
Continuing a closed thread



RallyReal
2009-04-06, 07:08
I let time get away from me and did not respond before the thread was closed. I hope I can still get some assistance. Original thread was re: Windows Update not working after removing Virtumonde.sdn. Here is the closed thread:

http://forums.spybot.info/showthread.php?p=302628

As per the above thread's instructions, here are the ComboFix log and the new HJT scan log.

RallyReal
2009-04-06, 07:09
ComboFix 09-04-01.01 - Owner 2009-04-05 20:47:34.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.126 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090405-1] *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.

2009-04-05 20:45 . 2009-04-05 20:45 <DIR> d-------- C:\32788R22FWJFW
2009-04-05 20:45 . 2006-03-03 00:42 73,728 --a------ C:\pv.exe
2009-03-28 13:50 . 2009-03-28 13:50 2,560 --a------ c:\winnt\_MSRSTRT.EXE
2009-03-27 08:35 . 2009-03-28 13:50 <DIR> d-------- c:\program files\Common Files\Agnitum Shared
2009-03-27 08:35 . 2009-03-27 08:35 <DIR> d-------- c:\program files\Agnitum
2009-03-27 08:18 . 2009-03-27 08:18 <DIR> d-------- c:\program files\Alwil Software
2009-03-26 17:48 . 2009-03-26 17:48 <DIR> d-------- c:\program files\iPod
2009-03-26 17:46 . 2009-03-26 17:49 <DIR> d-------- c:\program files\iTunes
2009-03-26 17:46 . 2009-03-26 17:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-26 17:44 . 2009-03-26 17:44 <DIR> d-------- c:\program files\Bonjour
2009-03-26 17:42 . 2009-03-26 17:43 <DIR> d-------- c:\program files\QuickTime
2009-03-26 11:52 . 1999-12-21 07:58 21,312 --a------ c:\winnt\choice.exe
2009-03-26 11:49 . 2009-03-26 11:49 <DIR> d-------- C:\ie-spyad
2009-03-25 16:31 . 2009-03-25 16:32 <DIR> d-------- c:\documents and settings\Owner\.SunDownloadManager
2009-03-24 19:47 . 2009-03-24 19:47 <DIR> d--hs---- c:\documents and settings\LocalService\IETldCache
2009-03-24 19:39 . 2009-03-24 19:39 <DIR> d--hs---- c:\documents and settings\Owner\IECompatCache
2009-03-23 19:11 . 2009-03-23 19:11 <DIR> d--hs---- c:\documents and settings\Owner\PrivacIE
2009-03-23 19:10 . 2009-03-23 19:10 <DIR> d--hs---- c:\documents and settings\Owner\IETldCache
2009-03-23 18:54 . 2009-03-23 18:58 <DIR> d--h----- c:\winnt\msdownld.tmp
2009-03-23 18:54 . 2009-03-23 18:57 <DIR> d--h-c--- c:\winnt\ie8
2009-03-21 20:10 . 2009-03-21 20:10 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-21 20:10 . 2009-03-21 20:10 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-03-21 20:10 . 2009-03-21 20:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-21 20:10 . 2009-02-11 10:19 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2009-03-21 20:10 . 2009-02-11 10:19 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2009-03-20 13:37 . 2009-03-20 13:37 <DIR> d-------- c:\program files\ERUNT
2009-03-20 01:00 . 2009-03-20 01:00 206 --a------ c:\winnt\system32\MRT.INI
2009-03-19 23:45 . 2009-03-20 00:52 2 --a------ C:\278134064
2009-03-15 17:02 . 2009-03-15 17:21 <DIR> d-------- c:\program files\Only Astrology
2009-03-08 14:22 . 2009-03-08 14:22 49,152 --------- c:\winnt\system32\msrating.dll.mui
2009-03-08 14:22 . 2009-03-08 14:22 2,560 --------- c:\winnt\system32\mshta.exe.mui
2009-03-08 14:21 . 2009-03-08 14:21 4,096 --------- c:\winnt\system32\ie4uinit.exe.mui
2009-03-08 14:20 . 2009-03-08 14:20 81,920 --------- c:\winnt\system32\iedkcs32.dll.mui
2009-03-08 04:33 . 2009-03-08 04:33 18,944 --------- c:\winnt\system32\dllcache\corpol.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-02 01:53 --------- d-----w c:\program files\GetRight
2009-03-28 00:18 --------- d-----w c:\program files\Virtual Villagers - The Lost Children
2009-03-27 00:48 --------- d-----w c:\program files\Common Files\Apple
2009-03-25 23:35 410,984 ----a-w c:\winnt\system32\deploytk.dll
2009-03-25 23:35 --------- d-----w c:\program files\Java
2009-03-24 02:11 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-03-24 01:58 --------- d-----w c:\program files\Yahoo!
2009-03-24 01:58 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2009-03-20 07:52 14,336 ----a-w c:\winnt\system32\svchost.exe
2009-03-20 07:52 14,336 ----a-w c:\winnt\system32\dllcache\svchost.exe
2009-03-16 00:08 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-08 21:09 638,816 ----a-w c:\winnt\system32\dllcache\iexplore.exe
2009-03-08 21:09 391,536 ----a-w c:\winnt\system32\dllcache\iedkcs32.dll
2009-03-08 11:41 5,937,152 ----a-w c:\winnt\system32\dllcache\mshtml.dll
2009-03-08 11:39 11,063,808 ----a-w c:\winnt\system32\dllcache\ieframe.dll
2009-03-08 11:34 914,944 ----a-w c:\winnt\system32\wininet.dll
2009-03-08 11:34 914,944 ----a-w c:\winnt\system32\dllcache\wininet.dll
2009-03-08 11:34 43,008 ----a-w c:\winnt\system32\licmgr10.dll
2009-03-08 11:34 43,008 ----a-w c:\winnt\system32\dllcache\licmgr10.dll
2009-03-08 11:34 236,544 ----a-w c:\winnt\system32\dllcache\webcheck.dll
2009-03-08 11:34 193,536 ----a-w c:\winnt\system32\dllcache\msrating.dll
2009-03-08 11:34 109,568 ----a-w c:\winnt\system32\dllcache\occache.dll
2009-03-08 11:34 105,984 ----a-w c:\winnt\system32\dllcache\url.dll
2009-03-08 11:34 1,206,784 ----a-w c:\winnt\system32\dllcache\urlmon.dll
2009-03-08 11:33 759,296 ----a-w c:\winnt\system32\dllcache\VGX.dll
2009-03-08 11:33 726,528 ----a-w c:\winnt\system32\dllcache\jscript.dll
2009-03-08 11:33 420,352 ----a-w c:\winnt\system32\vbscript.dll
2009-03-08 11:33 420,352 ----a-w c:\winnt\system32\dllcache\vbscript.dll
2009-03-08 11:33 25,600 ----a-w c:\winnt\system32\dllcache\jsproxy.dll
2009-03-08 11:33 229,376 ----a-w c:\winnt\system32\dllcache\ieaksie.dll
2009-03-08 11:33 18,944 ----a-w c:\winnt\system32\corpol.dll
2009-03-08 11:33 125,952 ----a-w c:\winnt\system32\dllcache\ieakeng.dll
2009-03-08 11:32 94,720 ----a-w c:\winnt\system32\dllcache\inseng.dll
2009-03-08 11:32 72,704 ----a-w c:\winnt\system32\dllcache\admparse.dll
2009-03-08 11:32 72,704 ----a-w c:\winnt\system32\admparse.dll
2009-03-08 11:32 71,680 ----a-w c:\winnt\system32\iesetup.dll
2009-03-08 11:32 71,680 ----a-w c:\winnt\system32\dllcache\iesetup.dll
2009-03-08 11:32 611,840 ----a-w c:\winnt\system32\dllcache\mstime.dll
2009-03-08 11:32 594,432 ----a-w c:\winnt\system32\dllcache\msfeeds.dll
2009-03-08 11:32 55,808 ----a-w c:\winnt\system32\dllcache\iernonce.dll
2009-03-08 11:32 173,056 ----a-w c:\winnt\system32\dllcache\ie4uinit.exe
2009-03-08 11:32 163,840 ----a-w c:\winnt\system32\dllcache\ieakui.dll
2009-03-08 11:32 128,512 ----a-w c:\winnt\system32\dllcache\advpack.dll
2009-03-08 11:32 1,985,024 ----a-w c:\winnt\system32\dllcache\iertutil.dll
2009-03-08 11:24 68,608 ----a-w c:\winnt\system32\dllcache\hmmapi.dll
2009-03-08 11:22 156,160 ----a-w c:\winnt\system32\msls31.dll
2009-03-08 11:22 156,160 ----a-w c:\winnt\system32\dllcache\msls31.dll
2009-03-08 11:11 445,952 ----a-w c:\winnt\system32\dllcache\ieapfltr.dll
2009-02-25 23:19 --------- d-----w c:\documents and settings\Owner\Application Data\vlc
2009-02-25 22:57 --------- d-----w c:\program files\VideoLAN
2009-02-21 07:36 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-19 05:06 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-02-19 05:04 --------- d-----w c:\documents and settings\Owner\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-02-09 11:13 1,846,784 ----a-w c:\winnt\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\winnt\system32\dllcache\win32k.sys
2009-01-08 01:21 26,144 ----a-w c:\winnt\system32\spupdsvc.exe
2009-01-08 01:20 474,112 ------w c:\winnt\system32\dllcache\shlwapi.dll
2009-01-08 01:20 265,720 ----a-w c:\winnt\system32\msdbg2.dll
2009-01-08 01:20 26,112 ----a-w c:\winnt\system32\idndl.dll
2009-01-08 01:20 24,576 ----a-w c:\winnt\system32\nlsdl.dll
2009-01-08 01:20 23,552 ----a-w c:\winnt\system32\normaliz.dll
2009-01-08 01:20 134,144 ------w c:\winnt\system32\dllcache\sqmapi.dll
2009-01-08 01:20 1,497,088 ------w c:\winnt\system32\dllcache\shdocvw.dll
2009-01-08 01:20 1,022,976 ------w c:\winnt\system32\dllcache\browseui.dll
2008-04-13 10:17 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2005-06-03 17:18 26,166,613 ----a-w c:\program files\NAV05ENG.exe
2005-05-30 23:51 315,624 ----a-w c:\program files\dxwebsetup.exe
2005-02-18 07:35 626,884 ----a-w c:\program files\kukuxumusu_2.zip
2005-02-16 07:02 68,257 ----a-w c:\program files\metallix.zip
2004-11-07 09:45 2,663,024 ----a-w c:\program files\lusetup.exe
2004-08-17 19:45 295,120 ----a-w c:\program files\NSSetup.exe
2004-08-07 23:13 420,974 ----a-w c:\program files\XviD-04102002-1.exe
2004-08-07 23:12 325,354 ----a-w c:\program files\ffdshow-20020617.exe
2004-08-06 02:04 273,342 ----a-w c:\program files\DivFix110.zip
2004-03-24 09:24 401,952 ----a-w c:\program files\3DwindowsXP.exe
2004-02-22 01:18 410,644 ----a-w c:\program files\KTAngelSaver.zip
2004-01-31 02:31 795,540 ----a-w c:\program files\fishtank.zip
2004-01-25 04:39 1,678,680 ----a-w c:\program files\monalisa.exe
2004-01-25 04:37 942,790 ----a-w c:\program files\hypno.zip
2004-01-25 04:37 56,785 ----a-w c:\program files\electric.zip
2004-01-25 04:36 103,708 ----a-w c:\program files\julsav10.zip
2004-01-25 04:35 272,666 ----a-w c:\program files\blaze.zip
2004-01-25 04:34 1,098,212 ----a-w c:\program files\living_waterfall_es.exe
2008-09-28 17:40 32,768 --sha-w c:\winnt\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092820080929\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-25 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\winnt\system32\narrator.exe]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Screen Saver Control.lnk - c:\winnt\FSScrCtl.exe [2004-01-24 249344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GetRight - Tray Icon.lnk - c:\program files\GetRight\getright.exe [2005-09-24 4628752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.PIM1"= pclepim1.dll
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"<NO NAME>"=
"57156:TCP"= 57156:TCP:Pando P2P TCP Listening Port
"57156:UDP"= 57156:UDP:Pando P2P UDP Listening Port

R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [2009-03-27 114768]
R2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [2009-03-27 20560]
R2 LicCtrlService;LicCtrl Service;c:\winnt\Runservice.exe [2008-10-15 2560]
R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]
R3 FLASHREADER;USB Reader;c:\winnt\system32\drivers\camusb.sys [1979-12-31 25216]
S1 117d6292;117d6292;c:\winnt\system32\drivers\117d6292.sys --> c:\winnt\system32\drivers\117d6292.sys [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-11 33752]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
MespW
Ouken

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\winnt\system32\rundll32.exe c:\winnt\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-02-14 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{082874E6-7542-4935-AE3E-70FA93AD2244} - (no file)
BHO-{23502185-02D6-4A95-AA2C-FFB426DF934D} - (no file)
BHO-{2E371025-D2FA-48C2-87E2-C3876309E889} - (no file)
BHO-{6127B8EB-9029-4272-96B8-B85023440CFC} - (no file)
BHO-{711AB4CA-3EE7-49D1-9FDE-6312DC3540DF} - (no file)
BHO-{72F305DC-5DBD-4F24-87C9-1F0AA03C32CE} - (no file)
BHO-{7B724A89-4D3D-48E5-8186-8ABAC7595D9E} - (no file)
BHO-{7F74FE62-B043-4477-822D-D13D44297C6D} - (no file)
BHO-{8350CB80-6ECD-4F2C-A89D-600831FFAA61} - (no file)
BHO-{8A6FB44E-6F96-4972-9B0A-B4604497EC65} - (no file)
BHO-{95768BFD-5D96-4D10-95A2-91975E1CF38D} - (no file)
BHO-{A74A11BF-0437-4B05-A1C0-01E5D0F8B3CC} - (no file)
BHO-{B1B95662-608A-4340-8FAB-79DAE16072D7} - (no file)
BHO-{B612F991-D9CE-469D-9738-B3A3AA7185CB} - (no file)
BHO-{BBF82CA3-7093-42A6-A4BE-492FEE0E2288} - (no file)
BHO-{C52EA57A-F4A0-4589-B8FB-0280EC000242} - (no file)
BHO-{C5F74968-726B-42F7-AC61-87F40E9F491A} - (no file)
BHO-{DBC1CB0C-2E5A-4945-9BEA-671A8091D111} - (no file)
BHO-{E7823DBF-7D4C-4DB3-9531-A9B21BE03593} - (no file)
Toolbar-Locked - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://images.google.com/imghp?hl=en
mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.net/
uInternet Settings,ProxyOverride = *.local
DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} - hxxp://www.shockwave.com/content/barnyardinvasion/sis/slgwebinstall.cab
DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} - hxxp://www.shockwave.com/content/ghostfrenzy/sis/axhost.cab
DPF: {90918C20-FB99-495A-BD79-CB91ACF44887} - hxxp://www.typingmaster.com/contents/tm2002/oneclick/TMSetup.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kj32c38l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: browser.startup.homepage - hxxp://images.google.com/imghp?hl=en&tab=wi
FF - prefs.js: keyword.URL - hxxp://www.wcsearch.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPGetRt.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogleCOM
FF - user.js: keyword.URL - hxxp://www.wcsearch.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 20:52:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \04F7528984592EA0]
"1"=hex:d5,3e,50,00,82,25,c9,f6,dd,f6,18,c9,99,5b,70,06,b4,b6,07,c1,1b,95,01,
2f
"2"=hex:e4,d7,da,38,b0,b5,3c,88,a2,01,5f,80,71,fc,07,41,22,5f,c1,26,5d,01,8c,
86
"3"=hex:d5,3e,50,00,82,25,c9,f6,dd,f6,18,c9,99,5b,70,06,53,86,fb,a3,af,c0,18,
8b,f9,e5,ef,ce,f2,5f,47,59,1f,2b,25,f6,12,48,81,74

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \04F7528984592EA0\FD1E79A92259B5BC6F3673C7C70B3F80]
"1"=hex:a0,05,e5,14,70,56,59,19,19,f2,d5,d0,45,ea,42,c8,7b,0e,8f,12,8d,fe,0d,
89,e7,25,77,a8,98,63,f3,0c
"2"=hex:03,13,8a,80,bd,85,45,8e
"3"=hex:a2,64,f1,6f,8c,e0,34,8f,eb,ec,fc,19,df,46,d2,40,db,d8,17,55,7a,be,5f,
f2,d1,db,11,d7,36,8b,87,3b,b3,9c,c1,5b,f3,80,c3,dd,1b,84,70,63,e0,09,0c,1f,\
"4"=hex:bd,75,77,15,24,56,01,85
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:c9,3a,93,65,d5,aa,5c,a5,af,ff,f0,6c,ea,dc,3b,16,d5,46,14,1e,de,21,e3,
92,5e,f6,28,50,86,1e,42,82,78,98,b2,16,ef,bb,c5,35,e6,7b,97,84,6e,7c,e4,9d,\
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,d5,51,9f,32,fb,06,fa,
8c,e8,22,fe,5a,96,f6,72,ff,b7,d3,87,b3,8d,54,9f,32,5f,3a,e2,a1,97,10,45,b9,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:70,56,26,33,e3,20,f8,ab
"10"=hex:c7,b0,18,85,7b,39,96,ed
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c
.
Completion time: 2009-04-05 20:59:24
ComboFix-quarantined-files.txt 2009-04-06 03:58:01
ComboFix2.txt 2009-03-22 23:10:52

Pre-Run: 10,609,975,296 bytes free
Post-Run: 10,748,235,776 bytes free

290 --- E O F --- 2009-03-20 08:00:11

RallyReal
2009-04-06, 07:09
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:21 PM, on 4/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\runservice.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\System32\bcmwltry.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\FSScrCtl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.google.com/imghp?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn13\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {082874E6-7542-4935-AE3E-70FA93AD2244} - (no file)
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINNT\Downloaded Program Files\CONFLICT.2\lexbar.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {23502185-02D6-4A95-AA2C-FFB426DF934D} - (no file)
O2 - BHO: (no name) - {2E371025-D2FA-48C2-87E2-C3876309E889} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6127B8EB-9029-4272-96B8-B85023440CFC} - (no file)
O2 - BHO: (no name) - {711AB4CA-3EE7-49D1-9FDE-6312DC3540DF} - (no file)
O2 - BHO: (no name) - {72F305DC-5DBD-4F24-87C9-1F0AA03C32CE} - (no file)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {7B724A89-4D3D-48E5-8186-8ABAC7595D9E} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {7F74FE62-B043-4477-822D-D13D44297C6D} - (no file)
O2 - BHO: (no name) - {8350CB80-6ECD-4F2C-A89D-600831FFAA61} - (no file)
O2 - BHO: (no name) - {8A6FB44E-6F96-4972-9B0A-B4604497EC65} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {95768BFD-5D96-4D10-95A2-91975E1CF38D} - (no file)
O2 - BHO: (no name) - {A74A11BF-0437-4B05-A1C0-01E5D0F8B3CC} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: (no name) - {B1B95662-608A-4340-8FAB-79DAE16072D7} - (no file)
O2 - BHO: (no name) - {B612F991-D9CE-469D-9738-B3A3AA7185CB} - (no file)
O2 - BHO: (no name) - {BBF82CA3-7093-42A6-A4BE-492FEE0E2288} - (no file)
O2 - BHO: (no name) - {C52EA57A-F4A0-4589-B8FB-0280EC000242} - (no file)
O2 - BHO: (no name) - {C5F74968-726B-42F7-AC61-87F40E9F491A} - (no file)
O2 - BHO: (no name) - {DBC1CB0C-2E5A-4945-9BEA-671A8091D111} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E7823DBF-7D4C-4DB3-9531-A9B21BE03593} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn13\YTSingleInstance.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINNT\Downloaded Program Files\CONFLICT.2\lexbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn13\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: Screen Saver Control.lnk = C:\WINNT\FSScrCtl.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - .DEFAULT Startup: Screen Saver Control.lnk = C:\WINNT\FSScrCtl.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Screen Saver Control.lnk = C:\WINNT\FSScrCtl.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} -
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} - http://zone.msn.com/bingame/pacz/default/pandaonline.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124777306750
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} (Sandlot Loader Control) - http://www.shockwave.com/content/barnyardinvasion/sis/slgwebinstall.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.shockwave.com/content/ghostfrenzy/sis/axhost.cab
O16 - DPF: {90918C20-FB99-495A-BD79-CB91ACF44887} - http://www.typingmaster.com/contents/tm2002/oneclick/TMSetup.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfrenzy/sis/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup144.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINNT\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINNT\runservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINNT\
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 14235 bytes
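Added example, not part of RallyReal's posts and not code from ComboFix or HijackThis: a small Python triage script for log lines in the shape of the two logs above. The sample lines are constructed from the posted logs, and the flagging rules (orphan browser add-ons, DPF entries with neither name nor URL, "Unknown owner" services with or without a resolvable image path, ComboFix service entries printed as "path --> path [?]", non-default NetSvcs members, Security Center overrides) are the editor's own assumptions about what a forum helper reads first. A flag is a pointer to inspect, not a verdict that the item is malicious.

```python
"""Triage helper for HijackThis and ComboFix log excerpts (added example).

The sample lines are constructed from the logs posted in this thread; the
flagging rules are heuristics chosen for this example, not output of either
tool, and a flagged line means "look here first", not "this is malware".
"""
import re
from dataclasses import dataclass

# Constructed sample: HijackThis lines in the shape of the posted log.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {082874E6-7542-4935-AE3E-70FA93AD2244} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINNT\runservice.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINNT\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Constructed sample: ComboFix service list, NetSvcs block and a Security
# Center override, again in the shape of the posted log.
COMBOFIX_SAMPLE = r"""
R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [2009-03-27 114768]
S1 117d6292;117d6292;c:\winnt\system32\drivers\117d6292.sys --> c:\winnt\system32\drivers\117d6292.sys [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-11 33752]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
MespW
Ouken

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

HJT_LINE = re.compile(r"^O(?P<section>\d+) - (?P<body>.*)$")
CF_SERVICE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
IMAGE_EXT = re.compile(r"\.(exe|sys|dll)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    source: str   # "hjt" or "combofix"
    line: str     # the log line (or NetSvcs name) that triggered the rule
    reason: str   # what a helper should check next


def triage_hjt(text: str) -> list:
    """Flag HijackThis O2/O3/O9/O16/O23 entries worth a second look."""
    findings = []
    for line in text.strip().splitlines():
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body").rstrip()
        if section in ("2", "3", "9") and body.endswith(ORPHAN_MARKERS):
            # Registered BHO/toolbar/button whose DLL is gone: leftover of a
            # removal, harmless by itself, but clutter that hides live entries.
            findings.append(Finding("hjt", line, "orphan browser add-on (target file absent)"))
        elif section == "16" and body.endswith("-"):
            # Downloaded Program Files entry with neither a control name nor a URL.
            findings.append(Finding("hjt", line, "DPF entry with no control name and no download URL"))
        elif section == "23" and "Unknown owner" in body:
            path = body.rsplit(" - ", 1)[-1].strip()
            if IMAGE_EXT.search(path):
                reason = "service with no vendor string; check the file's publisher"
            else:
                reason = "service with no vendor string and no resolvable image path; check ImagePath/ServiceDll in the registry"
            findings.append(Finding("hjt", line, reason))
    return findings


def triage_combofix(text: str) -> list:
    """Flag ComboFix service, NetSvcs and Security Center entries worth a second look."""
    findings = []
    netsvcs, in_netsvcs = [], False
    for line in text.strip().splitlines():
        m = CF_SERVICE.match(line)
        if m:
            if "-->" in m.group("rest") or "[?]" in m.group("rest"):
                # ComboFix prints "path --> path [?]" when it cannot find or size the file.
                findings.append(Finding("combofix", line, "service/driver whose file ComboFix could not find or size"))
            continue
        if line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
            continue
        if in_netsvcs:
            if line.strip():
                netsvcs.append(line.strip())
            else:
                in_netsvcs = False  # a blank line ends the NetSvcs block
            continue
        if line.startswith(('"DisableMonitoring"=dword:00000001', '"AntiVirusOverride"=dword:00000001')):
            findings.append(Finding("combofix", line, "Security Center monitoring overridden"))
    for name in netsvcs:
        # ComboFix already filters default entries, so anything listed here is a
        # non-default member of the netsvcs svchost group.
        findings.append(Finding("combofix", name, "non-default NetSvcs member; check its Services key and ServiceDll"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE) + triage_combofix(COMBOFIX_SAMPLE):
        print(f"[{f.source}] {f.reason}\n    {f.line}")
```

Run against the constructed samples, the script separates the three kinds of item a helper deals with differently: orphan `(no file)` and `(file missing)` browser entries, which are cleanup rather than infection; "Unknown owner" services, where the distinction between a real file to verify (`runservice.exe`) and a bare directory (`C:\WINNT\`, the shape HijackThis gives the svchost-hosted `wuauserv` and BITS entries in the log above) decides whether to check a binary or a registry value; and the ComboFix items (a driver it could not find or size, NetSvcs names with no display name, Security Center overrides) that need a cross-check in the Services registry key before anything is deleted.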