help w/ removal of virtumonde
ericv222
2008-08-18, 23:32
I've been trying to get rid of Virtumonde on my own for the past few days but have failed miserably. How can I get rid of it?
ericv222
2008-08-18, 23:34
Also, every time I restart I get a blue screen. Are these two problems related?
ericv222
2008-08-18, 23:40
I ran combofix.exe; it rebooted my computer and did a scan. This is the log:
ComboFix 08-08-17.05 - Eric 2008-08-18 15:17:47.1 - NTFSx86
Running from: C:\Documents and Settings\Eric\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Eric\Application Data\macromedia\Flash Player\#SharedObjects\URC2PZ5U\interclick.com
C:\Documents and Settings\Eric\Application Data\macromedia\Flash Player\#SharedObjects\URC2PZ5U\interclick.com\ud.sol
C:\Documents and Settings\Eric\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Eric\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Eric\Application Data\rhcgw5j0erej
C:\WINDOWS\BMe7defac8.txt
C:\WINDOWS\BMe7defac8.xml
C:\WINDOWS\mrofinu2000352.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ukwxgrqy.exe
C:\WINDOWS\system32\winzbb32.dll
----- BITS: Possible infected sites -----
http://updates.swarmcast.net
.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.
2008-08-18 15:11 . 2008-08-18 15:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-18 15:11 . 2008-08-18 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-14 15:42 . 2008-08-14 15:42 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-14 14:08 . 2008-08-14 14:08 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-14 10:09 . 2008-08-14 10:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 10:01 . 2008-08-14 10:01 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-14 10:01 . 2008-08-14 10:01 <DIR> d-------- C:\Program Files\AVG
2008-08-14 10:01 . 2008-08-14 10:22 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\AVGTOOLBAR
2008-08-14 10:01 . 2008-08-14 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-14 10:01 . 2008-08-14 10:01 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-14 10:01 . 2008-08-14 10:01 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-14 10:01 . 2008-08-14 10:01 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-08-14 10:01 . 2008-08-14 10:01 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-13 02:07 . 2008-08-13 08:56 <DIR> d-------- C:\VundoFix Backups
2008-08-13 01:18 . 2008-08-14 09:57 <DIR> d-------- C:\Program Files\ESET
2008-08-12 22:10 . 2008-08-13 03:18 261 --a------ C:\WINDOWS\wininit.ini
2008-08-12 20:37 . 2008-08-12 20:38 94,208 --a------ C:\WINDOWS\system32\11E.tmp
2008-08-12 20:37 . 2008-08-12 20:38 94,208 --a------ C:\WINDOWS\system32\11D.tmp
2008-08-12 20:37 . 2008-08-12 20:37 94,208 --a------ C:\WINDOWS\system32\11C.tmp
2008-08-12 20:37 . 2008-08-12 20:37 94,208 --a------ C:\WINDOWS\system32\11B.tmp
2008-08-11 14:58 . 2008-08-11 16:24 <DIR> d-------- C:\Program Files\Microsoft Games
2008-08-06 04:01 . 2008-08-06 04:01 <DIR> d-------- C:\Program Files\Real
2008-08-05 01:44 . 2004-08-03 18:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-05 01:43 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-05 01:42 . 2008-08-05 01:43 <DIR> d-------- C:\Program Files\Java
2008-08-05 01:41 . 2008-08-05 01:41 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-05 01:29 . 2008-08-06 04:45 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-08-05 01:29 . 2008-08-06 04:45 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-07-27 03:02 . 2008-07-27 03:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-27 03:01 . 2008-07-27 03:01 <DIR> d-------- C:\Program Files\Common Files\CyberLink
2008-07-27 03:00 . 2008-07-27 03:02 <DIR> d-------- C:\Program Files\CyberLink
2008-07-27 03:00 . 2008-07-27 02:59 29,480 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-07-25 18:06 . 2008-07-25 18:19 <DIR> d-------- C:\Program Files\Autobahn
2008-07-25 18:05 . 2008-07-25 18:40 <DIR> d-------- C:\Documents and Settings\Eric\.autobahn
2008-07-25 18:04 . 2008-07-25 18:06 <DIR> d-------- C:\Program Files\MLB TV Mosaic
2008-07-25 17:49 . 2008-07-25 17:49 <DIR> d-------- C:\Program Files\MSBuild
2008-07-25 17:48 . 2008-07-25 17:48 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-07-25 15:44 . 2008-07-25 15:44 <DIR> d-------- C:\Program Files\Common Files\Real
2008-07-25 03:36 . 2008-07-25 03:36 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-07-25 03:36 . 2008-07-25 03:36 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-07-24 20:29 . 2008-04-22 23:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-24 20:29 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-24 20:29 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-24 20:29 . 2008-04-22 23:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-24 20:29 . 2008-04-22 23:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-24 20:29 . 2008-04-22 23:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-24 20:29 . 2008-04-22 23:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-24 20:29 . 2008-04-22 23:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-24 20:29 . 2008-04-22 02:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-23 17:37 . 2008-07-23 17:37 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Research In Motion
2008-07-23 17:21 . 2008-07-24 03:09 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-23 17:21 . 2008-07-23 17:21 <DIR> d-------- C:\Program Files\Research In Motion
2008-07-23 17:21 . 2008-07-23 17:21 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2008-07-23 16:39 . 2008-07-23 16:39 256 --a------ C:\Documents and Settings\Eric\pool.bin
2008-07-23 12:45 . 2008-07-23 17:22 <DIR> d-------- C:\Program Files\Common Files\Pumatech Shared
2008-07-23 12:45 . 2008-07-23 17:21 54 --a------ C:\WINDOWS\system32\pumahlp.err
2008-07-23 12:04 . 2008-07-23 12:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-07-23 12:04 . 2008-07-23 12:04 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Roxio
2008-07-23 12:04 . 2008-07-23 12:29 256 --a------ C:\WINDOWS\system32\pool.bin
2008-07-23 11:50 . 2008-07-23 11:50 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 11:48 . 2008-07-23 11:48 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-07-23 11:48 . 2008-07-23 11:48 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-07-23 11:47 . 2008-07-23 11:47 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2008-07-23 11:47 . 2008-07-23 11:47 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2008-07-23 11:46 . 2008-07-23 11:46 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-07-23 10:16 . 2008-07-23 10:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-23 10:15 . 2008-07-23 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-07-23 10:11 . 2008-07-23 17:15 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-07-23 10:11 . 2008-07-23 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-07-23 10:08 . 2004-08-06 08:50 17,920 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-07-23 09:36 . 2008-07-23 09:38 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-23 07:49 . 2008-07-23 07:49 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-07-23 07:48 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-07-23 07:41 . 2008-08-05 01:58 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\DivX
2008-07-23 07:37 . 2008-07-25 01:32 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\DAEMON Tools Pro
2008-07-23 07:36 . 2008-07-23 07:36 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-07-23 07:36 . 2008-08-06 04:43 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-07-23 07:36 . 2008-07-25 01:40 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2008-07-23 07:36 . 2008-07-25 01:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-07-23 07:26 . 2008-08-05 01:05 <DIR> d-------- C:\Program Files\DivX
2008-07-23 07:26 . 2008-06-10 19:07 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-07-23 07:21 . 2008-07-23 07:21 <DIR> d-------- C:\Program Files\Red Kawa
2008-07-23 07:21 . 2008-07-23 07:21 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-07-23 07:19 . 2008-07-23 07:19 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-07-23 07:12 . 2008-08-06 04:54 <DIR> d-------- C:\Program Files\Rhapsody
2008-07-23 06:16 . 2008-07-23 06:19 <DIR> d-------- C:\Program Files\Essentials Codec Pack
2008-07-23 05:18 . 2008-07-23 08:16 <DIR> d-------- C:\Media
2008-07-23 05:18 . 2008-07-23 05:18 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-07-23 05:07 . 2008-07-23 05:07 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Media Player Classic
2008-07-23 04:53 . 2008-07-23 05:03 <DIR> d-------- C:\Program Files\SoundTaxi
2008-07-23 04:53 . 2007-10-09 17:04 513,152 --a------ C:\WINDOWS\system32\SndTDriverV32.sys
2008-07-23 04:53 . 2007-10-09 17:04 513,152 --a------ C:\WINDOWS\system32\drivers\SndTDriverV32.sys
2008-07-23 04:53 . 2007-10-09 12:42 184,320 --a------ C:\WINDOWS\system32\snmvtsvc.exe
2008-07-23 04:53 . 2007-10-09 12:52 9,472 --a------ C:\WINDOWS\system32\MovRVDrv32.dll
2008-07-23 04:53 . 2007-10-09 17:04 3,993 --a------ C:\WINDOWS\system32\SndTDriverV32.inf
2008-07-23 04:53 . 2007-10-09 12:52 2,688 --a------ C:\WINDOWS\system32\MovRVDrv32.sys
2008-07-23 04:53 . 2007-10-09 12:52 2,688 --a------ C:\WINDOWS\system32\drivers\MovRVDrv32.sys
2008-07-23 04:53 . 2007-10-09 17:04 2,584 --a------ C:\WINDOWS\system32\MovRVDrv32.inf
2008-07-23 04:35 . 2008-08-11 18:10 <DIR> d-------- C:\Program Files\Steam
2008-07-23 04:27 . 2008-07-23 06:48 <DIR> d-------- C:\Documents and Settings\Eric\Contacts
2008-07-23 04:24 . 2008-07-23 04:24 <DIR> d-------- C:\Program Files\uTorrent
2008-07-23 04:23 . 2008-08-13 01:27 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\uTorrent
2008-07-23 04:20 . 2008-07-23 04:49 <DIR> d-------- C:\Program Files\Windows Live
2008-07-23 04:20 . 2008-07-23 04:25 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-23 04:20 . 2008-07-23 04:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-23 04:10 . 2008-07-23 04:10 <DIR> d-------- C:\Program Files\Synaptics
2008-07-23 04:10 . 2004-05-20 13:52 184,768 --a------ C:\WINDOWS\system32\drivers\SynTP.sys
2008-07-23 04:10 . 2004-05-20 13:53 114,688 --a------ C:\WINDOWS\system32\SynCtrl.dll
2008-07-23 04:10 . 2004-05-20 13:54 90,112 --a------ C:\WINDOWS\system32\SynTPAPI.dll
2008-07-23 04:10 . 2004-05-20 13:59 77,824 --a------ C:\WINDOWS\system32\SynTPCoI.dll
2008-07-23 04:10 . 2004-05-20 13:53 77,824 --a------ C:\WINDOWS\system32\SynCOM.dll
2008-07-23 04:10 . 2004-05-20 13:57 66,048 --a------ C:\WINDOWS\system32\SynTPFcs.dll
2008-07-23 03:54 . 2008-07-23 03:54 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Apple Computer
2008-07-23 03:53 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\iTunes
2008-07-23 03:53 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\iPod
2008-07-23 03:53 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\Bonjour
2008-07-23 03:52 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\QuickTime
2008-07-23 03:52 . 2008-07-23 03:52 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-23 03:52 . 2008-07-23 03:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-23 03:51 . 2008-07-23 04:26 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-07-23 03:51 . 2008-07-23 03:51 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-07-23 03:51 . 2008-07-23 03:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-23 03:51 . 2008-07-10 09:35 32,000 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-23 02:02 . 2008-07-23 02:02 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-07-23 02:01 . 2008-07-25 13:51 <DIR> d--h----- C:\WINDOWS\$hf_mig$
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 09:45 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-27 08:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 07:59 505,128 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-07-27 07:59 353,576 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-07-23 15:11 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-23 00:35 --------- d-----w C:\Program Files\Intel
2008-07-22 23:31 --------- d-----w C:\Program Files\Broadcom
2008-07-22 23:09 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2008-01-15 09:17 277960]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-14 10:01 1172760]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 13:57 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 13:57 532480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-07 09:42 4891472]
"RemoteControl8"="C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 20:23 83240]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"PDVD8LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 11:36 50472]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-10 18:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-10 18:51 118784]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2008-06-27 16:50 91432]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2007-02-18 16:38 169984]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
autobahn.lnk - C:\Program Files\Autobahn\autobahn.exe [2008-07-09 14:26:28 708824]
MLB.TV NexDef Plug-in.lnk - C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe [2008-03-30 18:52:34 799496]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Autobahn\\mlb-nexdef-autobahn.exe"=
"C:\\Program Files\\MLB TV Mosaic\\Swarmcast\\mlb-nexdef-autobahn.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Steam\\steamapps\\flipmaster380\\counter-strike\\hl.exe"=
"C:\\Program Files\\Autobahn\\autobahn.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"C:\\Program Files\\Rhapsody\\rhapsody.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\AGE2_X1.EXE"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-08-14 10:01]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 09:35]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-14 10:01]
R1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 08:57]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};C:\Program Files\CyberLink\PowerDVD8\000.fcl [2008-06-27 16:50]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 09:37]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-14 10:01]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-14 10:01]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-14 10:01]
R3 MovRVDrv32;MovRVDrv32;C:\WINDOWS\system32\DRIVERS\MovRVDrv32.sys [2007-10-09 12:52]
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2004-08-06 08:50]
R3 SMBBATT;Microsoft Smart Battery Driver;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2004-08-03 18:07]
R3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2007-10-09 17:04]
S3 SoundMovieServer;SoundMovieServer;C:\WINDOWS\system32\snmvtsvc.exe [2007-10-09 12:42]
.
Contents of the 'Scheduled Tasks' folder
2008-08-12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -
BHO-{FE81757C-5AAE-4E1F-9385-BEE54DE2F55E} - C:\WINDOWS\system32\awttqqNH.dll
HKLM-Run-Media Codec Update Service - C:\Program Files\Essentials Codec Pack\update.exe
Notify-winzbb32 - winzbb32.dll
MSConfigStartUp-BMe7defac8 - C:\WINDOWS\system32\imnsxlgw.dll
MSConfigStartUp-e4edc954 - C:\WINDOWS\system32\pjtqpvdj.dll
MSConfigStartUp-lphclw5j0erej - C:\WINDOWS\system32\lphclw5j0erej.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\o2n18mc6.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - my.yahoo.com
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 15:28:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD8\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-18 15:36:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-18 20:36:07
Pre-Run: 9,399,832,576 bytes free
Post-Run: 9,348,005,888 bytes free
288 --- E O F --- 2008-08-07 08:01:36
ericv222
2008-08-18, 23:43
This is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:41 PM, on 8/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Autobahn\autobahn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://local.swarmcast.net:8001/proxy.pac
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: autobahn.lnk = C:\Program Files\Autobahn\autobahn.exe
O4 - Global Startup: MLB.TV NexDef Plug-in.lnk = C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe
--
End of file - 6799 bytes
ericv222
2008-08-18, 23:57
I ran ComboFix again, this time using the Recovery Console. I don't know if it changes anything, but hopefully it will be more helpful. Also, last time ComboFix ran while my other anti-virus/spyware/malware programs were running. I made sure to close/disable them this time.
New combofix log:
ComboFix 08-08-17.05 - Eric 2008-08-18 15:50:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.166 [GMT -5:00]
Running from: C:\Documents and Settings\Eric\Desktop\ComboFix.exe
Command switches used :: E:\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
----- BITS: Possible infected sites -----
http://updates.swarmcast.net
.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.
2008-08-18 15:11 . 2008-08-18 15:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-18 15:11 . 2008-08-18 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-14 15:42 . 2008-08-14 15:42 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-14 14:08 . 2008-08-14 14:08 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-14 10:09 . 2008-08-14 10:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 10:01 . 2008-08-14 10:01 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-14 10:01 . 2008-08-14 10:01 <DIR> d-------- C:\Program Files\AVG
2008-08-14 10:01 . 2008-08-14 10:22 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\AVGTOOLBAR
2008-08-14 10:01 . 2008-08-14 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-14 10:01 . 2008-08-14 10:01 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-14 10:01 . 2008-08-14 10:01 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-14 10:01 . 2008-08-14 10:01 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-08-14 10:01 . 2008-08-14 10:01 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-13 02:07 . 2008-08-13 08:56 <DIR> d-------- C:\VundoFix Backups
2008-08-13 01:18 . 2008-08-14 09:57 <DIR> d-------- C:\Program Files\ESET
2008-08-12 22:10 . 2008-08-13 03:18 261 --a------ C:\WINDOWS\wininit.ini
2008-08-12 20:37 . 2008-08-12 20:38 94,208 --a------ C:\WINDOWS\system32\11E.tmp
2008-08-12 20:37 . 2008-08-12 20:38 94,208 --a------ C:\WINDOWS\system32\11D.tmp
2008-08-12 20:37 . 2008-08-12 20:37 94,208 --a------ C:\WINDOWS\system32\11C.tmp
2008-08-12 20:37 . 2008-08-12 20:37 94,208 --a------ C:\WINDOWS\system32\11B.tmp
2008-08-11 14:58 . 2008-08-11 16:24 <DIR> d-------- C:\Program Files\Microsoft Games
2008-08-06 04:01 . 2008-08-06 04:01 <DIR> d-------- C:\Program Files\Real
2008-08-05 01:44 . 2004-08-03 18:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-05 01:43 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-05 01:42 . 2008-08-05 01:43 <DIR> d-------- C:\Program Files\Java
2008-08-05 01:41 . 2008-08-05 01:41 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-05 01:29 . 2008-08-06 04:45 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-08-05 01:29 . 2008-08-06 04:45 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-07-27 03:02 . 2008-07-27 03:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-27 03:01 . 2008-07-27 03:01 <DIR> d-------- C:\Program Files\Common Files\CyberLink
2008-07-27 03:00 . 2008-07-27 03:02 <DIR> d-------- C:\Program Files\CyberLink
2008-07-27 03:00 . 2008-07-27 02:59 29,480 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-07-25 18:06 . 2008-07-25 18:19 <DIR> d-------- C:\Program Files\Autobahn
2008-07-25 18:05 . 2008-07-25 18:40 <DIR> d-------- C:\Documents and Settings\Eric\.autobahn
2008-07-25 18:04 . 2008-07-25 18:06 <DIR> d-------- C:\Program Files\MLB TV Mosaic
2008-07-25 17:49 . 2008-07-25 17:49 <DIR> d-------- C:\Program Files\MSBuild
2008-07-25 17:48 . 2008-07-25 17:48 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-07-25 15:44 . 2008-07-25 15:44 <DIR> d-------- C:\Program Files\Common Files\Real
2008-07-25 03:36 . 2008-07-25 03:36 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-07-25 03:36 . 2008-07-25 03:36 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-07-24 20:29 . 2008-04-22 23:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-24 20:29 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-24 20:29 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-24 20:29 . 2008-04-22 23:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-24 20:29 . 2008-04-22 23:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-24 20:29 . 2008-04-22 23:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-24 20:29 . 2008-04-22 23:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-24 20:29 . 2008-04-22 23:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-24 20:29 . 2008-04-22 02:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-23 17:37 . 2008-07-23 17:37 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Research In Motion
2008-07-23 17:21 . 2008-07-24 03:09 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-23 17:21 . 2008-07-23 17:21 <DIR> d-------- C:\Program Files\Research In Motion
2008-07-23 17:21 . 2008-07-23 17:21 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2008-07-23 16:39 . 2008-07-23 16:39 256 --a------ C:\Documents and Settings\Eric\pool.bin
2008-07-23 12:45 . 2008-07-23 17:22 <DIR> d-------- C:\Program Files\Common Files\Pumatech Shared
2008-07-23 12:45 . 2008-07-23 17:21 54 --a------ C:\WINDOWS\system32\pumahlp.err
2008-07-23 12:04 . 2008-07-23 12:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-07-23 12:04 . 2008-07-23 12:04 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Roxio
2008-07-23 12:04 . 2008-07-23 12:29 256 --a------ C:\WINDOWS\system32\pool.bin
2008-07-23 11:50 . 2008-07-23 11:50 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 11:48 . 2008-07-23 11:48 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-07-23 11:48 . 2008-07-23 11:48 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-07-23 11:47 . 2008-07-23 11:47 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2008-07-23 11:47 . 2008-07-23 11:47 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2008-07-23 11:46 . 2008-07-23 11:46 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-07-23 10:16 . 2008-07-23 10:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-23 10:15 . 2008-07-23 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-07-23 10:11 . 2008-07-23 17:15 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-07-23 10:11 . 2008-07-23 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-07-23 10:08 . 2004-08-06 08:50 17,920 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-07-23 09:36 . 2008-07-23 09:38 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-23 07:49 . 2008-07-23 07:49 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-07-23 07:48 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-07-23 07:41 . 2008-08-05 01:58 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\DivX
2008-07-23 07:37 . 2008-07-25 01:32 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\DAEMON Tools Pro
2008-07-23 07:36 . 2008-07-23 07:36 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-07-23 07:36 . 2008-08-06 04:43 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-07-23 07:36 . 2008-07-25 01:40 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2008-07-23 07:36 . 2008-07-25 01:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-07-23 07:26 . 2008-08-05 01:05 <DIR> d-------- C:\Program Files\DivX
2008-07-23 07:26 . 2008-06-10 19:07 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-07-23 07:21 . 2008-07-23 07:21 <DIR> d-------- C:\Program Files\Red Kawa
2008-07-23 07:21 . 2008-07-23 07:21 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-07-23 07:19 . 2008-07-23 07:19 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-07-23 07:12 . 2008-08-06 04:54 <DIR> d-------- C:\Program Files\Rhapsody
2008-07-23 06:16 . 2008-07-23 06:19 <DIR> d-------- C:\Program Files\Essentials Codec Pack
2008-07-23 05:18 . 2008-07-23 08:16 <DIR> d-------- C:\Media
2008-07-23 05:18 . 2008-07-23 05:18 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-07-23 05:07 . 2008-07-23 05:07 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Media Player Classic
2008-07-23 04:53 . 2008-07-23 05:03 <DIR> d-------- C:\Program Files\SoundTaxi
2008-07-23 04:53 . 2007-10-09 17:04 513,152 --a------ C:\WINDOWS\system32\SndTDriverV32.sys
2008-07-23 04:53 . 2007-10-09 17:04 513,152 --a------ C:\WINDOWS\system32\drivers\SndTDriverV32.sys
2008-07-23 04:53 . 2007-10-09 12:42 184,320 --a------ C:\WINDOWS\system32\snmvtsvc.exe
2008-07-23 04:53 . 2007-10-09 12:52 9,472 --a------ C:\WINDOWS\system32\MovRVDrv32.dll
2008-07-23 04:53 . 2007-10-09 17:04 3,993 --a------ C:\WINDOWS\system32\SndTDriverV32.inf
2008-07-23 04:53 . 2007-10-09 12:52 2,688 --a------ C:\WINDOWS\system32\MovRVDrv32.sys
2008-07-23 04:53 . 2007-10-09 12:52 2,688 --a------ C:\WINDOWS\system32\drivers\MovRVDrv32.sys
2008-07-23 04:53 . 2007-10-09 17:04 2,584 --a------ C:\WINDOWS\system32\MovRVDrv32.inf
2008-07-23 04:35 . 2008-08-11 18:10 <DIR> d-------- C:\Program Files\Steam
2008-07-23 04:27 . 2008-07-23 06:48 <DIR> d-------- C:\Documents and Settings\Eric\Contacts
2008-07-23 04:24 . 2008-07-23 04:24 <DIR> d-------- C:\Program Files\uTorrent
2008-07-23 04:23 . 2008-08-13 01:27 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\uTorrent
2008-07-23 04:20 . 2008-07-23 04:49 <DIR> d-------- C:\Program Files\Windows Live
2008-07-23 04:20 . 2008-07-23 04:25 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-23 04:20 . 2008-07-23 04:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-23 04:10 . 2008-07-23 04:10 <DIR> d-------- C:\Program Files\Synaptics
2008-07-23 04:10 . 2004-05-20 13:52 184,768 --a------ C:\WINDOWS\system32\drivers\SynTP.sys
2008-07-23 04:10 . 2004-05-20 13:53 114,688 --a------ C:\WINDOWS\system32\SynCtrl.dll
2008-07-23 04:10 . 2004-05-20 13:54 90,112 --a------ C:\WINDOWS\system32\SynTPAPI.dll
2008-07-23 04:10 . 2004-05-20 13:59 77,824 --a------ C:\WINDOWS\system32\SynTPCoI.dll
2008-07-23 04:10 . 2004-05-20 13:53 77,824 --a------ C:\WINDOWS\system32\SynCOM.dll
2008-07-23 04:10 . 2004-05-20 13:57 66,048 --a------ C:\WINDOWS\system32\SynTPFcs.dll
2008-07-23 03:54 . 2008-07-23 03:54 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Apple Computer
2008-07-23 03:53 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\iTunes
2008-07-23 03:53 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\iPod
2008-07-23 03:53 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\Bonjour
2008-07-23 03:52 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\QuickTime
2008-07-23 03:52 . 2008-07-23 03:52 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-23 03:52 . 2008-07-23 03:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-23 03:51 . 2008-07-23 04:26 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-07-23 03:51 . 2008-07-23 03:51 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-07-23 03:51 . 2008-07-23 03:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-23 03:51 . 2008-07-10 09:35 32,000 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-23 02:02 . 2008-07-23 02:02 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-07-23 02:01 . 2008-07-25 13:51 <DIR> d--h----- C:\WINDOWS\$hf_mig$
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 09:45 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-27 08:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 07:59 505,128 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-07-27 07:59 353,576 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-07-23 15:11 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-23 00:35 --------- d-----w C:\Program Files\Intel
2008-07-22 23:31 --------- d-----w C:\Program Files\Broadcom
2008-07-22 23:09 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2008-01-15 09:17 277960]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-14 10:01 1172760]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 13:57 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 13:57 532480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-07 09:42 4891472]
"RemoteControl8"="C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 20:23 83240]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"PDVD8LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 11:36 50472]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-10 18:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-10 18:51 118784]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2008-06-27 16:50 91432]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2007-02-18 16:38 169984]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
autobahn.lnk - C:\Program Files\Autobahn\autobahn.exe [2008-07-09 14:26:28 708824]
MLB.TV NexDef Plug-in.lnk - C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe [2008-03-30 18:52:34 799496]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Autobahn\\mlb-nexdef-autobahn.exe"=
"C:\\Program Files\\MLB TV Mosaic\\Swarmcast\\mlb-nexdef-autobahn.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Steam\\steamapps\\flipmaster380\\counter-strike\\hl.exe"=
"C:\\Program Files\\Autobahn\\autobahn.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"C:\\Program Files\\Rhapsody\\rhapsody.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\AGE2_X1.EXE"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-08-14 10:01]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 09:35]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-14 10:01]
R1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 08:57]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};C:\Program Files\CyberLink\PowerDVD8\000.fcl [2008-06-27 16:50]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 09:37]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-14 10:01]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-14 10:01]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-14 10:01]
R3 MovRVDrv32;MovRVDrv32;C:\WINDOWS\system32\DRIVERS\MovRVDrv32.sys [2007-10-09 12:52]
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2004-08-06 08:50]
R3 SMBBATT;Microsoft Smart Battery Driver;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2004-08-03 18:07]
R3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2007-10-09 17:04]
S3 SoundMovieServer;SoundMovieServer;C:\WINDOWS\system32\snmvtsvc.exe [2007-10-09 12:42]
.
Contents of the 'Scheduled Tasks' folder
2008-08-12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\o2n18mc6.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - my.yahoo.com
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 15:53:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD8\000.fcl"
.
Completion time: 2008-08-18 15:55:24
ComboFix-quarantined-files.txt 2008-08-18 20:55:21
ComboFix2.txt 2008-08-18 20:36:28
Pre-Run: 9,330,868,224 bytes free
Post-Run: 9,306,189,824 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
263 --- E O F --- 2008-08-07 08:01:36
ericv222
2008-08-19, 21:56
Combofix Log:
ComboFix 08-08-17.05 - Eric 2008-08-18 15:50:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.166 [GMT -5:00]
Running from: C:\Documents and Settings\Eric\Desktop\ComboFix.exe
Command switches used :: E:\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
----- BITS: Possible infected sites -----
http://updates.swarmcast.net
.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.
2008-08-18 15:11 . 2008-08-18 15:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-18 15:11 . 2008-08-18 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-14 15:42 . 2008-08-14 15:42 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-14 14:08 . 2008-08-14 14:08 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-14 10:09 . 2008-08-14 10:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 10:01 . 2008-08-14 10:01 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-14 10:01 . 2008-08-14 10:01 <DIR> d-------- C:\Program Files\AVG
2008-08-14 10:01 . 2008-08-14 10:22 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\AVGTOOLBAR
2008-08-14 10:01 . 2008-08-14 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-14 10:01 . 2008-08-14 10:01 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-14 10:01 . 2008-08-14 10:01 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-14 10:01 . 2008-08-14 10:01 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-08-14 10:01 . 2008-08-14 10:01 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-13 02:07 . 2008-08-13 08:56 <DIR> d-------- C:\VundoFix Backups
2008-08-13 01:18 . 2008-08-14 09:57 <DIR> d-------- C:\Program Files\ESET
2008-08-12 22:10 . 2008-08-13 03:18 261 --a------ C:\WINDOWS\wininit.ini
2008-08-12 20:37 . 2008-08-12 20:38 94,208 --a------ C:\WINDOWS\system32\11E.tmp
2008-08-12 20:37 . 2008-08-12 20:38 94,208 --a------ C:\WINDOWS\system32\11D.tmp
2008-08-12 20:37 . 2008-08-12 20:37 94,208 --a------ C:\WINDOWS\system32\11C.tmp
2008-08-12 20:37 . 2008-08-12 20:37 94,208 --a------ C:\WINDOWS\system32\11B.tmp
2008-08-11 14:58 . 2008-08-11 16:24 <DIR> d-------- C:\Program Files\Microsoft Games
2008-08-06 04:01 . 2008-08-06 04:01 <DIR> d-------- C:\Program Files\Real
2008-08-05 01:44 . 2004-08-03 18:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-05 01:43 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-05 01:42 . 2008-08-05 01:43 <DIR> d-------- C:\Program Files\Java
2008-08-05 01:41 . 2008-08-05 01:41 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-05 01:29 . 2008-08-06 04:45 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-08-05 01:29 . 2008-08-06 04:45 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-07-27 03:02 . 2008-07-27 03:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-27 03:01 . 2008-07-27 03:01 <DIR> d-------- C:\Program Files\Common Files\CyberLink
2008-07-27 03:00 . 2008-07-27 03:02 <DIR> d-------- C:\Program Files\CyberLink
2008-07-27 03:00 . 2008-07-27 02:59 29,480 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-07-25 18:06 . 2008-07-25 18:19 <DIR> d-------- C:\Program Files\Autobahn
2008-07-25 18:05 . 2008-07-25 18:40 <DIR> d-------- C:\Documents and Settings\Eric\.autobahn
2008-07-25 18:04 . 2008-07-25 18:06 <DIR> d-------- C:\Program Files\MLB TV Mosaic
2008-07-25 17:49 . 2008-07-25 17:49 <DIR> d-------- C:\Program Files\MSBuild
2008-07-25 17:48 . 2008-07-25 17:48 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-07-25 15:44 . 2008-07-25 15:44 <DIR> d-------- C:\Program Files\Common Files\Real
2008-07-25 03:36 . 2008-07-25 03:36 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-07-25 03:36 . 2008-07-25 03:36 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-07-24 20:29 . 2008-04-22 23:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-24 20:29 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-24 20:29 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-24 20:29 . 2008-04-22 23:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-24 20:29 . 2008-04-22 23:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-24 20:29 . 2008-04-22 23:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-24 20:29 . 2008-04-22 23:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-24 20:29 . 2008-04-22 23:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-24 20:29 . 2008-04-22 02:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-23 17:37 . 2008-07-23 17:37 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Research In Motion
2008-07-23 17:21 . 2008-07-24 03:09 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-23 17:21 . 2008-07-23 17:21 <DIR> d-------- C:\Program Files\Research In Motion
2008-07-23 17:21 . 2008-07-23 17:21 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2008-07-23 16:39 . 2008-07-23 16:39 256 --a------ C:\Documents and Settings\Eric\pool.bin
2008-07-23 12:45 . 2008-07-23 17:22 <DIR> d-------- C:\Program Files\Common Files\Pumatech Shared
2008-07-23 12:45 . 2008-07-23 17:21 54 --a------ C:\WINDOWS\system32\pumahlp.err
2008-07-23 12:04 . 2008-07-23 12:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-07-23 12:04 . 2008-07-23 12:04 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Roxio
2008-07-23 12:04 . 2008-07-23 12:29 256 --a------ C:\WINDOWS\system32\pool.bin
2008-07-23 11:50 . 2008-07-23 11:50 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 11:48 . 2008-07-23 11:48 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-07-23 11:48 . 2008-07-23 11:48 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-07-23 11:47 . 2008-07-23 11:47 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2008-07-23 11:47 . 2008-07-23 11:47 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2008-07-23 11:46 . 2008-07-23 11:46 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-07-23 10:16 . 2008-07-23 10:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-23 10:15 . 2008-07-23 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-07-23 10:11 . 2008-07-23 17:15 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-07-23 10:11 . 2008-07-23 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-07-23 10:08 . 2004-08-06 08:50 17,920 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-07-23 09:36 . 2008-07-23 09:38 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-23 07:49 . 2008-07-23 07:49 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-07-23 07:48 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-07-23 07:41 . 2008-08-05 01:58 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\DivX
2008-07-23 07:37 . 2008-07-25 01:32 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\DAEMON Tools Pro
2008-07-23 07:36 . 2008-07-23 07:36 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-07-23 07:36 . 2008-08-06 04:43 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-07-23 07:36 . 2008-07-25 01:40 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2008-07-23 07:36 . 2008-07-25 01:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-07-23 07:26 . 2008-08-05 01:05 <DIR> d-------- C:\Program Files\DivX
2008-07-23 07:26 . 2008-06-10 19:07 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-07-23 07:21 . 2008-07-23 07:21 <DIR> d-------- C:\Program Files\Red Kawa
2008-07-23 07:21 . 2008-07-23 07:21 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-07-23 07:19 . 2008-07-23 07:19 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-07-23 07:12 . 2008-08-06 04:54 <DIR> d-------- C:\Program Files\Rhapsody
2008-07-23 06:16 . 2008-07-23 06:19 <DIR> d-------- C:\Program Files\Essentials Codec Pack
2008-07-23 05:18 . 2008-07-23 08:16 <DIR> d-------- C:\Media
2008-07-23 05:18 . 2008-07-23 05:18 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-07-23 05:07 . 2008-07-23 05:07 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Media Player Classic
2008-07-23 04:53 . 2008-07-23 05:03 <DIR> d-------- C:\Program Files\SoundTaxi
2008-07-23 04:53 . 2007-10-09 17:04 513,152 --a------ C:\WINDOWS\system32\SndTDriverV32.sys
2008-07-23 04:53 . 2007-10-09 17:04 513,152 --a------ C:\WINDOWS\system32\drivers\SndTDriverV32.sys
2008-07-23 04:53 . 2007-10-09 12:42 184,320 --a------ C:\WINDOWS\system32\snmvtsvc.exe
2008-07-23 04:53 . 2007-10-09 12:52 9,472 --a------ C:\WINDOWS\system32\MovRVDrv32.dll
2008-07-23 04:53 . 2007-10-09 17:04 3,993 --a------ C:\WINDOWS\system32\SndTDriverV32.inf
2008-07-23 04:53 . 2007-10-09 12:52 2,688 --a------ C:\WINDOWS\system32\MovRVDrv32.sys
2008-07-23 04:53 . 2007-10-09 12:52 2,688 --a------ C:\WINDOWS\system32\drivers\MovRVDrv32.sys
2008-07-23 04:53 . 2007-10-09 17:04 2,584 --a------ C:\WINDOWS\system32\MovRVDrv32.inf
2008-07-23 04:35 . 2008-08-11 18:10 <DIR> d-------- C:\Program Files\Steam
2008-07-23 04:27 . 2008-07-23 06:48 <DIR> d-------- C:\Documents and Settings\Eric\Contacts
2008-07-23 04:24 . 2008-07-23 04:24 <DIR> d-------- C:\Program Files\uTorrent
2008-07-23 04:23 . 2008-08-13 01:27 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\uTorrent
2008-07-23 04:20 . 2008-07-23 04:49 <DIR> d-------- C:\Program Files\Windows Live
2008-07-23 04:20 . 2008-07-23 04:25 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-23 04:20 . 2008-07-23 04:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-23 04:10 . 2008-07-23 04:10 <DIR> d-------- C:\Program Files\Synaptics
2008-07-23 04:10 . 2004-05-20 13:52 184,768 --a------ C:\WINDOWS\system32\drivers\SynTP.sys
2008-07-23 04:10 . 2004-05-20 13:53 114,688 --a------ C:\WINDOWS\system32\SynCtrl.dll
2008-07-23 04:10 . 2004-05-20 13:54 90,112 --a------ C:\WINDOWS\system32\SynTPAPI.dll
2008-07-23 04:10 . 2004-05-20 13:59 77,824 --a------ C:\WINDOWS\system32\SynTPCoI.dll
2008-07-23 04:10 . 2004-05-20 13:53 77,824 --a------ C:\WINDOWS\system32\SynCOM.dll
2008-07-23 04:10 . 2004-05-20 13:57 66,048 --a------ C:\WINDOWS\system32\SynTPFcs.dll
2008-07-23 03:54 . 2008-07-23 03:54 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Apple Computer
2008-07-23 03:53 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\iTunes
2008-07-23 03:53 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\iPod
2008-07-23 03:53 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\Bonjour
2008-07-23 03:52 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\QuickTime
2008-07-23 03:52 . 2008-07-23 03:52 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-23 03:52 . 2008-07-23 03:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-23 03:51 . 2008-07-23 04:26 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-07-23 03:51 . 2008-07-23 03:51 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-07-23 03:51 . 2008-07-23 03:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-23 03:51 . 2008-07-10 09:35 32,000 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-23 02:02 . 2008-07-23 02:02 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-07-23 02:01 . 2008-07-25 13:51 <DIR> d--h----- C:\WINDOWS\$hf_mig$
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 09:45 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-27 08:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 07:59 505,128 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-07-27 07:59 353,576 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-07-23 15:11 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-23 00:35 --------- d-----w C:\Program Files\Intel
2008-07-22 23:31 --------- d-----w C:\Program Files\Broadcom
2008-07-22 23:09 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2008-01-15 09:17 277960]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-14 10:01 1172760]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 13:57 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 13:57 532480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-07 09:42 4891472]
"RemoteControl8"="C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 20:23 83240]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"PDVD8LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 11:36 50472]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-10 18:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-10 18:51 118784]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2008-06-27 16:50 91432]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2007-02-18 16:38 169984]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
autobahn.lnk - C:\Program Files\Autobahn\autobahn.exe [2008-07-09 14:26:28 708824]
MLB.TV NexDef Plug-in.lnk - C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe [2008-03-30 18:52:34 799496]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Autobahn\\mlb-nexdef-autobahn.exe"=
"C:\\Program Files\\MLB TV Mosaic\\Swarmcast\\mlb-nexdef-autobahn.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Steam\\steamapps\\flipmaster380\\counter-strike\\hl.exe"=
"C:\\Program Files\\Autobahn\\autobahn.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"C:\\Program Files\\Rhapsody\\rhapsody.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\AGE2_X1.EXE"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-08-14 10:01]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 09:35]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-14 10:01]
R1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 08:57]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};C:\Program Files\CyberLink\PowerDVD8\000.fcl [2008-06-27 16:50]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 09:37]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-14 10:01]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-14 10:01]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-14 10:01]
R3 MovRVDrv32;MovRVDrv32;C:\WINDOWS\system32\DRIVERS\MovRVDrv32.sys [2007-10-09 12:52]
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2004-08-06 08:50]
R3 SMBBATT;Microsoft Smart Battery Driver;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2004-08-03 18:07]
R3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2007-10-09 17:04]
S3 SoundMovieServer;SoundMovieServer;C:\WINDOWS\system32\snmvtsvc.exe [2007-10-09 12:42]
.
Contents of the 'Scheduled Tasks' folder
2008-08-12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\o2n18mc6.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - my.yahoo.com
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 15:53:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD8\000.fcl"
.
Completion time: 2008-08-18 15:55:24
ComboFix-quarantined-files.txt 2008-08-18 20:55:21
ComboFix2.txt 2008-08-18 20:36:28
Pre-Run: 9,330,868,224 bytes free
Post-Run: 9,306,189,824 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
263 --- E O F --- 2008-08-07 08:01:36
ericv222
2008-08-19, 22:27
Hijackthis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:20 PM, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Autobahn\autobahn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://local.swarmcast.net:8001/proxy.pac
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {FE81757C-5AAE-4E1F-9385-BEE54DE2F55E} - (no file)
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: autobahn.lnk = C:\Program Files\Autobahn\autobahn.exe
O4 - Global Startup: MLB.TV NexDef Plug-in.lnk = C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: winzbb32 - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe
--
End of file - 7152 bytes
Hello ericv222,
Apparently you have missed this forum's sticky topics, :eek: no new topics for the same computer: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) and Do NOT run 'fixes' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806).
Also see: P2P (http://forums.spybot.info/showpost.php?p=218503&postcount=4)
You might try starting again with a new topic providing only one log, the HJT one.
If you take that route please provide a link back to this thread so that helpers are aware you have run ComboFix.
Best regards.
ericv222
2008-08-20, 03:35
You want me to start a new topic? And only include the HJT log?
You might try starting again with a new topic providing only one log, the HJT one.
If you take that route please provide a link back to this thread so that helpers are aware you have run ComboFix.
Helpers look for topics without a response, that means one post. ;)