stebow
2008-10-16, 08:45
Hi, Virtumonde has got me again. I was wondering if you guys could take a look at it for me?
I have prepared HJT and ComboFix logs...
ComboFix 08-10-15.05 - Stebow 2008-10-16 6:31:17.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1008 [GMT 1:00]
Running from: C:\Documents and Settings\Stebow\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Stebow\Application Data\Adobe\crc.dat
C:\Documents and Settings\Stebow\Application Data\Adobe\Player.exe
C:\WINDOWS\560.exe
C:\WINDOWS\system32\drpibdfe.dll
C:\WINDOWS\system32\efdbiprd.ini
C:\WINDOWS\system32\fccdcdCr.dll
C:\WINDOWS\system32\rCdcdccf.ini
C:\WINDOWS\system32\rCdcdccf.ini2
C:\WINDOWS\vmreg32.dll
----- BITS: Possible infected sites -----
hxxp://62.176.16.10
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService
((((((((((((((((((((((((( Files Created from 2008-09-16 to 2008-10-16 )))))))))))))))))))))))))))))))
.
2008-10-16 06:36 . 2008-10-16 06:36 267,776 --a------ C:\WINDOWS\system32\ljJDWoMD.dll
2008-10-16 06:36 . 2008-10-16 06:36 345 --ahs---- C:\WINDOWS\system32\DMoWDJjl.ini2
2008-10-16 06:36 . 2008-10-16 06:38 345 --ahs---- C:\WINDOWS\system32\DMoWDJjl.ini
2008-10-16 03:49 . 2008-10-16 03:57 <DIR> d-------- C:\Program Files\uTorrent Ultra Accelerator
2008-10-16 03:25 . 2008-10-16 03:25 40,448 --a------ C:\WINDOWS\system32\opnnmjiH.dll
2008-10-16 03:25 . 2008-10-16 03:25 40,448 --a------ C:\WINDOWS\system32\cbXPgfcd.dll
2008-10-15 05:26 . 2008-08-14 11:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 05:26 . 2008-08-14 11:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 05:26 . 2008-08-14 10:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 05:26 . 2008-08-14 10:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 05:26 . 2008-09-15 13:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 05:26 . 2008-09-08 11:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-09 01:47 . 2008-10-09 01:47 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-10-05 00:44 . 2008-10-05 00:44 <DIR> d-------- C:\Program Files\RapidTyping
2008-10-05 00:44 . 2008-10-15 09:53 <DIR> d-------- C:\Documents and Settings\Stebow\Application Data\RapidTyping
2008-10-02 03:32 . 2008-10-02 03:32 <DIR> d-------- C:\Program Files\Uniblue
2008-10-02 03:32 . 2008-10-02 03:32 <DIR> d-------- C:\Documents and Settings\Stebow\Application Data\Uniblue
2008-10-02 03:32 . 2008-10-08 12:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DriverScanner
2008-10-02 03:15 . 2008-10-02 03:32 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\{5A76C6B3-3FA8-46D0-AA81-62C3805E38BC}
2008-09-18 03:10 . 2008-09-18 03:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-09-16 05:04 . 2008-09-18 03:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SymplisIT
2008-09-16 04:39 . 2008-09-16 04:39 <DIR> d-------- C:\Program Files\AusLogics Disk Defrag
2008-09-16 04:35 . 2008-09-16 04:35 <DIR> d-------- C:\Program Files\Internet Cell Boost
2008-09-16 04:19 . 2008-09-16 04:20 <DIR> d-------- C:\Program Files\Advanced System Optimizer
2008-09-16 03:38 . 2008-09-16 03:38 <DIR> d-------- C:\Program Files\SymplisIT
2008-09-16 03:37 . 2008-09-16 03:37 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-09-16 02:15 . 2008-09-16 02:15 <DIR> d--hs---- C:\Documents and Settings\Stebow\PrivacIE
2008-09-16 02:08 . 2008-09-16 02:09 <DIR> d--h-c--- C:\WINDOWS\ie8
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-16 05:36 163,712 ----a-w C:\WINDOWS\system32\drivers\vidstub.sys
2008-10-16 05:36 --------- d-----w C:\Documents and Settings\Stebow\Application Data\uTorrent
2008-10-16 04:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-16 03:07 --------- d-----w C:\Documents and Settings\Stebow\Application Data\Vso
2008-10-15 04:14 --------- d-----w C:\Documents and Settings\Stebow\Application Data\Image Zone Express
2008-10-15 03:53 --------- d-----w C:\Program Files\HP
2008-10-15 02:14 --------- d-----w C:\Program Files\Xfire
2008-10-14 04:01 --------- d-----w C:\Documents and Settings\Stebow\Application Data\Xfire
2008-10-14 00:55 138,280 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-10-14 00:54 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-10-07 23:50 --------- d-----w C:\Program Files\Windows Live
2008-10-07 23:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-10-03 13:59 --------- d-----w C:\Documents and Settings\Stebow\Application Data\Skype
2008-10-03 13:57 --------- d-----w C:\Documents and Settings\Stebow\Application Data\skypePM
2008-10-02 01:44 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-01 14:00 --------- d-----w C:\Documents and Settings\Stebow\Application Data\Nokia
2008-10-01 13:36 --------- d-----w C:\Program Files\Nokia
2008-10-01 13:36 --------- d-----w C:\Program Files\Common Files\Nokia
2008-10-01 13:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-09-18 03:51 --------- d-----w C:\Program Files\PCPitstop
2008-09-18 01:17 --------- d-----w C:\Program Files\Yahoo!
2008-09-18 01:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-09-16 03:23 --------- d-----w C:\Documents and Settings\Stebow\Application Data\Systweak
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-14 21:45 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-09-14 15:51 410,976 ----a-w C:\WINDOWS\system32\deploytk.dll
2008-09-14 15:51 --------- d-----w C:\Program Files\Java
2008-09-11 23:34 --------- d-----w C:\Program Files\Wolfenstein - Enemy Territory
2008-09-09 12:43 319,488 ----a-w C:\WINDOWS\HideWin.exe
2008-09-08 23:54 --------- d-----w C:\Program Files\Systweak
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-09-05 12:50 --------- d-----w C:\Documents and Settings\Stebow\Application Data\dvdcss
2008-09-05 09:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-09-04 10:28 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-04 10:19 --------- d-----w C:\Documents and Settings\Stebow\Application Data\ArcSoft
2008-09-04 10:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-04 10:09 --------- d-----w C:\Documents and Settings\Stebow\Application Data\InstallShield
2008-09-04 10:08 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-09-04 10:08 --------- d-----w C:\Program Files\ArcSoft
2008-09-04 10:06 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-02 10:29 496,669 ----a-w C:\WINDOWS\system32\systemrestore32.exe
2008-09-02 10:01 10,240 ----a-w C:\WINDOWS\load.exe
2008-08-28 03:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nokia
2008-08-28 00:50 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-08-28 00:49 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-08-27 16:22 4,754,432 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-08-26 12:51 16,851,456 ----a-w C:\WINDOWS\RTHDCPL.EXE
2008-08-22 02:08 878,592 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-22 02:08 43,008 ----a-w C:\WINDOWS\system32\licmgr10.dll
2008-08-22 02:07 18,944 ----a-w C:\WINDOWS\system32\corpol.dll
2008-08-22 02:06 72,704 ----a-w C:\WINDOWS\system32\admparse.dll
2008-08-22 02:06 71,680 ----a-w C:\WINDOWS\system32\iesetup.dll
2008-08-22 02:06 434,176 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-08-22 02:05 48,640 ----a-w C:\WINDOWS\system32\PrivacIE.dll
2008-08-22 02:05 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2008-08-22 02:05 35,840 ----a-w C:\WINDOWS\system32\imgutil.dll
2008-08-22 02:04 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2008-08-22 01:57 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2008-08-19 23:37 --------- d-----w C:\Program Files\a-squared Free
2008-08-19 17:00 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-19 12:26 77,824 ----a-w C:\WINDOWS\SOUNDMAN.EXE
2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-08-06 14:51 1,200,128 ----a-w C:\WINDOWS\RtlUpd.exe
2008-08-05 16:55 265,720 ----a-w C:\WINDOWS\system32\msdbg2.dll
2008-07-29 14:42 528,384 ----a-w C:\WINDOWS\RtlExUpd.dll
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 21:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-06-06 01:58 47,360 ----a-w C:\Documents and Settings\Stebow\Application Data\pcouffin.sys
2008-05-15 18:08 1,008,362,079 ----a-w C:\Program Files\Wolfenstein - Enemy Territory.rar
2008-07-04 05:53 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070420080705\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a1104608-24ed-4e9b-926a-845aa46828f4}]
2008-10-16 06:38 109056 --a------ C:\WINDOWS\system32\trrqvj.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCE97A72-640B-4DED-923F-8196FC01F76B}]
2008-10-16 03:25 40448 --a------ C:\WINDOWS\system32\cbXPgfcd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC060B90-5F5B-42CB-A479-49D4FD7CADEB}]
2008-10-16 06:36 267776 --a------ C:\WINDOWS\system32\ljJDWoMD.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-10-08 270128]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"uTorrent Ultra Accelerator"="C:\Program Files\uTorrent Ultra Accelerator\uTorrent Ultra Accelerator.exe" [2008-09-15 414208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 270336]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
C:\Documents and Settings\Stebow\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2008-04-30 3450608]
uTorrent Ultra Accelerator.lnk - C:\Program Files\uTorrent Ultra Accelerator\uTorrent Ultra Accelerator.exe [2008-09-15 414208]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{BCE97A72-640B-4DED-923F-8196FC01F76B}"= "C:\WINDOWS\system32\cbXPgfcd.dll" [2008-10-16 40448]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXPgfcd]
2008-10-16 03:25 40448 C:\WINDOWS\system32\cbXPgfcd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ljJDWoMD
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk.disabled]
backup=C:\WINDOWS\pss\Windows Search.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Stebow^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVO Ram Optimizer]
--a------ 2008-09-05 17:31 158448 c:\Program Files\Systweak\Advanced Vista Optimizer 2008\AVO.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 05:42 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
--a------ 2007-02-26 01:01 437160 c:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2008-02-15 12:46 159744 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2008-02-28 17:07 1828136 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2008-02-18 16:29 2221352 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2008-02-15 12:46 131072 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-04-23 17:45 22058792 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-09-14 16:52 144792 C:\Program Files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2008-06-19 16:20 57344 C:\WINDOWS\ALCMTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2008-08-26 13:51 16851456 C:\WINDOWS\RTHDCPL.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=2 (0x2)
"SupportSoft RemoteAssist"=3 (0x3)
"RSVP"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"mnmsrvc"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
"MyWebSearch Plugin"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=
"C:\\Program Files\\Common Files\\SupportSoft\\bin\\tgsrvc.exe"=
"C:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"C:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Ventrilo\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-09-14 147456]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);C:\Program Files\TalkTalk\bin\sprtsvc.exe [2007-10-12 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe [2007-08-02 148768]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l151x86.sys [2008-02-24 37376]
S3 DCamUSBSTK02N;Standard Camera;C:\WINDOWS\system32\DRIVERS\STK02NW2.sys [2007-03-12 101520]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
.
Contents of the 'Scheduled Tasks' folder
2008-10-16 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\Stebow\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-14 02:10]
2008-10-16 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]
2008-08-21 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]
2008-07-25 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-30 14:45]
.
- - - - ORPHANS REMOVED - - - -
BHO-{AA213C79-008D-407C-8C3D-AE0844968F47} - C:\WINDOWS\system32\fccdcdCr.dll
HKLM-Run-MyWebSearch Plugin - C:\PROGRA~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL
MSConfigStartUp-MyWebSearch Plugin - C:\PROGRA~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Stebow\Application Data\Mozilla\Firefox\Profiles\ct8f1l8i.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig
FF -: plugin - C:\Documents and Settings\Stebow\Local Settings\Application Data\Google\Update\1.2.131.25\npGoogleOneClick6.dll
FF -: plugin - C:\PROGRA~1\MEADCO~1\npmeadax.dll
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - C:\program files\mozilla firefox\plugins\npdeploytk.dll
FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-16 06:36:32
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\cbXPgfcd.dll
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Stardock\ObjectDock\DockShellHook.dll
-> C:\WINDOWS\system32\jvnnkubg.dll
-> C:\WINDOWS\system32\ljJDWoMD.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\Smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\searchindexer.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\WINDOWS\system32\searchfilterhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-10-16 6:39:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-16 05:39:43
Pre-Run: 407,485,407,232 bytes free
Post-Run: 407,410,278,400 bytes free
328 --- E O F --- 2008-09-10 11:55:16
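The log above carries the textbook Vundo/Virtumonde persistence set: randomly named DLLs dropped straight into system32, each with a hidden .ini/.ini2 whose name is the DLL's stem spelled backwards (ljJDWoMD.dll and DMoWDJjl.ini, fccdcdCr.dll and rCdcdccf.ini, drpibdfe.dll and efdbiprd.ini), the same DLLs registered as a BHO, a ShellExecuteHook and a Winlogon\Notify package, one of them appended to the LSA "Authentication Packages" list beside msv1_0, and one sitting inside winlogon.exe. The script below is an added example, not code from the poster or from the forum; it parses raw ComboFix text and flags exactly those indicators, then lists the stems that are corroborated by two or more independent load points. The sample input is a constructed excerpt of the log posted above; the set of registry keys treated as hook points and the assumption that msv1_0 is the only authentication package XP lists by default are the author's own choices, not something ComboFix states.

```python
"""Triage a ComboFix log for Vundo/Virtumonde-style persistence.

Added example, not part of the forum post above. It reads raw ComboFix
text and reports: a system32 .ini/.ini2 whose stem is the reversed stem
of a system32 .dll (ljJDWoMD.dll <-> DMoWDJjl.ini); an LSA
"Authentication Packages" entry beside msv1_0 (loaded into lsass); a
BHO, ShellExecuteHooks or Winlogon\\Notify load point backed by a DLL
that sits directly in system32; and a DLL loaded inside winlogon.exe.
"""
import re
from collections import defaultdict

# Constructed sample: an excerpt of the ComboFix log posted above.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\drpibdfe.dll
C:\WINDOWS\system32\efdbiprd.ini
C:\WINDOWS\system32\fccdcdCr.dll
C:\WINDOWS\system32\rCdcdccf.ini
2008-10-16 06:36 . 2008-10-16 06:36 267,776 --a------ C:\WINDOWS\system32\ljJDWoMD.dll
2008-10-16 06:36 . 2008-10-16 06:36 345 --ahs---- C:\WINDOWS\system32\DMoWDJjl.ini2
2008-10-16 06:36 . 2008-10-16 06:38 345 --ahs---- C:\WINDOWS\system32\DMoWDJjl.ini
2008-10-16 03:25 . 2008-10-16 03:25 40,448 --a------ C:\WINDOWS\system32\cbXPgfcd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC060B90-5F5B-42CB-A479-49D4FD7CADEB}]
2008-10-16 06:36 267776 --a------ C:\WINDOWS\system32\ljJDWoMD.dll
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{BCE97A72-640B-4DED-923F-8196FC01F76B}"= "C:\WINDOWS\system32\cbXPgfcd.dll" [2008-10-16 40448]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXPgfcd]
2008-10-16 03:25 40448 C:\WINDOWS\system32\cbXPgfcd.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ljJDWoMD
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\cbXPgfcd.dll
"""

PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:dll|ini2?|exe|sys)\b')
SYSTEM32_RE = re.compile(r'^[A-Za-z]:\\windows\\system32\\[^\\]+$', re.I)
# Load points worth a second look when backed by a bare system32 DLL (assumption).
HOOK_KEYS = ('browser helper objects', 'shellexecutehooks', 'winlogon\\notify')
LSA_DEFAULT = {'msv1_0'}   # the only package XP lists by default (assumption)


def base(path):
    return path.rsplit('\\', 1)[-1]


def stem(name):
    return name.split('.', 1)[0]


def parse(log_text):
    """Collect file paths, the paths listed under each registry key, DLLs
    loaded per process, and the LSA Authentication Packages tokens."""
    files, key_paths, loaded, lsa = set(), defaultdict(list), defaultdict(list), []
    key = proc = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('((((', '----', '****')):
            key = None                              # ComboFix section boundary
        elif line.startswith('[') and line.endswith(']'):
            key = line[1:-1].lower()                # registry key header
        elif line.startswith('PROCESS:'):
            proc = base(line.split(':', 1)[1].strip()).lower()
        elif line.startswith('-> ') and proc:
            loaded[proc].append(line[3:])           # DLL inside that process
        elif line.startswith('Authentication Packages'):
            lsa = line.split()[3:]                  # tokens after REG_MULTI_SZ
        else:
            for path in PATH_RE.findall(line):
                files.add(path)
                if key:
                    key_paths[key].append(path)
    return files, key_paths, loaded, lsa


def reversed_name_pairs(files):
    """(dll, ini) pairs in system32 where the ini stem is the dll stem reversed."""
    names = {base(p) for p in files if SYSTEM32_RE.match(p)}
    dlls = {stem(n): n for n in names if n.lower().endswith('.dll')}
    return sorted((dlls[stem(n)[::-1]], n) for n in names
                  if re.search(r'\.ini2?$', n, re.I) and stem(n)[::-1] in dlls)


def system32_hooks(key_paths):
    """Hook-type load points backed by a DLL directly in system32. Legitimate
    entries can live there too, so treat this as a triage list, not a verdict."""
    return sorted((key.rsplit('\\', 1)[-1], base(p))
                  for key, paths in key_paths.items() if any(m in key for m in HOOK_KEYS)
                  for p in paths if SYSTEM32_RE.match(p) and p.lower().endswith('.dll'))


def triage(log_text):
    """Return each indicator list plus the stems hit by 2+ independent classes."""
    files, key_paths, loaded, lsa = parse(log_text)
    pairs = reversed_name_pairs(files)
    lsa_extra = [p for p in lsa if p.lower() not in LSA_DEFAULT]
    hooks = system32_hooks(key_paths)
    in_winlogon = sorted(base(p) for p in loaded.get('winlogon.exe', []))
    evidence = ([(stem(d), 'reversed-ini') for d, _ in pairs]
                + [(stem(base(p)), 'lsa-auth-package') for p in lsa_extra]
                + [(stem(d), 'hook-key') for _, d in hooks]
                + [(stem(d), 'in-winlogon') for d in in_winlogon])
    why = defaultdict(set)
    for s, tag in evidence:
        why[s].add(tag)
    return {'reversed_pairs': pairs, 'lsa_extra': lsa_extra,
            'system32_hooks': hooks, 'in_winlogon': in_winlogon,
            'corroborated': sorted(s for s, w in why.items() if len(w) >= 2)}


if __name__ == '__main__':
    for name, hits in triage(SAMPLE_LOG).items():
        print(f'{name}: {hits}')
```

Pass a saved ComboFix.txt through `triage(open(path).read())` to run it on a whole log. On the excerpt above it pairs all three reversed-name DLLs with their .ini files, reports ljJDWoMD as the extra LSA package and cbXPgfcd as the DLL inside winlogon.exe, and the corroborated list comes back as cbXPgfcd and ljJDWoMD: those are the two still live after ComboFix's first pass, since ComboFix's own "Other Deletions" already removed fccdcdCr.dll and drpibdfe.dll. A single hit on its own (a system32 DLL in a BHO key, say) is only a prompt to check the file, not proof of infection.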
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk.disabled]
backup=C:\WINDOWS\pss\Windows Search.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Stebow^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVO Ram Optimizer]
--a------ 2008-09-05 17:31 158448 c:\Program Files\Systweak\Advanced Vista Optimizer 2008\AVO.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 05:42 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
--a------ 2007-02-26 01:01 437160 c:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2008-02-15 12:46 159744 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2008-02-28 17:07 1828136 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2008-02-18 16:29 2221352 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2008-02-15 12:46 131072 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-04-23 17:45 22058792 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-09-14 16:52 144792 C:\Program Files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2008-06-19 16:20 57344 C:\WINDOWS\ALCMTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2008-08-26 13:51 16851456 C:\WINDOWS\RTHDCPL.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=2 (0x2)
"SupportSoft RemoteAssist"=3 (0x3)
"RSVP"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"mnmsrvc"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
"MyWebSearch Plugin"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=
"C:\\Program Files\\Common Files\\SupportSoft\\bin\\tgsrvc.exe"=
"C:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"C:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Ventrilo\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-09-14 147456]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);C:\Program Files\TalkTalk\bin\sprtsvc.exe [2007-10-12 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe [2007-08-02 148768]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l151x86.sys [2008-02-24 37376]
S3 DCamUSBSTK02N;Standard Camera;C:\WINDOWS\system32\DRIVERS\STK02NW2.sys [2007-03-12 101520]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
.
Contents of the 'Scheduled Tasks' folder
2008-10-16 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\Stebow\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-14 02:10]
2008-10-16 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]
2008-08-21 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2007-08-02 09:20]
2008-07-25 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-30 14:45]
.
- - - - ORPHANS REMOVED - - - -
BHO-{AA213C79-008D-407C-8C3D-AE0844968F47} - C:\WINDOWS\system32\fccdcdCr.dll
HKLM-Run-MyWebSearch Plugin - C:\PROGRA~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL
MSConfigStartUp-MyWebSearch Plugin - C:\PROGRA~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Stebow\Application Data\Mozilla\Firefox\Profiles\ct8f1l8i.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig
FF -: plugin - C:\Documents and Settings\Stebow\Local Settings\Application Data\Google\Update\1.2.131.25\npGoogleOneClick6.dll
FF -: plugin - C:\PROGRA~1\MEADCO~1\npmeadax.dll
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - C:\program files\mozilla firefox\plugins\npdeploytk.dll
FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-16 06:36:32
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\cbXPgfcd.dll
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Stardock\ObjectDock\DockShellHook.dll
-> C:\WINDOWS\system32\jvnnkubg.dll
-> C:\WINDOWS\system32\ljJDWoMD.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\Smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\searchindexer.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\WINDOWS\system32\searchfilterhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-10-16 6:39:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-16 05:39:43
Pre-Run: 407,485,407,232 bytes free
Post-Run: 407,410,278,400 bytes free
328 --- E O F --- 2008-09-10 11:55:16