Hello, thanks for the quick response.
I do not have the OTMoveIt2 log; it disappeared when ComboFix rebooted, and I'm not sure if I should run it again. Here are the HJT log and ComboFix logs:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:33:15, on 8/19/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\WerCon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...DTP&M=T3604
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6383] command /c del "C:\WINDOWS\System32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD836] cmd /c del "C:\WINDOWS\System32\drivers\core.cache.dsk"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Land Before Time Animated Moviebook.lnk = C:\LBT_MB\LBTMB.EXE
O4 - Startup: Land Before Time Help.lnk = C:\LBT_MB\Lbt.hlp
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.2.100.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....NPUplden-us.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares....LauncherNew.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimd...lidstateion.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/d...kimi_plugin.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8859 bytes
ComboFix 08-08-18.05 - Angy 2008-08-19 17:09:21.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.91 [GMT -5:00]
Running from: C:\Users\Angy\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\screensavers.com
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\Users\Angy\AppData\Roaming\macromedia\Flash Player\#SharedObjects\XG9UB3VF\interclick.com
C:\Users\Angy\AppData\Roaming\macromedia\Flash Player\#SharedObjects\XG9UB3VF\interclick.com\ud.sol
C:\Users\Angy\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Users\Angy\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Windows\Downloaded Program Files\setup.inf
C:\Windows\megavid.cdt
C:\Windows\muotr.so
C:\Windows\system32\drivers\core.cache.dsk
C:\Windows\system32\MSINET.oca
C:\Windows\system32\x64
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-07-19 to 2008-08-19 )))))))))))))))))))))))))))))))
.
2008-08-19 16:49 . 2008-08-19 16:49 <DIR> d-------- C:\_OTMoveIt
2008-08-19 13:25 . 2008-08-19 13:25 2,164 --a------ C:\WINDOWS\System32\tmp.reg
2008-08-19 13:24 . 2008-08-19 13:25 <DIR> d-------- C:\WINDOWS\System32\SmitfraudFix
2008-08-19 12:47 . 2008-08-19 12:47 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-15 03:07 . 2008-07-15 18:48 2,048 --a------ C:\WINDOWS\System32\tzres.dll
2008-08-14 16:24 . 2008-04-10 00:01 737,792 --a------ C:\WINDOWS\System32\inetcomm.dll
2008-08-14 16:24 . 2008-04-09 21:43 84,480 --a------ C:\WINDOWS\System32\INETRES.dll
2008-08-14 16:07 . 2007-02-15 21:46 311,296 --a------ C:\WINDOWS\System32\mswmdm.dll
2008-08-14 16:07 . 2007-02-15 21:48 36,864 --a------ C:\WINDOWS\System32\wmdmps.dll
2008-08-14 16:07 . 2007-02-15 21:48 31,744 --a------ C:\WINDOWS\System32\wmdmlog.dll
2008-08-12 20:40 . 2008-08-12 20:40 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-08-12 20:40 . 2008-08-12 20:40 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-08-12 20:39 . 2008-08-19 13:13 <DIR> d-------- C:\Users\Angy\AppData\Roaming\SUPERAntiSpyware.com
2008-08-12 20:39 . 2008-08-19 13:12 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-06 20:49 . 2008-08-06 20:49 <DIR> d-------- C:\Users\Angy\AppData\Roaming\RealityRipple Software
2008-08-06 20:49 . 2008-08-12 14:28 <DIR> d-------- C:\Program Files\RealityRipple Software
2008-08-05 13:16 . 2008-08-12 23:45 420 --a------ C:\WINDOWS\wininit.ini
2008-08-02 13:29 . 2008-08-02 13:29 168,077,535 --a------ C:\WINDOWS\MEMORY.DMP
2008-07-31 20:12 . 2008-08-01 01:34 23 --a------ C:\Users\Angy\jagex_runescape_preferences.dat
2008-07-31 20:09 . 2008-07-31 20:09 <DIR> d-------- C:\Program Files\Sun
2008-07-31 04:43 . 2008-07-31 04:43 <DIR> d-------- C:\Program Files\LimeWire
2008-07-22 13:26 . 2008-07-22 13:28 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-07-22 13:26 . 2008-07-22 13:28 <DIR> d-------- C:\ProgramData\Lavasoft
2008-07-22 13:26 . 2008-07-22 13:26 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-22 12:49 . 2008-07-22 13:22 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-07-22 12:49 . 2008-07-22 13:22 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-07-22 12:49 . 2008-07-22 12:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 18:38 --------- d-----w C:\Program Files\Trend Micro
2008-08-19 18:12 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-19 18:11 --------- d-----w C:\Program Files\Diablo II
2008-08-19 01:15 --------- d-----w C:\ProgramData\Google Updater
2008-08-17 23:35 --------- d-----w C:\Users\Angy\AppData\Roaming\LimeWire
2008-08-15 08:08 --------- d-----w C:\ProgramData\Microsoft Help
2008-08-15 08:02 --------- d-----w C:\Program Files\Windows Mail
2008-08-08 23:58 --------- d-----w C:\Program Files\Starcraft
2008-08-08 23:09 --------- d-----w C:\Program Files\Warcraft III
2008-08-07 01:57 69,632 ----a-w C:\Windows\System32\CheckRevision.dll
2008-08-05 18:16 --------- d-----w C:\Program Files\Free Offers from Freeze.com
2008-08-02 18:52 --------- d-----w C:\Program Files\Google
2008-08-01 01:08 --------- d-----w C:\Program Files\Java
2008-07-19 00:08 36,368 ----a-w C:\Windows\system32\drivers\tmpreflt.sys
2008-07-19 00:08 205,328 ----a-w C:\Windows\system32\drivers\tmxpflt.sys
2008-07-18 23:51 1,195,448 ----a-w C:\Windows\system32\drivers\vsapint.sys
2008-07-18 18:24 --------- d-----w C:\Users\Angy\AppData\Roaming\WildTangent
2008-07-18 18:24 --------- d-----w C:\ProgramData\WildTangent
2008-07-18 17:40 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-11 22:02 --------- d-----w C:\ProgramData\Trend Micro
2008-07-09 08:09 174 --sha-w C:\Program Files\desktop.ini
2008-07-02 22:49 --------- d-----w C:\Users\Angy\AppData\Roaming\Apple Computer
2008-07-02 22:49 --------- d-----w C:\Program Files\iTunes
2008-07-02 22:49 --------- d-----w C:\Program Files\iPod
2008-07-02 22:48 --------- d-----w C:\ProgramData\Apple Computer
2008-07-02 22:47 --------- d-----w C:\Program Files\QuickTime
2008-07-02 22:47 --------- d-----w C:\Program Files\Bonjour
2008-07-02 22:44 --------- d-----w C:\Program Files\Common Files\Apple
2008-07-02 20:27 --------- d-----w C:\Program Files\Davidson
2008-07-02 20:26 --------- d-----w C:\Program Files\LEGO Company
2008-07-02 20:26 --------- d-----w C:\Program Files\eMachines Games
2008-07-02 20:22 --------- d-----w C:\Program Files\Scratch
2008-07-02 20:20 --------- d-----w C:\Program Files\VstPlugins
2008-07-02 20:20 --------- d-----w C:\Program Files\Image-Line
2008-07-02 20:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-02 17:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-27 03:54 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-06-27 03:54 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-06-27 03:54 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-06-27 03:54 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-06-26 00:34 7,964,672 ----a-w C:\Windows\System32\NlsLexicons0024.dll
2008-06-26 00:33 9,892,864 ----a-w C:\Windows\System32\NlsLexicons000a.dll
2008-06-19 03:25 61,440 ----a-w C:\Windows\System32\winipsec.dll
2008-06-19 03:25 361,984 ----a-w C:\Windows\System32\IPSECSVC.DLL
2008-06-19 03:25 28,672 ----a-w C:\Windows\System32\FwRemoteSvr.dll
2008-06-19 03:25 272,896 ----a-w C:\Windows\System32\polstore.dll
2008-06-12 06:54 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-06-12 06:54 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-06-12 01:21 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-06-01 00:17 43,520 ----a-w C:\Windows\System32\CmdLineExt03.dll
2008-05-28 21:50 21,840 ----atw C:\Windows\System32\SIntfNT.dll
2008-05-28 21:50 17,212 ----atw C:\Windows\System32\SIntf32.dll
2008-05-28 21:50 12,067 ----atw C:\Windows\System32\SIntf16.dll
2008-04-09 01:06 0 ----a-w C:\Users\Angy\AppData\Roaming\wklnhst.dat
2007-08-19 22:28 32 ----a-r C:\Users\All Users\hash.dat
2007-08-19 22:28 32 ----a-r C:\ProgramData\hash.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-17 05:31 68856]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 07:34 201728]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB6383"="command" [X]
"SpybotDeletingD836"="del" [X]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [2006-11-16 18:04 2348584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-01-02 18:07 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-01-02 18:06 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-01-02 18:07 133656]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 14:57 1398024]
"SigmatelSysTrayApp"="sttray.exe" [2006-11-02 15:38 303104 C:\WINDOWS\sttray.exe]
C:\Users\Angy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Land Before Time Animated Moviebook.lnk - C:\LBT_MB\LBTMB.EXE [2007-09-11 15:48:54 225584]
Land Before Time Help.lnk - C:\LBT_MB\Lbt.hlp [2007-09-11 15:48:54 28037]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2007-07-30 20:45:40 2348584]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-11-17 05:30:56 125624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"VIDC.IV41"= ir41_32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1329484758-4271689960-3681140858-1000]
"EnableNotificationsRef"=dword:00000002
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1329484758-4271689960-3681140858-500]
"EnableNotificationsRef"=dword:00000002
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{6A99951F-C3EE-4405-B45F-7CFA77E7C501}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{790C1EF5-A461-4EF8-B2C1-6BCE6EB13072}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{BE9BC73E-656F-4762-81F1-B5021EC6C666}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{13E89A43-D79F-4311-B6FA-6C90114AA19B}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{ACF1F7AD-7969-48D4-83C5-7BB6E11E1619}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{6ED06C19-6CAA-4B6E-8A2D-3DC164459643}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{EB164B85-4076-4EC4-8DD6-364A6744E45F}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{FAF6929E-29FC-47B0-90AB-2468D79B632B}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{7D6AD714-3F74-4AB3-A48A-9B727C000B6B}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{7F0563A1-56D3-4A33-AC06-F04203F205B4}"= UDP:C:\ProgramData\NexonUS\NGM\NGM.exe:Nexon Game Manager
"{7FB9BB17-E620-4294-BC46-F70078485DBA}"= TCP:C:\ProgramData\NexonUS\NGM\NGM.exe:Nexon Game Manager
"TCP Query User{BFF8D71B-8D6B-4279-B93F-588C405FFC9C}C:\\windows\\system32\\java.exe"= UDP:C:\windows\system32\java.exe:Java Platform SE binary
"UDP Query User{144A6321-7F3D-47B4-AE65-17194986EA64}C:\\windows\\system32\\java.exe"= TCP:C:\windows\system32\java.exe:Java Platform SE binary
"TCP Query User{C18C7FA2-1AB8-4480-B89B-666CEB288CB1}C:\\program files\\warcraft iii demo\\war3demo.exe"= UDP:C:\program files\warcraft iii demo\war3demo.exe:Warcraft III Demo
"UDP Query User{BB4A6E4C-311D-4029-A0D5-64F61A999E69}C:\\program files\\warcraft iii demo\\war3demo.exe"= TCP:C:\program files\warcraft iii demo\war3demo.exe:Warcraft III Demo
"TCP Query User{97AD9D09-4861-4924-9E1A-CB578152B18A}C:\\program files\\dofus-arena beta 2\\dofusarena.exe"= Disabled:UDP:C:\program files\dofus-arena beta 2\dofusarena.exe:Dofus Arena Client
"UDP Query User{0A78C4E3-1C0E-450A-810C-342035DC46E7}C:\\program files\\dofus-arena beta 2\\dofusarena.exe"= Disabled:TCP:C:\program files\dofus-arena beta 2\dofusarena.exe:Dofus Arena Client
"TCP Query User{5BE9EB2D-77B9-4FD6-96E7-6087232A4948}C:\\program files\\ankama games\\dofus\\dofus.exe"= Disabled:UDP:C:\program files\ankama games\dofus\dofus.exe:Dofus Client
"UDP Query User{C363B028-1FE7-480F-A63B-AA2D424B5580}C:\\program files\\ankama games\\dofus\\dofus.exe"= Disabled:TCP:C:\program files\ankama games\dofus\dofus.exe:Dofus Client
"TCP Query User{B17372A8-C9FD-43A6-91DC-D6C519682C63}C:\\soldat\\soldat.exe"= Disabled:UDP:C:\soldat\soldat.exe:Soldat
"UDP Query User{0B80FCED-F064-45A3-B726-F91F04C6FB9F}C:\\soldat\\soldat.exe"= Disabled:TCP:C:\soldat\soldat.exe:Soldat
"TCP Query User{C586C1B8-403E-44C4-AD2A-1167F458BDF2}C:\\windows\\system32\\solidstatenetworks\\solidstateion\\solidnm.exe"= Disabled:UDP:C:\windows\system32\solidstatenetworks\solidstateion\solidnm.exe:solidnm
"UDP Query User{AA47B63E-D60D-419C-AFA8-13233B120918}C:\\windows\\system32\\solidstatenetworks\\solidstateion\\solidnm.exe"= Disabled:TCP:C:\windows\system32\solidstatenetworks\solidstateion\solidnm.exe:solidnm
"TCP Query User{239225F7-45A7-456C-8DF9-82CF8A19B48C}C:\\program files\\warcraft iii\\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{9C549068-77AE-442C-A345-6ADC5951886F}C:\\program files\\warcraft iii\\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III
"TCP Query User{0EC3199F-EEFF-4210-971D-37C867A93A8D}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{75D85241-95EC-4ABE-90F6-6A6DA430C8DF}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"{F5994CD8-04A4-48C3-A3BE-ED165C382281}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{3BF33C76-19B4-4486-BCB2-B9109C9D9B34}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{330D835A-9389-484E-910D-B80A1F3F8EF1}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{E275417C-F4C7-4B98-A1CF-131855D56112}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{2A2B72E3-40DD-4A5B-812C-AFE509BDFC0E}C:\\program files\\starcraft\\starcraft.exe"= UDP:C:\program files\starcraft\starcraft.exe:StarCraft
"UDP Query User{197BEC81-274F-4D8D-9243-34D44C040C92}C:\\program files\\starcraft\\starcraft.exe"= TCP:C:\program files\starcraft\starcraft.exe:StarCraft
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 02:30]
S3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 02:30]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder
2008-08-15 C:\Windows\Tasks\rpc.job
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Wipe Expert - C:\Program Files\Bodrag\Wipe Expert\WipeExpert.exe
HKLM-Run-NapsterShell - C:\Program Files\Napster\napster.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = google.com/
R0 -: HKLM-Main,Start Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3604
R1 -: HKCU-Internet Settings,ProxyOverride = <local>;*.local
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 -: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin.cab
C:\Windows\Downloaded Program Files\imikimi.inf
.
.
------- File Associations (Beta) -------
.
VBEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
VBSFile="%SystemRoot%\System32\WScript.exe" "%1" %*
vbefile\shell\open\command="%SystemRoot%\System32\WScript.exe" "%1" %*
vbsfile\shell\open\command="%SystemRoot%\System32\WScript.exe" "%1" %*
jsefile\shell\open\command=%SystemRoot%\System32\WScript.exe "%1" %*
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 17:21:15
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\audiodg.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\SigmaTel\C-Major Audio\wdm\stacsv.exe
C:\WINDOWS\System32\drivers\XAudio.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-19 17:27:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-19 22:27:02
Pre-Run: 70,963,585,024 bytes free
Post-Run: 70,760,759,296 bytes free
255 --- E O F --- 2008-08-15 08:09:12
Thanks for your help; it is greatly appreciated!