
Virtumonde I believe



Tomato
2009-03-08, 21:04
Please excuse me if I make any mistakes. I'm new to this whole posting thing. I am uploading logs in the following order: ComboFix, HijackThis. Please let me know if I am missing any helpful information. Thanks.


ComboFix 09-03-06.02 - Owner 2009-03-08 15:45:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2550.1792 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\My Documents\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090307-0] *On-access scanning disabled* (Updated)
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\9gdfgjf23
c:\windows\system32\hayudopu
c:\windows\system32\wpa.dbl
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\9gdfgjf23
c:\windows\system32\hayudopu
c:\windows\system32\wpa.dbl

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASWFSBLK
-------\Service_aswFsBlk


((((((((((((((((((((((((( Files Created from 2009-02-08 to 2009-03-08 )))))))))))))))))))))))))))))))
.

2009-03-08 14:48 . 2009-03-08 14:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-08 14:46 . 2009-03-08 14:46 <DIR> d-------- c:\program files\Symantec
2009-03-08 14:46 . 2009-03-08 14:48 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-03-08 14:46 . 2009-03-08 14:46 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-08 14:46 . 2009-03-08 14:46 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2009-03-08 14:46 . 2009-03-08 14:46 36,272 -ra------ c:\windows\system32\drivers\SymIM.sys
2009-03-08 14:46 . 2009-03-08 14:46 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-08 14:46 . 2009-03-08 14:46 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-03-08 14:45 . 2009-03-08 14:45 <DIR> d-------- c:\windows\system32\drivers\NAV
2009-03-08 14:45 . 2009-03-08 14:45 <DIR> d-------- c:\program files\Windows Sidebar
2009-03-08 14:45 . 2009-03-08 14:46 <DIR> d-------- c:\program files\Norton AntiVirus
2009-03-08 14:45 . 2009-03-08 14:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-03-08 14:40 . 2009-03-08 14:59 <DIR> d-------- C:\ComboFix
2009-03-08 14:34 . 2009-03-08 14:45 <DIR> d-------- c:\program files\NortonInstaller
2009-03-08 14:34 . 2009-03-08 14:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-07 16:58 . 2009-03-08 11:34 333 --a------ c:\windows\wininit.ini
2009-03-07 16:46 . 2009-03-07 22:54 <DIR> d-------- c:\program files\Spyware Doctor
2009-03-07 16:46 . 2009-03-07 16:46 <DIR> d-------- c:\documents and settings\Owner\Application Data\PC Tools
2009-03-07 16:46 . 2008-08-25 11:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-03-07 16:46 . 2008-08-25 11:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-03-07 16:46 . 2008-08-25 11:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-03-07 16:46 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-03-07 16:43 . 2008-09-08 23:38 88,576 --a------ c:\windows\system32\AntiXPVSTFix.exe
2009-03-07 13:03 . 2009-03-07 13:03 12,800 --a------ c:\windows\system32\dll32.dll
2009-03-07 12:02 . 2004-08-04 07:00 24,576 --a------ c:\windows\system32\stu2.exe
2009-02-26 20:06 . 2009-02-26 20:06 <DIR> d-------- c:\program files\Rosetta Stone
2009-02-26 20:06 . 2009-02-26 20:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-02-25 15:55 . 2009-02-25 16:25 <DIR> d-------- c:\program files\GameJack 5
2009-02-25 15:55 . 2009-02-25 15:55 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-22 14:35 . 2009-02-22 14:35 <DIR> d-------- c:\program files\EA GAMES
2009-02-20 22:37 . 2009-02-20 22:39 <DIR> d-------- c:\program files\MagicDisc
2009-02-20 22:37 . 2008-07-28 17:19 116,736 --a------ c:\windows\system32\drivers\mcdbus.sys
2009-02-19 18:03 . 2009-02-19 18:03 <DIR> d-------- c:\program files\Trend Micro
2009-02-17 21:33 . 2009-02-17 21:33 <DIR> d-------- c:\program files\Common Files\xing shared
2009-02-17 20:47 . 2009-02-17 20:47 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-17 20:47 . 2009-03-07 16:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-17 20:23 . 2009-02-17 20:23 <DIR> d-------- c:\documents and settings\Owner\Application Data\Yahoo!
2009-02-17 20:23 . 2009-02-17 20:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-02-17 18:27 . 2009-02-17 19:27 <DIR> d--h----- c:\windows\msdownld.tmp
2009-02-17 18:27 . 2009-02-17 18:28 <DIR> d-------- c:\program files\Yahoo!
2009-02-17 18:22 . 2009-02-17 18:22 <DIR> d--h----- c:\windows\$hf_mig$
2009-02-16 17:58 . 2009-02-16 17:59 <DIR> d-------- c:\program files\Error Repair Professional
2009-02-16 16:12 . 2009-02-16 16:12 <DIR> d-------- c:\program files\AudioConverter Studio
2009-02-16 16:12 . 2009-02-16 16:12 <DIR> d-------- C:\My Music
2009-02-16 12:13 . 2009-02-17 18:23 <DIR> d-------- C:\Downloads
2009-02-15 22:56 . 2009-02-15 22:58 <DIR> d-------- c:\program files\MagicISO
2009-02-15 21:00 . 2009-02-15 21:00 <DIR> d-------- c:\documents and settings\Owner\Application Data\dvdcss
2009-02-15 19:01 . 2009-02-15 19:01 1,234 --a------ c:\windows\is-8LP0M.lst
2009-02-15 18:40 . 2009-02-17 21:33 <DIR> d-------- c:\program files\Real
2009-02-15 18:40 . 2009-02-17 21:33 <DIR> d-------- c:\program files\Common Files\Real
2009-02-13 16:14 . 2009-02-13 16:14 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-12 21:52 . 2009-02-12 23:27 38 --a------ c:\windows\AviSplitter.INI
2009-02-12 17:32 . 2009-02-12 17:32 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-02-12 17:30 . 2009-02-12 17:30 <DIR> d-------- c:\windows\system32\LogFiles
2009-02-12 17:30 . 2009-02-12 19:08 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-02-12 17:14 . 2009-02-12 17:19 <DIR> d-------- c:\documents and settings\Owner\Application Data\vlc
2009-02-12 17:12 . 2009-02-12 17:14 <DIR> d-------- c:\documents and settings\Owner\Application Data\vlc(2)
2009-02-12 15:37 . 2004-08-04 07:00 221,184 --a------ c:\windows\system32\wmpns.dll
2009-02-12 14:50 . 2009-02-12 14:50 42 --a------ c:\windows\system32\AK083E209605E394C.lie
2009-02-10 19:42 . 2009-02-11 16:00 <DIR> d-------- c:\documents and settings\Owner\Application Data\DivX
2009-02-10 18:27 . 2009-02-10 18:28 <DIR> d-------- c:\program files\DivX
2009-02-10 18:24 . 2009-02-10 18:24 <DIR> d-------- c:\program files\Deskshare
2009-02-10 18:24 . 2009-02-10 18:24 <DIR> d-------- c:\program files\Common Files\DeskShare Shared
2009-02-10 18:16 . 2009-02-10 18:16 356,352 --a------ c:\windows\eSellerateEngine.dll
2009-02-10 18:08 . 2009-03-08 15:51 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-10 17:21 . 2009-02-10 17:21 <DIR> d-------- c:\program files\ImTOO
2009-02-10 00:21 . 2009-02-10 00:21 <DIR> d-------- c:\program files\Siber Systems
2009-02-09 07:46 . 2009-02-12 17:15 <DIR> d-------- c:\documents and settings\LogMeInRemoteUser
2009-02-09 01:09 . 2009-03-08 01:02 <DIR> d-------- c:\program files\LogMeIn
2009-02-09 01:09 . 2009-02-09 01:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\LogMeIn
2009-02-09 01:09 . 2008-10-16 20:35 87,352 --a------ c:\windows\system32\LMIinit.dll
2009-02-09 01:09 . 2008-10-16 20:35 83,288 --a------ c:\windows\system32\LMIRfsClientNP.dll
2009-02-09 01:09 . 2008-07-24 18:46 47,640 --a------ c:\windows\system32\drivers\LMIRfsDriver.sys
2009-02-09 01:09 . 2008-10-16 20:35 28,984 --a------ c:\windows\system32\LMIport.dll
2009-02-09 01:09 . 2009-02-09 01:09 1,024 --a------ C:\.rnd
2009-02-09 00:55 . 2009-02-21 16:36 <DIR> d-------- c:\program files\Mozilla Firefox New
2009-02-08 17:02 . 2009-02-08 17:02 <DIR> d-------- c:\program files\Cucusoft
2009-02-08 17:02 . 2009-02-08 17:02 <DIR> d-------- C:\ConverterOutput
2009-02-08 17:02 . 2003-03-30 20:08 372,736 --a------ c:\windows\system32\xvid.ax
2009-02-08 15:09 . 2009-02-08 15:09 <DIR> d-------- c:\program files\Common Files\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-08 19:23 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2009-03-07 23:58 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-02 15:45 --------- d-----w c:\program files\AIM6
2009-02-27 02:01 --------- d-----w c:\program files\Sony
2009-02-27 02:00 --------- d-----w c:\program files\Sony Setup
2009-02-27 01:02 --------- d-----w c:\documents and settings\Owner\Application Data\NetMedia Providers
2009-02-22 19:35 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-19 02:15 --------- d-----w c:\program files\Windows Live Safety Center
2009-02-18 02:33 499,712 ----a-w c:\windows\system32\msvcp71.dll
2009-02-18 01:41 --------- d-----w c:\program files\Vstplugins
2009-02-18 01:15 4,867,104 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-02-18 01:15 39,104 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-02-17 02:40 524,320 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-02-17 02:40 2,872 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-02-16 01:57 --------- d-----w c:\program files\ISOpen
2009-02-13 21:14 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-09 00:59 --------- d-----w c:\program files\SBaGen
2009-02-04 04:17 --------- d-----w c:\documents and settings\Owner\Application Data\Ahead
2009-02-04 02:27 --------- d-----w c:\program files\Common Files\Ahead
2009-02-03 23:43 --------- d-----w c:\program files\Nero
2009-02-02 21:37 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-02-02 21:33 --------- d-----w c:\program files\Common Files\Adobe
2009-02-02 21:33 --------- d-----w c:\program files\Bonjour
2009-02-02 21:22 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-02-02 05:11 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-02-02 00:07 --------- d-----w c:\documents and settings\Owner\Application Data\Talkback
2009-02-01 22:32 --------- d-----w c:\program files\I-Doser
2009-02-01 07:56 502,272 ----a-w c:\windows\system32\winlogon.exe
2009-01-26 08:53 73,728 ----a-w c:\windows\ALCFDRTM.EXE
2009-01-15 02:43 --------- d-----w c:\documents and settings\Owner\Application Data\Apple Computer
2009-01-15 02:21 --------- d-----w c:\documents and settings\Owner\Application Data\Publish Providers
2009-01-15 02:18 --------- d-----w c:\program files\QuickTime
2009-01-15 02:18 --------- d-----w c:\program files\Common Files\Apple
2009-01-15 02:18 --------- d-----w c:\program files\Apple Software Update
2009-01-15 02:18 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-15 02:18 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-01-12 23:55 --------- d-----w c:\program files\Samsung
2009-01-10 21:58 --------- d-----w c:\documents and settings\Owner\Application Data\Sony
2009-01-10 18:45 --------- d-----w c:\program files\Google
2009-01-10 18:18 --------- d-----w c:\documents and settings\All Users\Application Data\Sony
2009-01-10 18:17 --------- d-----w c:\program files\Microsoft SQL Server
2009-01-08 04:48 --------- d-----w c:\documents and settings\Owner\Application Data\IM-History
2008-12-11 00:33 86,016 ----a-w c:\windows\system32\dpl100.dll
2008-12-11 00:33 200,704 ----a-w c:\windows\system32\dtu100.dll
2008-12-09 02:28 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-12-09 02:28 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-12-09 02:28 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-12-09 02:28 294,912 ----a-w c:\windows\system32\dpu11.dll
2006-10-03 07:43 2,402,550 ----a-w c:\windows\inf\SET7D.tmp
2009-02-10 19:48 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-02-10 19:48 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-02-10 19:48 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-02-10 19:48 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-02-10 19:48 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

2009-02-01 02:56 502272 6225f14b8ce08ccba8b25ad27843c674 c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-03-08_15.15.42.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-08 20:51:35 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_138.dat
+ 2009-03-08 20:51:02 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_750.dat
+ 2009-03-08 20:50:49 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"BIBLauncher"="c:\program files\Business-in-a-Box\BIBLauncher.exe" [2008-11-12 613080]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="c:\program files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 135168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-17 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-17 126976]
"SMSTray"="c:\program files\Samsung\EmoDio\SMSTray.exe" [2009-02-18 484888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-06 200704]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-13 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-17 198160]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"CHotkey"="zHotkey.exe" [2004-05-17 c:\windows\zHotkey.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-07-25 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-07-25 c:\windows\ALCWZRD.EXE]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-02-20 575488]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= "c:\progra~1\MarkAny\CONTEN~1\MACSMA~1.DLL" [2004-11-23 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=
"80:TCP"= 80:TCP:dll32
"7171:TCP"= 7171:TCP:dll32

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1002000.007\SymEFA.sys [2009-03-08 309296]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-07 114768]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1002000.007\BHDrvx86.sys [2009-03-08 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1002000.007\cchpx86.sys [2009-03-08 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20080826.006\IDSxpx86.sys [2009-03-08 274808]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2008-07-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-02-09 47640]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe [2009-03-08 115560]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-03-07 356920]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-27 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-08 99376]
S2 .norton2009Reset;Norton 2009 Reset;c:\documents and settings\All Users\Application Data\Norton\Norton2009Reset.exe [2009-03-08 280833]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-03-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vem3b2cb.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vem3b2cb.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-08 15:51:55
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1202660629-1645522239-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{506A948E-6A4C-49DF-1FBC-FCD264920744}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iagcmmhdbblcicjplj"=hex:6a,61,63,70,63,6d,68,6d,6d,61,64,6b,69,70,6c,62,64,61,
6f,6f,00,00
"haacgnmikldfkfgi"=hex:6a,61,63,70,63,6d,68,6d,6d,61,64,6b,69,70,6c,62,64,61,
6f,6f,00,00
"hacbipbhdienkhja"=hex:6b,61,66,63,65,6d,67,69,6c,63,61,6e,69,64,65,70,64,65,
68,66,6c,61,00,00
"hacbipbhiifbdgji"=hex:70,62,66,62,66,61,66,6b,6c,66,6f,64,64,62,61,6c,67,66,
6f,69,6d,67,64,62,6a,65,64,63,6f,6a,6b,69,68,6b,6e,69,65,68,63,70,68,67,69,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Ace=(Denied: NO_PROPAGATE_INHERIT_ACE) (Full) (LocalSystem)
"OOBETimer"=hex:7f,63,3e,be,ec,25,8e,19,be,a7,92,c6
"LastWPAEventLogged"=hex:d9,07,01,00,00,00,19,00,13,00,33,00,3a,00,3c,03
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1044)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\midimap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Completion time: 2009-03-08 15:57:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-08 20:57:34
ComboFix2.txt 2009-03-08 20:18:24

Pre-Run: 54,145,695,744 bytes free
Post-Run: 54,126,936,064 bytes free

328



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:58:27, on 3/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Business-in-a-Box\BIBLauncher.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://downloads.yahoo.com/internetexplorer/welcome
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\EmoDio\SMSTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BIBLauncher] C:\Program Files\Business-in-a-Box\BIBLauncher.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O23 - Service: Norton 2009 Reset (.norton2009Reset) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Norton\Norton2009Reset.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8952 bytes

Tomato
2009-03-08, 21:05
Sorry about the double post, but here is SmitFraudFix as well:


SmitFraudFix v2.363

Scan done at 16:03:46.79, Sun 03/08/2009
Run from C:\Documents and Settings\Owner\My Documents\Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Business-in-a-Box\BIBLauncher.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\My Documents\Downloads\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!




»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!



»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\SYSTEM32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3B4C8DF6-2BC2-460D-AF5E-BE660F97E208}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3B4C8DF6-2BC2-460D-AF5E-BE660F97E208}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3B4C8DF6-2BC2-460D-AF5E-BE660F97E208}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



Thanks
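The HijackThis O23 list and the SmitFraudFix Winlogon, AppInit_DLLs and DNS sections above are exactly the spots a helper reads by eye: is Userinit still just userinit.exe, is the System value empty, is AppInit_DLLs blank, are the resolvers the router's LAN address, and does every service have a publisher and live under Program Files or the Windows folder. As an added illustration for this thread (not part of Tomato's post, and not code from SmitFraudFix or HijackThis), the script below applies those same checks to pasted log lines. The sample log is constructed for the demonstration; the "winhlpr" service, hookme.dll, extra.exe and the 198.51.100.7 resolver are invented entries, not findings from this machine.

```python
"""Apply the checks a SmitFraudFix / HijackThis reader makes by eye to pasted log text.
Example code written for this thread, not part of either tool."""
import ipaddress
import re

TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")   # where service binaries normally live
SUSPECT_DIRS = ("\\documents and settings\\", "\\application data\\", "\\local settings\\", "\\temp\\")
SHORT_NAMES = {"\\progra~1\\": "\\program files\\", "\\docume~1\\": "\\documents and settings\\"}
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"   # XP default, nothing else
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')   # .reg-style "Name"="Value"
_DNS_LINE = re.compile(r"^DNS Server Search Order:\s*(?P<ip>\S+)$")


def _normalize_path(path):
    """Lower-case and expand 8.3 short names (PROGRA~1) so prefix checks are reliable."""
    p = path.strip().lower()
    for short, full in SHORT_NAMES.items():
        p = p.replace(short, full)
    return p


def check_o23(line):
    """Findings for one 'O23 - Service:' line; [] when nothing stands out."""
    body = line[len("O23 - Service: "):]
    parts = body.rsplit(" - ", 2)            # name - publisher - path (name may itself contain ' - ')
    if len(parts) != 3:
        return [f"O23: could not parse: {line!r}"]
    name, vendor, path = (p.strip() for p in parts)
    norm = _normalize_path(path)
    findings = []
    if vendor.lower() == "unknown owner":    # HijackThis' label when the binary carries no company name
        findings.append(f"O23: service {name!r} has no publisher information ({path})")
    if not norm.startswith(TRUSTED_ROOTS) or any(d in norm for d in SUSPECT_DIRS):
        findings.append(f"O23: service {name!r} runs from an unusual location ({path})")
    return findings


def check_reg_value(name, value):
    """Check one Winlogon / Windows value as SmitFraudFix prints it (backslashes doubled)."""
    value = value.replace("\\\\", "\\").strip()
    key = name.lower()
    findings = []
    if key == "userinit":
        entries = [e.strip().lower() for e in value.split(",") if e.strip()]
        extra = [e for e in entries if e != EXPECTED_USERINIT]
        if not entries:
            findings.append("Winlogon: Userinit is empty; logon would fail")
        elif extra:
            findings.append(f"Winlogon: Userinit also launches {extra}")
    elif key == "shell" and value.lower() != "explorer.exe":
        findings.append(f"Winlogon: Shell is not explorer.exe: {value!r}")
    elif key == "system" and value:
        findings.append(f"Winlogon: System should be empty: {value!r}")
    elif key == "appinit_dlls" and value:
        findings.append(f"AppInit_DLLs loads {value!r} into every process that uses user32.dll")
    return findings


def check_dns(ip_text):
    """A resolver outside RFC 1918 space deserves a look, not an automatic verdict."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return [f"DNS: unparseable resolver address {ip_text!r}"]
    if not any(ip in net for net in LAN_NETS):
        return [f"DNS: resolver {ip} is not a LAN address; confirm it is the ISP's"]
    return []


def scan_log(text):
    """Run every check over a pasted log and return the list of findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("O23 - Service: "):
            findings += check_o23(line)
        elif (m := _REG_VALUE.match(line)):
            findings += check_reg_value(m["name"], m["value"])
        elif (m := _DNS_LINE.match(line)):
            findings += check_dns(m["ip"])
    return findings


# Constructed sample in the shape of the posted logs. The third service, the AppInit
# DLL, the second Userinit entry and the 198.51.100.7 resolver are invented test data.
SAMPLE_LOG = r"""
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Windows Helper (winhlpr) - Unknown owner - C:\Documents and Settings\Owner\Application Data\winhlpr.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\hookme.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\SYSTEM32\\userinit.exe,C:\\WINDOWS\\system32\\extra.exe"
"System"=""
DNS Server Search Order: 192.168.1.254
DNS Server Search Order: 198.51.100.7
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample it reports five items: two for the unknown-publisher service under Application Data, one each for the extra Userinit program and the AppInit DLL, and one asking you to confirm the off-LAN resolver. Treat the last two kinds as review items rather than verdicts: some legitimate logon helpers do append themselves to Userinit, and a PC plugged straight into a modem will legitimately show its ISP's public DNS servers. The posted SmitFraudFix output (Userinit exactly userinit.exe, System empty, AppInit_DLLs blank, both resolvers 192.168.1.254) produces no findings from these checks.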