please help me [RESOLVED]



#1 kirks (Member, 16 posts)
Can someone please help me? My PC has pop-ups galore and is so slow. I just got the internet and didn't have any antivirus on it; I know I'm a muppet.
I have AVG now, but can one of you please help me?

Many thanks for your time

kirk

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:08:14, on 03/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Sony\WALKMAN Launcher\WMAAD.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\scntnkdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Sonic Shared\cinetray.exe
C:\Documents and Settings\All Users\Application Data\ipd\tray.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\hijackthis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sky.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Sky Broadband
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A6FB-F862B587B57D} - C:\PROGRA~1\orange4\orange4.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\version55ie7fix.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,[email protected]
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [WMAAD] C:\Program Files\Sony\WALKMAN Launcher\WMAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [{5B-B7-75-51-DW}] C:\windows\system32\jmwnw64r.exe DWram
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\scntnkdm.exe DWram
O4 - HKLM\..\Run: [{712840cc-26a0-b06f-0789-6ac2d7c06ab8}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{d793e081-9490-c7bf-92bd-534dad6710cf}.dll" DllStart
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BM2f768462] Rundll32.exe "C:\WINDOWS\system32\ptrexboj.dll",s
O4 - HKLM\..\Run: [2c45b7fe] rundll32.exe "C:\WINDOWS\system32\sesgwqcm.dll",b
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\kirk\lsass.exe
O4 - HKCU\..\Run: [BullGuard 5.0] "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\scntnkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jmwnw64r.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = ?
O4 - Global Startup: Start DonorLink System Tray App.lnk = C:\Documents and Settings\All Users\Application Data\ipd\tray.exe
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE4\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1150892750343
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\a2lyaw\command.exe (file missing)
O23 - Service: Image Converter SCSI Service (ICScsiSV) - Sony Corporation - C:\Program Files\Sony\IMAGE CONVERTER 3\ICScsiSV.exe
O23 - Service: IcVzMonLauncher - Sony Corporation - C:\Program Files\Sony\IMAGE CONVERTER 3\IcVzMonLauncher.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\IMAGE CONVERTER 3\IcVzMon.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 10116 bytes



#2 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 kirks (Topic Starter, Member, 16 posts)
Hi miekiemoes

I am not very good with computers, as I have just got this one, and the trouble that I am now in.
Do I need to do the recovery thing before I run ComboFix, or can I just run ComboFix? As I am a bit scared I may muck the recovery bit up.

I am currently not at home but will be tomorrow, Thursday 5th evening.

Many thanks so far

Kirks

#4 miekiemoes (Malware Expert, MVP, 5,503 posts)
Yes, you need the Recovery Console. Please read the ComboFix instructions on how to install the Recovery Console with ComboFix.

#5 kirks (Topic Starter, Member, 16 posts)
I am still here, sorry. I will try to post either today or tomorrow.

Many thanks

kirk

#6 miekiemoes (Malware Expert, MVP, 5,503 posts)
Please don't wait too long with this, because as long as malware is present, it will download and install more malware all the time.
Also keep in mind that malware does a lot of damage, so if you wait too long with this, then I cannot promise that we will still be able to repair your computer.

#7 kirks (Topic Starter, Member, 16 posts)
Hi miekiemoes

I will be posting when I return from work and have run the programs and the recovery.

Sorry for the delay, and thank you so far.

Kirk

#8 miekiemoes (Malware Expert, MVP, 5,503 posts)
That's ok :)

#9 kirks (Topic Starter, Member, 16 posts)
Hi

For some reason I cannot access the Geeks page and most pages, as it gets stuck when trying.

I have asked a friend to download and save ComboFix to disc; hope this is correct. And on a different disc, is this what I need from Microsoft? As I bought a computer package, all I have is the XP serial number, as it was already installed, and I do not have the disc.

Is this the one I need?
Windows XP Home Edition with Service Pack 2 Utility: Setup Disks for Floppy Boot Install

Is it OK to copy the above from a CD to my desktop?

Thanks

#10 miekiemoes (Malware Expert, MVP, 5,503 posts)

Windows XP Home Edition with Service Pack 2 Utility: Setup Disks for Floppy Boot Install

Yes, that's what you need if you do indeed have XP Home.
As you have read on the ComboFix page, it is explained there how to install the Recovery Console with ComboFix.
And yes, it's OK to save the tools onto disk, as long as you don't run them from the disk afterwards, but transfer them to the desktop of the infected computer first and run them from there.



#11 kirks (Topic Starter, Member, 16 posts)
miekiemoes

Hi, sorry for the delay in posting. I have installed the recovery and run ComboFix.
Here are the logs that you requested.

ComboFix 08-06-10.5 - kirk 2008-06-14 10:11:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.188 [GMT 1:00]
Running from: C:\Documents and Settings\kirk\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\kirk\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\network monitor
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\vtmp2
C:\Temp\vtmp2\ktnv33.log
C:\WINDOWS\a2lyaw\
C:\WINDOWS\a2lyaw\\uZ5VuT.vbs
C:\WINDOWS\BM2f768462.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\{d793e081-9490-c7bf-92bd-534dad6710cf}.dll
C:\WINDOWS\system32\asfdvqbm.ini
C:\WINDOWS\system32\bnytoxjo.ini
C:\WINDOWS\system32\byduwpay.dll
C:\WINDOWS\system32\dvikusdg.ini
C:\WINDOWS\system32\eohagrwu.dll
C:\WINDOWS\system32\fhbbppin.dll
C:\WINDOWS\system32\g31.exe
C:\WINDOWS\system32\gbdkteap.dll
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\hurltaev.ini
C:\WINDOWS\system32\iaaigbyk.dll
C:\WINDOWS\system32\kygidruu.ini
C:\WINDOWS\system32\mcqwgses.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\oqpsnrtk.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\picflftg.dll
C:\WINDOWS\system32\pjvmcgpo.dll
C:\WINDOWS\system32\prijrpck.dll
C:\WINDOWS\system32\qiyqrqqe.ini
C:\WINDOWS\system32\rvapplmv.dll
C:\WINDOWS\system32\tuvTmKCR.dll
C:\WINDOWS\system32\UpMedia
C:\WINDOWS\system32\UpMedia\ContentTool.dll
C:\WINDOWS\system32\UpMedia\SearchTool.dll
C:\WINDOWS\system32\UpMedia\uninstallSE.exe
C:\WINDOWS\system32\venmdjry.dll
C:\WINDOWS\system32\WFPrAcdd.ini
C:\WINDOWS\system32\WFPrAcdd.ini2
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\xbhulnoc.dll
C:\WINDOWS\system32\xxyvutTk.dll
C:\WINDOWS\system32\yswxrhqi.ini
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService
-------\Service_Network Monitor


((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-13 07:13 . 2008-06-14 07:58 <DIR> d--hs---- C:\742766417
2008-06-11 18:49 . 2008-06-11 18:49 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-11 18:40 . 2008-04-14 12:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 18:40 . 2008-04-14 12:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 13:41 . 2008-06-10 13:41 24,358 --a------ C:\WINDOWS\system32\pm_icon.ico
2008-06-08 20:31 . 2008-06-08 20:31 <DIR> d-------- C:\Documents and Settings\chantelle\Application Data\Grisoft
2008-06-08 20:31 . 2008-06-12 16:51 <DIR> d-------- C:\Documents and Settings\chantelle\Application Data\AVG7
2008-06-07 12:13 . 2008-06-14 10:13 162 --a------ C:\WINDOWS\system32\pinf.sys
2008-06-07 10:55 . 2008-06-07 10:55 <DIR> d-------- C:\Program Files\Platte Information Files
2008-06-07 10:55 . 2008-06-07 10:55 2,416,632 --a------ C:\WINDOWS\system32\pm_ax.ocx
2008-06-07 10:55 . 2008-06-07 10:55 1,112,064 --a------ C:\WINDOWS\system32\pm_setup_util.exe
2008-06-07 10:55 . 2008-06-07 10:55 707,072 --a------ C:\WINDOWS\system32\pm_proc1.exe
2008-06-07 10:55 . 2008-06-07 10:55 350,208 --a------ C:\WINDOWS\system32\pm_dll.dll
2008-06-07 10:55 . 2008-06-07 10:55 161,862 --a------ C:\WINDOWS\system32\Get Films Now.ico
2008-06-07 10:55 . 2008-06-07 10:55 94,720 --a------ C:\WINDOWS\system32\pm_proc2.exe
2008-06-07 10:55 . 2008-06-07 10:55 36,864 --a------ C:\WINDOWS\system32\jRegistryKey.dll
2008-06-07 10:55 . 2008-06-14 07:58 321 ---hs---- C:\WINDOWS\system32\742766417.sys
2008-06-03 18:53 . 2008-06-14 08:37 <DIR> dr-h----- C:\$VAULT$.AVG
2008-06-03 18:18 . 2008-06-03 18:18 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-06-03 18:18 . 2008-06-14 08:00 <DIR> d-------- C:\Documents and Settings\kirk\Application Data\AVG7
2008-06-03 18:17 . 2008-06-03 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-03 18:17 . 2008-06-03 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-06-03 18:11 . 2008-06-03 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-02 18:53 . 2008-06-03 19:01 <DIR> d-------- C:\Program Files\VAV
2008-06-02 18:53 . 2008-05-28 09:10 45,056 --a------ C:\WINDOWS\system32\vav.cpl
2008-06-01 12:22 . 2008-06-02 19:26 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-01 12:00 . 2008-06-01 12:00 <DIR> d-------- C:\Program Files\AVG
2008-06-01 12:00 . 2008-06-01 12:24 <DIR> d-------- C:\Documents and Settings\kirk\Application Data\AVGTOOLBAR
2008-05-30 09:52 . 2008-05-30 09:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\IBPlugin
2008-05-30 09:51 . 2008-05-30 09:51 <DIR> d-------- C:\Documents and Settings\chantelle\Application Data\IBPlugin
2008-05-30 09:06 . 2008-06-03 20:12 <DIR> d-------- C:\WINDOWS\system32\vntiho18
2008-05-30 09:05 . 2008-05-30 09:05 95,833 --a------ C:\WINDOWS\system32\{08ef4f7f-8771-4e3b-7542-ea4af967d7d8}.dll-uninst.exe
2008-05-30 08:56 . 2008-06-03 20:12 <DIR> d-------- C:\WINDOWS\system32\vntiho05
2008-05-30 08:56 . 2008-06-03 20:12 <DIR> d-------- C:\WINDOWS\system32\ore1
2008-05-30 08:56 . 2008-05-30 08:56 <DIR> d-------- C:\WINDOWS\system32\nIDb
2008-05-30 08:56 . 2008-06-03 20:12 <DIR> d-------- C:\WINDOWS\system32\aux3
2008-05-30 08:56 . 2008-06-14 10:11 <DIR> d-------- C:\Temp
2008-05-30 08:56 . 2008-05-30 08:56 <DIR> d-------- C:\Documents and Settings\kirk\Application Data\IBPlugin
2008-05-30 08:56 . 2008-05-30 08:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tarma Installer
2008-05-30 08:56 . 2008-05-30 08:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ipd
2008-05-30 08:56 . 2008-05-30 08:56 687,592 --a------ C:\WINDOWS\system32\atmtd.dll._
2008-05-30 08:56 . 2008-05-30 08:56 687,592 --a------ C:\WINDOWS\system32\atmtd.dll
2008-05-30 08:56 . 2008-05-30 08:57 63,918 --a------ C:\WINDOWS\system32\{d793e081-9490-c7bf-92bd-534dad6710cf}.dll-uninst.exe
2008-05-30 08:56 . 2006-01-03 17:45 1,989 --a------ C:\WINDOWS\uninstall_nmon.vbs
2008-05-28 12:33 . 2008-05-28 12:33 363,980 --a------ C:\WINDOWS\1-fe5e180d56ed9c233080898276c260cc.exe
2008-05-28 12:33 . 2008-05-28 12:33 139,264 --a------ C:\WINDOWS\MirarDownloader_876260.exe
2008-05-28 12:33 . 2008-05-28 12:33 32,768 --a------ C:\WINDOWS\system32\WinDmy.dll
2008-05-28 12:33 . 2008-05-31 06:58 18,432 --a------ C:\Documents and Settings\kirk\Application Data\internaldb41.dat
2008-05-28 12:33 . 2008-05-31 06:54 555 --a------ C:\Documents and Settings\kirk\Application Data\internaldb8467.dat
2008-05-28 12:33 . 2008-05-31 07:00 374 --a------ C:\Documents and Settings\kirk\Application Data\internaldb6334.dat
2008-05-28 12:33 . 2008-05-28 12:33 181 --a------ C:\WINDOWS\wininit.ini
2008-05-21 21:02 . 2008-06-03 18:14 <DIR> d-------- C:\Documents and Settings\kirk\Application Data\LimeWire
2008-05-21 21:01 . 2008-05-21 21:01 <DIR> d-------- C:\WINDOWS\Sun
2008-05-21 21:01 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-21 21:00 . 2008-05-21 21:00 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-21 20:59 . 2008-06-03 18:40 <DIR> d-------- C:\Program Files\LimeWire
2008-05-21 08:34 . 2008-06-11 18:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-21 08:34 . 2008-05-21 08:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-21 08:05 . 2008-05-21 08:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-20 23:09 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-20 23:08 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-20 23:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-20 23:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-20 23:08 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-20 22:01 . 2008-04-23 05:16 6,066,176 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-20 22:01 . 2007-04-17 10:32 2,455,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-20 22:01 . 2007-03-08 06:10 991,232 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-20 22:01 . 2008-04-23 05:16 459,264 --a--c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-20 22:01 . 2008-04-23 05:16 383,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-20 22:01 . 2008-04-23 05:16 267,776 --a--c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-20 22:01 . 2008-04-23 05:16 63,488 --a--c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-20 22:01 . 2008-04-23 05:16 52,224 --a--c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-20 22:01 . 2008-04-22 08:39 13,824 --a--c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-20 18:08 . 2008-05-20 18:12 <DIR> d-------- C:\Program Files\McDonaldsFairies
2008-05-20 18:07 . 2008-05-20 18:07 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-05-18 13:29 . 2008-05-18 13:29 0 --a------ C:\WINDOWS\iPlayer.INI
2008-05-18 13:23 . 2008-05-18 13:23 <DIR> d-------- C:\Program Files\InterActual

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 09:15 --------- d-----w C:\Documents and Settings\kirk\Application Data\OpenOffice.org2
2008-06-12 15:51 --------- d-----w C:\Program Files\lx_cats
2008-06-12 15:51 --------- d-----w C:\Documents and Settings\chantelle\Application Data\OpenOffice.org2
2008-05-21 20:01 --------- d-----w C:\Program Files\Java
2008-05-13 14:14 --------- d-----w C:\Program Files\Sky Broadband
2008-05-13 14:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{000051AF-07E2-461B-BA37-A2AF7E652E7D}]
2008-05-21 23:05 165376 --------- C:\Documents and Settings\All Users\Application Data\ipd\ipb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ad045395-3219-6e79-a850-14c46036aad9}]
C:\WINDOWS\system32\{08ef4f7f-8771-4e3b-7542-ea4af967d7d8}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b41e66cc-8d73-4ae5-ac79-0f5c452548f9}]
C:\WINDOWS\system32\hkeifbyc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD4B7860-DC25-4BB8-9301-81EADEC5CE87}]
C:\WINDOWS\system32\ddcArPFW.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D810B78A-D010-44DF-8445-AC58086B600E}]
2008-06-07 10:55 350208 --a------ C:\WINDOWS\system32\pm_dll.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BullGuard 5.0"="C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe" [2005-03-05 09:31 86016]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"plsi"="C:\WINDOWS\system32\pm_proc1.exe" [2008-06-07 10:55 707072]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00 455168]
"VTTimer"="VTTimer.exe" [2005-03-07 18:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 08:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 23:01 110592]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 11:39 90112 C:\WINDOWS\soundman.exe]
"lxcrmon.exe"="C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" [2006-01-22 18:45 286720]
"EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 06:10 98304]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 09:11 290816]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 19:38 65536]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-17 10:36 98304]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"WMAAD"="C:\Program Files\Sony\WALKMAN Launcher\WMAAD.exe" [2007-02-16 19:41 110592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"{5B-B7-75-51-DW}"="C:\windows\system32\jmwnw64r.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-03 18:37 579584]
"2c45b7fe"="C:\WINDOWS\system32\ojxotynb.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-06-03 18:17 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Sonic CinePlayer Quick Launch.lnk - C:\Program Files\Common Files\Sonic Shared\cinetray.exe [2002-09-18 12:16:30 98304]
Start DonorLink System Tray App.lnk - C:\Documents and Settings\All Users\Application Data\ipd\tray.exe [2008-05-30 08:56:15 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkHYoNd]
jkkHYoNd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfDuUKC]
khfDuUKC.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\Program Files\Common Files\Sony Shared\VideoLib\sonydv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2002-07-19 06:10]
S3 FileSpy5;BullGuard File Monitor;C:\Program Files\BullGuard Software\BullGuard 5.0\filespy5.sys [2004-10-29 16:00]
S3 FXDRV;FXDRV;D:\Fxdrv.sys []
S3 ICScsiSV;Image Converter SCSI Service;C:\Program Files\Sony\IMAGE CONVERTER 3\ICScsiSV.exe [2007-01-26 12:39]
S3 IcVzMonLauncher;IcVzMonLauncher;"C:\Program Files\Sony\IMAGE CONVERTER 3\IcVzMonLauncher.exe" [2007-01-26 12:38]
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;C:\Program Files\Sony\IMAGE CONVERTER 3\IcVzMon.exe [2007-01-26 12:38]
S3 Reconn;BullGuard Mail Monitor;C:\Program Files\BullGuard Software\BullGuard 5.0\reconn.sys [2004-09-28 17:50]
S3 USBCamera;DigitalCam Pro Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 10:28]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 10:14:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\pm_proc2.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.bin
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Completion time: 2008-06-14 10:17:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-14 09:17:11

Pre-Run: 60,589,740,032 bytes free
Post-Run: 60,608,200,704 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

267 --- E O F --- 2008-06-14 06:42:32

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:04, on 14/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\pm_proc1.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
c:\windows\system32\pm_proc2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Sony\WALKMAN Launcher\WMAAD.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Sonic Shared\cinetray.exe
C:\Documents and Settings\All Users\Application Data\ipd\tray.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: IP - {000051AF-07E2-461B-BA37-A2AF7E652E7D} - C:\Documents and Settings\All Users\Application Data\ipd\ipb.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A6FB-F862B587B57D} - C:\PROGRA~1\orange4\orange4.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: mysidesearch browser optimizer - {ad045395-3219-6e79-a850-14c46036aad9} - C:\WINDOWS\system32\{08ef4f7f-8771-4e3b-7542-ea4af967d7d8}.dll (file missing)
O2 - BHO: {9f845254-c5f0-97ca-5ea4-37d8cc66e14b} - {b41e66cc-8d73-4ae5-ac79-0f5c452548f9} - C:\WINDOWS\system32\hkeifbyc.dll (file missing)
O2 - BHO: (no name) - {CD4B7860-DC25-4BB8-9301-81EADEC5CE87} - C:\WINDOWS\system32\ddcArPFW.dll (file missing)
O2 - BHO: (no name) - {D810B78A-D010-44DF-8445-AC58086B600E} - C:\WINDOWS\system32\pm_dll.dll
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A6FB-F862B587B57D} - C:\PROGRA~1\orange4\orange4.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [plsi] C:\WINDOWS\system32\pm_proc1.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,[email protected]
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [WMAAD] C:\Program Files\Sony\WALKMAN Launcher\WMAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [{5B-B7-75-51-DW}] C:\windows\system32\jmwnw64r.exe DWram
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [2c45b7fe] rundll32.exe "C:\WINDOWS\system32\ojxotynb.dll",b
O4 - HKCU\..\Run: [BullGuard 5.0] "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\scntnkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jmwnw64r.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = ?
O4 - Global Startup: Start DonorLink System Tray App.lnk = C:\Documents and Settings\All Users\Application Data\ipd\tray.exe
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE4\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1150892750343
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: jkkHYoNd - jkkHYoNd.dll (file missing)
O20 - Winlogon Notify: khfDuUKC - khfDuUKC.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Image Converter SCSI Service (ICScsiSV) - Sony Corporation - C:\Program Files\Sony\IMAGE CONVERTER 3\ICScsiSV.exe
O23 - Service: IcVzMonLauncher - Sony Corporation - C:\Program Files\Sony\IMAGE CONVERTER 3\IcVzMonLauncher.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\IMAGE CONVERTER 3\IcVzMon.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 10083 bytes

#12
miekiemoes
    Malware Expert
  • Member
  • 5,503 posts
  • MVP
Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Start DonorLink System Tray App.lnk
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\{d793e081-9490-c7bf-92bd-534dad6710cf}.dll-uninst.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\1-fe5e180d56ed9c233080898276c260cc.exe
C:\WINDOWS\MirarDownloader_876260.exe
C:\WINDOWS\system32\WinDmy.dll
C:\Documents and Settings\kirk\Application Data\internaldb41.dat
C:\Documents and Settings\kirk\Application Data\internaldb8467.dat
C:\Documents and Settings\kirk\Application Data\internaldb6334.dat
C:\WINDOWS\system32\{08ef4f7f-8771-4e3b-7542-ea4af967d7d8}.dll-uninst.exe
C:\WINDOWS\system32\pm_icon.ico
C:\WINDOWS\system32\pinf.sys
C:\WINDOWS\system32\pm_ax.ocx
C:\WINDOWS\system32\pm_setup_util.exe
C:\WINDOWS\system32\pm_proc1.exe
C:\WINDOWS\system32\pm_dll.dll
C:\WINDOWS\system32\Get Films Now.ico
C:\WINDOWS\system32\pm_proc2.exe
C:\WINDOWS\system32\jRegistryKey.dll
C:\WINDOWS\system32\vav.cpl
Folder::
C:\Documents and Settings\All Users\Application Data\ipd
C:\Documents and Settings\LocalService\Application Data\IBPlugin
C:\Documents and Settings\chantelle\Application Data\IBPlugin
C:\WINDOWS\system32\vntiho18
C:\WINDOWS\system32\vntiho05
C:\WINDOWS\system32\ore1
C:\WINDOWS\system32\nIDb
C:\WINDOWS\system32\aux3
C:\Program Files\VAV
C:\Documents and Settings\kirk\Application Data\IBPlugin
C:\Documents and Settings\All Users\Application Data\Tarma Installer
C:\Program Files\Platte Information Files
Filelook::
C:\WINDOWS\system32\742766417.sys
dirlook::
C:\742766417
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{000051AF-07E2-461B-BA37-A2AF7E652E7D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ad045395-3219-6e79-a850-14c46036aad9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b41e66cc-8d73-4ae5-ac79-0f5c452548f9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD4B7860-DC25-4BB8-9301-81EADEC5CE87}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D810B78A-D010-44DF-8445-AC58086B600E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"plsi"=-
"{5B-B7-75-51-DW}"=-
"2c45b7fe"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkHYoNd]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfDuUKC]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

#13
kirks
    Member
  • Topic Starter
  • Member
  • 16 posts
Hi,

Here are the logs that you asked for.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:36, on 15/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Sonic Shared\cinetray.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A6FB-F862B587B57D} - C:\PROGRA~1\orange4\orange4.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A6FB-F862B587B57D} - C:\PROGRA~1\orange4\orange4.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,[email protected]
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [WMAAD] C:\Program Files\Sony\WALKMAN Launcher\WMAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BullGuard 5.0] "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = ?
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE4\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1150892750343
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Image Converter SCSI Service (ICScsiSV) - Sony Corporation - C:\Program Files\Sony\IMAGE CONVERTER 3\ICScsiSV.exe
O23 - Service: IcVzMonLauncher - Sony Corporation - C:\Program Files\Sony\IMAGE CONVERTER 3\IcVzMonLauncher.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\IMAGE CONVERTER 3\IcVzMon.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 8881 bytes

ComboFix 08-06-10.5 - kirk 2008-06-15 11:25:43.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.155 [GMT 1:00]
Running from: C:\Documents and Settings\kirk\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\kirk\Desktop\CFScript .txt
* Created a new restore point

FILE ::
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Start DonorLink System Tray App.lnk
C:\Documents and Settings\kirk\Application Data\internaldb41.dat
C:\Documents and Settings\kirk\Application Data\internaldb6334.dat
C:\Documents and Settings\kirk\Application Data\internaldb8467.dat
C:\WINDOWS\1-fe5e180d56ed9c233080898276c260cc.exe
C:\WINDOWS\MirarDownloader_876260.exe
C:\WINDOWS\system32\{08ef4f7f-8771-4e3b-7542-ea4af967d7d8}.dll-uninst.exe
C:\WINDOWS\system32\{d793e081-9490-c7bf-92bd-534dad6710cf}.dll-uninst.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\Get Films Now.ico
C:\WINDOWS\system32\jRegistryKey.dll
C:\WINDOWS\system32\pinf.sys
C:\WINDOWS\system32\pm_ax.ocx
C:\WINDOWS\system32\pm_dll.dll
C:\WINDOWS\system32\pm_icon.ico
C:\WINDOWS\system32\pm_proc1.exe
C:\WINDOWS\system32\pm_proc2.exe
C:\WINDOWS\system32\pm_setup_util.exe
C:\WINDOWS\system32\vav.cpl
C:\WINDOWS\system32\WinDmy.dll
C:\WINDOWS\uninstall_nmon.vbs
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\ipd
C:\Documents and Settings\All Users\Application Data\ipd\interprom_enabled.ico
C:\Documents and Settings\All Users\Application Data\ipd\ipb.dll
C:\Documents and Settings\All Users\Application Data\ipd\MSVCP71.DLL
C:\Documents and Settings\All Users\Application Data\ipd\MSVCR71.DLL
C:\Documents and Settings\All Users\Application Data\ipd\tray.exe
C:\Documents and Settings\All Users\Application Data\Tarma Installer
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{FE5B4D78-069A-4F1E-B2C9-0BE2D0A53E6E}\_Setup.dll
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{FE5B4D78-069A-4F1E-B2C9-0BE2D0A53E6E}\_Setupx.dll
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{FE5B4D78-069A-4F1E-B2C9-0BE2D0A53E6E}\Setup.dat
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{FE5B4D78-069A-4F1E-B2C9-0BE2D0A53E6E}\Setup.exe
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{FE5B4D78-069A-4F1E-B2C9-0BE2D0A53E6E}\Setup.ico
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Start DonorLink System Tray App.lnk
C:\Documents and Settings\chantelle\Application Data\IBPlugin
C:\Documents and Settings\chantelle\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\chantelle\Start Menu\Programs\Startup\DW_Start.lnk
C:\Documents and Settings\kirk\Application Data\IBPlugin
C:\Documents and Settings\kirk\Application Data\IBPlugin\ipbcfg.bin
C:\Documents and Settings\kirk\Application Data\IBPlugin\ipbsite.bin
C:\Documents and Settings\kirk\Application Data\internaldb41.dat
C:\Documents and Settings\kirk\Application Data\internaldb6334.dat
C:\Documents and Settings\kirk\Application Data\internaldb8467.dat
C:\Documents and Settings\kirk\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\kirk\Start Menu\Programs\Startup\DW_Start.lnk
C:\Documents and Settings\LocalService\Application Data\IBPlugin
C:\Program Files\Platte Information Files
C:\Program Files\Platte Information Files\Get Films Now.htm
C:\Program Files\Platte Information Files\Platte Utility.lnk
C:\Program Files\Platte Information Files\pm_viewer.exe
C:\Program Files\VAV
C:\Program Files\VAV\vav.cpl
C:\Program Files\VAV\vav.ooo
C:\Program Files\VAV\vav0.dat
C:\Program Files\VAV\vav1.dat
C:\WINDOWS\1-fe5e180d56ed9c233080898276c260cc.exe
C:\WINDOWS\MirarDownloader_876260.exe
C:\WINDOWS\system32\{08ef4f7f-8771-4e3b-7542-ea4af967d7d8}.dll-uninst.exe
C:\WINDOWS\system32\{d793e081-9490-c7bf-92bd-534dad6710cf}.dll-uninst.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\aux3
C:\WINDOWS\system32\Get Films Now.ico
C:\WINDOWS\system32\jRegistryKey.dll
C:\WINDOWS\system32\nIDb
C:\WINDOWS\system32\nIDb\hvpll3.exe
C:\WINDOWS\system32\ore1
C:\WINDOWS\system32\pinf.sys
C:\WINDOWS\system32\pm_ax.ocx
C:\WINDOWS\system32\pm_dll.dll
C:\WINDOWS\system32\pm_icon.ico
C:\WINDOWS\system32\pm_proc1.exe
C:\WINDOWS\system32\pm_proc2.exe
C:\WINDOWS\system32\pm_setup_util.exe
C:\WINDOWS\system32\vav.cpl
C:\WINDOWS\system32\vntiho05
C:\WINDOWS\system32\vntiho18
C:\WINDOWS\system32\WinDmy.dll
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-14 11:11 . 2008-06-14 11:11 <DIR> d-------- C:\Documents and Settings\kirk\Application Data\Grisoft
2008-06-14 11:11 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-06-14 10:52 . 2008-06-14 11:06 <DIR> d-------- C:\Program Files\nbpro
2008-06-14 10:52 . 2008-06-14 10:52 12,499 --a------ C:\WINDOWS\system32\Seagate.bin
2008-06-14 10:45 . 2008-06-14 10:45 <DIR> d-------- C:\ie-spyad
2008-06-13 07:13 . 2008-06-14 07:58 <DIR> d--hs---- C:\742766417
2008-06-11 18:49 . 2008-06-11 18:49 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-11 18:40 . 2008-04-14 12:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 18:40 . 2008-04-14 12:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 20:31 . 2008-06-08 20:31 <DIR> d-------- C:\Documents and Settings\chantelle\Application Data\Grisoft
2008-06-08 20:31 . 2008-06-12 16:51 <DIR> d-------- C:\Documents and Settings\chantelle\Application Data\AVG7
2008-06-07 10:55 . 2008-06-15 11:19 321 ---hs---- C:\WINDOWS\system32\742766417.sys
2008-06-03 18:53 . 2008-06-14 08:37 <DIR> dr-h----- C:\$VAULT$.AVG
2008-06-03 18:18 . 2008-06-03 18:18 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-06-03 18:18 . 2008-06-15 11:19 <DIR> d-------- C:\Documents and Settings\kirk\Application Data\AVG7
2008-06-03 18:17 . 2008-06-03 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-03 18:17 . 2008-06-03 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-06-03 18:11 . 2008-06-03 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-01 12:22 . 2008-06-02 19:26 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-01 12:00 . 2008-06-01 12:00 <DIR> d-------- C:\Program Files\AVG
2008-06-01 12:00 . 2008-06-01 12:24 <DIR> d-------- C:\Documents and Settings\kirk\Application Data\AVGTOOLBAR
2008-05-30 08:56 . 2008-06-14 10:11 <DIR> d-------- C:\Temp
2008-05-28 12:33 . 2008-05-28 12:33 181 --a------ C:\WINDOWS\wininit.ini
2008-05-21 21:02 . 2008-06-03 18:14 <DIR> d-------- C:\Documents and Settings\kirk\Application Data\LimeWire
2008-05-21 21:01 . 2008-05-21 21:01 <DIR> d-------- C:\WINDOWS\Sun
2008-05-21 21:01 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-21 21:00 . 2008-05-21 21:00 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-21 20:59 . 2008-06-03 18:40 <DIR> d-------- C:\Program Files\LimeWire
2008-05-21 08:34 . 2008-06-11 18:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-21 08:34 . 2008-05-21 08:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-21 08:05 . 2008-05-21 08:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-20 23:09 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-20 23:08 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-20 23:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-20 23:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-20 23:08 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-20 22:01 . 2008-04-23 05:16 6,066,176 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-20 22:01 . 2007-04-17 10:32 2,455,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-20 22:01 . 2007-03-08 06:10 991,232 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-20 22:01 . 2008-04-23 05:16 459,264 --a--c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-20 22:01 . 2008-04-23 05:16 383,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-20 22:01 . 2008-04-23 05:16 267,776 --a--c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-20 22:01 . 2008-04-23 05:16 63,488 --a--c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-20 22:01 . 2008-04-23 05:16 52,224 --a--c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-20 22:01 . 2008-04-22 08:39 13,824 --a--c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-20 18:08 . 2008-05-20 18:12 <DIR> d-------- C:\Program Files\McDonaldsFairies
2008-05-20 18:07 . 2008-05-20 18:07 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-05-18 13:29 . 2008-05-18 13:29 0 --a------ C:\WINDOWS\iPlayer.INI
2008-05-18 13:23 . 2008-05-18 13:23 <DIR> d-------- C:\Program Files\InterActual

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-15 10:20 --------- d-----w C:\Documents and Settings\kirk\Application Data\OpenOffice.org2
2008-06-12 15:51 --------- d-----w C:\Program Files\lx_cats
2008-06-12 15:51 --------- d-----w C:\Documents and Settings\chantelle\Application Data\OpenOffice.org2
2008-05-21 20:01 --------- d-----w C:\Program Files\Java
2008-05-13 14:14 --------- d-----w C:\Program Files\Sky Broadband
2008-05-13 14:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\742766417.sys -- Not a PE file.
MD5: 8063fb3156760ad7c89ce0d57abe26b5

---- Directory of C:\742766417 ----

2008-06-14 07:58 8286 ---hs---- C:\742766417\COnBlokoCdGpRiGg.htm
2008-06-13 07:13 8220 --a------ C:\742766417\style.css
2008-06-13 07:13 689 --a------ C:\742766417\images\box_bl.png
2008-06-13 07:13 650 --a------ C:\742766417\images\tab_l.png
2008-06-13 07:13 479 --a------ C:\742766417\images\box_br2.png
2008-06-13 07:13 474 --a------ C:\742766417\images\box_bl2.png
2008-06-13 07:13 472 --a------ C:\742766417\images\box_br.png
2008-06-13 07:13 4554 --a------ C:\742766417\images\postalorder.png
2008-06-13 07:13 4473 --a------ C:\742766417\images\operator4.png
2008-06-13 07:13 3960 --a------ C:\742766417\images\debitcard.png
2008-06-13 07:13 364 --a------ C:\742766417\images\bar_r5.png
2008-06-13 07:13 348 --a------ C:\742766417\images\bar_l2.png
2008-06-13 07:13 343 --a------ C:\742766417\images\tab_r.png
2008-06-13 07:13 310 --a------ C:\742766417\images\bar_r2.png
2008-06-13 07:13 307 --a------ C:\742766417\images\bar_l3.png
2008-06-13 07:13 302 --a------ C:\742766417\images\bar_l5.png
2008-06-13 07:13 2848 --a------ C:\742766417\images\cheque.png
2008-06-13 07:13 2803 --a------ C:\742766417\images\phonebank.png
2008-06-13 07:13 2726 --a------ C:\742766417\images\onlinebank.png
2008-06-13 07:13 265 --a------ C:\742766417\images\bar_r3.png
2008-06-13 07:13 21122 --a------ C:\742766417\images\logo.png
2008-06-13 07:13 1984 --a------ C:\742766417\images\box_tl.png
2008-06-13 07:13 193 --a------ C:\742766417\images\box_ml.png
2008-06-13 07:13 186 --a------ C:\742766417\images\box_ml2.png
2008-06-13 07:13 1758 --a------ C:\742766417\images\box_tl2.png
2008-06-13 07:13 155 --a------ C:\742766417\images\box_mr2.png
2008-06-13 07:13 153 --a------ C:\742766417\images\bar_m3.png
2008-06-13 07:13 153 --a------ C:\742766417\images\bar_m2.png
2008-06-13 07:13 151 --a------ C:\742766417\images\box_mr.png
2008-06-13 07:13 1413 --a------ C:\742766417\images\box_tr2.png
2008-06-13 07:13 139 --a------ C:\742766417\images\question.gif
2008-06-13 07:13 138 --a------ C:\742766417\images\bar_m.png
2008-06-13 07:13 1165 --a------ C:\742766417\images\box_tr.png


((((((((((((((((((((((((((((( [email protected]_10.16.59.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-14 09:14:21 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-15 09:28:15 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2004-07-14 22:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW252\_aspnet_isapi.dll
+ 2004-07-14 21:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW252\_CORPerfMonExt.dll
+ 2004-07-14 21:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW252\_fusion.dll
+ 2004-07-14 21:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW252\_mscorjit.dll
+ 2004-07-15 11:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW252\_mscorlib.dll
+ 2003-02-20 16:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW252\_mscorsn.dll
+ 2004-07-14 21:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW252\_mscorsvr.dll
+ 2004-07-14 21:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW252\_mscorwks.dll
+ 2003-02-21 01:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW252\_msvcr71.dll
+ 2004-07-14 21:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW252\_PerfCounter.dll
+ 2004-07-14 22:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3604\_aspnet_isapi.dll
+ 2004-07-14 21:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3604\_CORPerfMonExt.dll
+ 2004-07-14 21:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3604\_fusion.dll
+ 2004-07-14 21:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3604\_mscorjit.dll
+ 2004-07-15 11:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3604\_mscorlib.dll
+ 2003-02-20 16:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3604\_mscorsn.dll
+ 2004-07-14 21:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3604\_mscorsvr.dll
+ 2004-07-14 21:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3604\_mscorwks.dll
+ 2003-02-21 01:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3604\_msvcr71.dll
+ 2004-07-14 21:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3604\_PerfCounter.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BullGuard 5.0"="C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe" [2005-03-05 09:31 86016]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00 455168]
"VTTimer"="VTTimer.exe" [2005-03-07 18:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 08:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 23:01 110592]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 11:39 90112 C:\WINDOWS\soundman.exe]
"lxcrmon.exe"="C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" [2006-01-22 18:45 286720]
"EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 06:10 98304]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 09:11 290816]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 19:38 65536]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-17 10:36 98304]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"WMAAD"="C:\Program Files\Sony\WALKMAN Launcher\WMAAD.exe" [2007-02-16 19:41 110592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-03 18:37 579584]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-06-03 18:17 219136]

C:\Documents and Settings\chantelle\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2005-09-23 11:36:42 61440]

C:\Documents and Settings\kirk\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2005-09-23 11:36:42 61440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Sonic CinePlayer Quick Launch.lnk - C:\Program Files\Common Files\Sonic Shared\cinetray.exe [2002-09-18 12:16:30 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\Program Files\Common Files\Sony Shared\VideoLib\sonydv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2002-07-19 06:10]
S3 FileSpy5;BullGuard File Monitor;C:\Program Files\BullGuard Software\BullGuard 5.0\filespy5.sys [2004-10-29 16:00]
S3 FXDRV;FXDRV;D:\Fxdrv.sys []
S3 ICScsiSV;Image Converter SCSI Service;C:\Program Files\Sony\IMAGE CONVERTER 3\ICScsiSV.exe [2007-01-26 12:39]
S3 IcVzMonLauncher;IcVzMonLauncher;"C:\Program Files\Sony\IMAGE CONVERTER 3\IcVzMonLauncher.exe" [2007-01-26 12:38]
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;C:\Program Files\Sony\IMAGE CONVERTER 3\IcVzMon.exe [2007-01-26 12:38]
S3 Reconn;BullGuard Mail Monitor;C:\Program Files\BullGuard Software\BullGuard 5.0\reconn.sys [2004-09-28 17:50]
S3 USBCamera;DigitalCam Pro Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 10:28]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 11:27:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-15 11:28:28
ComboFix-quarantined-files.txt 2008-06-15 10:28:25
ComboFix2.txt 2008-06-14 09:17:16

Pre-Run: 60,465,635,328 bytes free
Post-Run: 60,476,682,240 bytes free

293 --- E O F --- 2008-06-14 16:55:11

#14
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hi,

Almost done...

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then:

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\742766417.sys
Folder::
C:\742766417


Save this as a txt file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
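
As an added example, not code from this thread and not part of HijackThis or ComboFix: a small Python parser for the HijackThis v2 log format quoted in this thread. It groups entries by section code, lists the O15 Trusted Zone hosts (the entries miekiemoes asks to fix above) against a list of hosts the user knowingly approved, and pulls the O4 registry Run values with their executable paths so they can be compared against the installed software. The sample log is constructed from the entry formats shown in this thread; the regular expressions and the function names are my own assumptions about the format, not HijackThis documentation.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the HijackThis v2 log format quoted in this thread.
# The O15 lines reproduce the hosts named above; the other lines are
# illustrative and do not come from a real scan.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:34:25, on 15/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

--
End of file - 8652 bytes
"""

# One line per HijackThis entry: a section code (R0, O4, O15, ...), " - ", then the body.
# These patterns are assumptions about the format, derived from the log lines in the thread.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# O15 body: "Trusted Zone: <url or host>" with an optional "(HKLM)" hive suffix.
TRUSTED_ZONE_RE = re.compile(r"^Trusted Zone: (?P<target>\S+)(?: \((?P<hive>HK\w+)\))?$")
# O4 body for registry Run values: "<hive>\..\Run: [<value name>] <command line>".
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)


def parse_entries(text):
    """Group HijackThis entry bodies by section code; the header and process list are skipped."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("code")].append(m.group("body"))
    return entries


def trusted_zone_hosts(entries):
    """Return (host, hive) for each O15 entry; hive is None when the line carries no suffix."""
    hosts = []
    for body in entries.get("O15", []):
        m = TRUSTED_ZONE_RE.match(body)
        if not m:
            continue
        target = m.group("target")
        host = urlsplit(target).hostname if "://" in target else target
        hosts.append((host, m.group("hive")))
    return hosts


def review_trusted_zone(entries, approved=frozenset()):
    """Trusted Zone hosts the user did not knowingly approve.

    The Trusted sites zone lowers IE's security settings for the listed sites
    and is empty on a default install, so every host not on the approved list
    deserves a look, as the four adware hosts in this thread did."""
    return [(host, hive) for host, hive in trusted_zone_hosts(entries) if host not in approved]


def run_entries(entries):
    """Registry Run values from O4 entries (Startup-folder O4 lines are left out)."""
    found = []
    for body in entries.get("O4", []):
        m = RUN_RE.match(body)
        if m:
            found.append({"hive": m.group("hive"), "name": m.group("name"), "command": m.group("cmd")})
    return found


def command_image(cmd):
    """Executable path of a Run command line: the quoted token if quoted, else the first token.

    Assumes an unquoted path contains no spaces; HijackThis quotes the ones that do."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for host, hive in review_trusted_zone(parsed):
        print(f"review Trusted Zone entry: {host} ({hive or 'hive not stated'})")
    for entry in run_entries(parsed):
        print(f"{entry['hive']} Run [{entry['name']}] -> {command_image(entry['command'])}")
```

Run against a saved HijackThis log instead of the constructed sample by reading the file into `parse_entries`; passing the hosts you added to the Trusted Zone yourself as `approved` leaves only the entries that need explaining.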

#15
kirks

    Member

  • Topic Starter
  • Member
  • 16 posts
Hi,

Here are the logs you asked for.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:34:25, on 15/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Common Files\Sonic Shared\cinetray.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A6FB-F862B587B57D} - C:\PROGRA~1\orange4\orange4.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A6FB-F862B587B57D} - C:\PROGRA~1\orange4\orange4.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,[email protected]
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [WMAAD] C:\Program Files\Sony\WALKMAN Launcher\WMAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BullGuard 5.0] "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = ?
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE4\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1150892750343
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Image Converter SCSI Service (ICScsiSV) - Sony Corporation - C:\Program Files\Sony\IMAGE CONVERTER 3\ICScsiSV.exe
O23 - Service: IcVzMonLauncher - Sony Corporation - C:\Program Files\Sony\IMAGE CONVERTER 3\IcVzMonLauncher.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\IMAGE CONVERTER 3\IcVzMon.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 8652 bytes



ComboFix 08-06-10.5 - kirk 2008-06-15 17:27:18.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.105 [GMT 1:00]
Running from: C:\Documents and Settings\kirk\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\kirk\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\742766417.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\742766417.sys

.
((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-14 11:11 . 2008-06-14 11:11 <DIR> d-------- C:\Documents and Settings\kirk\Application Data\Grisoft
2008-06-14 11:11 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-06-14 10:52 . 2008-06-14 11:06 <DIR> d-------- C:\Program Files\nbpro
2008-06-14 10:52 . 2008-06-14 10:52 12,499 --a------ C:\WINDOWS\system32\Seagate.bin
2008-06-14 10:45 . 2008-06-14 10:45 <DIR> d-------- C:\ie-spyad
2008-06-13 07:13 . 2008-06-14 07:58 <DIR> d--hs---- C:\742766417
2008-06-11 18:49 . 2008-06-11 18:49 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-11 18:40 . 2008-04-14 12:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 18:40 . 2008-04-14 12:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 20:31 . 2008-06-08 20:31 <DIR> d-------- C:\Documents and Settings\chantelle\Application Data\Grisoft
2008-06-08 20:31 . 2008-06-12 16:51 <DIR> d-------- C:\Documents and Settings\chantelle\Application Data\AVG7
2008-06-03 18:53 . 2008-06-14 08:37 <DIR> dr-h----- C:\$VAULT$.AVG
2008-06-03 18:18 . 2008-06-03 18:18 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-06-03 18:18 . 2008-06-15 11:19 <DIR> d-------- C:\Documents and Settings\kirk\Application Data\AVG7
2008-06-03 18:17 . 2008-06-03 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-03 18:17 . 2008-06-03 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-06-03 18:11 . 2008-06-03 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-01 12:22 . 2008-06-02 19:26 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-01 12:00 . 2008-06-01 12:00 <DIR> d-------- C:\Program Files\AVG
2008-06-01 12:00 . 2008-06-01 12:24 <DIR> d-------- C:\Documents and Settings\kirk\Application Data\AVGTOOLBAR
2008-05-30 08:56 . 2008-06-14 10:11 <DIR> d-------- C:\Temp
2008-05-28 12:33 . 2008-05-28 12:33 181 --a------ C:\WINDOWS\wininit.ini
2008-05-21 21:02 . 2008-06-03 18:14 <DIR> d-------- C:\Documents and Settings\kirk\Application Data\LimeWire
2008-05-21 21:01 . 2008-05-21 21:01 <DIR> d-------- C:\WINDOWS\Sun
2008-05-21 21:01 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-21 21:00 . 2008-05-21 21:00 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-21 08:34 . 2008-06-11 18:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-21 08:34 . 2008-05-21 08:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-21 08:05 . 2008-05-21 08:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-20 23:09 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-20 23:08 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-20 23:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-20 23:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-20 23:08 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-20 22:01 . 2008-04-23 05:16 6,066,176 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-20 22:01 . 2007-04-17 10:32 2,455,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-20 22:01 . 2007-03-08 06:10 991,232 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-20 22:01 . 2008-04-23 05:16 459,264 --a--c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-20 22:01 . 2008-04-23 05:16 383,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-20 22:01 . 2008-04-23 05:16 267,776 --a--c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-20 22:01 . 2008-04-23 05:16 63,488 --a--c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-20 22:01 . 2008-04-23 05:16 52,224 --a--c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-20 22:01 . 2008-04-22 08:39 13,824 --a--c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-20 18:08 . 2008-05-20 18:12 <DIR> d-------- C:\Program Files\McDonaldsFairies
2008-05-20 18:07 . 2008-05-20 18:07 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-05-18 13:29 . 2008-05-18 13:29 0 --a------ C:\WINDOWS\iPlayer.INI
2008-05-18 13:23 . 2008-05-18 13:23 <DIR> d-------- C:\Program Files\InterActual

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-15 15:53 --------- d-----w C:\Documents and Settings\kirk\Application Data\OpenOffice.org2
2008-06-12 15:51 --------- d-----w C:\Program Files\lx_cats
2008-06-12 15:51 --------- d-----w C:\Documents and Settings\chantelle\Application Data\OpenOffice.org2
2008-05-21 20:01 --------- d-----w C:\Program Files\Java
2008-05-13 14:14 --------- d-----w C:\Program Files\Sky Broadband
2008-05-13 14:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((( [email protected]_10.16.59.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-14 09:14:21 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-15 15:51:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2004-07-14 22:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW252\_aspnet_isapi.dll
+ 2004-07-14 21:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW252\_CORPerfMonExt.dll
+ 2004-07-14 21:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW252\_fusion.dll
+ 2004-07-14 21:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW252\_mscorjit.dll
+ 2004-07-15 11:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW252\_mscorlib.dll
+ 2003-02-20 16:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW252\_mscorsn.dll
+ 2004-07-14 21:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW252\_mscorsvr.dll
+ 2004-07-14 21:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW252\_mscorwks.dll
+ 2003-02-21 01:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW252\_msvcr71.dll
+ 2004-07-14 21:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW252\_PerfCounter.dll
+ 2004-07-14 22:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2616\_aspnet_isapi.dll
+ 2004-07-14 21:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2616\_CORPerfMonExt.dll
+ 2004-07-14 21:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2616\_fusion.dll
+ 2004-07-14 21:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2616\_mscorjit.dll
+ 2004-07-15 11:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2616\_mscorlib.dll
+ 2003-02-20 16:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2616\_mscorsn.dll
+ 2004-07-14 21:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2616\_mscorsvr.dll
+ 2004-07-14 21:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2616\_mscorwks.dll
+ 2003-02-21 01:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2616\_msvcr71.dll
+ 2004-07-14 21:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2616\_PerfCounter.dll
+ 2004-07-14 22:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3604\_aspnet_isapi.dll
+ 2004-07-14 21:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3604\_CORPerfMonExt.dll
+ 2004-07-14 21:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3604\_fusion.dll
+ 2004-07-14 21:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3604\_mscorjit.dll
+ 2004-07-15 11:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3604\_mscorlib.dll
+ 2003-02-20 16:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3604\_mscorsn.dll
+ 2004-07-14 21:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3604\_mscorsvr.dll
+ 2004-07-14 21:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3604\_mscorwks.dll
+ 2003-02-21 01:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3604\_msvcr71.dll
+ 2004-07-14 21:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3604\_PerfCounter.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BullGuard 5.0"="C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe" [2005-03-05 09:31 86016]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00 455168]
"VTTimer"="VTTimer.exe" [2005-03-07 18:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 08:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 23:01 110592]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 11:39 90112 C:\WINDOWS\soundman.exe]
"lxcrmon.exe"="C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" [2006-01-22 18:45 286720]
"EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 06:10 98304]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 09:11 290816]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 19:38 65536]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-17 10:36 98304]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"WMAAD"="C:\Program Files\Sony\WALKMAN Launcher\WMAAD.exe" [2007-02-16 19:41 110592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-03 18:37 579584]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-06-03 18:17 219136]

C:\Documents and Settings\chantelle\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2005-09-23 11:36:42 61440]

C:\Documents and Settings\kirk\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2005-09-23 11:36:42 61440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Sonic CinePlayer Quick Launch.lnk - C:\Program Files\Common Files\Sonic Shared\cinetray.exe [2002-09-18 12:16:30 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\Program Files\Common Files\Sony Shared\VideoLib\sonydv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2002-07-19 06:10]
S3 FileSpy5;BullGuard File Monitor;C:\Program Files\BullGuard Software\BullGuard 5.0\filespy5.sys [2004-10-29 16:00]
S3 FXDRV;FXDRV;D:\Fxdrv.sys []
S3 ICScsiSV;Image Converter SCSI Service;C:\Program Files\Sony\IMAGE CONVERTER 3\ICScsiSV.exe [2007-01-26 12:39]
S3 IcVzMonLauncher;IcVzMonLauncher;"C:\Program Files\Sony\IMAGE CONVERTER 3\IcVzMonLauncher.exe" [2007-01-26 12:38]
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;C:\Program Files\Sony\IMAGE CONVERTER 3\IcVzMon.exe [2007-01-26 12:38]
S3 Reconn;BullGuard Mail Monitor;C:\Program Files\BullGuard Software\BullGuard 5.0\reconn.sys [2004-09-28 17:50]
S3 USBCamera;DigitalCam Pro Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 10:28]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 17:28:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-15 17:29:44
ComboFix-quarantined-files.txt 2008-06-15 16:29:41
ComboFix2.txt 2008-06-15 10:28:29
ComboFix3.txt 2008-06-14 09:17:16

Pre-Run: 60,469,395,456 bytes free
Post-Run: 60,463,595,520 bytes free

186 --- E O F --- 2008-06-15 14:14:33