Chadcicle
2009-09-17, 22:28
Hey, I had another thread open and it got closed due to inactivity. Sorry about that — I was getting an external hard drive to back up my files before I ran ComboFix. Anyway, here is my ComboFix log and a link back to the previous thread. Thanks again guys!
http://forums.spybot.info/showthread.php?p=334230#post334230
ComboFix 09-09-16.05 - Chad 09/17/2009 15:03.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.541 [GMT -4:00]
Running from: c:\documents and settings\Chad\My Documents\Downloads\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Chad\Start Menu\Programs\Startup\TA_Start.lnk
C:\Images
c:\program files\INSTALL.LOG
c:\program files\Xfire Online Backup\Xfire Online Backup\ntSVc.ocx
c:\recycler\S-1-5-21-1645522239-1035525444-682003330-1004
c:\recycler\S-1-5-21-179408545-1627737751-893798309-1004
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\fse
c:\temp\fse\tmpZTF.log
c:\windows\Downloaded Program Files\bdcore.dll
c:\windows\Downloaded Program Files\libfn.dll
c:\windows\Installer\649d4.msi
c:\windows\system32\B1
c:\windows\system32\drivers\hwdrv.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\f02WtR
c:\windows\system32\G1
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\win
c:\windows\system32\Y1
c:\windows\system32\Y2
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AIM
-------\Legacy_RDRIV
-------\Service_rdriv
((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))
.
2009-09-15 22:51 . 2009-09-15 22:51 -------- d-----w- c:\program files\2BrightSparks
2009-09-15 22:45 . 2009-09-15 22:51 -------- d-----w- c:\documents and settings\Chad\Local Settings\Application Data\2BrightSparks
2009-09-06 15:59 . 2009-09-06 15:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-09-03 18:07 . 2009-09-03 18:07 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-08-28 02:18 . 2009-08-28 02:18 -------- d-----w- c:\program files\Trend Micro
2009-08-28 00:33 . 2009-08-28 00:32 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-28 00:32 . 2009-08-28 00:37 -------- d-----w- c:\documents and settings\Administrator\.housecall6.6
2009-08-28 00:28 . 2009-08-28 00:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-08-27 20:28 . 2009-08-27 22:38 -------- d-----w- c:\windows\BDOSCAN8
2009-08-27 20:17 . 2009-08-27 20:17 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-27 17:41 . 2009-08-27 17:41 152576 ----a-w- c:\documents and settings\Chad\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-17 18:44 . 2008-01-13 18:38 -------- d-----w- c:\program files\Lx_cats
2009-09-17 18:33 . 2005-03-16 23:26 -------- d-s---w- c:\program files\Xfire
2009-09-16 00:11 . 2009-01-31 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-15 22:49 . 2009-01-04 14:14 -------- d-----w- c:\program files\Dyyno
2009-09-11 23:19 . 2008-11-27 23:20 -------- d-----w- c:\documents and settings\Chad\Application Data\uTorrent
2009-09-09 19:14 . 2005-03-16 23:27 -------- d-----w- c:\documents and settings\Chad\Application Data\Xfire
2009-08-28 01:00 . 2006-04-14 17:54 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-27 18:37 . 2007-02-03 05:15 -------- d-----w- c:\program files\AIM6
2009-08-19 19:28 . 2009-02-04 00:52 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-19 19:28 . 2009-02-04 00:52 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-19 19:28 . 2009-02-04 00:52 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-19 19:28 . 2009-02-04 00:52 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-19 19:28 . 2005-02-03 02:05 -------- d-----w- c:\program files\Symantec
2009-08-18 18:59 . 2009-03-05 02:08 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-07-26 15:39 . 2005-04-10 00:37 -------- d-----w- c:\documents and settings\Chad\Application Data\Apple Computer
2009-07-25 05:33 . 2009-07-25 05:33 -------- d-----w- c:\program files\iTunes
2009-07-25 05:33 . 2007-07-21 04:47 -------- d-----w- c:\program files\Common Files\Apple
2009-07-25 05:33 . 2005-04-17 22:52 -------- d-----w- c:\program files\iPod
2009-07-25 05:07 . 2004-12-14 17:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2005-02-03 02:04 . 2005-02-03 02:04 25184485 ----a-w- c:\program files\NV11ESD.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2009-06-10 1217784]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 139264]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ABIT uGuru"="c:\program files\ABIT\ABIT uGuru\uGuru.exe" [2004-09-13 1695827]
"GuruClock"="c:\program files\ABIT\ABIT uGuru\GuruClock.exe" [2004-09-29 4489280]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-02-05 20480]
"LXDCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [2007-01-22 102400]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-29 583048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-11 18944]
c:\documents and settings\Chad\Start Menu\Programs\Startup\
GameSpot Download Manager.lnk - c:\program files\GameSpot\GameSpotDownloadManager_Win32.exe [2007-11-15 876544]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2009-9-3 3111824]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-5-2 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 03:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdccoms.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\chadcicle\\day of defeat\\hl.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1007020.00B\SymEFA.sys [8/31/2009 7:24 PM 310320]
R0 uGuru;uGuru;c:\windows\system32\drivers\uGuru.SYS [3/13/2005 6:34 PM 10752]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1007020.00B\BHDrvx86.sys [8/31/2009 7:24 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1007020.00B\cchpx86.sys [8/31/2009 7:23 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090916.003\IDSXpx86.sys [9/16/2009 10:56 PM 329080]
R1 TeksKernel;TeksKernel;c:\windows\system32\drivers\TeksKernel.sys [7/8/2004 3:14 PM 9060]
R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe [8/31/2009 7:24 PM 117640]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [8/11/2006 3:56 PM 8192]
R2 ProductivITService;ProductivIT Service;c:\program files\AlienAutopsy\TEKS_Service.exe [7/8/2004 3:22 PM 77824]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/28/2007 10:54 AM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 4:00 AM 102448]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - Winflash
.
Contents of the 'Scheduled Tasks' folder
2009-08-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = localhost;*.local
IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: amaena.com
Trusted Zone: drivecleaner.com
Trusted Zone: errorprotector.com
Trusted Zone: imageservr.com
Trusted Zone: winantispyware.com
Trusted Zone: winantivirus.com
Trusted Zone: winfixer.com
Trusted Zone: amaena.com
Trusted Zone: drivecleaner.com
Trusted Zone: errorprotector.com
Trusted Zone: imageservr.com
Trusted Zone: winantispyware.com
Trusted Zone: winantivirus.com
Trusted Zone: winfixer.com
FF - ProfilePath - c:\documents and settings\Chad\Application Data\Mozilla\Firefox\Profiles\trq2th4i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-Skype - c:\program files\Skype\Phone\Skype.exe
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-lxdcmon.exe - c:\program files\Lexmark 1300 Series\lxdcmon.exe
HKLM-Run-Logitech Hardware Abstraction Layer - KHALMNPR.EXE
Notify-AtiExtEvent - (no file)
AddRemove-Adobe Acrobat 5.0 - c:\windows\ISUNINST.EXE -fc:\program files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu
AddRemove-AIM_6 - c:\program files\AIM6\uninst.exe
AddRemove-Half-Life - c:\windows\IsUninst.exe -fc:\sierra\Half-Life\Uninst.isu
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\UninstFl.exe
AddRemove-Viewpoint Toolbar - c:\program files\Viewpoint\Viewpoint Toolbar\3.8.0\Uninstaller.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-17 15:14
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXDCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.7.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2450225623-1706990351-3503433465-1006\Software\SecuROM\License information*]
"datasecu"=hex:20,81,a1,3e,f5,9d,f4,ef,db,2a,45,1f,ef,5c,1b,fc,40,7f,d1,55,1b,
71,99,30,01,5c,33,d3,c6,d8,df,d6,44,48,f9,7b,b0,ca,d1,8b,d6,bb,c0,af,60,6a,\
"rkeysecu"=hex:4e,10,a8,75,bd,8a,24,82,59,b2,f9,5e,ee,b6,ea,d5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(956)
c:\program files\AlienGUIse\fastload.dll
- - - - - - - > 'explorer.exe'(2096)
c:\program files\Xfire\xfire_toucan_39110.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdccoms.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-17 15:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-17 19:20
Pre-Run: 94,734,802,944 bytes free
Post-Run: 98,423,463,936 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
268 --- E O F --- 2009-02-27 21:34
http://forums.spybot.info/showthread.php?p=334230#post334230
ComboFix 09-09-16.05 - Chad 09/17/2009 15:03.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.541 [GMT -4:00]
Running from: c:\documents and settings\Chad\My Documents\Downloads\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Chad\Start Menu\Programs\Startup\TA_Start.lnk
C:\Images
c:\program files\INSTALL.LOG
c:\program files\Xfire Online Backup\Xfire Online Backup\ntSVc.ocx
c:\recycler\S-1-5-21-1645522239-1035525444-682003330-1004
c:\recycler\S-1-5-21-179408545-1627737751-893798309-1004
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\fse
c:\temp\fse\tmpZTF.log
c:\windows\Downloaded Program Files\bdcore.dll
c:\windows\Downloaded Program Files\libfn.dll
c:\windows\Installer\649d4.msi
c:\windows\system32\B1
c:\windows\system32\drivers\hwdrv.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\f02WtR
c:\windows\system32\G1
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\win
c:\windows\system32\Y1
c:\windows\system32\Y2
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AIM
-------\Legacy_RDRIV
-------\Service_rdriv
((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))
.
2009-09-15 22:51 . 2009-09-15 22:51 -------- d-----w- c:\program files\2BrightSparks
2009-09-15 22:45 . 2009-09-15 22:51 -------- d-----w- c:\documents and settings\Chad\Local Settings\Application Data\2BrightSparks
2009-09-06 15:59 . 2009-09-06 15:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-09-03 18:07 . 2009-09-03 18:07 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-08-28 02:18 . 2009-08-28 02:18 -------- d-----w- c:\program files\Trend Micro
2009-08-28 00:33 . 2009-08-28 00:32 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-28 00:32 . 2009-08-28 00:37 -------- d-----w- c:\documents and settings\Administrator\.housecall6.6
2009-08-28 00:28 . 2009-08-28 00:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-08-27 20:28 . 2009-08-27 22:38 -------- d-----w- c:\windows\BDOSCAN8
2009-08-27 20:17 . 2009-08-27 20:17 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-27 17:41 . 2009-08-27 17:41 152576 ----a-w- c:\documents and settings\Chad\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-17 18:44 . 2008-01-13 18:38 -------- d-----w- c:\program files\Lx_cats
2009-09-17 18:33 . 2005-03-16 23:26 -------- d-s---w- c:\program files\Xfire
2009-09-16 00:11 . 2009-01-31 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-15 22:49 . 2009-01-04 14:14 -------- d-----w- c:\program files\Dyyno
2009-09-11 23:19 . 2008-11-27 23:20 -------- d-----w- c:\documents and settings\Chad\Application Data\uTorrent
2009-09-09 19:14 . 2005-03-16 23:27 -------- d-----w- c:\documents and settings\Chad\Application Data\Xfire
2009-08-28 01:00 . 2006-04-14 17:54 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-27 18:37 . 2007-02-03 05:15 -------- d-----w- c:\program files\AIM6
2009-08-19 19:28 . 2009-02-04 00:52 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-19 19:28 . 2009-02-04 00:52 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-19 19:28 . 2009-02-04 00:52 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-19 19:28 . 2009-02-04 00:52 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-19 19:28 . 2005-02-03 02:05 -------- d-----w- c:\program files\Symantec
2009-08-18 18:59 . 2009-03-05 02:08 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-07-26 15:39 . 2005-04-10 00:37 -------- d-----w- c:\documents and settings\Chad\Application Data\Apple Computer
2009-07-25 05:33 . 2009-07-25 05:33 -------- d-----w- c:\program files\iTunes
2009-07-25 05:33 . 2007-07-21 04:47 -------- d-----w- c:\program files\Common Files\Apple
2009-07-25 05:33 . 2005-04-17 22:52 -------- d-----w- c:\program files\iPod
2009-07-25 05:07 . 2004-12-14 17:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2005-02-03 02:04 . 2005-02-03 02:04 25184485 ----a-w- c:\program files\NV11ESD.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2009-06-10 1217784]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 139264]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ABIT uGuru"="c:\program files\ABIT\ABIT uGuru\uGuru.exe" [2004-09-13 1695827]
"GuruClock"="c:\program files\ABIT\ABIT uGuru\GuruClock.exe" [2004-09-29 4489280]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-02-05 20480]
"LXDCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [2007-01-22 102400]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-29 583048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-11 18944]
c:\documents and settings\Chad\Start Menu\Programs\Startup\
GameSpot Download Manager.lnk - c:\program files\GameSpot\GameSpotDownloadManager_Win32.exe [2007-11-15 876544]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2009-9-3 3111824]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-5-2 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 03:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdccoms.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\chadcicle\\day of defeat\\hl.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1007020.00B\SymEFA.sys [8/31/2009 7:24 PM 310320]
R0 uGuru;uGuru;c:\windows\system32\drivers\uGuru.SYS [3/13/2005 6:34 PM 10752]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1007020.00B\BHDrvx86.sys [8/31/2009 7:24 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1007020.00B\cchpx86.sys [8/31/2009 7:23 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090916.003\IDSXpx86.sys [9/16/2009 10:56 PM 329080]
R1 TeksKernel;TeksKernel;c:\windows\system32\drivers\TeksKernel.sys [7/8/2004 3:14 PM 9060]
R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe [8/31/2009 7:24 PM 117640]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [8/11/2006 3:56 PM 8192]
R2 ProductivITService;ProductivIT Service;c:\program files\AlienAutopsy\TEKS_Service.exe [7/8/2004 3:22 PM 77824]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/28/2007 10:54 AM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 4:00 AM 102448]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - Winflash
.
Contents of the 'Scheduled Tasks' folder
2009-08-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = localhost;*.local
IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: amaena.com
Trusted Zone: drivecleaner.com
Trusted Zone: errorprotector.com
Trusted Zone: imageservr.com
Trusted Zone: winantispyware.com
Trusted Zone: winantivirus.com
Trusted Zone: winfixer.com
Trusted Zone: amaena.com
Trusted Zone: drivecleaner.com
Trusted Zone: errorprotector.com
Trusted Zone: imageservr.com
Trusted Zone: winantispyware.com
Trusted Zone: winantivirus.com
Trusted Zone: winfixer.com
FF - ProfilePath - c:\documents and settings\Chad\Application Data\Mozilla\Firefox\Profiles\trq2th4i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-Skype - c:\program files\Skype\Phone\Skype.exe
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-lxdcmon.exe - c:\program files\Lexmark 1300 Series\lxdcmon.exe
HKLM-Run-Logitech Hardware Abstraction Layer - KHALMNPR.EXE
Notify-AtiExtEvent - (no file)
AddRemove-Adobe Acrobat 5.0 - c:\windows\ISUNINST.EXE -fc:\program files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu
AddRemove-AIM_6 - c:\program files\AIM6\uninst.exe
AddRemove-Half-Life - c:\windows\IsUninst.exe -fc:\sierra\Half-Life\Uninst.isu
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\UninstFl.exe
AddRemove-Viewpoint Toolbar - c:\program files\Viewpoint\Viewpoint Toolbar\3.8.0\Uninstaller.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-17 15:14
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXDCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.7.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2450225623-1706990351-3503433465-1006\Software\SecuROM\License information*]
"datasecu"=hex:20,81,a1,3e,f5,9d,f4,ef,db,2a,45,1f,ef,5c,1b,fc,40,7f,d1,55,1b,
71,99,30,01,5c,33,d3,c6,d8,df,d6,44,48,f9,7b,b0,ca,d1,8b,d6,bb,c0,af,60,6a,\
"rkeysecu"=hex:4e,10,a8,75,bd,8a,24,82,59,b2,f9,5e,ee,b6,ea,d5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(956)
c:\program files\AlienGUIse\fastload.dll
- - - - - - - > 'explorer.exe'(2096)
c:\program files\Xfire\xfire_toucan_39110.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdccoms.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-17 15:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-17 19:20
Pre-Run: 94,734,802,944 bytes free
Post-Run: 98,423,463,936 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
268 --- E O F --- 2009-02-27 21:34