spudmasher
2008-07-19, 23:23
Salutations!
I have attempted to get rid of this on numerous occasions before I finally found this site. Seeing as how there are so many cases, I am eagerly awaiting aid. I did run HJT, and attempted to fix it, once again, before I found this site. Below is my HJT log, and my ComboFix log. I know I got off to the wrong start by running CF... and I do apologize. Hopefully, this won't cause problems later.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:48 PM, on 7/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\system32\lxdfcoms.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {292A3E22-F243-43EF-AF99-1A6E9AEDB528} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7EBB7DA6-2369-450D-980F-9A2311A99ACF} - C:\WINDOWS\system32\wvUOiGWp.dll
O2 - BHO: (no name) - {A0F539EB-EEB2-48E0-8913-FB184CD365A4} - C:\WINDOWS\system32\cbXQjIAt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\acrobat8pro\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TVTray] C:\PROGRA~1\ENLTV\TVTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxdfmon.exe] "C:\Program Files\Lexmark 6500 Series\lxdfmon.exe"
O4 - HKLM\..\Run: [lxdfamon] "C:\Program Files\Lexmark 6500 Series\lxdfamon.exe"
O4 - HKLM\..\Run: [Lexmark 6500 Series Fax Server] "C:\Program Files\Lexmark 6500 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\acrobat8pro\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autofix
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: Snsicon.lnk = C:\SLIDESHW\Snsicon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Append to existing PDF - res://D:\acrobat8pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\acrobat8pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\acrobat8pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\acrobat8pro\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\acrobat8pro\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\acrobat8pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\acrobat8pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\acrobat8pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2007\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2007\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2007\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210022131609
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--0ac8a2ed-27e6-4c7d-b84e-94fc4c446ae2/online/bejeweled_2/en/popcaploader_v10.cab
O20 - Winlogon Notify: wvUOiGWp - C:\WINDOWS\SYSTEM32\wvUOiGWp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxdfCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe
O23 - Service: lxdf_device - - C:\WINDOWS\system32\lxdfcoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 12738 bytes
ComboFix 08-07-17.4 - spudmasher 2008-07-19 11:12:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1465 [GMT -7:00]
Running from: C:\Documents and Settings\spudmasher\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\ampmrvvl.ini
C:\WINDOWS\system32\bncfbnov.dll
C:\WINDOWS\system32\bvbrjcel.dll
C:\WINDOWS\system32\cbXQjIAt.dll
C:\WINDOWS\system32\dflrws.dll
C:\WINDOWS\system32\exuianfd.ini
C:\WINDOWS\system32\gtsfyq.dll
C:\WINDOWS\system32\joogipdy.ini
C:\WINDOWS\system32\jupiflll.dll
C:\WINDOWS\system32\kthgdyai.dll
C:\WINDOWS\system32\lgcopgut.dll
C:\WINDOWS\system32\osnfxvxb.dll
C:\WINDOWS\system32\pybpiiel.dll
C:\WINDOWS\system32\ryypdrgf.dll
C:\WINDOWS\system32\shnwidhp.ini
C:\WINDOWS\system32\tAIjQXbc.ini
C:\WINDOWS\system32\tAIjQXbc.ini2
C:\WINDOWS\system32\tpijje.dll
C:\WINDOWS\system32\vonbfcnb.ini
C:\WINDOWS\system32\wvUOiGWp.dll
C:\WINDOWS\system32\ydpigooj.dll
----- BITS: Possible infected sites -----
hxxp://www.graboid.com
.
((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 )))))))))))))))))))))))))))))))
.
2008-07-19 10:38 . 2008-07-19 10:39 8,192 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-07-17 13:34 . 2008-07-17 13:34 <DIR> d-------- C:\Program Files\Common Files\DirectX
2008-07-17 12:32 . 2008-07-17 12:33 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-17 12:32 . 2008-07-17 12:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-17 12:23 . 2008-07-17 12:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-17 11:11 . 2008-07-17 11:11 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-17 11:10 . 2008-07-17 11:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-17 11:05 . 2008-07-17 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-17 03:45 . 2008-07-17 03:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-07-17 02:14 . 2008-07-17 02:14 <DIR> d-------- C:\Documents and Settings\spudmasher\Application Data\DivX
2008-07-16 20:04 . 2008-06-10 17:07 120,056 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2008-07-16 20:04 . 2008-06-10 17:07 118,520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2008-07-15 11:55 . 2008-07-15 11:55 <DIR> d-------- C:\Program Files\BillP Studios
2008-07-15 11:55 . 2008-07-15 11:55 <DIR> d-------- C:\Documents and Settings\spudmasher\Application Data\WinPatrol
2008-07-15 11:35 . 2008-07-15 11:35 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-15 11:35 . 2008-07-15 11:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-15 11:02 . 2008-07-18 11:15 110,437 --a------ C:\WINDOWS\BM93517ae6.xml
2008-07-14 15:15 . 2008-07-14 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-14 15:13 . 2008-07-14 15:15 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-14 13:48 . 2008-07-16 11:16 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-07-12 13:59 . 2008-07-12 14:12 274 --a------ C:\WINDOWS\SIERRA.INI
2008-07-12 08:38 . 2008-07-12 08:38 <DIR> d-------- C:\Documents and Settings\spudmasher\Application Data\Lexmark Productivity Studio
2008-07-11 12:10 . 2008-07-11 12:10 0 --a------ C:\CONFIG.112
2008-07-11 12:10 . 2008-07-11 12:10 0 --a------ C:\AUTOEXEC.112
2008-07-11 01:51 . 2008-07-11 01:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-07-10 19:05 . 2008-07-10 19:05 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-10 18:21 . 2008-07-10 18:22 <DIR> d-------- C:\Documents and Settings\spudmasher\Contacts
2008-07-10 18:19 . 2008-07-10 18:19 <DIR> d-------- C:\Program Files\MSN Messenger
2008-07-09 23:16 . 2008-07-09 23:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-07-09 13:31 . 2008-07-09 13:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-09 13:31 . 2008-07-09 13:31 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-09 12:06 . 2008-07-16 11:02 <DIR> d-------- C:\Program Files\Conduit
2008-07-08 22:02 . 2008-07-08 22:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2008-07-08 17:38 . 2008-07-08 17:38 <DIR> d-------- C:\Documents and Settings\spudmasher\Application Data\6500 Series
2008-06-30 11:40 . 2008-06-30 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Graboid Inc
2008-06-30 11:37 . 2008-06-30 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Launcher
2008-06-30 11:36 . 2008-06-30 11:38 <DIR> d-------- C:\Documents and Settings\spudmasher\Application Data\MozillaControl
2008-06-30 11:33 . 2008-07-17 14:36 <DIR> d-------- C:\Program Files\VideoLAN
2008-06-30 11:33 . 2008-06-30 11:33 <DIR> d-------- C:\Program Files\Graboid
2008-06-28 12:28 . 2008-07-01 19:48 <DIR> d-------- C:\Documents and Settings\All Users\Lx_cats
2008-06-28 12:25 . 2008-06-28 12:25 <DIR> d-------- C:\logs
2008-06-28 12:25 . 2007-05-03 20:50 348,160 --a------ C:\WINDOWS\system32\lxdfcoin.dll
2008-06-28 12:25 . 2006-08-01 06:53 40,960 --a------ C:\WINDOWS\system32\lxdfvs.dll
2008-06-28 12:23 . 2008-06-28 12:23 <DIR> d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-06-28 12:23 . 2008-06-28 12:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\6500 Series
2008-06-28 12:22 . 2007-05-28 03:03 503,808 --a------ C:\WINDOWS\system32\lxdfutil.dll
2008-06-28 12:22 . 2007-05-17 18:53 434,176 --a------ C:\WINDOWS\system32\lxdfhcp.dll
2008-06-28 12:22 . 2007-05-17 19:00 356,352 --a------ C:\WINDOWS\system32\lxdfinpa.dll
2008-06-28 12:22 . 2007-05-17 18:52 348,160 --a------ C:\WINDOWS\system32\lxdfinst.dll
2008-06-28 12:22 . 2007-05-17 18:52 339,968 --a------ C:\WINDOWS\system32\lxdfiesc.dll
2008-06-28 12:22 . 2007-01-22 10:53 60 --a------ C:\WINDOWS\system32\lxdfrwrd.ini
2008-06-28 12:21 . 2008-06-29 16:18 <DIR> d-------- C:\Program Files\Lexmark 6500 Series
2008-06-26 23:40 . 2008-06-26 23:40 <DIR> d-------- C:\Program Files\MySpace
2008-06-26 23:40 . 2008-06-26 23:40 <DIR> d-------- C:\Documents and Settings\spudmasher\Application Data\MySpace
2008-06-20 21:30 . 2008-06-20 21:30 <DIR> d--h----- C:\WINDOWS\PIF
2008-06-20 10:46 . 2008-06-20 10:46 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 10:46 . 2008-06-20 10:46 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 04:51 . 2008-06-20 04:51 361,600 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 04:40 . 2008-06-20 04:40 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 04:08 . 2008-06-20 04:08 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-19 00:57 . 2008-06-19 00:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Creative Home
2008-06-19 00:42 . 2008-06-19 00:42 <DIR> d-------- C:\Program Files\Common Files\Nova Development
2008-06-19 00:31 . 2008-06-21 23:10 <DIR> d-------- C:\Program Files\MagicISO
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 00:25 --------- d-----w C:\Documents and Settings\spudmasher\Application Data\OpenOffice.org2
2008-07-18 21:56 --------- d-----w C:\Documents and Settings\spudmasher\Application Data\Azureus
2008-07-18 21:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-17 23:32 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-07-17 21:34 --------- d-----w C:\Documents and Settings\spudmasher\Application Data\Move Networks
2008-07-17 09:02 --------- d-----w C:\Documents and Settings\spudmasher\Application Data\IGN_DLM
2008-07-17 03:05 --------- d-----w C:\Program Files\DivX
2008-07-15 18:35 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-15 03:21 --------- d-----w C:\Program Files\Java
2008-07-02 22:41 --------- d-----w C:\Program Files\Azureus
2008-06-25 18:18 --------- d-----w C:\Documents and Settings\spudmasher\Application Data\Roxio
2008-06-23 02:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 04:59 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-18 04:59 --------- d-----w C:\Program Files\MediaFACE II
2008-06-18 04:59 --------- d-----w C:\Program Files\ENLTV
2008-06-16 18:35 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 00:07 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-06-10 08:09 --------- d-----w C:\Program Files\Red Kawa
2008-06-08 05:28 --------- d-----w C:\Program Files\Active Images Express
2008-06-05 05:45 --------- d-----w C:\Program Files\Disney
2008-06-04 14:05 --------- d-----w C:\Program Files\Second Nature
2008-06-04 14:05 --------- d-----w C:\Documents and Settings\spudmasher\Application Data\Second Nature
2008-06-04 13:57 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-06-04 13:57 --------- d-----w C:\Program Files\AVSMedia
2008-06-03 02:59 --------- d-----w C:\Documents and Settings\spudmasher\Application Data\ImgBurn
2008-06-03 02:24 --------- d-----w C:\Program Files\ImgBurn
2008-05-29 22:43 --------- d-----w C:\Program Files\Dvd-cloner
2008-05-29 19:38 16,512 ----a-w C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-05-26 20:40 --------- d-----w C:\Program Files\Guild Wars
2008-05-25 01:19 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-05-23 17:05 --------- d-----w C:\Documents and Settings\spudmasher\Application Data\AVS4YOU
2008-05-23 17:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-05-23 04:14 --------- d-----w C:\Documents and Settings\spudmasher\Application Data\fltk.org
2008-05-22 18:31 --------- d-----w C:\Program Files\Real
2008-05-22 18:31 --------- d-----w C:\Program Files\Common Files\xing shared
2008-05-22 18:31 --------- d-----w C:\Program Files\Common Files\Real
2008-05-22 05:33 --------- d-----w C:\Documents and Settings\spudmasher\Application Data\Sony Corporation
2008-05-22 05:03 --------- d-----w C:\Program Files\Sony
2008-05-22 05:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Corporation
2008-05-22 05:02 --------- d-----w C:\Program Files\Common Files\Sony Shared
2008-05-20 16:33 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio
2008-05-14 18:59 82,774 ----a-w C:\WINDOWS\Uninstall Jade Empire.exe
2008-05-14 03:19 3,699,424 ----atw C:\WINDOWS\DXMB.tmp
2008-05-13 19:29 3,699,424 ----atw C:\WINDOWS\DXM1B.tmp
2008-05-13 16:57 3,699,424 ----atw C:\WINDOWS\DXM43C.tmp
2008-05-05 08:18 315,392 ----a-w C:\WINDOWS\HideWin.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 14:57 1103480]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 07:16 171464]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 13:43 472632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"TVTray"="C:\PROGRA~1\ENLTV\TVTray.exe" [2007-11-08 16:21 688128]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2006-08-14 14:52 137216]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 10:43 57344]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-11-21 21:47 1687552]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-11-22 09:34 163840]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-22 11:31 185896]
"lxdfmon.exe"="C:\Program Files\Lexmark 6500 Series\lxdfmon.exe" [2007-06-11 18:53 455600]
"lxdfamon"="C:\Program Files\Lexmark 6500 Series\lxdfamon.exe" [2007-06-01 13:06 20480]
"Lexmark 6500 Series Fax Server"="C:\Program Files\Lexmark 6500 Series\fm3032.exe" [2007-06-11 18:56 308144]
"Acrobat Assistant 8.0"="D:\acrobat8pro\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-26 22:38 316728]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 18:30 16855552 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 16:27 9117696]
C:\Documents and Settings\spudmasher\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 16:41:28 393216]
Snsicon.lnk - C:\SLIDESHW\Snsicon.exe [2008-06-04 07:08:11 69632]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-04-28 11:20:00 415072]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iyuv"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iyuv_32.dll
"vidc.yvu9"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\Iyvu9_32.dll
"vidc.uyvy"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yuy2"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yvyu"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"D:\\LOTRO\\lotroclient.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"D:\\Rohan\\rohanclient.exe"=
"D:\\Trillian\\trillian.exe"=
"G:\\Games\\Console\\NES\\NESTCL95.EXE"=
"C:\\WINDOWS\\system32\\lxdfcoms.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\lxdfmon.exe"=
"C:\\WINDOWS\\system32\\lxdfcfg.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfpswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdftime.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfjswx.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\TmNationsForever\\TmForever.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"D:\\nDoors\\Atlantica\\AtlanticaRun.exe"=
"C:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 16:20]
R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-15 23:23]
R1 BS_I2cIo;BS_I2cIo;C:\WINDOWS\system32\drivers\BS_I2cIo.sys [2006-12-11 21:02]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 16:16]
R2 lxdf_device;lxdf_device;C:\WINDOWS\system32\lxdfcoms.exe [2007-05-29 11:06]
R3 3xHybrid;Philips SAA713x PCI Card;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2007-06-15 08:59]
S2 lxdfCATSCustConnectService;lxdfCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe [2007-05-29 11:06]
S3 BS_Flash;BS_Flash;C:\Program Files\Tseries BIOS Update\Award\BS_Flash.sys [2007-08-16 10:09]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-LeechGet - (no file)
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-19 11:27:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************
.
Completion time: 2008-07-19 11:30:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-19 18:30:19
Pre-Run: 9,152,692,224 bytes free
Post-Run: 9,066,917,888 bytes free
275 --- E O F --- 2008-07-08 23:53:13
O2 - BHO: (no name) - {292A3E22-F243-43EF-AF99-1A6E9AEDB528} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7EBB7DA6-2369-450D-980F-9A2311A99ACF} - C:\WINDOWS\system32\wvUOiGWp.dll
O2 - BHO: (no name) - {A0F539EB-EEB2-48E0-8913-FB184CD365A4} - C:\WINDOWS\system32\cbXQjIAt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\acrobat8pro\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TVTray] C:\PROGRA~1\ENLTV\TVTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxdfmon.exe] "C:\Program Files\Lexmark 6500 Series\lxdfmon.exe"
O4 - HKLM\..\Run: [lxdfamon] "C:\Program Files\Lexmark 6500 Series\lxdfamon.exe"
O4 - HKLM\..\Run: [Lexmark 6500 Series Fax Server] "C:\Program Files\Lexmark 6500 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\acrobat8pro\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autofix
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: Snsicon.lnk = C:\SLIDESHW\Snsicon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Append to existing PDF - res://D:\acrobat8pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\acrobat8pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\acrobat8pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\acrobat8pro\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\acrobat8pro\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\acrobat8pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\acrobat8pro\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\acrobat8pro\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2007\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2007\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2007\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210022131609
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--0ac8a2ed-27e6-4c7d-b84e-94fc4c446ae2/online/bejeweled_2/en/popcaploader_v10.cab
O20 - Winlogon Notify: wvUOiGWp - C:\WINDOWS\SYSTEM32\wvUOiGWp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxdfCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe
O23 - Service: lxdf_device - - C:\WINDOWS\system32\lxdfcoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 12738 bytes
ComboFix 08-07-17.4 - spudmasher 2008-07-19 11:12:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1465 [GMT -7:00]
Running from: C:\Documents and Settings\spudmasher\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\ampmrvvl.ini
C:\WINDOWS\system32\bncfbnov.dll
C:\WINDOWS\system32\bvbrjcel.dll
C:\WINDOWS\system32\cbXQjIAt.dll
C:\WINDOWS\system32\dflrws.dll
C:\WINDOWS\system32\exuianfd.ini
C:\WINDOWS\system32\gtsfyq.dll
C:\WINDOWS\system32\joogipdy.ini
C:\WINDOWS\system32\jupiflll.dll
C:\WINDOWS\system32\kthgdyai.dll
C:\WINDOWS\system32\lgcopgut.dll
C:\WINDOWS\system32\osnfxvxb.dll
C:\WINDOWS\system32\pybpiiel.dll
C:\WINDOWS\system32\ryypdrgf.dll
C:\WINDOWS\system32\shnwidhp.ini
C:\WINDOWS\system32\tAIjQXbc.ini
C:\WINDOWS\system32\tAIjQXbc.ini2
C:\WINDOWS\system32\tpijje.dll
C:\WINDOWS\system32\vonbfcnb.ini
C:\WINDOWS\system32\wvUOiGWp.dll
C:\WINDOWS\system32\ydpigooj.dll
----- BITS: Possible infected sites -----
hxxp://www.graboid.com
.
((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 )))))))))))))))))))))))))))))))
.
2008-07-19 10:38 . 2008-07-19 10:39 8,192 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-07-17 13:34 . 2008-07-17 13:34 <DIR> d-------- C:\Program Files\Common Files\DirectX
2008-07-17 12:32 . 2008-07-17 12:33 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-17 12:32 . 2008-07-17 12:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-17 12:23 . 2008-07-17 12:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-17 11:11 . 2008-07-17 11:11 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-17 11:10 . 2008-07-17 11:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-17 11:05 . 2008-07-17 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-17 03:45 . 2008-07-17 03:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-07-17 02:14 . 2008-07-17 02:14 <DIR> d-------- C:\Documents and Settings\spudmasher\Application Data\DivX
2008-07-16 20:04 . 2008-06-10 17:07 120,056 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2008-07-16 20:04 . 2008-06-10 17:07 118,520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2008-07-15 11:55 . 2008-07-15 11:55 <DIR> d-------- C:\Program Files\BillP Studios
2008-07-15 11:55 . 2008-07-15 11:55 <DIR> d-------- C:\Documents and Settings\spudmasher\Application Data\WinPatrol
2008-07-15 11:35 . 2008-07-15 11:35 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-15 11:35 . 2008-07-15 11:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-15 11:02 . 2008-07-18 11:15 110,437 --a------ C:\WINDOWS\BM93517ae6.xml
2008-07-14 15:15 . 2008-07-14 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-14 15:13 . 2008-07-14 15:15 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-14 13:48 . 2008-07-16 11:16 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-07-12 13:59 . 2008-07-12 14:12 274 --a------ C:\WINDOWS\SIERRA.INI
2008-07-12 08:38 . 2008-07-12 08:38 <DIR> d-------- C:\Documents and Settings\spudmasher\Application Data\Lexmark Productivity Studio
2008-07-11 12:10 . 2008-07-11 12:10 0 --a------ C:\CONFIG.112
2008-07-11 12:10 . 2008-07-11 12:10 0 --a------ C:\AUTOEXEC.112
2008-07-11 01:51 . 2008-07-11 01:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-07-10 19:05 . 2008-07-10 19:05 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-10 18:21 . 2008-07-10 18:22 <DIR> d-------- C:\Documents and Settings\spudmasher\Contacts
2008-07-10 18:19 . 2008-07-10 18:19 <DIR> d-------- C:\Program Files\MSN Messenger
2008-07-09 23:16 . 2008-07-09 23:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-07-09 13:31 . 2008-07-09 13:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-09 13:31 . 2008-07-09 13:31 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-09 12:06 . 2008-07-16 11:02 <DIR> d-------- C:\Program Files\Conduit
2008-07-08 22:02 . 2008-07-08 22:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2008-07-08 17:38 . 2008-07-08 17:38 <DIR> d-------- C:\Documents and Settings\spudmasher\Application Data\6500 Series
2008-06-30 11:40 . 2008-06-30 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Graboid Inc
2008-06-30 11:37 . 2008-06-30 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Launcher
2008-06-30 11:36 . 2008-06-30 11:38 <DIR> d-------- C:\Documents and Settings\spudmasher\Application Data\MozillaControl
2008-06-30 11:33 . 2008-07-17 14:36 <DIR> d-------- C:\Program Files\VideoLAN
2008-06-30 11:33 . 2008-06-30 11:33 <DIR> d-------- C:\Program Files\Graboid
2008-06-28 12:28 . 2008-07-01 19:48 <DIR> d-------- C:\Documents and Settings\All Users\Lx_cats
2008-06-28 12:25 . 2008-06-28 12:25 <DIR> d-------- C:\logs
2008-06-28 12:25 . 2007-05-03 20:50 348,160 --a------ C:\WINDOWS\system32\lxdfcoin.dll
2008-06-28 12:25 . 2006-08-01 06:53 40,960 --a------ C:\WINDOWS\system32\lxdfvs.dll
2008-06-28 12:23 . 2008-06-28 12:23 <DIR> d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-06-28 12:23 . 2008-06-28 12:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\6500 Series
2008-06-28 12:22 . 2007-05-28 03:03 503,808 --a------ C:\WINDOWS\system32\lxdfutil.dll
2008-06-28 12:22 . 2007-05-17 18:53 434,176 --a------ C:\WINDOWS\system32\lxdfhcp.dll
2008-06-28 12:22 . 2007-05-17 19:00 356,352 --a------ C:\WINDOWS\system32\lxdfinpa.dll
2008-06-28 12:22 . 2007-05-17 18:52 348,160 --a------ C:\WINDOWS\system32\lxdfinst.dll
2008-06-28 12:22 . 2007-05-17 18:52 339,968 --a------ C:\WINDOWS\system32\lxdfiesc.dll
2008-06-28 12:22 . 2007-01-22 10:53 60 --a------ C:\WINDOWS\system32\lxdfrwrd.ini
2008-06-28 12:21 . 2008-06-29 16:18 <DIR> d-------- C:\Program Files\Lexmark 6500 Series
2008-06-26 23:40 . 2008-06-26 23:40 <DIR> d-------- C:\Program Files\MySpace
2008-06-26 23:40 . 2008-06-26 23:40 <DIR> d-------- C:\Documents and Settings\spudmasher\Application Data\MySpace
2008-06-20 21:30 . 2008-06-20 21:30 <DIR> d--h----- C:\WINDOWS\PIF
2008-06-20 10:46 . 2008-06-20 10:46 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 10:46 . 2008-06-20 10:46 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 04:51 . 2008-06-20 04:51 361,600 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 04:40 . 2008-06-20 04:40 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 04:08 . 2008-06-20 04:08 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-19 00:57 . 2008-06-19 00:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Creative Home
2008-06-19 00:42 . 2008-06-19 00:42 <DIR> d-------- C:\Program Files\Common Files\Nova Development
2008-06-19 00:31 . 2008-06-21 23:10 <DIR> d-------- C:\Program Files\MagicISO
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 00:25 --------- d-----w C:\Documents and Settings\spudmasher\Application Data\OpenOffice.org2
2008-07-18 21:56 --------- d-----w C:\Documents and Settings\spudmasher\Application Data\Azureus
2008-07-18 21:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-17 23:32 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-07-17 21:34 --------- d-----w C:\Documents and Settings\spudmasher\Application Data\Move Networks
2008-07-17 09:02 --------- d-----w C:\Documents and Settings\spudmasher\Application Data\IGN_DLM
2008-07-17 03:05 --------- d-----w C:\Program Files\DivX
2008-07-15 18:35 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-15 03:21 --------- d-----w C:\Program Files\Java
2008-07-02 22:41 --------- d-----w C:\Program Files\Azureus
2008-06-25 18:18 --------- d-----w C:\Documents and Settings\spudmasher\Application Data\Roxio
2008-06-23 02:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 04:59 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-18 04:59 --------- d-----w C:\Program Files\MediaFACE II
2008-06-18 04:59 --------- d-----w C:\Program Files\ENLTV
2008-06-16 18:35 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 00:07 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-06-10 08:09 --------- d-----w C:\Program Files\Red Kawa
2008-06-08 05:28 --------- d-----w C:\Program Files\Active Images Express
2008-06-05 05:45 --------- d-----w C:\Program Files\Disney
2008-06-04 14:05 --------- d-----w C:\Program Files\Second Nature
2008-06-04 14:05 --------- d-----w C:\Documents and Settings\spudmasher\Application Data\Second Nature
2008-06-04 13:57 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-06-04 13:57 --------- d-----w C:\Program Files\AVSMedia
2008-06-03 02:59 --------- d-----w C:\Documents and Settings\spudmasher\Application Data\ImgBurn
2008-06-03 02:24 --------- d-----w C:\Program Files\ImgBurn
2008-05-29 22:43 --------- d-----w C:\Program Files\Dvd-cloner
2008-05-29 19:38 16,512 ----a-w C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-05-26 20:40 --------- d-----w C:\Program Files\Guild Wars
2008-05-25 01:19 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-05-23 17:05 --------- d-----w C:\Documents and Settings\spudmasher\Application Data\AVS4YOU
2008-05-23 17:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-05-23 04:14 --------- d-----w C:\Documents and Settings\spudmasher\Application Data\fltk.org
2008-05-22 18:31 --------- d-----w C:\Program Files\Real
2008-05-22 18:31 --------- d-----w C:\Program Files\Common Files\xing shared
2008-05-22 18:31 --------- d-----w C:\Program Files\Common Files\Real
2008-05-22 05:33 --------- d-----w C:\Documents and Settings\spudmasher\Application Data\Sony Corporation
2008-05-22 05:03 --------- d-----w C:\Program Files\Sony
2008-05-22 05:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Corporation
2008-05-22 05:02 --------- d-----w C:\Program Files\Common Files\Sony Shared
2008-05-20 16:33 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio
2008-05-14 18:59 82,774 ----a-w C:\WINDOWS\Uninstall Jade Empire.exe
2008-05-14 03:19 3,699,424 ----atw C:\WINDOWS\DXMB.tmp
2008-05-13 19:29 3,699,424 ----atw C:\WINDOWS\DXM1B.tmp
2008-05-13 16:57 3,699,424 ----atw C:\WINDOWS\DXM43C.tmp
2008-05-05 08:18 315,392 ----a-w C:\WINDOWS\HideWin.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 14:57 1103480]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 07:16 171464]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 13:43 472632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"TVTray"="C:\PROGRA~1\ENLTV\TVTray.exe" [2007-11-08 16:21 688128]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2006-08-14 14:52 137216]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 10:43 57344]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-11-21 21:47 1687552]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-11-22 09:34 163840]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-22 11:31 185896]
"lxdfmon.exe"="C:\Program Files\Lexmark 6500 Series\lxdfmon.exe" [2007-06-11 18:53 455600]
"lxdfamon"="C:\Program Files\Lexmark 6500 Series\lxdfamon.exe" [2007-06-01 13:06 20480]
"Lexmark 6500 Series Fax Server"="C:\Program Files\Lexmark 6500 Series\fm3032.exe" [2007-06-11 18:56 308144]
"Acrobat Assistant 8.0"="D:\acrobat8pro\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-26 22:38 316728]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 18:30 16855552 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 16:27 9117696]
C:\Documents and Settings\spudmasher\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 16:41:28 393216]
Snsicon.lnk - C:\SLIDESHW\Snsicon.exe [2008-06-04 07:08:11 69632]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-04-28 11:20:00 415072]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iyuv"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iyuv_32.dll
"vidc.yvu9"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\Iyvu9_32.dll
"vidc.uyvy"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yuy2"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yvyu"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"D:\\LOTRO\\lotroclient.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"D:\\Rohan\\rohanclient.exe"=
"D:\\Trillian\\trillian.exe"=
"G:\\Games\\Console\\NES\\NESTCL95.EXE"=
"C:\\WINDOWS\\system32\\lxdfcoms.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\lxdfmon.exe"=
"C:\\WINDOWS\\system32\\lxdfcfg.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfpswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdftime.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfjswx.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\TmNationsForever\\TmForever.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"D:\\nDoors\\Atlantica\\AtlanticaRun.exe"=
"C:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 16:20]
R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-15 23:23]
R1 BS_I2cIo;BS_I2cIo;C:\WINDOWS\system32\drivers\BS_I2cIo.sys [2006-12-11 21:02]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 16:16]
R2 lxdf_device;lxdf_device;C:\WINDOWS\system32\lxdfcoms.exe [2007-05-29 11:06]
R3 3xHybrid;Philips SAA713x PCI Card;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2007-06-15 08:59]
S2 lxdfCATSCustConnectService;lxdfCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe [2007-05-29 11:06]
S3 BS_Flash;BS_Flash;C:\Program Files\Tseries BIOS Update\Award\BS_Flash.sys [2007-08-16 10:09]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-LeechGet - (no file)
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-19 11:27:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************
.
Completion time: 2008-07-19 11:30:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-19 18:30:19
Pre-Run: 9,152,692,224 bytes free
Post-Run: 9,066,917,888 bytes free
275 --- E O F --- 2008-07-08 23:53:13