I just received a horrible virus that now randomly loads iexplore.exe and plays noises. However, no windows open or anything. I know it is through this because when I open Task Manager and close that task, the noise then goes away. Please help me, it is driving me crazy!
Below are the HijackThis log and ComboFix log.
Thank you!
-Stephen
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:37 PM, on 8/11/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16890)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\DllHost.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Stephen\Downloads\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\Windows\system32\msxml71.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....NPUplden-us.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
O23 - Service: OracleServiceXE - Oracle Corporation - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
O23 - Service: OracleXEClrAgent - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8552 bytes
ComboFix 09-08-10.06 - Stephen 08/11/2009 20:22.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1982.1284 [GMT -4:00]
Running from: c:\users\Stephen\Desktop\Combo-Fix.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-1188938763-780217356-4040173663-500
c:\$recycle.bin\S-1-5-21-2769266890-3668698308-309083660-500
C:\LHTEAAB.tmp
c:\windows\Installer\4627645.msi
c:\windows\RM.exe
c:\windows\system32\drivers\SKYNETbdkofxlg.sys
c:\windows\system32\drivers\UACabxutjvpnp.sys
c:\windows\system32\msxml71.dll
c:\windows\system32\net.net
c:\windows\system32\SKYNETbihnfvpv.dll
c:\windows\system32\SKYNETdogqngbq.dll
c:\windows\system32\SKYNETepqmiwij.dat
c:\windows\system32\SKYNETpjeekgfm.dat
c:\windows\system32\UACbvcyugyvon.dll
c:\windows\system32\UACgxutrwhbes.dat
c:\windows\system32\UACiiqrpcicbe.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjofshgkqab.dll
c:\windows\system32\UACposgmqdyqs.dll
c:\windows\system32\UACxnxejpdhav.db
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SKYNETnsusukpm
-------\Service_UACd.sys
-------\Legacy_SKYNETnsusukpm
-------\Legacy_UACd.sys
((((((((((((((((((((((((( Files Created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))
.
2009-08-12 00:35 . 2009-08-12 01:25 -------- d-----w- c:\users\Stephen\AppData\Local\temp
2009-08-12 00:35 . 2009-08-12 00:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-02 23:01 . 2008-06-20 01:18 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-08-02 23:01 . 2008-06-20 01:17 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-08-02 23:01 . 2008-06-20 01:18 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-08-02 23:01 . 2008-06-20 01:17 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-08-02 23:01 . 2008-06-20 01:17 11264 ----a-w- c:\windows\system32\icardres.dll
2009-08-02 23:01 . 2008-06-20 01:18 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-08-02 23:01 . 2008-06-20 01:18 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-08-02 22:50 . 2008-07-27 18:00 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-08-02 22:50 . 2008-07-27 18:00 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-08-02 22:50 . 2008-07-27 18:00 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-08-02 22:50 . 2008-07-27 18:00 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-08-02 22:49 . 2008-07-27 18:00 83968 ----a-w- c:\windows\system32\mscories.dll
2009-08-02 22:41 . 2009-06-15 15:29 156160 ----a-w- c:\windows\system32\t2embed.dll
2009-08-02 22:40 . 2008-06-05 04:50 500736 ----a-w- c:\windows\system32\msdtcprx.dll
2009-08-02 22:40 . 2008-06-05 04:50 30208 ----a-w- c:\windows\system32\xolehlp.dll
2009-08-02 22:40 . 2008-11-27 04:42 269824 ----a-w- c:\windows\system32\schannel.dll
2009-08-02 22:35 . 2009-04-23 13:01 788992 ----a-w- c:\windows\system32\rpcrt4.dll
2009-07-30 21:54 . 2009-07-30 21:54 207872 ----a-w- c:\users\Stephen\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4.dll
2009-07-30 21:54 . 2009-07-30 21:54 207872 ----a-w- c:\users\Stephen\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_3.dll
2009-07-30 21:54 . 2009-07-30 21:54 207872 ----a-w- c:\users\Stephen\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_2.dll
2009-07-30 21:54 . 2009-07-30 21:54 207872 ----a-w- c:\users\Stephen\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_1.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-12 01:25 . 2009-08-02 23:37 28029 ----a-w- c:\progra~2\nvModes.dat
2009-08-12 00:36 . 2008-02-14 06:26 12 ----a-w- c:\windows\bthservsdp.dat
2009-08-11 19:43 . 2009-06-21 22:55 -------- d-----w- c:\users\Stephen\AppData\Roaming\DNA
2009-08-11 19:43 . 2009-06-21 22:55 -------- d-----w- c:\program files\DNA
2009-08-08 01:59 . 2008-03-11 04:15 -------- d-----w- c:\users\Stephen\AppData\Roaming\LimeWire
2009-08-03 15:27 . 2008-02-15 21:49 151416 ----a-w- c:\users\Stephen\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-03 00:19 . 2008-05-30 12:20 -------- d-----w- c:\progra~2\NVIDIA
2009-08-03 00:14 . 2008-02-16 02:25 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-08-02 23:30 . 2008-02-14 07:30 -------- d-----w- c:\program files\Microsoft Works
2009-08-02 23:29 . 2008-02-14 07:33 -------- d-----w- c:\progra~2\Microsoft Help
2009-08-02 23:14 . 2008-09-21 19:47 -------- d-----w- c:\program files\Microsoft SQL Server
2009-08-01 20:12 . 2008-02-14 06:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-01 19:40 . 2008-09-23 01:19 -------- d-----w- c:\progra~2\Media Center Programs
2009-08-01 19:38 . 2008-07-02 00:06 -------- d-----w- c:\program files\THQ
2009-07-30 21:54 . 2008-05-30 11:33 -------- d-----w- c:\program files\SystemRequirementsLab
2009-07-30 21:54 . 2008-05-30 11:33 -------- d-----w- c:\users\Stephen\AppData\Roaming\SystemRequirementsLab
2009-07-18 12:17 . 2009-08-02 22:42 827392 ----a-w- c:\windows\system32\wininet.dll
2009-07-18 12:10 . 2009-08-02 22:42 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-07-18 12:10 . 2009-08-02 22:42 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-18 12:07 . 2009-08-02 22:42 72704 ----a-w- c:\windows\system32\admparse.dll
2009-07-18 10:00 . 2009-08-02 22:42 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-18 08:34 . 2009-08-02 22:42 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-07-11 23:48 . 2008-02-14 07:14 -------- d-----w- c:\progra~2\Roxio
2009-06-30 19:36 . 2009-07-28 18:04 18696 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryReplaceNew.exe
2009-06-30 19:10 . 2009-07-28 18:04 18696 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryNoTravel.exe
2009-06-30 19:03 . 2009-07-28 18:04 18696 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryAccessories.exe
2009-06-30 16:44 . 2009-07-28 18:04 18184 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryWeakNew.exe
2009-06-26 22:36 . 2009-07-28 18:04 18184 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryUpgrade.exe
2009-06-22 01:46 . 2009-06-21 22:56 -------- d-----w- c:\users\Stephen\AppData\Roaming\BitTorrent
2009-06-21 22:55 . 2009-06-21 22:55 -------- d-----w- c:\program files\BitTorrent
2009-06-15 15:23 . 2009-08-02 22:41 24064 ----a-w- c:\windows\system32\lpk.dll
2009-06-15 15:22 . 2009-08-02 22:41 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:21 . 2009-08-02 22:41 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 15:20 . 2009-08-02 22:41 34304 ----a-w- c:\windows\system32\atmlib.dll
2009-06-15 13:03 . 2009-08-02 22:41 289792 ----a-w- c:\windows\system32\atmfd.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Vongo Tray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^Users^Stephen^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Stephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
[HKLM\~\startupfolder\C:^Users^Stephen^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\users\Stephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exe.Startup
backupExtension=.Startup
[HKLM\~\startupfolder\C:^Users^Stephen^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Sprint media monitor.lnk]
path=c:\users\Stephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sprint media monitor.lnk
backup=c:\windows\pss\Sprint media monitor.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{846B6448-48BA-42BF-95C4-5140346688CA}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{F4EF8254-4E5B-4952-9833-DC8428097650}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{4DD3BF92-37CE-4EA8-A5A7-E78E3B124E4C}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{DFFCC6FD-4C28-4B89-89C5-4B7696A0002F}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{90219B99-721F-4638-9001-798A3500C344}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{CE3BC2DC-2ABB-4E3C-9E3A-31D696752ADF}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{FE8879B7-0658-46AE-B3A2-C26DD9932C40}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{3DDF2E6F-DF30-4555-B02E-829584D40B73}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{EC721093-AEC4-4567-8200-039C2421847E}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{F0BC4863-33F6-454D-B916-CE613F2EC87A}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{C55D98C3-CED6-4A28-983C-DE5AF90BB2B9}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{7E87A3A5-842C-4557-915B-20FFF0506C33}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{56085566-5067-4C67-BF86-8E48A464FEAB}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{570075C7-1CA0-4092-9FD3-1F4AD425FC12}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{7A8C839A-0C2C-4F40-963B-D8B256B0E205}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{C781D183-FABE-4E3A-9C69-A713767CF3F1}"= UDP:c:\program files\Steam\Steam.exe:Steam
"{18E361C7-A3E7-4F67-87C0-8E24C65E163B}"= TCP:c:\program files\Steam\Steam.exe:Steam
"TCP Query User{62E386AC-47EF-47CD-B4E1-1801C4D03469}c:\\program files\\red storm entertainment\\ravenshield\\system\\ravenshield.exe"= UDP:c:\program files\red storm entertainment\ravenshield\system\ravenshield.exe:ravenshield
"UDP Query User{F1868F11-B0FC-44CE-B19C-447E71E2FFC3}c:\\program files\\red storm entertainment\\ravenshield\\system\\ravenshield.exe"= TCP:c:\program files\red storm entertainment\ravenshield\system\ravenshield.exe:ravenshield
"{BAF75A9E-1D09-4A53-AFD7-D6EF0284453C}"= UDP:c:\program files\THQ\Company of Heroes\RelicCOH.exe:Company of Heroes
"{53A52AB8-C65B-46BF-8485-CD8C1644188D}"= TCP:c:\program files\THQ\Company of Heroes\RelicCOH.exe:Company of Heroes
"{11BC7BB9-3E92-4E45-895E-39EA4666E344}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{B2D99E61-39FC-4EE7-94C9-76FB47087697}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{AFFEC8FA-1D2E-408E-BF87-DCFADE21A190}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3E192AA0-FA16-4DB3-91D4-72170E003C27}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{73E7643C-3C53-42A4-B0C6-49C534ABA199}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{62F2BEAD-FA48-4149-A9C0-C9EDF8F18D78}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{16030245-10BF-461D-AAFF-7E5A8FB041D7}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{4F01EBA0-37E9-443F-AD2E-19C1196EF538}"= UDP:c:\program files\BitTorrent\BitTorrent.exe:BitTorrent (TCP-In)
"{30CF4644-FAC2-436E-9633-56DE260B3A3A}"= TCP:c:\program files\BitTorrent\BitTorrent.exe:BitTorrent (UDP-In)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [1/11/2008 6:50 PM 30312]
R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
R2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\BIN\TNSLSNR.EXE [2/2/2006 12:49 AM 204800]
S3 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20070108.003\IDSvix86.sys [2/14/2008 3:21 AM 212280]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 10:31 PM 29263712]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Stephen\AppData\Roaming\Mozilla\Firefox\Profiles\8coarlwx.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-11 21:25
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(2712)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
c:\oraclexe\app\oracle\product\10.2.0\server\BIN\oracle.exe
c:\windows\System32\PnkBstrA.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLSched.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-08-12 21:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-12 01:30
Pre-Run: 72,118,681,600 bytes free
Post-Run: 71,996,530,688 bytes free
292 --- E O F --- 2009-08-02 23:37
Edited by steve_o_ice, 11 August 2009 - 07:51 PM.