-29 23:44 1177368] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624] Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-02-22 02:14:59 66864] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-29 22:23 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-29 22:23 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.DIV3"= DivXc32.dll "vidc.DIV4"= DivXc32f.dll "vidc.DIVF"= DivX412.dll "vidc.XVID"= xvid.dll "VIDC.HFYU"= huffyuv.dll "msacm.divxa32"= DivXa32.acm [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ringo Launcher.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ringo Launcher.lnk backup=C:\WINDOWS\pss\Ringo Launcher.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk] C:\Program Files\Google\Google Talk\googletalk.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent] --a------ 2006-11-13 14:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2006-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2006-03-10 18:57 155648 C:\Program Files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] --a------ 2004-11-02 21:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YCentral] --a------ 2006-02-24 01:59 413208 c:\progra~1\yahoo!\YCentral\YahooCentral.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\ICQLite\\ICQLite.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\uTorrent\\uTorrent.exe"= "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"= "C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"= "C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"= "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"= "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "C:\\WINDOWS\\system32\\sessmgr.exe"= "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-05-29 23:44] R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-29 23:44] R2 AsusGIO;AsusGIO;C:\Program Files\ASUS\Ai Booster\AsusGIO.sys [2003-11-26 21:15] R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-29 23:44] R2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-05-29 23:44] R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-29 23:44] R2 PurgProService;PurgPro XP Service;C:\Program Files\PurgeIE\PurgPro_Service.exe [2006-01-18 16:18] R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38] R3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-05-29 23:43] R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2008-01-14 03:06] S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-05-29 23:43] S3 UCEDRIVER53;UCEDRIVER53;C:\Program Files\Ultimate Hack Pack\UCE\cetc.sys [] . Contents of the 'Scheduled Tasks' folder "2008-06-05 04:16:14 C:\WINDOWS\Tasks\purgpro.job" - C:\Program Files\PurgeIE\purgpro.exe . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-05 17:47:32 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2008-06-05 17:50:25 ComboFix-quarantined-files.txt 2008-06-06 00:50:17 ComboFix2.txt 2008-06-03 01:39:23 ComboFix3.txt 2008-06-01 23:21:30 ComboFix4.txt 2008-06-01 02:54:54 Pre-Run: 21,956,464,640 bytes free Post-Run: 21,945,442,304 bytes free 248 --- E O F --- 2008-05-31 10:06:29

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

2 Pages

1 2 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Virus, Spyware and Trojan Removal Vundo, malware, and flashing desktop problem [RESOLVED]	9 / 810	5th April 2008 - 11:04 AM r3lyons started - last by Rorschach112
Virus, Spyware and Trojan Removal Problem with Vundo and Trojan-Downloader.Delf [RESOLVED]	9 / 755	14th July 2008 - 04:28 PM NegativeZero started - last by Rorschach112
Virus, Spyware and Trojan Removal Explorer.exe Problem [RESOLVED]	11 / 975	4th August 2008 - 05:59 AM Redavni started - last by sage5
Virus, Spyware and Trojan Removal I have seen 2 names Trojan Vundo and Backdoor Trojan Agent ACFG and m	14 / 301	27th August 2009 - 10:45 AM tdc2719 started - last by Transience