Victor mccarthy
2008-04-24, 11:05
Hi!
Im extremely new here :laugh: and i read over the terms and cond. so i hope im not infringing on any policies etc..
ANYWAY!
Ok so, ran an SB:S&D Check, and came up with a Virtumonde that just wont go away, i read about it in the other posts and got myself a copy of ComboFix, ran it and heres what came up in the log:
ComboFix 08-04-22.5 - Victor 2008-04-24 18:34:01.1 - NTFSx86
Running from: C:\Documents and Settings\Victor\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\khfFYOEx.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qoMffEVL.dll
C:\WINDOWS\system32\VuDccMoq.ini
C:\WINDOWS\system32\VuDccMoq.ini2
.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.
2008-04-24 13:09 . 2008-04-24 13:14 211 --a------ C:\WINDOWS\wininit.ini
2008-04-24 10:18 . 2008-04-24 10:18 32,320 --a------ C:\WINDOWS\system32\__c005A529.dat
2008-04-24 10:15 . 2008-04-24 13:09 1,540,617 --ahs---- C:\WINDOWS\system32\lhlojlgu.ini
2008-04-24 10:14 . 2008-04-24 10:14 32,320 --a------ C:\WINDOWS\system32\__c0059309.dat
2008-04-24 06:21 . 2008-04-24 15:42 38 --a------ C:\WINDOWS\AviSplitter.INI
2008-04-23 10:10 . 2008-04-24 10:10 109,669 --a------ C:\WINDOWS\BM53615677.xml
2008-04-22 22:12 . 2008-04-22 22:12 0 --------- C:\WINDOWS\WB.ini
2008-04-22 22:06 . 2008-04-22 22:06 <DIR> d-------- C:\Program Files\Stardock
2008-04-22 22:06 . 2007-07-11 14:06 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2008-04-22 19:16 . 2008-04-22 19:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MediaWidget
2008-04-22 19:16 . 2007-11-04 19:01 1,369,600 --a------ C:\WINDOWS\bsdsetup.dll
2008-04-22 19:15 . 2008-04-22 19:15 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-22 18:20 . 2008-04-22 18:20 <DIR> d-------- C:\Program Files\iTunes
2008-04-22 18:20 . 2008-04-22 18:20 <DIR> d-------- C:\Program Files\iPod
2008-04-22 18:19 . 2008-04-22 18:19 <DIR> d-------- C:\Program Files\Bonjour
2008-04-22 18:18 . 2008-04-22 18:19 <DIR> d-------- C:\Program Files\QuickTime
2008-04-22 18:15 . 2008-02-18 11:16 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-04-22 18:14 . 2008-04-22 18:14 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-20 09:42 . 2008-04-20 09:42 126 --a------ C:\WINDOWS\kaillera.ini
2008-04-19 16:45 . 2008-04-21 19:01 <DIR> d-------- C:\Program Files\EA Games
2008-04-16 18:31 . 2008-04-16 18:31 <DIR> d-------- C:\Program Files\GIMP-2.0
2008-04-11 22:51 . 2008-04-11 22:51 <DIR> d-------- C:\Program Files\Wise Registry Cleaner 3 Pro
2008-04-10 18:38 . 2008-04-10 18:44 <DIR> d-------- C:\Documents and Settings\Victor\Application Data\FreeCall
2008-04-10 18:36 . 2008-04-10 18:36 <DIR> d-------- C:\Program Files\FreeCall.com
2008-04-07 22:24 . 2008-04-07 22:24 <DIR> d-------- C:\Program Files\UnH Solutions
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 08:48 --------- d-----w C:\Documents and Settings\Victor\Application Data\Skype
2008-04-24 08:43 --------- d-----w C:\Program Files\Steam
2008-04-24 07:12 --------- d-----w C:\Documents and Settings\Victor\Application Data\skypePM
2008-04-23 22:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-04-23 20:21 --------- d-----w C:\Documents and Settings\Victor\Application Data\uTorrent
2008-04-23 03:19 --------- d-----w C:\Documents and Settings\Victor\Application Data\shrink_pic
2008-04-23 03:08 --------- d-----w C:\Program Files\Lx_cats
2008-04-23 03:04 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2008-04-22 08:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-22 08:15 --------- d-----w C:\Program Files\Apple Software Update
2008-04-20 08:01 --------- d-----w C:\Program Files\Common Files\EasyInfo
2008-04-17 08:14 --------- d-----w C:\Program Files\Windows Live
2008-04-17 08:13 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-17 08:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-12 02:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-29 22:08 --------- d-----w C:\Documents and Settings\Victor\Application Data\AVG7
2008-03-29 06:34 --------- d-----w C:\Documents and Settings\Victor\Application Data\Moyea
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-13 11:44 --------- d-----w C:\Program Files\XP Codec Pack
2008-03-10 13:46 --------- d-----w C:\Documents and Settings\Victor\Application Data\Creative
2008-03-10 13:41 --------- d-----w C:\Program Files\Image-Line
2008-03-10 08:38 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-10 08:38 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-09 19:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-09 19:48 --------- d-----w C:\Program Files\AGEIA Technologies
2008-03-09 05:06 --------- d-----w C:\Program Files\VstPlugins
2008-03-09 00:55 --------- d-----w C:\Program Files\Common Files\Logitech
2008-03-09 00:54 --------- d-----w C:\Program Files\Logitech
2008-03-09 00:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-06 15:29 962,560 ----a-w C:\WINDOWS\system32\VSFilter.dll
2008-03-06 03:51 --------- d-----w C:\Program Files\MagicDisc
2008-03-05 14:14 --------- d-----w C:\Program Files\uTorrent
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-27 11:41 --------- d-----w C:\Documents and Settings\Guest\Application Data\AVG7
2008-02-27 01:17 --------- d-----w C:\Program Files\Google
2008-02-26 10:52 --------- d-----w C:\Program Files\ATI Technologies
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-13 08:29 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-01-29 02:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2008-01-11 03:32 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.
------- Sigcheck -------
2005-03-02 10:34 2056832 81013f36b21c7f72cf784cc6731e0002 C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntkrnlpa.exe
2005-03-02 10:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 19:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2005-03-02 10:36 1955840 62c353c0449fd961ef7814973fc2fd30 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2002-09-04 05:56 1947904 0e8efb15746878a9b256e75267337233 C:\WINDOWS\$NtUninstallKB885835_0$\ntkrnlpa.exe
2004-08-04 15:58 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2004-10-22 17:29 1955840 efa7883018f42295d927121808ae6cee C:\WINDOWS\$NtUninstallKB890859_0$\ntkrnlpa.exe
2006-10-06 14:47 2014208 ebd922bbf31251df55713c90ac2e09b6 C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 18:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 18:38 2014976 e288993ae2900f19cc734d4676d99116 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2007-06-20 12:37 2014976 de78108955046f767e14c1ed7761f57e C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 18:38 2014976 e288993ae2900f19cc734d4676d99116 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2005-03-02 10:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe
2005-03-02 11:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 19:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2005-03-02 11:33 2040832 a15a2ee0be2f71fc1752a05660b8ebdc C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2002-09-04 05:50 2042240 b9080d97dbd631aadf9128f7316958d2 C:\WINDOWS\$NtUninstallKB885835_0$\ntoskrnl.exe
2004-08-04 16:19 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2004-10-22 18:33 2088448 5a7eb0c9f96917b7ecf5adf70c4b1bae C:\WINDOWS\$NtUninstallKB890859_0$\ntoskrnl.exe
2006-10-06 14:47 2136704 a9215afeb1261d47b75d4b9ca466a425 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 19:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 19:10 2137728 1e46b7a0c9547a321c4e2468025cb0f7 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2007-06-20 12:37 2137728 6ac9ba89d04d16b5d4f67528e3fa5327 C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 19:10 2137728 1e46b7a0c9547a321c4e2468025cb0f7 C:\WINDOWS\system32\dllcache\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20903DEB-F2F4-2559-78D7-F000B0DDEDAE}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFB33878-76D3-4B56-96E1-3E70F52D7DD6}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C67FB8D3-CAF6-42D5-8AE1-AD527FCB3A1D}]
C:\WINDOWS\system32\qoMccDuV.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-07 14:08 4670968]
"RK Launcher"="C:\Program Files\RK Launcher\RKLauncher.exe" [2005-10-19 17:40 393216]
"Yz Shadow"="C:\Program Files\YzShadow\YzShadow.exe" [2006-02-24 12:51 172032]
"Steam"="c:\program files\steam\steam.exe" [2008-03-28 18:11 1271032]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 10:34 5724184]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24 1694208]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 10:43 2097488]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-12 14:20 21686568]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56 15360]
"FreeCall"="C:\Program Files\FreeCall.com\FreeCall\FreeCall.exe" [2007-04-17 14:28 7247408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-10-19 07:59 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-10-19 07:59 126976]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 18:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-23 08:10 579584]
"LXCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-04-28 00:21 69632]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [2005-05-05 09:24 200704]
"EzPrint"="C:\Program Files\Lexmark 2300 Series\ezprint.exe" [2005-06-09 02:19 94208]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-07-22 09:42 1519616]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 16:49 49152]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-06-26 08:46 497200]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2006-06-26 09:34 614960]
"LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 09:33 243248]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"BM53615677"="C:\WINDOWS\system32\vmlwbeqn.dll" [ ]
"505265eb"="C:\WINDOWS\system32\ugljolhl.dll" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-29 07:10 219136]
C:\Documents and Settings\Victor\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-03-06 13:50:51 546816]
Shrink Pic.lnk - C:\Program Files\Shrink Pic\shrink_pic.exe [2007-04-19 00:53:54 3027019]
ęTorrent.lnk - C:\Program Files\uTorrent\uTorrent.exe [2007-10-18 21:46:35 219952]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bqiubfkb]
bqiubfkb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\myccmhto]
myccmhto.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c005A529]
__c005A529.dat 2008-04-24 10:18 32320 C:\WINDOWS\system32\__c005A529.dat
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"aux"= ctwdm32.dll
"vidc.yv12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Steam\\steamapps\\victorydance\\condition zero\\hl.exe"=
"C:\\Program Files\\Steam\\steamapps\\victorydance\\condition zero deleted scenes\\hl.exe"=
"C:\\Program Files\\Steam\\steamapps\\victorydance\\day of defeat source\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\victorydance\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\WINDOWS\\system32\\lxcgcoms.exe"=
"C:\\Program Files\\Steam\\steamapps\\victorydance\\garrysmod\\hl2.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\FreeCall.com\\FreeCall\\FreeCall.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
S3 DCamUSBPremier;Digital Camera;C:\WINDOWS\system32\Drivers\mpixvid.sys []
S3 glauiad;D-Link DSL-302G Modem;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2003-03-07 14:07]
S3 iMSPCLOj;iMSPCLOj;C:\DOCUME~1\Victor\LOCALS~1\Temp\iMSPCLOj.sys []
S3 MaRdPnp;MaRdPnp;C:\WINDOWS\system32\DRIVERS\MaRdP2K.sys [2005-03-25 17:28]
S3 PortlUSB;PortlUSB;C:\WINDOWS\system32\DRIVERS\H10USB.sys [2004-06-24 14:52]
.
Contents of the 'Scheduled Tasks' folder
"2008-04-24 00:57:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-23 23:24:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 18:43:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\__c005A529.dat
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\__c005A529.dat
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-04-24 18:53:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 08:53:24
Pre-Run: 10,246,193,152 bytes free
Post-Run: 13,390,385,152 bytes free
250 --- E O F --- 2008-04-09 17:05:22
Ok so any help before i try anything (Not a very Confident computer fixer-upper) would be GREAT!
Im extremely new here :laugh: and i read over the terms and cond. so i hope im not infringing on any policies etc..
ANYWAY!
Ok so, ran an SB:S&D Check, and came up with a Virtumonde that just wont go away, i read about it in the other posts and got myself a copy of ComboFix, ran it and heres what came up in the log:
ComboFix 08-04-22.5 - Victor 2008-04-24 18:34:01.1 - NTFSx86
Running from: C:\Documents and Settings\Victor\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\khfFYOEx.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qoMffEVL.dll
C:\WINDOWS\system32\VuDccMoq.ini
C:\WINDOWS\system32\VuDccMoq.ini2
.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.
2008-04-24 13:09 . 2008-04-24 13:14 211 --a------ C:\WINDOWS\wininit.ini
2008-04-24 10:18 . 2008-04-24 10:18 32,320 --a------ C:\WINDOWS\system32\__c005A529.dat
2008-04-24 10:15 . 2008-04-24 13:09 1,540,617 --ahs---- C:\WINDOWS\system32\lhlojlgu.ini
2008-04-24 10:14 . 2008-04-24 10:14 32,320 --a------ C:\WINDOWS\system32\__c0059309.dat
2008-04-24 06:21 . 2008-04-24 15:42 38 --a------ C:\WINDOWS\AviSplitter.INI
2008-04-23 10:10 . 2008-04-24 10:10 109,669 --a------ C:\WINDOWS\BM53615677.xml
2008-04-22 22:12 . 2008-04-22 22:12 0 --------- C:\WINDOWS\WB.ini
2008-04-22 22:06 . 2008-04-22 22:06 <DIR> d-------- C:\Program Files\Stardock
2008-04-22 22:06 . 2007-07-11 14:06 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2008-04-22 19:16 . 2008-04-22 19:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MediaWidget
2008-04-22 19:16 . 2007-11-04 19:01 1,369,600 --a------ C:\WINDOWS\bsdsetup.dll
2008-04-22 19:15 . 2008-04-22 19:15 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-22 18:20 . 2008-04-22 18:20 <DIR> d-------- C:\Program Files\iTunes
2008-04-22 18:20 . 2008-04-22 18:20 <DIR> d-------- C:\Program Files\iPod
2008-04-22 18:19 . 2008-04-22 18:19 <DIR> d-------- C:\Program Files\Bonjour
2008-04-22 18:18 . 2008-04-22 18:19 <DIR> d-------- C:\Program Files\QuickTime
2008-04-22 18:15 . 2008-02-18 11:16 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-04-22 18:14 . 2008-04-22 18:14 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-20 09:42 . 2008-04-20 09:42 126 --a------ C:\WINDOWS\kaillera.ini
2008-04-19 16:45 . 2008-04-21 19:01 <DIR> d-------- C:\Program Files\EA Games
2008-04-16 18:31 . 2008-04-16 18:31 <DIR> d-------- C:\Program Files\GIMP-2.0
2008-04-11 22:51 . 2008-04-11 22:51 <DIR> d-------- C:\Program Files\Wise Registry Cleaner 3 Pro
2008-04-10 18:38 . 2008-04-10 18:44 <DIR> d-------- C:\Documents and Settings\Victor\Application Data\FreeCall
2008-04-10 18:36 . 2008-04-10 18:36 <DIR> d-------- C:\Program Files\FreeCall.com
2008-04-07 22:24 . 2008-04-07 22:24 <DIR> d-------- C:\Program Files\UnH Solutions
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 08:48 --------- d-----w C:\Documents and Settings\Victor\Application Data\Skype
2008-04-24 08:43 --------- d-----w C:\Program Files\Steam
2008-04-24 07:12 --------- d-----w C:\Documents and Settings\Victor\Application Data\skypePM
2008-04-23 22:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-04-23 20:21 --------- d-----w C:\Documents and Settings\Victor\Application Data\uTorrent
2008-04-23 03:19 --------- d-----w C:\Documents and Settings\Victor\Application Data\shrink_pic
2008-04-23 03:08 --------- d-----w C:\Program Files\Lx_cats
2008-04-23 03:04 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2008-04-22 08:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-22 08:15 --------- d-----w C:\Program Files\Apple Software Update
2008-04-20 08:01 --------- d-----w C:\Program Files\Common Files\EasyInfo
2008-04-17 08:14 --------- d-----w C:\Program Files\Windows Live
2008-04-17 08:13 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-17 08:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-12 02:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-29 22:08 --------- d-----w C:\Documents and Settings\Victor\Application Data\AVG7
2008-03-29 06:34 --------- d-----w C:\Documents and Settings\Victor\Application Data\Moyea
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-13 11:44 --------- d-----w C:\Program Files\XP Codec Pack
2008-03-10 13:46 --------- d-----w C:\Documents and Settings\Victor\Application Data\Creative
2008-03-10 13:41 --------- d-----w C:\Program Files\Image-Line
2008-03-10 08:38 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-10 08:38 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-09 19:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-09 19:48 --------- d-----w C:\Program Files\AGEIA Technologies
2008-03-09 05:06 --------- d-----w C:\Program Files\VstPlugins
2008-03-09 00:55 --------- d-----w C:\Program Files\Common Files\Logitech
2008-03-09 00:54 --------- d-----w C:\Program Files\Logitech
2008-03-09 00:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-06 15:29 962,560 ----a-w C:\WINDOWS\system32\VSFilter.dll
2008-03-06 03:51 --------- d-----w C:\Program Files\MagicDisc
2008-03-05 14:14 --------- d-----w C:\Program Files\uTorrent
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-27 11:41 --------- d-----w C:\Documents and Settings\Guest\Application Data\AVG7
2008-02-27 01:17 --------- d-----w C:\Program Files\Google
2008-02-26 10:52 --------- d-----w C:\Program Files\ATI Technologies
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-13 08:29 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-01-29 02:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2008-01-11 03:32 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.
------- Sigcheck -------
2005-03-02 10:34 2056832 81013f36b21c7f72cf784cc6731e0002 C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntkrnlpa.exe
2005-03-02 10:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 19:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2005-03-02 10:36 1955840 62c353c0449fd961ef7814973fc2fd30 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2002-09-04 05:56 1947904 0e8efb15746878a9b256e75267337233 C:\WINDOWS\$NtUninstallKB885835_0$\ntkrnlpa.exe
2004-08-04 15:58 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2004-10-22 17:29 1955840 efa7883018f42295d927121808ae6cee C:\WINDOWS\$NtUninstallKB890859_0$\ntkrnlpa.exe
2006-10-06 14:47 2014208 ebd922bbf31251df55713c90ac2e09b6 C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 18:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 18:38 2014976 e288993ae2900f19cc734d4676d99116 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2007-06-20 12:37 2014976 de78108955046f767e14c1ed7761f57e C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 18:38 2014976 e288993ae2900f19cc734d4676d99116 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2005-03-02 10:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe
2005-03-02 11:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 19:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2005-03-02 11:33 2040832 a15a2ee0be2f71fc1752a05660b8ebdc C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2002-09-04 05:50 2042240 b9080d97dbd631aadf9128f7316958d2 C:\WINDOWS\$NtUninstallKB885835_0$\ntoskrnl.exe
2004-08-04 16:19 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2004-10-22 18:33 2088448 5a7eb0c9f96917b7ecf5adf70c4b1bae C:\WINDOWS\$NtUninstallKB890859_0$\ntoskrnl.exe
2006-10-06 14:47 2136704 a9215afeb1261d47b75d4b9ca466a425 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 19:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 19:10 2137728 1e46b7a0c9547a321c4e2468025cb0f7 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2007-06-20 12:37 2137728 6ac9ba89d04d16b5d4f67528e3fa5327 C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 19:10 2137728 1e46b7a0c9547a321c4e2468025cb0f7 C:\WINDOWS\system32\dllcache\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20903DEB-F2F4-2559-78D7-F000B0DDEDAE}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFB33878-76D3-4B56-96E1-3E70F52D7DD6}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C67FB8D3-CAF6-42D5-8AE1-AD527FCB3A1D}]
C:\WINDOWS\system32\qoMccDuV.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-07 14:08 4670968]
"RK Launcher"="C:\Program Files\RK Launcher\RKLauncher.exe" [2005-10-19 17:40 393216]
"Yz Shadow"="C:\Program Files\YzShadow\YzShadow.exe" [2006-02-24 12:51 172032]
"Steam"="c:\program files\steam\steam.exe" [2008-03-28 18:11 1271032]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 10:34 5724184]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24 1694208]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 10:43 2097488]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-12 14:20 21686568]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56 15360]
"FreeCall"="C:\Program Files\FreeCall.com\FreeCall\FreeCall.exe" [2007-04-17 14:28 7247408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-10-19 07:59 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-10-19 07:59 126976]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 18:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-23 08:10 579584]
"LXCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-04-28 00:21 69632]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [2005-05-05 09:24 200704]
"EzPrint"="C:\Program Files\Lexmark 2300 Series\ezprint.exe" [2005-06-09 02:19 94208]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-07-22 09:42 1519616]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 16:49 49152]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-06-26 08:46 497200]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2006-06-26 09:34 614960]
"LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 09:33 243248]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"BM53615677"="C:\WINDOWS\system32\vmlwbeqn.dll" [ ]
"505265eb"="C:\WINDOWS\system32\ugljolhl.dll" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-29 07:10 219136]
C:\Documents and Settings\Victor\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-03-06 13:50:51 546816]
Shrink Pic.lnk - C:\Program Files\Shrink Pic\shrink_pic.exe [2007-04-19 00:53:54 3027019]
ęTorrent.lnk - C:\Program Files\uTorrent\uTorrent.exe [2007-10-18 21:46:35 219952]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bqiubfkb]
bqiubfkb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\myccmhto]
myccmhto.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c005A529]
__c005A529.dat 2008-04-24 10:18 32320 C:\WINDOWS\system32\__c005A529.dat
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"aux"= ctwdm32.dll
"vidc.yv12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Steam\\steamapps\\victorydance\\condition zero\\hl.exe"=
"C:\\Program Files\\Steam\\steamapps\\victorydance\\condition zero deleted scenes\\hl.exe"=
"C:\\Program Files\\Steam\\steamapps\\victorydance\\day of defeat source\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\victorydance\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\WINDOWS\\system32\\lxcgcoms.exe"=
"C:\\Program Files\\Steam\\steamapps\\victorydance\\garrysmod\\hl2.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\FreeCall.com\\FreeCall\\FreeCall.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
S3 DCamUSBPremier;Digital Camera;C:\WINDOWS\system32\Drivers\mpixvid.sys []
S3 glauiad;D-Link DSL-302G Modem;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2003-03-07 14:07]
S3 iMSPCLOj;iMSPCLOj;C:\DOCUME~1\Victor\LOCALS~1\Temp\iMSPCLOj.sys []
S3 MaRdPnp;MaRdPnp;C:\WINDOWS\system32\DRIVERS\MaRdP2K.sys [2005-03-25 17:28]
S3 PortlUSB;PortlUSB;C:\WINDOWS\system32\DRIVERS\H10USB.sys [2004-06-24 14:52]
.
Contents of the 'Scheduled Tasks' folder
"2008-04-24 00:57:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-23 23:24:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 18:43:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\__c005A529.dat
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\__c005A529.dat
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-04-24 18:53:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 08:53:24
Pre-Run: 10,246,193,152 bytes free
Post-Run: 13,390,385,152 bytes free
250 --- E O F --- 2008-04-09 17:05:22
Ok so any help before i try anything (Not a very Confident computer fixer-upper) would be GREAT!