
please help i have - virtumonde



ehblab
2008-06-21, 15:21
Please help, I have a Virtumonde infection that I can't get rid of. Here is my HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:17 AM, on 6/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Intel\IDU\IDUServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\IDU\iptray.exe
C:\WINDOWS\System32\winsys2.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\G15NetSpeed.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1083F2B7-B03E-4364-A968-DCEE4F97323C} - C:\WINDOWS\system32\hgGXrSig.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {81A49258-0DF3-4258-9833-F1195026CA25} - C:\WINDOWS\system32\awtusqOf.dll (file missing)
O2 - BHO: (no name) - {89DE4B88-2C38-4005-B15E-9683F505CAF3} - C:\WINDOWS\system32\ljJCrOHB.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {24eae05a-bccf-bb7b-3ab4-bfdcceb61f9a} - {a9f16bec-cdfb-4ba3-b7bb-fccba50eae42} - C:\WINDOWS\system32\ohimxnfu.dll
O2 - BHO: (no name) - {B2B75C3A-F839-43FF-8713-E98130DBA144} - C:\WINDOWS\system32\jkkIXQKe.dll (file missing)
O2 - BHO: (no name) - {E83C6FA4-0DD8-42D9-AD24-2F9757A838AC} - C:\WINDOWS\system32\ddcApnLe.dll (file missing)
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ipTray.exe] "C:\Program Files\Intel\IDU\iptray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\System32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\System32\sw24.exe
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\System32\winsys2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [b89d63da] rundll32.exe "C:\WINDOWS\system32\xkrjmeib.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BMbbae5046] Rundll32.exe "C:\WINDOWS\system32\vauybpxe.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX9400Fax Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFA.EXE /FU "C:\WINDOWS\TEMP\E_SA6.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212109198500
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212177678171
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Desktop Utilities Service (iHCService) - OSA Technologies, Inc. - C:\Program Files\Intel\IDU\IDUServ.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 9352 bytes

pskelley
2008-06-22, 12:46
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected. I suggest you keep this computer offline except when troubleshooting; the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

Looks like Vundo to me also, but you have other junk including a backdoor trojan: C:\WINDOWS\System32\winsys2.exe
http://www.google.com/search?hl=en&q=winsys2.exe&btnG=Google+Search
Since it is a backdoor trojan, I believe for your security you should have this information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

I will start the cleanup and if you would prefer to reformat, just let me know, I will understand.

1) We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks
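As an added example (not part of pskelley's reply and not code from HijackThis or ComboFix), here is a small Python triage script that applies the Vundo indicators pointed out in this thread to HJT log lines: unnamed BHOs whose DLL is already missing, BHOs whose display name is a bare GUID, and Run entries that load an eight-letter system32 DLL through rundll32 with a one-letter export. The sample lines are copied from the log posted above, with legitimate entries mixed in; each rule is a hint for a human reviewer, not a verdict.

```python
"""Flag Vundo/Virtumonde-style entries in a HijackThis log (added example).

Rules, each a hint rather than a verdict:
  * O2 BHO "(no name)" whose DLL is "(file missing)"  -> orphaned CLSID
  * O2 BHO whose display name is itself a GUID
  * O2/O4 entry pointing at <dir>\\system32\\<eight letters>.dll
  * O4 Run entry launching such a DLL via rundll32 with a one-letter export
  * O4 Run value name that is only a hex blob (e.g. b89d63da, BMbbae5046)
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# O4 - HKLM\..\Run: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
HEX_VALUE_RE = re.compile(r"^(?:BM)?[0-9a-f]{8,}$")


@dataclass
class Finding:
    line: str
    reasons: List[str]


def _random_system32_dll(path: str) -> bool:
    """True for <...>\\system32\\<eight letters>.dll, the naming Vundo droppers use."""
    path = path.replace(" (file missing)", "").strip().strip('"')
    directory, _, base = path.rpartition("\\")
    stem, _, ext = base.rpartition(".")
    return (directory.lower().endswith("\\system32")
            and ext.lower() == "dll"
            and re.fullmatch(r"[A-Za-z]{8}", stem) is not None)


def _rundll32_loader(cmd: str) -> Optional[Tuple[str, str]]:
    """Return (dll, export) when cmd is rundll32.exe "<random system32 dll>",<letter>."""
    parts = cmd.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "rundll32.exe":
        return None
    m = re.fullmatch(r'"?(?P<dll>[^",]+)"?,(?P<export>[A-Za-z])', parts[1])
    if not m or not _random_system32_dll(m.group("dll")):
        return None
    return m.group("dll"), m.group("export")


def _check_bho(name: str, path: str) -> List[str]:
    reasons = []
    if name == "(no name)" and path.endswith("(file missing)"):
        reasons.append("unnamed BHO whose DLL is gone (CLSID left behind by a removed DLL)")
    if GUID_RE.match(name):
        reasons.append("BHO display name is a bare GUID")
    if _random_system32_dll(path):
        reasons.append("BHO DLL is an eight-letter random name in system32")
    return reasons


def _check_run(value: str, cmd: str) -> List[str]:
    reasons = []
    if HEX_VALUE_RE.match(value):
        reasons.append("Run value name is a hex blob rather than a product name")
    loader = _rundll32_loader(cmd)
    if loader:
        reasons.append(f"rundll32 loads {loader[0]} through single-letter export '{loader[1]}'")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return the O2/O4 lines that trip at least one rule, with the reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons: List[str] = []
        m = O2_RE.match(line)
        if m:
            reasons += _check_bho(m.group("name"), m.group("path"))
        m = O4_RE.match(line)
        if m:
            reasons += _check_run(m.group("value"), m.group("cmd"))
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


# Sample lines copied from the HJT log posted in this thread (legit entries mixed in).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1083F2B7-B03E-4364-A968-DCEE4F97323C} - C:\WINDOWS\system32\hgGXrSig.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {24eae05a-bccf-bb7b-3ab4-bfdcceb61f9a} - {a9f16bec-cdfb-4ba3-b7bb-fccba50eae42} - C:\WINDOWS\system32\ohimxnfu.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [b89d63da] rundll32.exe "C:\WINDOWS\system32\xkrjmeib.dll",b
O4 - HKLM\..\Run: [BMbbae5046] Rundll32.exe "C:\WINDOWS\system32\vauybpxe.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Running it against the eight sample lines flags the two orphaned or GUID-named BHOs and the two rundll32 Run entries, and leaves the Adobe, Spybot, NVIDIA and ctfmon entries alone.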

ehblab
2008-06-22, 16:30
Here are the ComboFix and HJT logs.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:49 AM, on 6/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Intel\IDU\IDUServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Intel\IDU\iptray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\G15NetSpeed.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1083F2B7-B03E-4364-A968-DCEE4F97323C} - C:\WINDOWS\system32\hgGXrSig.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {81A49258-0DF3-4258-9833-F1195026CA25} - C:\WINDOWS\system32\awtusqOf.dll (file missing)
O2 - BHO: (no name) - {89DE4B88-2C38-4005-B15E-9683F505CAF3} - C:\WINDOWS\system32\ljJCrOHB.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {24eae05a-bccf-bb7b-3ab4-bfdcceb61f9a} - {a9f16bec-cdfb-4ba3-b7bb-fccba50eae42} - C:\WINDOWS\system32\ohimxnfu.dll
O2 - BHO: (no name) - {B2B75C3A-F839-43FF-8713-E98130DBA144} - C:\WINDOWS\system32\jkkIXQKe.dll (file missing)
O2 - BHO: (no name) - {E83C6FA4-0DD8-42D9-AD24-2F9757A838AC} - C:\WINDOWS\system32\ddcApnLe.dll (file missing)
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ipTray.exe] "C:\Program Files\Intel\IDU\iptray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\System32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\System32\sw24.exe
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\System32\winsys2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [b89d63da] rundll32.exe "C:\WINDOWS\system32\xkrjmeib.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BMbbae5046] Rundll32.exe "C:\WINDOWS\system32\vauybpxe.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX9400Fax Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFA.EXE /FU "C:\WINDOWS\TEMP\E_SA6.tmp" /EF "HKCU"
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212109198500
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212177678171
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Desktop Utilities Service (iHCService) - OSA Technologies, Inc. - C:\Program Files\Intel\IDU\IDUServ.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 8489 bytes


ComboFix 08-06-20.4 - Eric & Lori 2008-06-22 10:17:28.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1516 [GMT -4:00]
Running from: C:\Documents and Settings\Eric & Lori\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\taskkill.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-22 to 2008-06-22 )))))))))))))))))))))))))))))))
.

2008-06-21 08:25 . 2008-06-21 08:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-20 16:11 . 2008-06-20 16:11 120,320 --a------ C:\WINDOWS\system32\xkrjmeib.dll
2008-06-20 16:02 . 2008-06-20 16:02 132,608 --a------ C:\WINDOWS\system32\ohimxnfu.dll
2008-06-20 16:02 . 2008-06-20 16:02 123,392 --a------ C:\WINDOWS\system32\vauybpxe.dll
2008-06-20 15:34 . 2008-06-20 15:34 132,608 --a------ C:\WINDOWS\system32\rvdynphi.dll
2008-06-20 15:34 . 2008-06-20 15:34 123,392 --a------ C:\WINDOWS\system32\jthqdsae.dll
2008-06-20 15:21 . 2008-06-20 15:25 354 ---hs---- C:\WINDOWS\system32\uhpjqbbc.ini
2008-06-19 19:19 . 2008-06-19 19:19 104,960 --a------ C:\WINDOWS\system32\oftnqjqm.dll
2008-06-19 17:57 . 2008-06-19 18:14 354 --ahs---- C:\WINDOWS\system32\ccitjnhj.ini
2008-06-19 17:31 . 2008-06-19 17:31 104,960 --a------ C:\WINDOWS\system32\uxreapdo.dll
2008-06-19 16:45 . 2008-06-19 16:45 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-19 16:26 . 2008-06-19 16:26 104,960 --a------ C:\WINDOWS\system32\mgivboef.dll
2008-06-19 16:20 . 2008-06-19 16:24 <DIR> d--hs---- C:\Documents and Settings\Eric & Lori\!
2008-06-15 08:52 . 2008-06-16 14:19 <DIR> d-------- C:\Program Files\Hidden Expedition - Everest
2008-06-15 08:52 . 2008-06-15 08:52 <DIR> d-------- C:\Program Files\BFG
2008-06-14 17:07 . 2008-06-14 17:07 39,936 --a------ C:\WINDOWS\system32\drivers\CDAC11BA.EXE
2008-06-14 15:22 . 2008-06-19 17:15 267 --a------ C:\WINDOWS\wininit.ini
2008-06-14 12:57 . 2008-06-14 13:00 <DIR> d-------- C:\WINDOWS\system32\netrax18
2008-06-13 17:37 . 2008-06-13 17:37 <DIR> d-------- C:\TEMP\mechwarrior
2008-06-12 19:52 . 2008-06-12 19:52 <DIR> d-------- C:\Program Files\Atlantis
2008-06-12 19:47 . 2008-06-18 17:52 <DIR> d-------- C:\Program Files\Hidden Expedition - Titanic
2008-06-12 19:45 . 2008-06-19 18:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-12 19:42 . 2008-06-12 19:42 <DIR> d-------- C:\Program Files\bfgclient
2008-06-12 19:42 . 2008-06-12 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2008-06-11 16:11 . 2008-06-19 16:19 <DIR> d-------- C:\WINDOWS\system32\netrax05
2008-06-11 16:11 . 2008-06-11 16:11 <DIR> d-------- C:\TEMP\itmp4
2008-06-11 16:11 . 2008-06-21 13:22 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-11 06:21 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 15:41 . 2008-06-19 16:42 <DIR> d-------- C:\Documents and Settings\Eric & Lori\Application Data\LimeWire
2008-06-10 15:40 . 2008-06-10 15:40 <DIR> d-------- C:\Program Files\Java
2008-06-10 15:40 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-10 15:39 . 2008-06-10 15:39 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-10 15:34 . 2008-06-19 17:35 <DIR> d-------- C:\Program Files\LimeWire
2008-06-02 20:56 . 2008-06-02 20:56 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-06-02 17:08 . 2008-06-02 17:08 <DIR> d-------- C:\Documents and Settings\Eric & Lori\Application Data\Command & Conquer 3 Tiberium Wars
2008-06-01 11:30 . 2008-06-01 11:30 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-06-01 11:30 . 2008-06-01 11:30 <DIR> dr-h----- C:\Documents and Settings\Eric & Lori\Application Data\SecuROM
2008-06-01 11:30 . 2008-06-01 11:30 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-06-01 10:03 . 2008-06-01 10:03 <DIR> d-------- C:\Documents and Settings\Eric & Lori\Application Data\U3
2008-06-01 09:38 . 2008-06-18 21:35 <DIR> d-------- C:\Program Files\Xfire
2008-06-01 09:38 . 2008-06-01 09:38 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-06-01 09:38 . 2008-06-22 09:32 <DIR> d-------- C:\Documents and Settings\Eric & Lori\Application Data\Xfire
2008-06-01 09:29 . 2008-06-01 09:29 <DIR> d-------- C:\Documents and Settings\Eric & Lori\Application Data\Logitech
2008-06-01 09:26 . 2008-06-01 09:26 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-06-01 09:26 . 2004-10-21 13:30 71,535 --a------ C:\WINDOWS\system32\drivers\LMouKE.Sys
2008-06-01 09:26 . 2004-10-21 13:31 54,851 --a------ C:\WINDOWS\system32\drivers\L8042mou.Sys
2008-06-01 09:26 . 2004-10-21 13:32 13,107 --a------ C:\WINDOWS\system32\drivers\L8042Kbd.sys
2008-05-31 11:53 . 2008-05-31 11:53 <DIR> d-------- C:\Program Files\Call of Duty 4 Multiplayer Backup
2008-05-31 11:09 . 2008-05-31 11:09 <DIR> d-------- C:\Documents and Settings\LocalService\World in Conflict
2008-05-31 11:09 . 2008-05-31 11:09 <DIR> d-------- C:\Documents and Settings\LocalService\Logitech
2008-05-31 11:08 . 2008-05-31 11:08 <DIR> d-------- C:\Documents and Settings\Eric & Lori\Application Data\Avocent AdminWorks
2008-05-31 10:20 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-31 10:20 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-30 21:25 . 2008-05-31 11:53 <DIR> d-------- C:\Program Files\Electronic Arts
2008-05-30 21:16 . 2008-05-30 21:16 <DIR> d-------- C:\Program Files\directx
2008-05-30 21:14 . 2008-05-30 21:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-05-30 21:13 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-05-30 21:13 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-05-30 21:13 . 2008-05-30 21:13 2,337,865 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-05-30 21:13 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-05-30 21:13 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-05-30 21:13 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-05-30 21:13 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-05-30 21:13 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-05-30 21:13 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-05-30 21:01 . 2008-05-30 21:01 <DIR> d-------- C:\Program Files\Ubisoft
2008-05-30 20:47 . 2008-05-30 21:16 <DIR> d-------- C:\Program Files\Microsoft Games
2008-05-30 20:42 . 2008-06-21 19:57 33,080 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-30 20:42 . 2008-05-30 21:13 22,328 --a------ C:\Documents and Settings\Eric & Lori\Application Data\PnkBstrK.sys
2008-05-30 20:41 . 2008-06-21 19:57 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-05-30 20:41 . 2008-05-31 20:33 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-05-30 20:41 . 2008-05-30 20:41 319 --a------ C:\WINDOWS\game.ini
2008-05-30 20:28 . 2008-05-30 20:28 <DIR> d-------- C:\Program Files\Activision
2008-05-30 20:25 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2008-05-30 20:25 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2008-05-30 20:25 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2008-05-30 20:25 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2008-05-30 20:25 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-05-30 20:20 . 2008-05-30 20:20 <DIR> d-------- C:\Program Files\Sierra Entertainment
2008-05-30 20:17 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-05-30 20:17 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-05-30 20:14 . 2008-05-30 20:14 <DIR> d-------- C:\Program Files\Saitek
2008-05-30 20:14 . 2008-05-30 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Saitek
2008-05-30 20:11 . 2007-05-01 15:49 18,512 -ra------ C:\WINDOWS\system32\SaiD5F0D.pr0
2008-05-30 20:07 . 2008-06-21 08:22 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-30 20:07 . 2008-06-21 09:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-30 17:39 . 2008-05-30 17:39 <DIR> d-------- C:\Program Files\LiveUpdate
2008-05-30 17:39 . 2004-08-04 02:08 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2008-05-30 17:39 . 2004-08-04 02:08 25,600 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys
2008-05-30 17:38 . 2008-05-30 17:39 <DIR> d-------- C:\Program Files\mobile PhoneTools
2008-05-30 17:38 . 2008-05-30 17:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-30 17:30 . 2008-05-30 17:30 <DIR> d-------- C:\EPSONREG
2008-05-30 17:30 . 2008-05-30 17:30 <DIR> d-------- C:\Documents and Settings\Eric & Lori\Application Data\Leadertech
2008-05-30 17:24 . 2008-05-30 17:24 <DIR> d-------- C:\Program Files\ABBYY FineReader 6.0 Sprint
2008-05-30 17:23 . 2008-05-30 17:23 <DIR> d-------- C:\WINDOWS\system32\PhotoImpression Slideshow
2008-05-30 17:23 . 2008-05-30 17:23 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-05-30 17:23 . 2008-05-30 17:23 <DIR> d-------- C:\Program Files\ArcSoft
2008-05-30 17:23 . 2008-05-30 17:23 <DIR> d-------- C:\Documents and Settings\Eric & Lori\Application Data\ArcSoft
2008-05-30 17:23 . 2003-03-18 22:14 499,712 -ra------ C:\WINDOWS\system32\msvcp71.dll
2008-05-30 17:23 . 2004-08-04 07:52 413,696 -ra------ C:\WINDOWS\system32\msvc2071.rra
2008-05-30 17:23 . 2004-12-07 10:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-05-30 17:23 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-05-30 17:23 . 2006-10-20 16:11 126,976 --a------ C:\WINDOWS\system32\PhotoImpression Slideshow.scr
2008-05-30 17:23 . 2005-02-23 14:58 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2008-05-30 17:22 . 2008-05-30 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EPSON
2008-05-30 17:22 . 2004-08-04 02:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-05-30 17:22 . 2004-08-04 02:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-05-30 17:22 . 2004-08-04 02:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-05-30 17:22 . 2004-08-04 01:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-05-30 17:22 . 2004-08-04 01:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-05-30 17:19 . 2008-05-30 17:19 <DIR> d-------- C:\Documents and Settings\Eric & Lori\Application Data\InstallShield
2008-05-30 17:17 . 2008-05-30 17:24 <DIR> d-------- C:\Program Files\epson
2008-05-30 17:17 . 2007-04-18 00:00 67,072 --a------ C:\WINDOWS\system32\escwiad.dll
2008-05-30 17:17 . 2008-05-30 17:30 44 --a------ C:\WINDOWS\EPSCX9400Fax.ini
2008-05-30 17:16 . 2008-05-30 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OLYMPUS
2008-05-30 17:13 . 2008-05-30 17:13 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-05-30 17:13 . 2008-05-30 17:13 <DIR> d-------- C:\Binaries
2008-05-30 17:13 . 2003-04-18 16:29 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-05-30 17:13 . 2003-05-01 17:49 402 --a------ C:\WINDOWS\system32\msxml4.inf
2008-05-30 17:12 . 2008-05-30 17:12 <DIR> d-------- C:\Program Files\iTunes
2008-05-30 17:12 . 2008-05-30 17:12 <DIR> d-------- C:\Program Files\iPod
2008-05-30 17:12 . 2008-05-30 17:12 <DIR> d-------- C:\Program Files\Bonjour
2008-05-30 17:12 . 2008-05-30 17:12 <DIR> d-------- C:\Documents and Settings\Eric & Lori\Application Data\Apple Computer
2008-05-30 17:11 . 2008-05-30 17:11 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-05-30 17:11 . 2008-05-30 17:11 <DIR> d-------- C:\Program Files\Apple Software Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 23:42 0 ----a-w C:\Program Files\temp01
2008-05-30 00:56 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-05-29 23:00 558,142 ----a-w C:\WINDOWS\java\Packages\D7VZ7V9Z.ZIP
2008-05-29 23:00 155,995 ----a-w C:\WINDOWS\java\Packages\1JPR97HZ.ZIP
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-16 23:56 524,288 ----a-w C:\WINDOWS\opuc.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-14_16.27.32.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-14 20:22:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-22 13:23:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-14 11:01:02 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-06-13 13:10:50 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
- 2000-08-31 12:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 12:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1083F2B7-B03E-4364-A968-DCEE4F97323C}]
C:\WINDOWS\system32\hgGXrSig.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81A49258-0DF3-4258-9833-F1195026CA25}]
C:\WINDOWS\system32\awtusqOf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89DE4B88-2C38-4005-B15E-9683F505CAF3}]
C:\WINDOWS\system32\ljJCrOHB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a9f16bec-cdfb-4ba3-b7bb-fccba50eae42}]
2008-06-20 16:02 132608 --a------ C:\WINDOWS\system32\ohimxnfu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B2B75C3A-F839-43FF-8713-E98130DBA144}]
C:\WINDOWS\system32\jkkIXQKe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E83C6FA4-0DD8-42D9-AD24-2F9757A838AC}]
C:\WINDOWS\system32\ddcApnLe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"EPSON Stylus CX9400Fax Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFA.EXE" [2007-03-23 06:00 182272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"ipTray.exe"="C:\Program Files\Intel\IDU\iptray.exe" [2004-06-11 16:04 1226752]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-08-11 09:43 7630848]
"nwiz"="nwiz.exe" [2006-08-11 09:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"SW20"="C:\WINDOWS\System32\sw20.exe" [2006-09-07 06:13 208896]
"SW24"="C:\WINDOWS\System32\sw24.exe" [2006-09-07 06:14 69632]
"WinSys2"="C:\WINDOWS\System32\winsys2.exe" [2006-10-03 02:37 217088]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-08-11 09:43 86016]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 15:03 16125440 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"Launch LCDMon"="C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 17:43 2051096]
"Launch LGDCore"="C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 17:57 2095640]
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2004-08-13 16:42 36864]
"ProfilerU"="C:\Program Files\Saitek\SD6\Software\ProfilerU.exe" [2007-10-02 10:10 233472]
"SaiMfd"="C:\Program Files\Saitek\SD6\Software\SaiMfd.exe" [2007-10-02 10:10 131072]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"b89d63da"="C:\WINDOWS\system32\xkrjmeib.dll" [2008-06-20 16:11 120320]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-30 15:35 1177368]
"BMbbae5046"="C:\WINDOWS\system32\vauybpxe.dll" [2008-06-20 16:02 123392]

C:\Documents and Settings\Eric & Lori\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2008-06-02 20:56:46 3017040]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [2008-06-01 09:26:41 581632]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"C:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"C:\\Program Files\\Microsoft Games\\MechWarrior Vengeance\\MW4.ICD"=
"C:\\Program Files\\Microsoft Games\\MechWarrior Vengeance\\mw4x\\MW4x.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-30 15:35]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-30 15:35]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-30 15:35]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-30 15:35]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2004-06-01 15:28]
S3 SaiH5F0D;SaiH5F0D;C:\WINDOWS\system32\DRIVERS\SaiH5F0D.sys [2007-05-01 15:49]
S3 SaiU5F0D;SaiU5F0D;C:\WINDOWS\system32\DRIVERS\SaiU5F0D.sys [2007-05-01 15:49]
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f523f0f0-2fdf-11dd-a80d-001320ca6693}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 21:11:41 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 10:18:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-22 10:18:46
ComboFix-quarantined-files.txt 2008-06-22 14:18:44
ComboFix2.txt 2008-06-22 14:09:59
ComboFix3.txt 2008-06-21 12:59:36
ComboFix4.txt 2008-06-21 02:36:30
ComboFix5.txt 2008-06-20 21:07:41

Pre-Run: 94,762,688,512 bytes free
Post-Run: 94,749,655,040 bytes free

269 --- E O F --- 2008-06-21 13:11:49

pskelley
2008-06-22, 17:39
Thanks for returning the information; it seems ComboFix did not find what I thought it would. We will remove the junk (hopefully) with CFScript.

Before we start, I did more checking about this: C:\WINDOWS\System32\winsys2.exe
and found it may have to do with this: http://www.hardocp.com/article.html?art=ODAwLDI=
Make sure you can see all files and folders (direction #1), then scan that file with one or more of these free scanners and post the results.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

I am showing all of these old ComboFix runs; are you sure you removed the old version of ComboFix before you started, as instructed?
ComboFix2.txt 2008-06-22 14:09:59
ComboFix3.txt 2008-06-21 12:59:36
ComboFix4.txt 2008-06-21 02:36:30
ComboFix5.txt 2008-06-20 21:07:41


1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

(the CFScript directions must be followed exactly or it won't work)

3) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\ohimxnfu.dll
C:\WINDOWS\system32\xkrjmeib.dll
C:\WINDOWS\system32\vauybpxe.dll
C:\WINDOWS\system32\rvdynphi.dll
C:\WINDOWS\system32\jthqdsae.dll
C:\WINDOWS\system32\uhpjqbbc.ini
C:\WINDOWS\system32\oftnqjqm.dll
C:\WINDOWS\system32\ccitjnhj.ini
C:\WINDOWS\system32\uxreapdo.dll
C:\WINDOWS\system32\mgivboef.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1083F2B7-B03E-4364-A968-DCEE4F97323C}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81A49258-0DF3-4258-9833-F1195026CA25}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89DE4B88-2C38-4005-B15E-9683F505CAF3}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a9f16bec-cdfb-4ba3-b7bb-fccba50eae42}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B2B75C3A-F839-43FF-8713-E98130DBA144}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E83C6FA4-0DD8-42D9-AD24-2F9757A838AC}]

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(some may be gone, removed by CFScript)

O2 - BHO: (no name) - {1083F2B7-B03E-4364-A968-DCEE4F97323C} - C:\WINDOWS\system32\hgGXrSig.dll (file missing)
O2 - BHO: (no name) - {81A49258-0DF3-4258-9833-F1195026CA25} - C:\WINDOWS\system32\awtusqOf.dll (file missing)
O2 - BHO: (no name) - {89DE4B88-2C38-4005-B15E-9683F505CAF3} - C:\WINDOWS\system32\ljJCrOHB.dll (file missing)
O2 - BHO: {24eae05a-bccf-bb7b-3ab4-bfdcceb61f9a} - {a9f16bec-cdfb-4ba3-b7bb-fccba50eae42} - C:\WINDOWS\system32\ohimxnfu.dll
O2 - BHO: (no name) - {B2B75C3A-F839-43FF-8713-E98130DBA144} - C:\WINDOWS\system32\jkkIXQKe.dll (file missing)
O2 - BHO: (no name) - {E83C6FA4-0DD8-42D9-AD24-2F9757A838AC} - C:\WINDOWS\system32\ddcApnLe.dll (file missing)
O4 - HKLM\..\Run: [b89d63da] rundll32.exe "C:\WINDOWS\system32\xkrjmeib.dll",b
O4 - HKLM\..\Run: [BMbbae5046] Rundll32.exe "C:\WINDOWS\system32\vauybpxe.dll",s

Close all programs but HJT and all browser windows, then click on "Fix Checked".

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the ComboFix log from CFScript and a new HJT log, and let me know how the computer is running.

Thanks
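
The selection pskelley made above (orphaned BHOs with no name and a missing file, a BHO whose display name is itself a GUID, Run values with hex-looking names that load an eight-letter DLL from system32 through rundll32) is a repeatable judgement, and it is the kind of thing a responder wants to check by hand before building a CFScript. The script below is an added example written for this page; it is not pskelley's, HijackThis's or ComboFix's own code. It applies those same indicators to HijackThis O2/O4 lines and lays out the File:: / Registry:: sections in the shape used in the CFScript above. The sample input is constructed: it repeats O2/O4 lines quoted in this thread and adds two benign control lines ("Example Toolbar Helper" with an all-zero CLSID, and the AVG tray entry) so the filter has something it must leave alone. The two-indicator threshold and the regular expressions are the editor's assumptions, not part of either tool.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: HijackThis O2/O4 lines quoted in this thread plus two
# benign controls; "Example Toolbar Helper" and its all-zero CLSID are made up.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {1083F2B7-B03E-4364-A968-DCEE4F97323C} - C:\WINDOWS\system32\hgGXrSig.dll (file missing)
O2 - BHO: {24eae05a-bccf-bb7b-3ab4-bfdcceb61f9a} - {a9f16bec-cdfb-4ba3-b7bb-fccba50eae42} - C:\WINDOWS\system32\ohimxnfu.dll
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\ExampleVendor\helper.dll
O4 - HKLM\..\Run: [b89d63da] rundll32.exe "C:\WINDOWS\system32\xkrjmeib.dll",b
O4 - HKLM\..\Run: [BMbbae5046] Rundll32.exe "C:\WINDOWS\system32\vauybpxe.dll",s
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
""".strip().splitlines()

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
# Exactly eight letters, in system32: the naming style of every Virtumonde DLL
# in this thread (hgGXrSig.dll, ohimxnfu.dll, xkrjmeib.dll, vauybpxe.dll).
RANDOM_DLL_RE = re.compile(r"\\system32\\[A-Za-z]{8}\.(dll|ini)$", re.IGNORECASE)
# Run value names such as b89d63da or BMbbae5046: a hex-looking tail of 8+ chars.
RANDOM_VALUE_RE = re.compile(r"^[A-Za-z]{0,2}[0-9a-f]{8,}$")
DLL_IN_CMD_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)


@dataclass
class Finding:
    kind: str            # "O2" (BHO) or "O4" (Run value)
    key: str             # CLSID for O2, value name for O4
    path: str            # DLL/EXE named on the line
    file_missing: bool
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        # Two independent indicators before it is flagged (assumed threshold):
        # an eight-letter name alone would also catch browseui.dll.
        return len(self.reasons) >= 2


def inspect_o2(m):
    f = Finding("O2", m["clsid"], m["path"], bool(m["missing"]))
    if m["name"] == "(no name)":
        f.reasons.append("BHO has no display name")
    if f.file_missing:
        f.reasons.append("BHO registered but its DLL is gone (orphaned entry)")
    if GUID_RE.match(m["name"]):
        f.reasons.append("BHO display name is itself a GUID")
    if RANDOM_DLL_RE.search(m["path"]):
        f.reasons.append("random eight-letter DLL name in system32")
    return f


def inspect_o4(m):
    dll = DLL_IN_CMD_RE.search(m["cmd"])
    path = dll["dll"] if dll else m["cmd"]
    f = Finding("O4", m["value"], path, False)
    if dll:
        f.reasons.append("started through rundll32 rather than as an EXE")
    if RANDOM_DLL_RE.search(path):
        f.reasons.append("random eight-letter DLL name in system32")
    if RANDOM_VALUE_RE.match(m["value"]):
        f.reasons.append("Run value name is a random hex token")
    return f


def triage(lines):
    """Return the Findings that clear the two-indicator bar."""
    findings = []
    for line in lines:
        line = line.rstrip()
        if (m := O2_RE.match(line)):
            findings.append(inspect_o2(m))
        elif (m := O4_RE.match(line)):
            findings.append(inspect_o4(m))
    return [f for f in findings if f.suspicious]


def build_cfscript(findings):
    """File:: / Registry:: sections in the layout used in this thread.

    A missing file is not listed under File:: (nothing to delete); its BHO
    key still goes under Registry:: so the orphaned CLSID is removed.
    """
    files = sorted({f.path for f in findings if not f.file_missing})
    keys = sorted({f.key for f in findings if f.kind == "O2"})
    out = ["File::"] + files + ["", "Registry::"]
    for clsid in keys:
        out += [f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{{{clsid}}}]", ""]
    return "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_HJT)
    for f in found:
        print(f"{f.kind} {f.key}: {f.path}")
        for why in f.reasons:
            print("    -", why)
    print()
    print(build_cfscript(found))
```

Run against the constructed sample it flags the four Virtumonde entries and leaves the AVG tray entry and the made-up helper alone; the generated script lists the three DLLs that still exist under File:: and both BHO CLSIDs under Registry::, which is the same shape as the CFScript pskelley wrote by hand. The Run values themselves are left for the HijackThis "Fix Checked" step, as in the instructions above.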

ehblab
2008-06-22, 21:03
The winsys2.exe file is part of my MSI video drivers. It passed all scans. Here is the scan report from http://virusscan.jotti.org/

File: WinSys2.exe
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 246ed5328f940e4fdaab0b2fc987da01
Packers detected: -

Scanner results
Scan taken on 22 Jun 2008 17:56:07 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


Yes, I thought I had ComboFix deleted. I deleted the combofix.exe file; I didn't know about the others. They are gone now.


OK, did the rest; here are the log files. I will let you know in a day or so how it is running; so far so good. Spybot comes up clean now.


ComboFix 08-06-20.4 - Eric & Lori 2008-06-22 14:19:25.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1365 [GMT -4:00]
Running from: C:\Documents and Settings\Eric & Lori\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Eric & Lori\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\ccitjnhj.ini
C:\WINDOWS\system32\jthqdsae.dll
C:\WINDOWS\system32\mgivboef.dll
C:\WINDOWS\system32\oftnqjqm.dll
C:\WINDOWS\system32\ohimxnfu.dll
C:\WINDOWS\system32\rvdynphi.dll
C:\WINDOWS\system32\uhpjqbbc.ini
C:\WINDOWS\system32\uxreapdo.dll
C:\WINDOWS\system32\vauybpxe.dll
C:\WINDOWS\system32\xkrjmeib.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMbbae5046.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ccitjnhj.ini
C:\WINDOWS\system32\jthqdsae.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mgivboef.dll
C:\WINDOWS\system32\oftnqjqm.dll
C:\WINDOWS\system32\ohimxnfu.dll
C:\WINDOWS\system32\rvdynphi.dll
C:\WINDOWS\system32\uhpjqbbc.ini
C:\WINDOWS\system32\uxreapdo.dll
C:\WINDOWS\system32\vauybpxe.dll
C:\WINDOWS\system32\xkrjmeib.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-22 to 2008-06-22 )))))))))))))))))))))))))))))))
.

2008-06-22 10:25 . 2008-06-22 10:29 354 ---hs---- C:\WINDOWS\system32\biemjrkx.ini
2008-06-21 08:25 . 2008-06-21 08:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-19 16:45 . 2008-06-19 16:45 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-19 16:20 . 2008-06-19 16:24 <DIR> d--hs---- C:\Documents and Settings\Eric & Lori\!
2008-06-15 08:52 . 2008-06-16 14:19 <DIR> d-------- C:\Program Files\Hidden Expedition - Everest
2008-06-15 08:52 . 2008-06-15 08:52 <DIR> d-------- C:\Program Files\BFG
2008-06-14 17:07 . 2008-06-14 17:07 39,936 --a------ C:\WINDOWS\system32\drivers\CDAC11BA.EXE
2008-06-14 15:22 . 2008-06-19 17:15 267 --a------ C:\WINDOWS\wininit.ini
2008-06-14 12:57 . 2008-06-14 13:00 <DIR> d-------- C:\WINDOWS\system32\netrax18
2008-06-13 17:37 . 2008-06-13 17:37 <DIR> d-------- C:\TEMP\mechwarrior
2008-06-12 19:52 . 2008-06-12 19:52 <DIR> d-------- C:\Program Files\Atlantis
2008-06-12 19:47 . 2008-06-18 17:52 <DIR> d-------- C:\Program Files\Hidden Expedition - Titanic
2008-06-12 19:45 . 2008-06-19 18:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-12 19:42 . 2008-06-12 19:42 <DIR> d-------- C:\Program Files\bfgclient
2008-06-12 19:42 . 2008-06-12 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2008-06-11 16:11 . 2008-06-19 16:19 <DIR> d-------- C:\WINDOWS\system32\netrax05
2008-06-11 16:11 . 2008-06-11 16:11 <DIR> d-------- C:\TEMP\itmp4
2008-06-11 16:11 . 2008-06-21 13:22 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-11 06:21 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 15:41 . 2008-06-19 16:42 <DIR> d-------- C:\Documents and Settings\Eric & Lori\Application Data\LimeWire
2008-06-10 15:40 . 2008-06-10 15:40 <DIR> d-------- C:\Program Files\Java
2008-06-10 15:40 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-10 15:39 . 2008-06-10 15:39 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-10 15:34 . 2008-06-19 17:35 <DIR> d-------- C:\Program Files\LimeWire
2008-06-02 20:56 . 2008-06-02 20:56 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-06-02 17:08 . 2008-06-02 17:08 <DIR> d-------- C:\Documents and Settings\Eric & Lori\Application Data\Command & Conquer 3 Tiberium Wars
2008-06-01 11:30 . 2008-06-01 11:30 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-06-01 11:30 . 2008-06-01 11:30 <DIR> dr-h----- C:\Documents and Settings\Eric & Lori\Application Data\SecuROM
2008-06-01 11:30 . 2008-06-01 11:30 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-06-01 10:03 . 2008-06-01 10:03 <DIR> d-------- C:\Documents and Settings\Eric & Lori\Application Data\U3
2008-06-01 09:38 . 2008-06-18 21:35 <DIR> d-------- C:\Program Files\Xfire
2008-06-01 09:38 . 2008-06-01 09:38 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-06-01 09:38 . 2008-06-22 14:16 <DIR> d-------- C:\Documents and Settings\Eric & Lori\Application Data\Xfire
2008-06-01 09:29 . 2008-06-01 09:29 <DIR> d-------- C:\Documents and Settings\Eric & Lori\Application Data\Logitech
2008-06-01 09:26 . 2008-06-01 09:26 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-06-01 09:26 . 2004-10-21 13:30 71,535 --a------ C:\WINDOWS\system32\drivers\LMouKE.Sys
2008-06-01 09:26 . 2004-10-21 13:31 54,851 --a------ C:\WINDOWS\system32\drivers\L8042mou.Sys
2008-06-01 09:26 . 2004-10-21 13:32 13,107 --a------ C:\WINDOWS\system32\drivers\L8042Kbd.sys
2008-05-31 11:53 . 2008-05-31 11:53 <DIR> d-------- C:\Program Files\Call of Duty 4 Multiplayer Backup
2008-05-31 11:09 . 2008-05-31 11:09 <DIR> d-------- C:\Documents and Settings\LocalService\World in Conflict
2008-05-31 11:09 . 2008-05-31 11:09 <DIR> d-------- C:\Documents and Settings\LocalService\Logitech
2008-05-31 11:08 . 2008-05-31 11:08 <DIR> d-------- C:\Documents and Settings\Eric & Lori\Application Data\Avocent AdminWorks
2008-05-31 10:20 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-31 10:20 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-30 21:25 . 2008-05-31 11:53 <DIR> d-------- C:\Program Files\Electronic Arts
2008-05-30 21:16 . 2008-05-30 21:16 <DIR> d-------- C:\Program Files\directx
2008-05-30 21:14 . 2008-05-30 21:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-05-30 21:13 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-05-30 21:13 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-05-30 21:13 . 2008-05-30 21:13 2,337,865 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-05-30 21:13 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-05-30 21:13 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-05-30 21:13 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-05-30 21:13 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-05-30 21:13 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-05-30 21:13 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-05-30 21:01 . 2008-05-30 21:01 <DIR> d-------- C:\Program Files\Ubisoft
2008-05-30 20:47 . 2008-05-30 21:16 <DIR> d-------- C:\Program Files\Microsoft Games
2008-05-30 20:42 . 2008-06-22 10:45 33,080 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-30 20:42 . 2008-05-30 21:13 22,328 --a------ C:\Documents and Settings\Eric & Lori\Application Data\PnkBstrK.sys
2008-05-30 20:41 . 2008-06-22 10:45 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-05-30 20:41 . 2008-05-31 20:33 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-05-30 20:41 . 2008-05-30 20:41 319 --a------ C:\WINDOWS\game.ini
2008-05-30 20:28 . 2008-05-30 20:28 <DIR> d-------- C:\Program Files\Activision
2008-05-30 20:25 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2008-05-30 20:25 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2008-05-30 20:25 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2008-05-30 20:25 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2008-05-30 20:25 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-05-30 20:20 . 2008-05-30 20:20 <DIR> d-------- C:\Program Files\Sierra Entertainment
2008-05-30 20:17 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-05-30 20:17 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-05-30 20:14 . 2008-05-30 20:14 <DIR> d-------- C:\Program Files\Saitek
2008-05-30 20:14 . 2008-05-30 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Saitek
2008-05-30 20:11 . 2007-05-01 15:49 18,512 -ra------ C:\WINDOWS\system32\SaiD5F0D.pr0
2008-05-30 20:07 . 2008-06-21 08:22 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-30 20:07 . 2008-06-21 09:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-30 17:39 . 2008-05-30 17:39 <DIR> d-------- C:\Program Files\LiveUpdate
2008-05-30 17:39 . 2004-08-04 02:08 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2008-05-30 17:39 . 2004-08-04 02:08 25,600 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys
2008-05-30 17:38 . 2008-05-30 17:39 <DIR> d-------- C:\Program Files\mobile PhoneTools
2008-05-30 17:38 . 2008-05-30 17:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-30 17:30 . 2008-05-30 17:30 <DIR> d-------- C:\EPSONREG
2008-05-30 17:30 . 2008-05-30 17:30 <DIR> d-------- C:\Documents and Settings\Eric & Lori\Application Data\Leadertech
2008-05-30 17:24 . 2008-05-30 17:24 <DIR> d-------- C:\Program Files\ABBYY FineReader 6.0 Sprint
2008-05-30 17:23 . 2008-05-30 17:23 <DIR> d-------- C:\WINDOWS\system32\PhotoImpression Slideshow
2008-05-30 17:23 . 2008-05-30 17:23 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-05-30 17:23 . 2008-05-30 17:23 <DIR> d-------- C:\Program Files\ArcSoft
2008-05-30 17:23 . 2008-05-30 17:23 <DIR> d-------- C:\Documents and Settings\Eric & Lori\Application Data\ArcSoft
2008-05-30 17:23 . 2003-03-18 22:14 499,712 -ra------ C:\WINDOWS\system32\msvcp71.dll
2008-05-30 17:23 . 2004-08-04 07:52 413,696 -ra------ C:\WINDOWS\system32\msvc2071.rra
2008-05-30 17:23 . 2004-12-07 10:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-05-30 17:23 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-05-30 17:23 . 2006-10-20 16:11 126,976 --a------ C:\WINDOWS\system32\PhotoImpression Slideshow.scr
2008-05-30 17:23 . 2005-02-23 14:58 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2008-05-30 17:22 . 2008-05-30 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EPSON
2008-05-30 17:22 . 2004-08-04 02:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-05-30 17:22 . 2004-08-04 02:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-05-30 17:22 . 2004-08-04 02:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-05-30 17:22 . 2004-08-04 01:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-05-30 17:22 . 2004-08-04 01:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-05-30 17:19 . 2008-05-30 17:19 <DIR> d-------- C:\Documents and Settings\Eric & Lori\Application Data\InstallShield
2008-05-30 17:17 . 2008-05-30 17:24 <DIR> d-------- C:\Program Files\epson
2008-05-30 17:17 . 2007-04-18 00:00 67,072 --a------ C:\WINDOWS\system32\escwiad.dll
2008-05-30 17:17 . 2008-05-30 17:30 44 --a------ C:\WINDOWS\EPSCX9400Fax.ini
2008-05-30 17:16 . 2008-05-30 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OLYMPUS
2008-05-30 17:13 . 2008-05-30 17:13 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-05-30 17:13 . 2008-05-30 17:13 <DIR> d-------- C:\Binaries
2008-05-30 17:13 . 2003-04-18 16:29 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-05-30 17:13 . 2003-05-01 17:49 402 --a------ C:\WINDOWS\system32\msxml4.inf
2008-05-30 17:12 . 2008-05-30 17:12 <DIR> d-------- C:\Program Files\iTunes
2008-05-30 17:12 . 2008-05-30 17:12 <DIR> d-------- C:\Program Files\iPod
2008-05-30 17:12 . 2008-05-30 17:12 <DIR> d-------- C:\Program Files\Bonjour
2008-05-30 17:12 . 2008-05-30 17:12 <DIR> d-------- C:\Documents and Settings\Eric & Lori\Application Data\Apple Computer
2008-05-30 17:11 . 2008-05-30 17:11 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-05-30 17:11 . 2008-05-30 17:11 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-30 17:11 . 2008-05-30 17:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-30 17:11 . 2008-05-30 17:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-30 17:08 . 2008-05-30 17:08 <DIR> d-------- C:\Program Files\OLYMPUS
2008-05-30 17:08 . 2008-06-20 15:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-30 17:08 . 2008-05-30 17:08 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-30 17:06 . 2008-05-30 17:12 <DIR> d-------- C:\Program Files\QuickTime
2008-05-30 17:06 . 2008-05-30 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2008-05-30 17:06 . 2008-05-30 17:06 361 --a------ C:\WINDOWS\system32\QuickTime.qtp
2008-05-30 17:02 . 2008-05-30 17:02 <DIR> d-------- C:\Program Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 23:42 0 ----a-w C:\Program Files\temp01
2008-05-30 00:56 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-16 23:56 524,288 ----a-w C:\WINDOWS\opuc.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-14_16.27.32.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-14 20:22:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-22 18:23:15 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-14 11:01:02 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-06-13 13:10:50 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
- 2000-08-31 12:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 12:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"EPSON Stylus CX9400Fax Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFA.EXE" [2007-03-23 06:00 182272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"ipTray.exe"="C:\Program Files\Intel\IDU\iptray.exe" [2004-06-11 16:04 1226752]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-08-11 09:43 7630848]
"nwiz"="nwiz.exe" [2006-08-11 09:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"SW20"="C:\WINDOWS\System32\sw20.exe" [2006-09-07 06:13 208896]
"SW24"="C:\WINDOWS\System32\sw24.exe" [2006-09-07 06:14 69632]
"WinSys2"="C:\WINDOWS\System32\winsys2.exe" [2006-10-03 02:37 217088]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-08-11 09:43 86016]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 15:03 16125440 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"Launch LCDMon"="C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 17:43 2051096]
"Launch LGDCore"="C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 17:57 2095640]
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2004-08-13 16:42 36864]
"ProfilerU"="C:\Program Files\Saitek\SD6\Software\ProfilerU.exe" [2007-10-02 10:10 233472]
"SaiMfd"="C:\Program Files\Saitek\SD6\Software\SaiMfd.exe" [2007-10-02 10:10 131072]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"b89d63da"="C:\WINDOWS\system32\xkrjmeib.dll" [ ]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-30 15:35 1177368]
"BMbbae5046"="C:\WINDOWS\system32\vauybpxe.dll" [ ]

C:\Documents and Settings\Eric & Lori\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2008-06-02 20:56:46 3017040]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [2008-06-01 09:26:41 581632]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"C:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"C:\\Program Files\\Microsoft Games\\MechWarrior Vengeance\\MW4.ICD"=
"C:\\Program Files\\Microsoft Games\\MechWarrior Vengeance\\mw4x\\MW4x.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-30 15:35]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-30 15:35]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-30 15:35]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-30 15:35]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2004-06-01 15:28]
S3 SaiH5F0D;SaiH5F0D;C:\WINDOWS\system32\DRIVERS\SaiH5F0D.sys [2007-05-01 15:49]
S3 SaiU5F0D;SaiU5F0D;C:\WINDOWS\system32\DRIVERS\SaiU5F0D.sys [2007-05-01 15:49]
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f523f0f0-2fdf-11dd-a80d-001320ca6693}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 21:11:41 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 14:24:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Intel\IDU\IDUServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\G15NetSpeed.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2008-06-22 14:30:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-22 18:30:12

Pre-Run: 94,718,644,224 bytes free
Post-Run: 94,722,932,736 bytes free

290 --- E O F --- 2008-06-21 13:11:49

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:40:20 PM, on 6/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Intel\IDU\IDUServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\IDU\iptray.exe
C:\WINDOWS\System32\winsys2.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\G15NetSpeed.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ipTray.exe] "C:\Program Files\Intel\IDU\iptray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\System32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\System32\sw24.exe
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\System32\winsys2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX9400Fax Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFA.EXE /FU "C:\WINDOWS\TEMP\E_SA6.tmp" /EF "HKCU"
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212109198500
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212177678171
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Desktop Utilities Service (iHCService) - OSA Technologies, Inc. - C:\Program Files\Intel\IDU\IDUServ.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 7983 bytes

pskelley
2008-06-22, 21:17
Thanks for the feedback, just a bit more before we finish. First, understand that Combofix does not update and must be downloaded fresh to get the current malware databases. We are finished with it; remove it from your computer like this.

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U; it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Next, to make sure the malware did not mess up your antivirus program, which the hackers love to do, I would like you to update AVG 8 and run a system scan. Let me know about any issues AVG cannot resolve. You can save the scan results to post now if you need to.

When that is finished, do this:
Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file in your next reply.

If you get that far with no problems, I'll post closing information and get you on the road.

Thanks...Phil

ehblab
2008-06-23, 00:55
Combofix is uninstalled.

Here are the AVG and Malwarebytes log files.


"Scan ""Scan whole computer"" was finished."
"Infections found:";"0"
"Infected objects removed or healed";"0"
"Not removed or healed.";"0"
"Spyware found:";"0"
"Spyware removed:";"0"
"Not removed:";"0"
"Warnings count:";"32"
"Information count:";"0"
"Scan started:";"Sunday, June 22, 2008, 5:20:12 PM"
"Total object scanned:";"718052"
"Time needed:";"45 minute(s) 46 second(s) "
"Errors encountered:";"0"

"Warnings"
"File";"Infection";"Result"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00110011-4B0B-44D5-9718-90C88817369B}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{086AE192-23A6-48D6-96EC-715F53797E85}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0EDC6C20-A31C-11DB-8AB9-0800200C9A66}";"Found Adware.RogueSuspect";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11904CE8-632A-4856-A7CC-00B33FE71BD8}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{150FA160-130D-451F-B863-B655061432BA}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{17DA0C9E-4A27-4ac5-BB75-5D24B8CDB972}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1C4DA27D-4D52-4465-A089-98E01BB725CA}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1C78AB3F-A857-482e-80C0-3A1E5238A565}";"Found Adware.Isearch";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB2}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2D38A51A-23C9-48a1-A33C-48675AA2B494}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2E9CAFF6-30C7-4208-8807-E79D4EC6F806}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3AAC4C68-AFC8-11DB-80EF-8AF955D89593}";"Found Adware.RogueSuspect";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3CEFF6CD-6F08-4E4D-BCCD-FF7415288C3B}";"Found Adware.TitanShieldAntispyware";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}";"Found Adware.NewDotNet";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8333C319-0669-4893-A418-F56D9249FCA6}";"Found Adware.TitanShieldAntispyware";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{88D758A3-D33B-45FD-91E3-67749B4057FA}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}";"Found Adware.TitanShieldAntispyware";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A6F42CAD-2559-48DF-AF30-89E480AF5DFA}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CE7C3CF0-4B15-11D1-ABED-709549C10000}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CF021F40-3E14-23A5-CBA2-717765721306}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E2B2B5A1-B48C-4886-A318-723916A01024}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E2DDF680-9905-4dee-8C64-0A5DE7FE133C}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E3EEBBE8-9CAB-4C76-B26A-747E25EBB4C6}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E6D5237D-A6C7-4C83-A67F-F9F15586FA62}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E7AFFF2A-1B57-49C7-BF6B-E5123394C970}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E8EDB60C-951E-4130-93DC-FAF1AD25F8E7}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F1FABE79-25FC-46de-8C5A-2C6DB9D64333}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FD9BC004-8331-4457-B830-4759FF704C22}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880}";"Found Adware.Generic";"Potentially dangerous object"
"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FFD2825E-0785-40C5-9A41-518F53A8261F}";"Found Adware.TitanShieldAntispyware";"Potentially dangerous object"


Malwarebytes' Anti-Malware 1.18
Database version: 880

6:55:02 PM 6/22/2008
mbam-log-6-22-2008 (18-55-02).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 175002
Time elapsed: 39 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\run\WinSys2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b89d63da (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMbbae5046 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\netrax05 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netrax18 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\WinSys2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

pskelley
2008-06-23, 01:16
You put the junk AVG found in the Virus Vault? You can allow it to stay in the vault for a week just in case and then empty the vault.

If all else is running well, I'll wish you safe surfing :bigthumb: