Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

I have an I-Worm/Bagle, Vundo.k, and Wintems.exe problem. [RESOLVED]

Started by Spiff_Johnson , May 31 2008 01:35 PM

This topic is locked

#1
Spiff_Johnson

Posted 31 May 2008 - 01:35 PM

Member

Member
14 posts

Hello,

When I go into windows explorer and go to the folder options menu, unchecking hide system files and folders still will not allow me to see hidden files and folders. My system was infected with vundo and bagle (at least that's what avg told me) and although my av software has claimed that it cleaned those infections, I still think that something is still lurking around on my pc.
Other concerns:

* in msconfig, I had to uncheck wintems.exe from running at startup, how do I remove this completely?

* "latent" vundo in my system restore volume. How do I remove this as well?

So if you could, please help.

Thank you for your time,

- Spiff

Edited by Spiff_Johnson, 31 May 2008 - 01:36 PM.

#2
Rorschach112

Posted 31 May 2008 - 05:03 PM

Ralphie

Retired Staff
47,710 posts

Hello

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".
During the download, rename Combofix to Combo-Fix as follows:
It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  
  -----------------------------------------------------------
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

#3
Spiff_Johnson

Posted 01 June 2008 - 03:17 PM

Member

Topic Starter
Member
14 posts

Thank you for your quick reply.
-------

ComboFix 08-05-29.1 - Z1 2008-05-31 19:41:10.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.790 [GMT -7:00]
Running from: C:\Documents and Settings\Z1\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Z1\Application Data\m
C:\Documents and Settings\Z1\Application Data\m\list.oct
C:\Documents and Settings\Z1\Application Data\m\shared
C:\Documents and Settings\Z1\Application Data\m\srvlist.oct
C:\WINDOWS\BM9753eb6e.xml
.
---- Previous Run -------
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ban_list.txt
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\downld\1062546.exe
C:\WINDOWS\system32\drivers\downld\106671.exe
C:\WINDOWS\system32\drivers\downld\1311046.exe
C:\WINDOWS\system32\drivers\downld\1375859.exe
C:\WINDOWS\system32\drivers\downld\1413046.exe
C:\WINDOWS\system32\drivers\downld\2336578.exe
C:\WINDOWS\system32\drivers\downld\2495234.exe
C:\WINDOWS\system32\drivers\downld\2717734.exe
C:\WINDOWS\system32\drivers\downld\2731062.exe
C:\WINDOWS\system32\drivers\downld\2738546.exe
C:\x.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA
-------\Service_srosa

((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-05-31 10:29 . 2008-05-31 10:53 <DIR> d-------- C:\Program Files\Windows Live
2008-05-31 08:31 . 2008-05-31 08:31 123 --a------ C:\WINDOWS\Winchat.ini
2008-05-31 08:04 . 2008-05-31 08:04 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-05-31 08:03 . 2008-05-02 22:46 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-05-30 00:26 . 2008-05-31 17:58 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-29 23:44 . 2008-05-31 07:01 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-29 23:44 . 2008-05-29 23:44 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-29 23:44 . 2008-05-29 23:44 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-29 23:44 . 2008-05-29 23:44 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-05-29 23:44 . 2008-05-29 23:44 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-29 23:43 . 2008-05-29 23:43 <DIR> d-------- C:\Program Files\AVG
2008-05-29 23:43 . 2008-05-30 00:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-29 23:43 . 2008-05-29 23:43 45,568 --a------ C:\WINDOWS\system32\avgfwdx.dll
2008-05-29 23:43 . 2008-05-29 23:43 22,528 --a------ C:\WINDOWS\system32\drivers\avgfwdx.sys
2008-05-29 21:22 . 2008-05-29 21:22 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-05-29 21:22 . 2008-05-29 21:22 <DIR> d-------- C:\Documents and Settings\Z1\Application Data\SystemRequirementsLab
2008-05-28 19:02 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-28 19:02 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-18 19:40 . 2008-05-18 19:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-18 19:40 . 2008-05-18 19:40 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-17 08:34 . 2008-05-17 08:34 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-04 15:49 . 2008-05-04 15:49 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-04 15:48 . 2008-05-04 15:48 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-02 22:46 . 2008-05-02 22:46 1,241,088 --a------ C:\WINDOWS\system32\nvcuda.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 02:47 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2008-06-01 02:47 0 ----a-w C:\WINDOWS\system32\drivers\logiflt.iad
2008-05-31 22:16 --------- d-----w C:\Program Files\Soulseek
2008-05-31 19:56 --------- d-----w C:\Documents and Settings\Z1\Application Data\Skype
2008-05-31 19:55 --------- d-----w C:\Documents and Settings\Z1\Application Data\skypePM
2008-05-31 17:53 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-31 17:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-31 02:37 --------- d-----w C:\Program Files\Dust A Buddy
2008-05-30 05:23 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-05-30 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-29 02:05 --------- d-----w C:\Documents and Settings\Z1\Application Data\uTorrent
2008-05-29 02:02 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-05-29 01:43 --------- d-----w C:\Program Files\eMule
2008-05-21 04:01 --------- d-----w C:\Program Files\TagRename
2008-05-16 01:43 --------- d-----w C:\Documents and Settings\Z1\Application Data\Watchtower
2008-05-16 01:29 --------- d-----w C:\Program Files\Watchtower
2008-05-13 03:12 --------- d-----w C:\Documents and Settings\Z1\Application Data\Camfrog
2008-05-04 22:33 --------- d-----w C:\Program Files\Steam
2008-05-03 05:46 6,554,496 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-04-29 00:18 --------- d-----w C:\Program Files\Panda Security
2008-04-28 03:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-28 03:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-28 03:43 --------- d-----w C:\Documents and Settings\Z1\Application Data\SUPERAntiSpyware.com
2008-04-28 02:16 --------- d-----w C:\Documents and Settings\Z1\Application Data\Malwarebytes
2008-04-28 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-28 02:15 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-04-27 15:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-27 15:37 --------- d-----w C:\Program Files\Lavasoft
2008-04-14 01:47 --------- d-----w C:\Program Files\Winamp
2008-04-14 00:42 --------- d-----w C:\Program Files\Java
2008-04-05 21:00 --------- d-----w C:\Program Files\Soulseek-Test
2008-04-05 20:23 --------- d-----w C:\Program Files\Opera
2008-04-05 01:41 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-24 06:01 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-07-07 22:06 24,192 ----a-w C:\Documents and Settings\Z1\usbsermptxp.sys
2007-07-07 22:06 22,768 ----a-w C:\Documents and Settings\Z1\usbsermpt.sys
2007-01-19 10:30 92,064 ----a-w C:\Documents and Settings\Z1\mqdmmdm.sys
2007-01-19 10:30 9,232 ----a-w C:\Documents and Settings\Z1\mqdmmdfl.sys
2007-01-19 10:30 79,328 ----a-w C:\Documents and Settings\Z1\mqdmserd.sys
2007-01-19 10:30 66,656 ----a-w C:\Documents and Settings\Z1\mqdmbus.sys
2007-01-19 10:30 6,208 ----a-w C:\Documents and Settings\Z1\mqdmcmnt.sys
2007-01-19 10:30 5,936 ----a-w C:\Documents and Settings\Z1\mqdmwhnt.sys
2007-01-19 10:30 4,048 ----a-w C:\Documents and Settings\Z1\mqdmcr.sys
2006-05-06 16:42 7,260,160 ----a-w C:\Program Files\mozilla firefox\plugins\libvlc.dll
2005-06-26 23:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 06:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Aim6"="" []
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 17:52 184408]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 21:52 483328]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 18:09 842584]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 18:08 813912]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 17:33 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 17:37 2178832]
"Launch Ai Booster"="C:\Program Files\ASUS\Ai Booster\OverClk.exe" [2004-11-30 17:10 1978368]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-29 23:44 1177368]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-02-22 02:14:59 66864]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-29 22:23 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-29 22:23 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.DIVF"= DivX412.dll
"vidc.XVID"= xvid.dll
"VIDC.HFYU"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ringo Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ringo Launcher.lnk
backup=C:\WINDOWS\pss\Ringo Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\german.exe]
C:\WINDOWS\system32\wintems.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 14:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-03-10 18:57 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 21:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YCentral]
--a------ 2006-02-24 01:59 413208 c:\progra~1\yahoo!\YCentral\YahooCentral.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-05-29 23:44]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-29 23:44]
R2 AsusGIO;AsusGIO;C:\Program Files\ASUS\Ai Booster\AsusGIO.sys [2003-11-26 21:15]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-29 23:44]
R2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-05-29 23:44]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-29 23:44]
R2 PurgProService;PurgPro XP Service;C:\Program Files\PurgeIE\PurgPro_Service.exe [2006-01-18 16:18]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
R3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-05-29 23:43]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2008-01-14 03:06]
S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-05-29 23:43]
S3 UCEDRIVER53;UCEDRIVER53;C:\Program Files\Ultimate Hack Pack\UCE\cetc.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Opendisc.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{310143ee-6d7b-11dc-bb5f-0013d41913fe}]
\Shell\AutoRun\command - G:\Autorun.exe /run
\Shell\Shell00\Command - G:\Autorun.exe /run
\Shell\Shell01\Command - G:\Autorun.exe /action
\Shell\Shell02\Command - G:\Autorun.exe /uninstall

.
Contents of the 'Scheduled Tasks' folder
"2008-05-31 04:16:16 C:\WINDOWS\Tasks\purgpro.job"
- C:\Program Files\PurgeIE\purgpro.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 19:49:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2008-05-31 19:54:53 - machine was rebooted [Z1]
ComboFix-quarantined-files.txt 2008-06-01 02:54:50

Pre-Run: 23,350,202,368 bytes free
Post-Run: 22,287,663,104 bytes free

286 --- E O F --- 2008-05-31 10:06:29

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:03 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PurgeIE\PurgPro_Service.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Documents and Settings\Z1\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Launch Ai Booster] C:\Program Files\ASUS\Ai Booster\OverClk.exe 1
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualap...rg/activegs.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....026/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spiffj.spaces...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128724499203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1164751532823
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab47946.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft....ayx_vp6_aac.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15028/CTPID.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PurgPro XP Service (PurgProService) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgPro_Service.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14038 bytes

#4
Rorschach112

Posted 01 June 2008 - 03:20 PM

Ralphie

Retired Staff
47,710 posts

Few things for you

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\drivers\lvuvc.hs
C:\WINDOWS\system32\drivers\logiflt.iad
C:\WINDOWS\system32\wintems.exe
D:\Opendisc.exe
G:\Autorun.exe

Folder::

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\german.exe]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{310143ee-6d7b-11dc-bb5f-0013d41913fe}]

SysRst::

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Click here to use the F-Secure Online Scanner

Then click the Start Scanning button below.
You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
In case you are having problems with installing the ActiveX/starting the scan, please read here.
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan finished scanning, click the Automatic cleaning (recommended) button
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.

Edited by Rorschach112, 01 June 2008 - 03:20 PM.

#5
Spiff_Johnson

Posted 01 June 2008 - 03:25 PM

Member

Topic Starter
Member
14 posts

By the way, since running combofix, my hidden folders option works the way it's supposed to

#6
Rorschach112

Posted 01 June 2008 - 03:27 PM

Ralphie

Retired Staff
47,710 posts

Yeah ComboFix should have fixed a lot of stuff, but there is still a bit of work to do

You will need two posts to fit these logs in

#7
Spiff_Johnson

Posted 02 June 2008 - 06:08 PM

Member

Topic Starter
Member
14 posts

ComboFix 08-05-29.1 - Z1 2008-06-01 16:13:36.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.786 [GMT -7:00]
Running from: C:\Documents and Settings\Z1\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Z1\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\drivers\logiflt.iad
C:\WINDOWS\system32\drivers\lvuvc.hs
C:\WINDOWS\system32\wintems.exe
D:\Opendisc.exe
G:\Autorun.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\drivers\logiflt.iad
C:\WINDOWS\system32\drivers\lvuvc.hs

.
((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-05-31 10:29 . 2008-05-31 10:53 <DIR> d-------- C:\Program Files\Windows Live
2008-05-31 08:31 . 2008-05-31 08:31 123 --a------ C:\WINDOWS\Winchat.ini
2008-05-31 08:04 . 2008-05-31 08:04 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-05-31 08:03 . 2008-05-02 22:46 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-05-30 00:26 . 2008-06-01 14:15 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-29 23:44 . 2008-06-01 15:01 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-29 23:44 . 2008-05-29 23:44 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-29 23:44 . 2008-05-29 23:44 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-29 23:44 . 2008-05-29 23:44 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-05-29 23:44 . 2008-05-29 23:44 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-29 23:43 . 2008-05-29 23:43 <DIR> d-------- C:\Program Files\AVG
2008-05-29 23:43 . 2008-05-30 00:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-29 23:43 . 2008-05-29 23:43 45,568 --a------ C:\WINDOWS\system32\avgfwdx.dll
2008-05-29 23:43 . 2008-05-29 23:43 22,528 --a------ C:\WINDOWS\system32\drivers\avgfwdx.sys
2008-05-29 21:22 . 2008-05-29 21:22 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-05-29 21:22 . 2008-05-29 21:22 <DIR> d-------- C:\Documents and Settings\Z1\Application Data\SystemRequirementsLab
2008-05-28 19:02 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-28 19:02 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-18 19:40 . 2008-05-18 19:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-18 19:40 . 2008-05-18 19:40 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-17 08:34 . 2008-05-17 08:34 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-04 15:49 . 2008-05-04 15:49 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-04 15:48 . 2008-05-04 15:48 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-02 22:46 . 2008-05-02 22:46 1,241,088 --a------ C:\WINDOWS\system32\nvcuda.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-31 22:16 --------- d-----w C:\Program Files\Soulseek
2008-05-31 19:56 --------- d-----w C:\Documents and Settings\Z1\Application Data\Skype
2008-05-31 19:55 --------- d-----w C:\Documents and Settings\Z1\Application Data\skypePM
2008-05-31 17:53 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-31 17:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-31 02:37 --------- d-----w C:\Program Files\Dust A Buddy
2008-05-30 05:23 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-05-30 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-29 02:05 --------- d-----w C:\Documents and Settings\Z1\Application Data\uTorrent
2008-05-29 02:02 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-05-29 01:43 --------- d-----w C:\Program Files\eMule
2008-05-21 04:01 --------- d-----w C:\Program Files\TagRename
2008-05-16 01:43 --------- d-----w C:\Documents and Settings\Z1\Application Data\Watchtower
2008-05-16 01:29 --------- d-----w C:\Program Files\Watchtower
2008-05-13 03:12 --------- d-----w C:\Documents and Settings\Z1\Application Data\Camfrog
2008-05-04 22:33 --------- d-----w C:\Program Files\Steam
2008-05-01 00:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-04-29 00:18 --------- d-----w C:\Program Files\Panda Security
2008-04-28 03:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-28 03:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-28 03:43 --------- d-----w C:\Documents and Settings\Z1\Application Data\SUPERAntiSpyware.com
2008-04-28 02:16 --------- d-----w C:\Documents and Settings\Z1\Application Data\Malwarebytes
2008-04-28 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-28 02:15 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-04-27 15:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-27 15:37 --------- d-----w C:\Program Files\Lavasoft
2008-04-14 01:47 --------- d-----w C:\Program Files\Winamp
2008-04-14 00:42 --------- d-----w C:\Program Files\Java
2008-04-05 21:00 --------- d-----w C:\Program Files\Soulseek-Test
2008-04-05 20:23 --------- d-----w C:\Program Files\Opera
2008-04-05 01:41 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-24 06:01 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-07-07 22:06 24,192 ----a-w C:\Documents and Settings\Z1\usbsermptxp.sys
2007-07-07 22:06 22,768 ----a-w C:\Documents and Settings\Z1\usbsermpt.sys
2007-01-19 10:30 92,064 ----a-w C:\Documents and Settings\Z1\mqdmmdm.sys
2007-01-19 10:30 9,232 ----a-w C:\Documents and Settings\Z1\mqdmmdfl.sys
2007-01-19 10:30 79,328 ----a-w C:\Documents and Settings\Z1\mqdmserd.sys
2007-01-19 10:30 66,656 ----a-w C:\Documents and Settings\Z1\mqdmbus.sys
2007-01-19 10:30 6,208 ----a-w C:\Documents and Settings\Z1\mqdmcmnt.sys
2007-01-19 10:30 5,936 ----a-w C:\Documents and Settings\Z1\mqdmwhnt.sys
2007-01-19 10:30 4,048 ----a-w C:\Documents and Settings\Z1\mqdmcr.sys
2006-05-06 16:42 7,260,160 ----a-w C:\Program Files\mozilla firefox\plugins\libvlc.dll
2005-06-26 23:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 06:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-31_19.54.37.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 02:47:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 23:04:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Aim6"="" []
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 17:52 184408]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 21:52 483328]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 18:09 842584]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 18:08 813912]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 17:33 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 17:37 2178832]
"Launch Ai Booster"="C:\Program Files\ASUS\Ai Booster\OverClk.exe" [2004-11-30 17:10 1978368]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-29 23:44 1177368]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-02-22 02:14:59 66864]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-29 22:23 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-29 22:23 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.DIVF"= DivX412.dll
"vidc.XVID"= xvid.dll
"VIDC.HFYU"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ringo Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ringo Launcher.lnk
backup=C:\WINDOWS\pss\Ringo Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 14:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-03-10 18:57 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 21:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YCentral]
--a------ 2006-02-24 01:59 413208 c:\progra~1\yahoo!\YCentral\YahooCentral.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-05-29 23:44]
S1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-29 23:44]
S2 AsusGIO;AsusGIO;C:\Program Files\ASUS\Ai Booster\AsusGIO.sys [2003-11-26 21:15]
S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-29 23:44]
S2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-05-29 23:44]
S2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-29 23:44]
S2 PurgProService;PurgPro XP Service;C:\Program Files\PurgeIE\PurgPro_Service.exe [2006-01-18 16:18]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
S3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-05-29 23:43]
S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-05-29 23:43]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2008-01-14 03:06]
S3 UCEDRIVER53;UCEDRIVER53;C:\Program Files\Ultimate Hack Pack\UCE\cetc.sys []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-01 04:16:04 C:\WINDOWS\Tasks\purgpro.job"
- C:\Program Files\PurgeIE\purgpro.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 16:17:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-01 16:21:29
ComboFix-quarantined-files.txt 2008-06-01 23:21:23
ComboFix2.txt 2008-06-01 02:54:54

Pre-Run: 23,508,160,512 bytes free
Post-Run: 23,499,374,592 bytes free

251 --- E O F --- 2008-05-31 10:06:29

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 01, 2008 9:58:56 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/06/2008
Kaspersky Anti-Virus database records: 821471
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 198674
Number of viruses found: 9
Number of infected objects: 23
Number of suspicious objects: 2
Duration of the scan process: 04:29:42

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg8\AvgAm\avgam.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgam.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgfw8u.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgns.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpub.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\00583a8603e3e3620e5d5f9068f64450_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ba6d9253a71ac8a152afc996b68bfbf_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3eb188c73c38a5d7518dc831f3cbb328_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4427b503cc51d3d745e4a0535e693db6_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\64ebafcabc175a02baa9d53760efc56c_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6b91e4e69304cd4fa3921ac849788fec_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\74565ebb402ff4cdea448fdcd94e2881_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b7a4558591a3cb0683e603f5a850627e_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c46ef3fa61a34800231ad7e2898e7a23_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cf6bac28535ffa8ac8e731d0f57e2fb4_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\daeeb4a87bca21c3f3d0c2081e94b983_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ff86bc441877073baa99bc64824649b0_56c5dc0e-ed5d-4041-9974-884f62ab6f7d Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Z1\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\Z1\Application Data\Mozilla\Firefox\Profiles\dnh8yq5p.default\cert8.db Object is locked skipped
C:\Documents and Settings\Z1\Application Data\Mozilla\Firefox\Profiles\dnh8yq5p.default\history.dat Object is locked skipped
C:\Documents and Settings\Z1\Application Data\Mozilla\Firefox\Profiles\dnh8yq5p.default\key3.db Object is locked skipped
C:\Documents and Settings\Z1\Application Data\Mozilla\Firefox\Profiles\dnh8yq5p.default\parent.lock Object is locked skipped
C:\Documents and Settings\Z1\Application Data\Mozilla\Firefox\Profiles\dnh8yq5p.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Z1\Application Data\Mozilla\Firefox\Profiles\dnh8yq5p.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Z1\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Z1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Z1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Z1\Local Settings\Application Data\Mozilla\Firefox\Profiles\dnh8yq5p.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Z1\Local Settings\Application Data\Mozilla\Firefox\Profiles\dnh8yq5p.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Z1\Local Settings\Application Data\Mozilla\Firefox\Profiles\dnh8yq5p.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Z1\Local Settings\Application Data\Mozilla\Firefox\Profiles\dnh8yq5p.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Z1\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Z1\Local Settings\History\History.IE5\MSHist012008060120080602\index.dat Object is locked skipped
C:\Documents and Settings\Z1\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Z1\Local Settings\Temp\Perflib_Perfdata_9c4.dat Object is locked skipped
C:\Documents and Settings\Z1\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\Z1\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Z1\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\sysreset253.exe/data.rar/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\sysreset253.exe/data.rar Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\sysreset253.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Z1\ntuser.dat Object is locked skipped
C:\Documents and Settings\Z1\ntuser.dat.LOG Object is locked skipped
C:\Excursion9.5\mIRC.ExCurSioN.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\chandir.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\chandir.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\chn.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\chn.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\inuse.txt Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\L0000004.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\main.log Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\prs.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\prs.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\prs_die.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\prs_die.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\storydb.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Z1\Data\storydb.idx Object is locked skipped
C:\QooBox\Quarantine\Registry_backups\Service_srosa.reg.dat Infected: Trojan-Downloader.Win32.Bagle.hp skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0045306.exe Infected: Trojan-Downloader.Win32.Bagle.qt skipped
C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0045313.exe Infected: Trojan-Downloader.Win32.Bagle.qt skipped
C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0045337.exe Infected: Trojan-Downloader.Win32.Bagle.qt skipped
C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0046339.exe Infected: Trojan-Downloader.Win32.Bagle.qt skipped
C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0046553.exe Infected: Email-Worm.Win32.Bagle.vr skipped
C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0046554.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0046555.exe Infected: Email-Worm.Win32.Bagle.vr skipped
C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0046556.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0046571.exe Infected: Trojan-Downloader.Win32.Bagle.qt skipped
C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0046592.exe Infected: Trojan-Downloader.Win32.Bagle.qt skipped
C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0046608.exe Infected: Trojan-Downloader.Win32.Bagle.qt skipped
C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0046609.sys Infected: Trojan-Downloader.Win32.Bagle.mm skipped
C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP445\A0046612.exe Infected: Trojan-Downloader.Win32.Bagle.qt skipped
C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP447\A0047958.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP447\A0047959.exe Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP447\A0047960.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP447\A0047961.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP447\A0047962.exe Infected: Trojan-Downloader.Win32.Bagle.qt skipped
C:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP449\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\etc\Hosts.bak Object is locked skipped
C:\WINDOWS\system32\Logfiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_23c.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\found.001\dir0000.chk\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{B27AED19-6964-49B6-93C6-F87E6CC7F19F}\RP449\change.log Object is locked skipped

Scan process completed.

#8
Spiff_Johnson

Posted 02 June 2008 - 06:09 PM

Member

Topic Starter
Member
14 posts

Scanning Report
Monday, June 02, 2008 05:33:08 - 17:07:40

Computer name: ZACK
Scanning type: Scan system for malware, rootkits
Target: C:\ F:\
Result: 3 malware found
Client-IRC.Win32.mIRC (spyware)

* System

Trojan-Spy:W32/Agent.BPQ (virus)

* System
* C:\PROGRAM FILES\DUST A BUDDY\YMSG12ENCRYPT.DLL

Statistics
Scanned:

* Files: 95793
* System: 6476
* Not scanned: 20

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 3
* Submitted: 0

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\00583A8603E3E3620E5D5F9068F64450_56C5DC0E-ED5D-4041-9974-884F62AB6F7D
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3BA6D9253A71AC8A152AFC996B68BFBF_56C5DC0E-ED5D-4041-9974-884F62AB6F7D
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3EB188C73C38A5D7518DC831F3CBB328_56C5DC0E-ED5D-4041-9974-884F62AB6F7D
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\4427B503CC51D3D745E4A0535E693DB6_56C5DC0E-ED5D-4041-9974-884F62AB6F7D
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\64EBAFCABC175A02BAA9D53760EFC56C_56C5DC0E-ED5D-4041-9974-884F62AB6F7D
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\6B91E4E69304CD4FA3921AC849788FEC_56C5DC0E-ED5D-4041-9974-884F62AB6F7D
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\74565EBB402FF4CDEA448FDCD94E2881_56C5DC0E-ED5D-4041-9974-884F62AB6F7D
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\B7A4558591A3CB0683E603F5A850627E_56C5DC0E-ED5D-4041-9974-884F62AB6F7D
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\C46EF3FA61A34800231AD7E2898E7A23_56C5DC0E-ED5D-4041-9974-884F62AB6F7D
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\CF6BAC28535FFA8AC8E731D0F57E2FB4_56C5DC0E-ED5D-4041-9974-884F62AB6F7D
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\DAEEB4A87BCA21C3F3D0C2081E94B983_56C5DC0E-ED5D-4041-9974-884F62AB6F7D
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FF86BC441877073BAA99BC64824649B0_56C5DC0E-ED5D-4041-9974-884F62AB6F7D
* F:\FOUND.001\DIR0000.CHK\MOUNTPOINTMANAGERREMOTEDATABASE

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Blacklight: 1.0.68
* F-Secure Hydra: 2.8.8110, 2008-06-02
* F-Secure Pegasus: 1.20.0, 2008-04-14
* F-Secure AVP: 7.0.171, 2008-06-02

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

#9
Spiff_Johnson

Posted 02 June 2008 - 06:11 PM

Member

Topic Starter
Member
14 posts

My avg automatically scans at 3am and it broke the F-Secure scan the first time through. Thanks again.

#10
Rorschach112

Posted 02 June 2008 - 06:14 PM

Ralphie

Retired Staff
47,710 posts

Ok looking good

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\sysreset253.exe

DirLook::
C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's

SysRst::

Registry::

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Please download and unzip Icesword to its own folder on your desktop

If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.

Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.

Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.

Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.

Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.

Now post all of the data collected under the headings for :

Processes
Win32 Services
Startup
SSDT
Message Hooks

Also post a new HijackThis log

#11
Spiff_Johnson

Posted 02 June 2008 - 08:05 PM

Member

Topic Starter
Member
14 posts

For message hooks, am I writing down red entries under WH_Keyboard or all entries under WH_Keyboard? Thanks in advance

#12
Rorschach112

Posted 03 June 2008 - 06:57 AM

Ralphie

Retired Staff
47,710 posts

Write down all entries under WH_Keyboard

#13
Spiff_Johnson

Posted 03 June 2008 - 07:54 PM

Member

Topic Starter
Member
14 posts

ComboFix 08-05-29.1 - Z1 2008-06-02 17:46:05.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.636 [GMT -7:00]
Running from: C:\Documents and Settings\Z1\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Z1\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\sysreset253.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\sysreset253.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
.

2008-06-01 22:04 . 2008-06-01 22:04 <DIR> d-------- C:\fsaua.data
2008-06-01 16:51 . 2008-06-01 16:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-01 16:51 . 2008-06-01 16:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-31 10:29 . 2008-05-31 10:53 <DIR> d-------- C:\Program Files\Windows Live
2008-05-31 08:31 . 2008-05-31 08:31 123 --a------ C:\WINDOWS\Winchat.ini
2008-05-31 08:04 . 2008-05-31 08:04 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-05-31 08:03 . 2008-05-02 22:46 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-05-30 00:26 . 2008-06-01 20:30 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-29 23:44 . 2008-06-02 15:01 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-29 23:44 . 2008-05-29 23:44 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-29 23:44 . 2008-05-29 23:44 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-29 23:44 . 2008-05-29 23:44 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-05-29 23:44 . 2008-05-29 23:44 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-29 23:43 . 2008-05-29 23:43 <DIR> d-------- C:\Program Files\AVG
2008-05-29 23:43 . 2008-05-30 00:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-29 23:43 . 2008-05-29 23:43 45,568 --a------ C:\WINDOWS\system32\avgfwdx.dll
2008-05-29 23:43 . 2008-05-29 23:43 22,528 --a------ C:\WINDOWS\system32\drivers\avgfwdx.sys
2008-05-29 21:22 . 2008-05-29 21:22 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-05-29 21:22 . 2008-05-29 21:22 <DIR> d-------- C:\Documents and Settings\Z1\Application Data\SystemRequirementsLab
2008-05-28 19:02 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-28 19:02 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-18 19:40 . 2008-05-18 19:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-18 19:40 . 2008-05-18 19:40 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-17 08:34 . 2008-05-17 08:34 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-04 15:49 . 2008-05-04 15:49 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-04 15:48 . 2008-05-04 15:48 <DIR> d-------- C:\Program Files\Common Files\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-03 00:07 --------- d-----w C:\Program Files\Dust A Buddy
2008-06-02 02:36 --------- d-----w C:\Documents and Settings\Z1\Application Data\Skype
2008-06-02 02:16 --------- d-----w C:\Documents and Settings\Z1\Application Data\skypePM
2008-05-31 22:16 --------- d-----w C:\Program Files\Soulseek
2008-05-31 17:53 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-31 17:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-30 05:23 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-05-30 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-29 02:05 --------- d-----w C:\Documents and Settings\Z1\Application Data\uTorrent
2008-05-29 02:02 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-05-29 01:43 --------- d-----w C:\Program Files\eMule
2008-05-21 04:01 --------- d-----w C:\Program Files\TagRename
2008-05-16 01:43 --------- d-----w C:\Documents and Settings\Z1\Application Data\Watchtower
2008-05-16 01:29 --------- d-----w C:\Program Files\Watchtower
2008-05-13 03:12 --------- d-----w C:\Documents and Settings\Z1\Application Data\Camfrog
2008-05-04 22:33 --------- d-----w C:\Program Files\Steam
2008-05-01 00:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-04-29 00:18 --------- d-----w C:\Program Files\Panda Security
2008-04-28 03:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-28 03:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-28 03:43 --------- d-----w C:\Documents and Settings\Z1\Application Data\SUPERAntiSpyware.com
2008-04-28 02:16 --------- d-----w C:\Documents and Settings\Z1\Application Data\Malwarebytes
2008-04-28 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-28 02:15 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-04-27 15:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-27 15:37 --------- d-----w C:\Program Files\Lavasoft
2008-04-14 01:47 --------- d-----w C:\Program Files\Winamp
2008-04-14 00:42 --------- d-----w C:\Program Files\Java
2008-04-05 21:00 --------- d-----w C:\Program Files\Soulseek-Test
2008-04-05 20:23 --------- d-----w C:\Program Files\Opera
2008-04-05 01:41 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-24 06:01 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2007-07-07 22:06 24,192 ----a-w C:\Documents and Settings\Z1\usbsermptxp.sys
2007-07-07 22:06 22,768 ----a-w C:\Documents and Settings\Z1\usbsermpt.sys
2007-01-19 10:30 92,064 ----a-w C:\Documents and Settings\Z1\mqdmmdm.sys
2007-01-19 10:30 9,232 ----a-w C:\Documents and Settings\Z1\mqdmmdfl.sys
2007-01-19 10:30 79,328 ----a-w C:\Documents and Settings\Z1\mqdmserd.sys
2007-01-19 10:30 66,656 ----a-w C:\Documents and Settings\Z1\mqdmbus.sys
2007-01-19 10:30 6,208 ----a-w C:\Documents and Settings\Z1\mqdmcmnt.sys
2007-01-19 10:30 5,936 ----a-w C:\Documents and Settings\Z1\mqdmwhnt.sys
2007-01-19 10:30 4,048 ----a-w C:\Documents and Settings\Z1\mqdmcr.sys
2006-05-06 16:42 7,260,160 ----a-w C:\Program Files\mozilla firefox\plugins\libvlc.dll
2005-06-26 23:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 06:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's ----

2005-01-31 19:42 23819897 --a------ C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\Swift3Dv4.rar
2005-01-14 22:40 1314498 --a------ C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\sysreset253.exe
2004-11-30 02:37 30 --a------ C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\Swift3Dv4\Swift3Dv4B301\Setup\SN.txt
2004-11-30 02:37 30 --a------ C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\Swift3Dv4\Swift3Dv4B301\Setup\Setup\SN.txt
2004-08-08 08:38 2901673 --a------ C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\Swift3Dv4\Swift3Dv4B301\HH\HC-Swift3D40-fxj.exe
2004-07-26 12:40 24467538 --a------ C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\Swift3Dv4\Swift3Dv4B301\Setup\Setup\Swift3DV4Release-301.exe
2004-07-26 12:38 3941 --a------ C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\Swift3Dv4\Swift3Dv4B301\Setup\Setup\buildhistory.txt
2004-05-31 00:35 3412995 --a------ C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\Microangelo v5.59 setup.exe
2004-04-11 19:09 1366 --a------ C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\wuh.txt
2004-04-11 19:07 29 --a------ C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\duh.txt
2004-04-11 19:03 29 --a------ C:\Documents and Settings\Z1\My Documents\~nior\dl\Dl's\uh.txt

((((((((((((((((((((((((((((( snapshot@2008-05-31_19.54.37.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 02:47:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-02 12:27:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-02-27 22:59:28 290,816 ----a-w C:\WINDOWS\Downloaded Program Files\auc_lib.dll
+ 2008-02-27 22:59:28 495,616 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2008-02-27 23:00:12 262,144 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2008-02-27 22:59:16 588,392 ----a-w C:\WINDOWS\Downloaded Program Files\gatelauncher.exe
+ 2005-05-24 19:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 22:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 22:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-06-02 12:27:36 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_7b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Aim6"="" []
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 17:52 184408]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 21:52 483328]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 18:09 842584]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 18:08 813912]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 17:33 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 17:37 2178832]
"Launch Ai Booster"="C:\Program Files\ASUS\Ai Booster\OverClk.exe" [2004-11-30 17:10 1978368]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-29 23:44 1177368]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-29 22:23 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-29 22:23 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.DIVF"= DivX412.dll
"vidc.XVID"= xvid.dll
"VIDC.HFYU"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ringo Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ringo Launcher.lnk
backup=C:\WINDOWS\pss\Ringo Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 14:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-03-10 18:57 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 21:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YCentral]
--a------ 2006-02-24 01:59 413208 c:\progra~1\yahoo!\YCentral\YahooCentral.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-05-29 23:44]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-29 23:44]
R2 AsusGIO;AsusGIO;C:\Program Files\ASUS\Ai Booster\AsusGIO.sys [2003-11-26 21:15]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-29 23:44]
R2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-05-29 23:44]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-29 23:44]
R2 PurgProService;PurgPro XP Service;C:\Program Files\PurgeIE\PurgPro_Service.exe [2006-01-18 16:18]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
R3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-05-29 23:43]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2008-01-14 03:06]
S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-05-29 23:43]
S3 UCEDRIVER53;UCEDRIVER53;C:\Program Files\Ultimate Hack Pack\UCE\cetc.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-06-02 04:16:42 C:\WINDOWS\Tasks\purgpro.job"
- C:\Program Files\PurgeIE\purgpro.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-02 18:35:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-02 18:39:22
ComboFix-quarantined-files.txt 2008-06-03 01:39:16
ComboFix2.txt 2008-06-01 23:21:30
ComboFix3.txt 2008-06-01 02:54:54

Pre-Run: 22,267,121,664 bytes free
Post-Run: 22,328,164,352 bytes free

270 --- E O F --- 2008-05-31 10:06:29

C:\WINDOWS\explorer.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\soundman.exe
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\Program Files\Microsoft InelliType Pro\itype.exe
C:\Program Files\Quickcam\Quickcam.exe
C:\Program Files\Microsoft InelliType Pro\ipoint.exe
C:\Program Files\Microsoft InelliType Pro\itype.exe
C:\Program Files\Quickcam\Quickcam.exe
C:\PROGRA~\MI3AA1~\rapimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft InelliType Pro\ipoint.exe
C:\Program Files\Microsoft InelliType Pro\ipoint.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Logitech\Desktop Messenger\88766480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Logitech\Desktop Messenger\88766480\Program\LogitechDesktopMessenger.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Alarm Clock\Alarm Clock.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alarm Clock\Alarm Clock.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alarm Clock\Alarm Clock.exe
C:\WINDOWS\NOTEPAD.exe
C:\Program Files\ManyCam2.2\ManyCam.exe
C:\Program Files\ManyCam2.2\ManyCam.exe
C:\Program Files\ManyCam2.2\ManyCam.exe
C:\Program Files\ManyCam2.2\ManyCam.exe

WH_KEYBOARD_LL
C:\Program Files\Microsoft InelliType Pro\ipoint.exe

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:07:49 PM, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PurgeIE\PurgPro_Service.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Z1\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Launch Ai Booster] C:\Program Files\ASUS\Ai Booster\OverClk.exe 1
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualap...rg/activegs.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....026/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spiffj.spaces...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128724499203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1164751532823
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab47946.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft....ayx_vp6_aac.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15028/CTPID.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PurgPro XP Service (PurgProService) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgPro_Service.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14415 bytes

#14
Rorschach112

Posted 04 June 2008 - 05:40 AM

Ralphie

Retired Staff
47,710 posts

Can you post the IceSword logs from

Win32 Services
Startup

Also tell me how your PC is running

And do this

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Sysrst::

Folder::

Registry::

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Edited by Rorschach112, 04 June 2008 - 05:42 AM.

#15
Spiff_Johnson

Posted 05 June 2008 - 06:57 PM

Member

Topic Starter
Member
14 posts

My PC is running better than it has in a while thanks to you

sorry for being so late in posting this. Also, my AVG has crashed about 2 times lately when it tries to autoscan and my pc rebooted itself abruptly for no reason yesterday, but other than that, I've been fine. Also, I forgot to turn off my avg when combofix was running and I got a virus alert (probably just from combofix right?)

Thanks

--------------------
Started Service:

Service Name:ALG Display Name:Application Layer Gateway Service
Service Name:AudioSrv Display Name:Windows Audio
Service Name:avg8wd Display Name:AVG8 WatchDog
Service Name:avgfws8 Display Name:AVG8 Firewall
Service Name:BITS Display Name:Background Intelligent Transfer Service
Service Name:Browser Display Name:Computer Browser
Service Name:Creative Service for CDROM Access Display Name:Creative Service for CDROM Access
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:Diskeeper Display Name:Diskeeper
Service Name:dmserver Display Name:Logical Disk Manager
Service Name:Dnscache Display Name:DNS Client
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Event Log
Service Name:EventSystem Display Name:COM+ Event System
Service Name:helpsvc Display Name:Help and Support
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:LVCOMSer Display Name:LVCOMSer
Service Name:LVPrcSrv Display Name:Process Monitor
Service Name:MDM Display Name:Machine Debug Manager
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:PurgProService Display Name:PurgPro XP Service
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:seclogon Display Name:Secondary Logon
Service Name:SENS Display Name:System Event Notification
Service Name:SharedAccess Display Name:Windows Firewall/Internet Connection Sharing (ICS)
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:Spooler Display Name:Print Spooler
Service Name:srservice Display Name:System Restore Service
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:stisvc Display Name:Windows Image Acquisition (WIA)
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:upnphost Display Name:Universal Plug and Play Device Host
Service Name:Viewpoint Manager Service Display Name:Viewpoint Manager Service
Service Name:W32Time Display Name:Windows Time
Service Name:WebClient Display Name:WebClient
Service Name:winmgmt Display Name:Windows Management Instrumentation
Service Name:wscsvc Display Name:Security Center
Service Name:wuauserv Display Name:Automatic Updates
Service Name:WudfSvc Display Name:Windows Driver Foundation - User-mode Driver Framework

-----

Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IMJPMIG8.1
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSPY2002
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PHIME2002ASync
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PHIME2002A
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwiz
nwiz.exe /install

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DiskeeperSystray
"C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched
"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Acrobat Assistant 7.0
"C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IntelliPoint
"C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
itype
"C:\Program Files\Microsoft IntelliType Pro\itype.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SoundMan
SOUNDMAN.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HP Software Update
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LogitechCommunicationsManager
"C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LogitechQuickCamRibbon
"C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Launch Ai Booster
C:\Program Files\ASUS\Ai Booster\OverClk.exe 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVG8_TRAY
C:\PROGRA~1\AVG\AVG8\avgtray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvMediaCenter
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
updateMgr
"C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Aim6

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
H/PC Connection Agent
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Remark£º)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Logitech Desktop Messenger.lnk
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (Remark£ºLogitech Desktop Messenger)

C:\Documents and Settings\Z1\Start Menu\Programs\Startup
desktop.ini

-------

ComboFix 08-05-29.1 - Z1 2008-06-05 17:42:43.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.285 [GMT -7:00]
Running from: C:\Documents and Settings\Z1\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Z1\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

2008-06-04 00:13 . 2008-06-04 19:36 0 --a------ C:\WINDOWS\system32\drivers\lvuvc.hs
2008-06-04 00:13 . 2008-06-04 19:36 0 --a------ C:\WINDOWS\system32\drivers\logiflt.iad
2008-06-01 22:04 . 2008-06-01 22:04 <DIR> d-------- C:\fsaua.data
2008-06-01 16:51 . 2008-06-01 16:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-01 16:51 . 2008-06-01 16:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-31 10:29 . 2008-05-31 10:53 <DIR> d-------- C:\Program Files\Windows Live
2008-05-31 08:31 . 2008-05-31 08:31 123 --a------ C:\WINDOWS\Winchat.ini
2008-05-31 08:04 . 2008-05-31 08:04 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-05-31 08:03 . 2008-05-02 22:46 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-05-30 00:26 . 2008-06-05 17:43 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-29 23:44 . 2008-06-05 15:01 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-29 23:44 . 2008-05-29 23:44 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-29 23:44 . 2008-05-29 23:44 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-29 23:44 . 2008-05-29 23:44 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-05-29 23:44 . 2008-05-29 23:44 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-29 23:43 . 2008-05-29 23:43 <DIR> d-------- C:\Program Files\AVG
2008-05-29 23:43 . 2008-05-30 00:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-29 23:43 . 2008-05-29 23:43 45,568 --a------ C:\WINDOWS\system32\avgfwdx.dll
2008-05-29 23:43 . 2008-05-29 23:43 22,528 --a------ C:\WINDOWS\system32\drivers\avgfwdx.sys
2008-05-29 21:22 . 2008-05-29 21:22 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-05-29 21:22 . 2008-05-29 21:22 <DIR> d-------- C:\Documents and Settings\Z1\Application Data\SystemRequirementsLab
2008-05-28 19:02 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-28 19:02 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-18 19:40 . 2008-06-05 04:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-18 19:40 . 2008-05-18 19:40 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-17 08:34 . 2008-05-17 08:34 118 --a------ C:\WINDOWS\system32\MRT.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 07:05 90,112 ----a-w C:\WINDOWS\DUMP542a.tmp
2008-06-04 06:38 --------- d-----w C:\Program Files\Soulseek
2008-06-03 03:10 --------- d-----w C:\Documents and Settings\Z1\Application Data\skypePM
2008-06-03 03:10 --------- d-----w C:\Documents and Settings\Z1\Application Data\Skype
2008-06-03 00:07 --------- d-----w C:\Program Files\Dust A Buddy
2008-05-31 17:53 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-31 17:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-30 05:23 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-05-30 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-29 02:05 --------- d-----w C:\Documents and Settings\Z1\Application Data\uTorrent
2008-05-29 02:02 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-05-29 01:43 --------- d-----w C:\Program Files\eMule
2008-05-21 04:01 --------- d-----w C:\Program Files\TagRename
2008-05-16 01:43 --------- d-----w C:\Documents and Settings\Z1\Application Data\Watchtower
2008-05-16 01:29 --------- d-----w C:\Program Files\Watchtower
2008-05-13 03:12 --------- d-----w C:\Documents and Settings\Z1\Application Data\Camfrog
2008-05-04 22:48 --------- d-----w C:\Program Files\Common Files\Skype
2008-05-04 22:33 --------- d-----w C:\Program Files\Steam
2008-05-01 00:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-04-29 00:18 --------- d-----w C:\Program Files\Panda Security
2008-04-28 03:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-28 03:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-28 03:43 --------- d-----w C:\Documents and Settings\Z1\Application Data\SUPERAntiSpyware.com
2008-04-28 02:16 --------- d-----w C:\Documents and Settings\Z1\Application Data\Malwarebytes
2008-04-28 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-28 02:15 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-04-27 15:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-27 15:37 --------- d-----w C:\Program Files\Lavasoft
2008-04-14 01:47 --------- d-----w C:\Program Files\Winamp
2008-04-14 00:42 --------- d-----w C:\Program Files\Java
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-24 06:01 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2007-07-07 22:06 24,192 ----a-w C:\Documents and Settings\Z1\usbsermptxp.sys
2007-07-07 22:06 22,768 ----a-w C:\Documents and Settings\Z1\usbsermpt.sys
2007-01-19 10:30 92,064 ----a-w C:\Documents and Settings\Z1\mqdmmdm.sys
2007-01-19 10:30 9,232 ----a-w C:\Documents and Settings\Z1\mqdmmdfl.sys
2007-01-19 10:30 79,328 ----a-w C:\Documents and Settings\Z1\mqdmserd.sys
2007-01-19 10:30 66,656 ----a-w C:\Documents and Settings\Z1\mqdmbus.sys
2007-01-19 10:30 6,208 ----a-w C:\Documents and Settings\Z1\mqdmcmnt.sys
2007-01-19 10:30 5,936 ----a-w C:\Documents and Settings\Z1\mqdmwhnt.sys
2007-01-19 10:30 4,048 ----a-w C:\Documents and Settings\Z1\mqdmcr.sys
2006-05-06 16:42 7,260,160 ----a-w C:\Program Files\mozilla firefox\plugins\libvlc.dll
2005-06-26 23:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 06:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-31_19.54.37.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 02:47:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 02:36:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-02-27 22:59:28 290,816 ----a-w C:\WINDOWS\Downloaded Program Files\auc_lib.dll
+ 2008-02-27 22:59:28 495,616 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2008-02-27 23:00:12 262,144 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2008-02-27 22:59:16 588,392 ----a-w C:\WINDOWS\Downloaded Program Files\gatelauncher.exe
+ 2005-05-24 19:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 22:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 22:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-06-05 02:36:37 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_374.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Aim6"="" []
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 17:52 184408]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 21:52 483328]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 18:09 842584]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 18:08 813912]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 17:33 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 17:37 2178832]
"Launch Ai Booster"="C:\Program Files\ASUS\Ai Booster\OverClk.exe" [2004-11-30 17:10 1978368]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-29 23:44 1177368]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-02-22 02:14:59 66864]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-29 22:23 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-29 22:23 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.DIVF"= DivX412.dll
"vidc.XVID"= xvid.dll
"VIDC.HFYU"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ringo Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ringo Launcher.lnk
backup=C:\WINDOWS\pss\Ringo Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 14:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-03-10 18:57 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 21:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YCentral]
--a------ 2006-02-24 01:59 413208 c:\progra~1\yahoo!\YCentral\YahooCentral.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-05-29 23:44]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-29 23:44]
R2 AsusGIO;AsusGIO;C:\Program Files\ASUS\Ai Booster\AsusGIO.sys [2003-11-26 21:15]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-29 23:44]
R2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-05-29 23:44]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-29 23:44]
R2 PurgProService;PurgPro XP Service;C:\Program Files\PurgeIE\PurgPro_Service.exe [2006-01-18 16:18]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
R3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-05-29 23:43]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2008-01-14 03:06]
S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-05-29 23:43]
S3 UCEDRIVER53;UCEDRIVER53;C:\Program Files\Ultimate Hack Pack\UCE\cetc.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-06-05 04:16:14 C:\WINDOWS\Tasks\purgpro.job"
- C:\Program Files\PurgeIE\purgpro.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 17:47:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-05 17:50:25
ComboFix-quarantined-files.txt 2008-06-06 00:50:17
ComboFix2.txt 2008-06-03 01:39:23
ComboFix3.txt 2008-06-01 23:21:30
ComboFix4.txt 2008-06-01 02:54:54

Pre-Run: 21,956,464,640 bytes free
Post-Run: 21,945,442,304 bytes free

248 --- E O F --- 2008-05-31 10:06:29