I've been trying to get rid of Virtumonde on my own for the past few days but have failed miserably. How can I get rid of it?
Also, every time I restart I get a blue screen. Are these two problems related?
I ran combofix.exe; it rebooted my computer and did a scan. This is the log:
ComboFix 08-08-17.05 - Eric 2008-08-18 15:17:47.1 - NTFSx86
Running from: C:\Documents and Settings\Eric\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Eric\Application Data\macromedia\Flash Player\#SharedObjects\URC2PZ5U\interclick.com
C:\Documents and Settings\Eric\Application Data\macromedia\Flash Player\#SharedObjects\URC2PZ5U\interclick.com\ud.sol
C:\Documents and Settings\Eric\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Eric\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Eric\Application Data\rhcgw5j0erej
C:\WINDOWS\BMe7defac8.txt
C:\WINDOWS\BMe7defac8.xml
C:\WINDOWS\mrofinu2000352.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ukwxgrqy.exe
C:\WINDOWS\system32\winzbb32.dll
----- BITS: Possible infected sites -----
http://updates.swarmcast.net
.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.
2008-08-18 15:11 . 2008-08-18 15:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-18 15:11 . 2008-08-18 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-14 15:42 . 2008-08-14 15:42 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-14 14:08 . 2008-08-14 14:08 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-14 10:09 . 2008-08-14 10:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 10:01 . 2008-08-14 10:01 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-14 10:01 . 2008-08-14 10:01 <DIR> d-------- C:\Program Files\AVG
2008-08-14 10:01 . 2008-08-14 10:22 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\AVGTOOLBAR
2008-08-14 10:01 . 2008-08-14 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-14 10:01 . 2008-08-14 10:01 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-14 10:01 . 2008-08-14 10:01 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-14 10:01 . 2008-08-14 10:01 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-08-14 10:01 . 2008-08-14 10:01 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-13 02:07 . 2008-08-13 08:56 <DIR> d-------- C:\VundoFix Backups
2008-08-13 01:18 . 2008-08-14 09:57 <DIR> d-------- C:\Program Files\ESET
2008-08-12 22:10 . 2008-08-13 03:18 261 --a------ C:\WINDOWS\wininit.ini
2008-08-12 20:37 . 2008-08-12 20:38 94,208 --a------ C:\WINDOWS\system32\11E.tmp
2008-08-12 20:37 . 2008-08-12 20:38 94,208 --a------ C:\WINDOWS\system32\11D.tmp
2008-08-12 20:37 . 2008-08-12 20:37 94,208 --a------ C:\WINDOWS\system32\11C.tmp
2008-08-12 20:37 . 2008-08-12 20:37 94,208 --a------ C:\WINDOWS\system32\11B.tmp
2008-08-11 14:58 . 2008-08-11 16:24 <DIR> d-------- C:\Program Files\Microsoft Games
2008-08-06 04:01 . 2008-08-06 04:01 <DIR> d-------- C:\Program Files\Real
2008-08-05 01:44 . 2004-08-03 18:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-05 01:43 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-05 01:42 . 2008-08-05 01:43 <DIR> d-------- C:\Program Files\Java
2008-08-05 01:41 . 2008-08-05 01:41 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-05 01:29 . 2008-08-06 04:45 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-08-05 01:29 . 2008-08-06 04:45 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-07-27 03:02 . 2008-07-27 03:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-27 03:01 . 2008-07-27 03:01 <DIR> d-------- C:\Program Files\Common Files\CyberLink
2008-07-27 03:00 . 2008-07-27 03:02 <DIR> d-------- C:\Program Files\CyberLink
2008-07-27 03:00 . 2008-07-27 02:59 29,480 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-07-25 18:06 . 2008-07-25 18:19 <DIR> d-------- C:\Program Files\Autobahn
2008-07-25 18:05 . 2008-07-25 18:40 <DIR> d-------- C:\Documents and Settings\Eric\.autobahn
2008-07-25 18:04 . 2008-07-25 18:06 <DIR> d-------- C:\Program Files\MLB TV Mosaic
2008-07-25 17:49 . 2008-07-25 17:49 <DIR> d-------- C:\Program Files\MSBuild
2008-07-25 17:48 . 2008-07-25 17:48 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-07-25 15:44 . 2008-07-25 15:44 <DIR> d-------- C:\Program Files\Common Files\Real
2008-07-25 03:36 . 2008-07-25 03:36 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-07-25 03:36 . 2008-07-25 03:36 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-07-24 20:29 . 2008-04-22 23:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-24 20:29 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-24 20:29 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-24 20:29 . 2008-04-22 23:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-24 20:29 . 2008-04-22 23:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-24 20:29 . 2008-04-22 23:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-24 20:29 . 2008-04-22 23:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-24 20:29 . 2008-04-22 23:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-24 20:29 . 2008-04-22 02:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-23 17:37 . 2008-07-23 17:37 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Research In Motion
2008-07-23 17:21 . 2008-07-24 03:09 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-23 17:21 . 2008-07-23 17:21 <DIR> d-------- C:\Program Files\Research In Motion
2008-07-23 17:21 . 2008-07-23 17:21 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2008-07-23 16:39 . 2008-07-23 16:39 256 --a------ C:\Documents and Settings\Eric\pool.bin
2008-07-23 12:45 . 2008-07-23 17:22 <DIR> d-------- C:\Program Files\Common Files\Pumatech Shared
2008-07-23 12:45 . 2008-07-23 17:21 54 --a------ C:\WINDOWS\system32\pumahlp.err
2008-07-23 12:04 . 2008-07-23 12:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-07-23 12:04 . 2008-07-23 12:04 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Roxio
2008-07-23 12:04 . 2008-07-23 12:29 256 --a------ C:\WINDOWS\system32\pool.bin
2008-07-23 11:50 . 2008-07-23 11:50 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 11:48 . 2008-07-23 11:48 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-07-23 11:48 . 2008-07-23 11:48 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-07-23 11:47 . 2008-07-23 11:47 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2008-07-23 11:47 . 2008-07-23 11:47 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2008-07-23 11:46 . 2008-07-23 11:46 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-07-23 10:16 . 2008-07-23 10:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-23 10:15 . 2008-07-23 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-07-23 10:11 . 2008-07-23 17:15 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-07-23 10:11 . 2008-07-23 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-07-23 10:08 . 2004-08-06 08:50 17,920 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-07-23 09:36 . 2008-07-23 09:38 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-23 07:49 . 2008-07-23 07:49 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-07-23 07:48 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-07-23 07:41 . 2008-08-05 01:58 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\DivX
2008-07-23 07:37 . 2008-07-25 01:32 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\DAEMON Tools Pro
2008-07-23 07:36 . 2008-07-23 07:36 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-07-23 07:36 . 2008-08-06 04:43 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-07-23 07:36 . 2008-07-25 01:40 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2008-07-23 07:36 . 2008-07-25 01:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-07-23 07:26 . 2008-08-05 01:05 <DIR> d-------- C:\Program Files\DivX
2008-07-23 07:26 . 2008-06-10 19:07 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-07-23 07:21 . 2008-07-23 07:21 <DIR> d-------- C:\Program Files\Red Kawa
2008-07-23 07:21 . 2008-07-23 07:21 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-07-23 07:19 . 2008-07-23 07:19 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-07-23 07:12 . 2008-08-06 04:54 <DIR> d-------- C:\Program Files\Rhapsody
2008-07-23 06:16 . 2008-07-23 06:19 <DIR> d-------- C:\Program Files\Essentials Codec Pack
2008-07-23 05:18 . 2008-07-23 08:16 <DIR> d-------- C:\Media
2008-07-23 05:18 . 2008-07-23 05:18 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-07-23 05:07 . 2008-07-23 05:07 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Media Player Classic
2008-07-23 04:53 . 2008-07-23 05:03 <DIR> d-------- C:\Program Files\SoundTaxi
2008-07-23 04:53 . 2007-10-09 17:04 513,152 --a------ C:\WINDOWS\system32\SndTDriverV32.sys
2008-07-23 04:53 . 2007-10-09 17:04 513,152 --a------ C:\WINDOWS\system32\drivers\SndTDriverV32.sys
2008-07-23 04:53 . 2007-10-09 12:42 184,320 --a------ C:\WINDOWS\system32\snmvtsvc.exe
2008-07-23 04:53 . 2007-10-09 12:52 9,472 --a------ C:\WINDOWS\system32\MovRVDrv32.dll
2008-07-23 04:53 . 2007-10-09 17:04 3,993 --a------ C:\WINDOWS\system32\SndTDriverV32.inf
2008-07-23 04:53 . 2007-10-09 12:52 2,688 --a------ C:\WINDOWS\system32\MovRVDrv32.sys
2008-07-23 04:53 . 2007-10-09 12:52 2,688 --a------ C:\WINDOWS\system32\drivers\MovRVDrv32.sys
2008-07-23 04:53 . 2007-10-09 17:04 2,584 --a------ C:\WINDOWS\system32\MovRVDrv32.inf
2008-07-23 04:35 . 2008-08-11 18:10 <DIR> d-------- C:\Program Files\Steam
2008-07-23 04:27 . 2008-07-23 06:48 <DIR> d-------- C:\Documents and Settings\Eric\Contacts
2008-07-23 04:24 . 2008-07-23 04:24 <DIR> d-------- C:\Program Files\uTorrent
2008-07-23 04:23 . 2008-08-13 01:27 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\uTorrent
2008-07-23 04:20 . 2008-07-23 04:49 <DIR> d-------- C:\Program Files\Windows Live
2008-07-23 04:20 . 2008-07-23 04:25 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-23 04:20 . 2008-07-23 04:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-23 04:10 . 2008-07-23 04:10 <DIR> d-------- C:\Program Files\Synaptics
2008-07-23 04:10 . 2004-05-20 13:52 184,768 --a------ C:\WINDOWS\system32\drivers\SynTP.sys
2008-07-23 04:10 . 2004-05-20 13:53 114,688 --a------ C:\WINDOWS\system32\SynCtrl.dll
2008-07-23 04:10 . 2004-05-20 13:54 90,112 --a------ C:\WINDOWS\system32\SynTPAPI.dll
2008-07-23 04:10 . 2004-05-20 13:59 77,824 --a------ C:\WINDOWS\system32\SynTPCoI.dll
2008-07-23 04:10 . 2004-05-20 13:53 77,824 --a------ C:\WINDOWS\system32\SynCOM.dll
2008-07-23 04:10 . 2004-05-20 13:57 66,048 --a------ C:\WINDOWS\system32\SynTPFcs.dll
2008-07-23 03:54 . 2008-07-23 03:54 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Apple Computer
2008-07-23 03:53 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\iTunes
2008-07-23 03:53 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\iPod
2008-07-23 03:53 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\Bonjour
2008-07-23 03:52 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\QuickTime
2008-07-23 03:52 . 2008-07-23 03:52 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-23 03:52 . 2008-07-23 03:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-23 03:51 . 2008-07-23 04:26 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-07-23 03:51 . 2008-07-23 03:51 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-07-23 03:51 . 2008-07-23 03:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-23 03:51 . 2008-07-10 09:35 32,000 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-23 02:02 . 2008-07-23 02:02 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-07-23 02:01 . 2008-07-25 13:51 <DIR> d--h----- C:\WINDOWS\$hf_mig$
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 09:45 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-27 08:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 07:59 505,128 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-07-27 07:59 353,576 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-07-23 15:11 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-23 00:35 --------- d-----w C:\Program Files\Intel
2008-07-22 23:31 --------- d-----w C:\Program Files\Broadcom
2008-07-22 23:09 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2008-01-15 09:17 277960]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-14 10:01 1172760]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 13:57 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 13:57 532480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-07 09:42 4891472]
"RemoteControl8"="C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 20:23 83240]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"PDVD8LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 11:36 50472]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-10 18:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-10 18:51 118784]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2008-06-27 16:50 91432]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2007-02-18 16:38 169984]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
autobahn.lnk - C:\Program Files\Autobahn\autobahn.exe [2008-07-09 14:26:28 708824]
MLB.TV NexDef Plug-in.lnk - C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe [2008-03-30 18:52:34 799496]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Autobahn\\mlb-nexdef-autobahn.exe"=
"C:\\Program Files\\MLB TV Mosaic\\Swarmcast\\mlb-nexdef-autobahn.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Steam\\steamapps\\flipmaster380\\counter-strike\\hl.exe"=
"C:\\Program Files\\Autobahn\\autobahn.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"C:\\Program Files\\Rhapsody\\rhapsody.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\AGE2_X1.EXE"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-08-14 10:01]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 09:35]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-14 10:01]
R1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 08:57]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};C:\Program Files\CyberLink\PowerDVD8\000.fcl [2008-06-27 16:50]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 09:37]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-14 10:01]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-14 10:01]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-14 10:01]
R3 MovRVDrv32;MovRVDrv32;C:\WINDOWS\system32\DRIVERS\MovRVDrv32.sys [2007-10-09 12:52]
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2004-08-06 08:50]
R3 SMBBATT;Microsoft Smart Battery Driver;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2004-08-03 18:07]
R3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2007-10-09 17:04]
S3 SoundMovieServer;SoundMovieServer;C:\WINDOWS\system32\snmvtsvc.exe [2007-10-09 12:42]
.
Contents of the 'Scheduled Tasks' folder
2008-08-12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -
BHO-{FE81757C-5AAE-4E1F-9385-BEE54DE2F55E} - C:\WINDOWS\system32\awttqqNH.dll
HKLM-Run-Media Codec Update Service - C:\Program Files\Essentials Codec Pack\update.exe
Notify-winzbb32 - winzbb32.dll
MSConfigStartUp-BMe7defac8 - C:\WINDOWS\system32\imnsxlgw.dll
MSConfigStartUp-e4edc954 - C:\WINDOWS\system32\pjtqpvdj.dll
MSConfigStartUp-lphclw5j0erej - C:\WINDOWS\system32\lphclw5j0erej.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\o2n18mc6.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - my.yahoo.com
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 15:28:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD8\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-18 15:36:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-18 20:36:07
Pre-Run: 9,399,832,576 bytes free
Post-Run: 9,348,005,888 bytes free
288 --- E O F --- 2008-08-07 08:01:36
This is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:41 PM, on 8/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Autobahn\autobahn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://local.swarmcast.net:8001/proxy.pac
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: autobahn.lnk = C:\Program Files\Autobahn\autobahn.exe
O4 - Global Startup: MLB.TV NexDef Plug-in.lnk = C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe
--
End of file - 6799 bytes
I ran ComboFix again, this time using the Recovery Console. I don't know if it changes anything, but hopefully it will be more helpful. Also, last time ComboFix ran while my other anti-virus/spyware/malware programs were running. I made sure to close/disable them this time.
New ComboFix log:
ComboFix 08-08-17.05 - Eric 2008-08-18 15:50:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.166 [GMT -5:00]
Running from: C:\Documents and Settings\Eric\Desktop\ComboFix.exe
Command switches used :: E:\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
----- BITS: Possible infected sites -----
http://updates.swarmcast.net
.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.
2008-08-18 15:11 . 2008-08-18 15:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-18 15:11 . 2008-08-18 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-14 15:42 . 2008-08-14 15:42 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-14 14:08 . 2008-08-14 14:08 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-14 10:09 . 2008-08-14 10:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 10:01 . 2008-08-14 10:01 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-14 10:01 . 2008-08-14 10:01 <DIR> d-------- C:\Program Files\AVG
2008-08-14 10:01 . 2008-08-14 10:22 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\AVGTOOLBAR
2008-08-14 10:01 . 2008-08-14 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-14 10:01 . 2008-08-14 10:01 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-14 10:01 . 2008-08-14 10:01 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-14 10:01 . 2008-08-14 10:01 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-08-14 10:01 . 2008-08-14 10:01 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-13 02:07 . 2008-08-13 08:56 <DIR> d-------- C:\VundoFix Backups
2008-08-13 01:18 . 2008-08-14 09:57 <DIR> d-------- C:\Program Files\ESET
2008-08-12 22:10 . 2008-08-13 03:18 261 --a------ C:\WINDOWS\wininit.ini
2008-08-12 20:37 . 2008-08-12 20:38 94,208 --a------ C:\WINDOWS\system32\11E.tmp
2008-08-12 20:37 . 2008-08-12 20:38 94,208 --a------ C:\WINDOWS\system32\11D.tmp
2008-08-12 20:37 . 2008-08-12 20:37 94,208 --a------ C:\WINDOWS\system32\11C.tmp
2008-08-12 20:37 . 2008-08-12 20:37 94,208 --a------ C:\WINDOWS\system32\11B.tmp
2008-08-11 14:58 . 2008-08-11 16:24 <DIR> d-------- C:\Program Files\Microsoft Games
2008-08-06 04:01 . 2008-08-06 04:01 <DIR> d-------- C:\Program Files\Real
2008-08-05 01:44 . 2004-08-03 18:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-05 01:43 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-05 01:42 . 2008-08-05 01:43 <DIR> d-------- C:\Program Files\Java
2008-08-05 01:41 . 2008-08-05 01:41 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-05 01:29 . 2008-08-06 04:45 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-08-05 01:29 . 2008-08-06 04:45 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-07-27 03:02 . 2008-07-27 03:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-27 03:01 . 2008-07-27 03:01 <DIR> d-------- C:\Program Files\Common Files\CyberLink
2008-07-27 03:00 . 2008-07-27 03:02 <DIR> d-------- C:\Program Files\CyberLink
2008-07-27 03:00 . 2008-07-27 02:59 29,480 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-07-25 18:06 . 2008-07-25 18:19 <DIR> d-------- C:\Program Files\Autobahn
2008-07-25 18:05 . 2008-07-25 18:40 <DIR> d-------- C:\Documents and Settings\Eric\.autobahn
2008-07-25 18:04 . 2008-07-25 18:06 <DIR> d-------- C:\Program Files\MLB TV Mosaic
2008-07-25 17:49 . 2008-07-25 17:49 <DIR> d-------- C:\Program Files\MSBuild
2008-07-25 17:48 . 2008-07-25 17:48 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-07-25 15:44 . 2008-07-25 15:44 <DIR> d-------- C:\Program Files\Common Files\Real
2008-07-25 03:36 . 2008-07-25 03:36 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-07-25 03:36 . 2008-07-25 03:36 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-07-24 20:29 . 2008-04-22 23:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-24 20:29 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-24 20:29 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-24 20:29 . 2008-04-22 23:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-24 20:29 . 2008-04-22 23:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-24 20:29 . 2008-04-22 23:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-24 20:29 . 2008-04-22 23:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-24 20:29 . 2008-04-22 23:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-24 20:29 . 2008-04-22 02:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-23 17:37 . 2008-07-23 17:37 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Research In Motion
2008-07-23 17:21 . 2008-07-24 03:09 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-23 17:21 . 2008-07-23 17:21 <DIR> d-------- C:\Program Files\Research In Motion
2008-07-23 17:21 . 2008-07-23 17:21 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2008-07-23 16:39 . 2008-07-23 16:39 256 --a------ C:\Documents and Settings\Eric\pool.bin
2008-07-23 12:45 . 2008-07-23 17:22 <DIR> d-------- C:\Program Files\Common Files\Pumatech Shared
2008-07-23 12:45 . 2008-07-23 17:21 54 --a------ C:\WINDOWS\system32\pumahlp.err
2008-07-23 12:04 . 2008-07-23 12:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-07-23 12:04 . 2008-07-23 12:04 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Roxio
2008-07-23 12:04 . 2008-07-23 12:29 256 --a------ C:\WINDOWS\system32\pool.bin
2008-07-23 11:50 . 2008-07-23 11:50 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 11:48 . 2008-07-23 11:48 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-07-23 11:48 . 2008-07-23 11:48 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-07-23 11:47 . 2008-07-23 11:47 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2008-07-23 11:47 . 2008-07-23 11:47 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2008-07-23 11:46 . 2008-07-23 11:46 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-07-23 10:16 . 2008-07-23 10:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-23 10:15 . 2008-07-23 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-07-23 10:11 . 2008-07-23 17:15 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-07-23 10:11 . 2008-07-23 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-07-23 10:08 . 2004-08-06 08:50 17,920 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-07-23 09:36 . 2008-07-23 09:38 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-23 07:49 . 2008-07-23 07:49 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-07-23 07:48 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-07-23 07:41 . 2008-08-05 01:58 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\DivX
2008-07-23 07:37 . 2008-07-25 01:32 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\DAEMON Tools Pro
2008-07-23 07:36 . 2008-07-23 07:36 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-07-23 07:36 . 2008-08-06 04:43 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-07-23 07:36 . 2008-07-25 01:40 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2008-07-23 07:36 . 2008-07-25 01:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-07-23 07:26 . 2008-08-05 01:05 <DIR> d-------- C:\Program Files\DivX
2008-07-23 07:26 . 2008-06-10 19:07 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-07-23 07:21 . 2008-07-23 07:21 <DIR> d-------- C:\Program Files\Red Kawa
2008-07-23 07:21 . 2008-07-23 07:21 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-07-23 07:19 . 2008-07-23 07:19 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-07-23 07:12 . 2008-08-06 04:54 <DIR> d-------- C:\Program Files\Rhapsody
2008-07-23 06:16 . 2008-07-23 06:19 <DIR> d-------- C:\Program Files\Essentials Codec Pack
2008-07-23 05:18 . 2008-07-23 08:16 <DIR> d-------- C:\Media
2008-07-23 05:18 . 2008-07-23 05:18 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-07-23 05:07 . 2008-07-23 05:07 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Media Player Classic
2008-07-23 04:53 . 2008-07-23 05:03 <DIR> d-------- C:\Program Files\SoundTaxi
2008-07-23 04:53 . 2007-10-09 17:04 513,152 --a------ C:\WINDOWS\system32\SndTDriverV32.sys
2008-07-23 04:53 . 2007-10-09 17:04 513,152 --a------ C:\WINDOWS\system32\drivers\SndTDriverV32.sys
2008-07-23 04:53 . 2007-10-09 12:42 184,320 --a------ C:\WINDOWS\system32\snmvtsvc.exe
2008-07-23 04:53 . 2007-10-09 12:52 9,472 --a------ C:\WINDOWS\system32\MovRVDrv32.dll
2008-07-23 04:53 . 2007-10-09 17:04 3,993 --a------ C:\WINDOWS\system32\SndTDriverV32.inf
2008-07-23 04:53 . 2007-10-09 12:52 2,688 --a------ C:\WINDOWS\system32\MovRVDrv32.sys
2008-07-23 04:53 . 2007-10-09 12:52 2,688 --a------ C:\WINDOWS\system32\drivers\MovRVDrv32.sys
2008-07-23 04:53 . 2007-10-09 17:04 2,584 --a------ C:\WINDOWS\system32\MovRVDrv32.inf
2008-07-23 04:35 . 2008-08-11 18:10 <DIR> d-------- C:\Program Files\Steam
2008-07-23 04:27 . 2008-07-23 06:48 <DIR> d-------- C:\Documents and Settings\Eric\Contacts
2008-07-23 04:24 . 2008-07-23 04:24 <DIR> d-------- C:\Program Files\uTorrent
2008-07-23 04:23 . 2008-08-13 01:27 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\uTorrent
2008-07-23 04:20 . 2008-07-23 04:49 <DIR> d-------- C:\Program Files\Windows Live
2008-07-23 04:20 . 2008-07-23 04:25 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-23 04:20 . 2008-07-23 04:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-23 04:10 . 2008-07-23 04:10 <DIR> d-------- C:\Program Files\Synaptics
2008-07-23 04:10 . 2004-05-20 13:52 184,768 --a------ C:\WINDOWS\system32\drivers\SynTP.sys
2008-07-23 04:10 . 2004-05-20 13:53 114,688 --a------ C:\WINDOWS\system32\SynCtrl.dll
2008-07-23 04:10 . 2004-05-20 13:54 90,112 --a------ C:\WINDOWS\system32\SynTPAPI.dll
2008-07-23 04:10 . 2004-05-20 13:59 77,824 --a------ C:\WINDOWS\system32\SynTPCoI.dll
2008-07-23 04:10 . 2004-05-20 13:53 77,824 --a------ C:\WINDOWS\system32\SynCOM.dll
2008-07-23 04:10 . 2004-05-20 13:57 66,048 --a------ C:\WINDOWS\system32\SynTPFcs.dll
2008-07-23 03:54 . 2008-07-23 03:54 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Apple Computer
2008-07-23 03:53 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\iTunes
2008-07-23 03:53 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\iPod
2008-07-23 03:53 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\Bonjour
2008-07-23 03:52 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\QuickTime
2008-07-23 03:52 . 2008-07-23 03:52 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-23 03:52 . 2008-07-23 03:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-23 03:51 . 2008-07-23 04:26 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-07-23 03:51 . 2008-07-23 03:51 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-07-23 03:51 . 2008-07-23 03:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-23 03:51 . 2008-07-10 09:35 32,000 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-23 02:02 . 2008-07-23 02:02 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-07-23 02:01 . 2008-07-25 13:51 <DIR> d--h----- C:\WINDOWS\$hf_mig$
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 09:45 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-27 08:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 07:59 505,128 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-07-27 07:59 353,576 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-07-23 15:11 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-23 00:35 --------- d-----w C:\Program Files\Intel
2008-07-22 23:31 --------- d-----w C:\Program Files\Broadcom
2008-07-22 23:09 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2008-01-15 09:17 277960]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-14 10:01 1172760]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 13:57 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 13:57 532480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-07 09:42 4891472]
"RemoteControl8"="C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 20:23 83240]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"PDVD8LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 11:36 50472]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-10 18:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-10 18:51 118784]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2008-06-27 16:50 91432]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2007-02-18 16:38 169984]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
autobahn.lnk - C:\Program Files\Autobahn\autobahn.exe [2008-07-09 14:26:28 708824]
MLB.TV NexDef Plug-in.lnk - C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe [2008-03-30 18:52:34 799496]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Autobahn\\mlb-nexdef-autobahn.exe"=
"C:\\Program Files\\MLB TV Mosaic\\Swarmcast\\mlb-nexdef-autobahn.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Steam\\steamapps\\flipmaster380\\counter-strike\\hl.exe"=
"C:\\Program Files\\Autobahn\\autobahn.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"C:\\Program Files\\Rhapsody\\rhapsody.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\AGE2_X1.EXE"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-08-14 10:01]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 09:35]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-14 10:01]
R1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 08:57]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};C:\Program Files\CyberLink\PowerDVD8\000.fcl [2008-06-27 16:50]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 09:37]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-14 10:01]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-14 10:01]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-14 10:01]
R3 MovRVDrv32;MovRVDrv32;C:\WINDOWS\system32\DRIVERS\MovRVDrv32.sys [2007-10-09 12:52]
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2004-08-06 08:50]
R3 SMBBATT;Microsoft Smart Battery Driver;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2004-08-03 18:07]
R3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2007-10-09 17:04]
S3 SoundMovieServer;SoundMovieServer;C:\WINDOWS\system32\snmvtsvc.exe [2007-10-09 12:42]
.
Contents of the 'Scheduled Tasks' folder
2008-08-12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\o2n18mc6.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - my.yahoo.com
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 15:53:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD8\000.fcl"
.
Completion time: 2008-08-18 15:55:24
ComboFix-quarantined-files.txt 2008-08-18 20:55:21
ComboFix2.txt 2008-08-18 20:36:28
Pre-Run: 9,330,868,224 bytes free
Post-Run: 9,306,189,824 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
263 --- E O F --- 2008-08-07 08:01:36
Combofix Log:
ComboFix 08-08-17.05 - Eric 2008-08-18 15:50:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.166 [GMT -5:00]
Running from: C:\Documents and Settings\Eric\Desktop\ComboFix.exe
Command switches used :: E:\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
----- BITS: Possible infected sites -----
http://updates.swarmcast.net
.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.
2008-08-18 15:11 . 2008-08-18 15:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-18 15:11 . 2008-08-18 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-14 15:42 . 2008-08-14 15:42 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-14 14:08 . 2008-08-14 14:08 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-14 10:09 . 2008-08-14 10:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 10:01 . 2008-08-14 10:01 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-14 10:01 . 2008-08-14 10:01 <DIR> d-------- C:\Program Files\AVG
2008-08-14 10:01 . 2008-08-14 10:22 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\AVGTOOLBAR
2008-08-14 10:01 . 2008-08-14 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-14 10:01 . 2008-08-14 10:01 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-14 10:01 . 2008-08-14 10:01 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-14 10:01 . 2008-08-14 10:01 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-08-14 10:01 . 2008-08-14 10:01 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-13 02:07 . 2008-08-13 08:56 <DIR> d-------- C:\VundoFix Backups
2008-08-13 01:18 . 2008-08-14 09:57 <DIR> d-------- C:\Program Files\ESET
2008-08-12 22:10 . 2008-08-13 03:18 261 --a------ C:\WINDOWS\wininit.ini
2008-08-12 20:37 . 2008-08-12 20:38 94,208 --a------ C:\WINDOWS\system32\11E.tmp
2008-08-12 20:37 . 2008-08-12 20:38 94,208 --a------ C:\WINDOWS\system32\11D.tmp
2008-08-12 20:37 . 2008-08-12 20:37 94,208 --a------ C:\WINDOWS\system32\11C.tmp
2008-08-12 20:37 . 2008-08-12 20:37 94,208 --a------ C:\WINDOWS\system32\11B.tmp
2008-08-11 14:58 . 2008-08-11 16:24 <DIR> d-------- C:\Program Files\Microsoft Games
2008-08-06 04:01 . 2008-08-06 04:01 <DIR> d-------- C:\Program Files\Real
2008-08-05 01:44 . 2004-08-03 18:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-05 01:43 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-05 01:42 . 2008-08-05 01:43 <DIR> d-------- C:\Program Files\Java
2008-08-05 01:41 . 2008-08-05 01:41 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-05 01:29 . 2008-08-06 04:45 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-08-05 01:29 . 2008-08-06 04:45 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-07-27 03:02 . 2008-07-27 03:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-27 03:01 . 2008-07-27 03:01 <DIR> d-------- C:\Program Files\Common Files\CyberLink
2008-07-27 03:00 . 2008-07-27 03:02 <DIR> d-------- C:\Program Files\CyberLink
2008-07-27 03:00 . 2008-07-27 02:59 29,480 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-07-25 18:06 . 2008-07-25 18:19 <DIR> d-------- C:\Program Files\Autobahn
2008-07-25 18:05 . 2008-07-25 18:40 <DIR> d-------- C:\Documents and Settings\Eric\.autobahn
2008-07-25 18:04 . 2008-07-25 18:06 <DIR> d-------- C:\Program Files\MLB TV Mosaic
2008-07-25 17:49 . 2008-07-25 17:49 <DIR> d-------- C:\Program Files\MSBuild
2008-07-25 17:48 . 2008-07-25 17:48 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-07-25 15:44 . 2008-07-25 15:44 <DIR> d-------- C:\Program Files\Common Files\Real
2008-07-25 03:36 . 2008-07-25 03:36 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-07-25 03:36 . 2008-07-25 03:36 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-07-24 20:29 . 2008-04-22 23:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-24 20:29 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-24 20:29 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-24 20:29 . 2008-04-22 23:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-24 20:29 . 2008-04-22 23:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-24 20:29 . 2008-04-22 23:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-24 20:29 . 2008-04-22 23:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-24 20:29 . 2008-04-22 23:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-24 20:29 . 2008-04-22 02:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-23 17:37 . 2008-07-23 17:37 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Research In Motion
2008-07-23 17:21 . 2008-07-24 03:09 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-23 17:21 . 2008-07-23 17:21 <DIR> d-------- C:\Program Files\Research In Motion
2008-07-23 17:21 . 2008-07-23 17:21 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2008-07-23 16:39 . 2008-07-23 16:39 256 --a------ C:\Documents and Settings\Eric\pool.bin
2008-07-23 12:45 . 2008-07-23 17:22 <DIR> d-------- C:\Program Files\Common Files\Pumatech Shared
2008-07-23 12:45 . 2008-07-23 17:21 54 --a------ C:\WINDOWS\system32\pumahlp.err
2008-07-23 12:04 . 2008-07-23 12:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-07-23 12:04 . 2008-07-23 12:04 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Roxio
2008-07-23 12:04 . 2008-07-23 12:29 256 --a------ C:\WINDOWS\system32\pool.bin
2008-07-23 11:50 . 2008-07-23 11:50 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 11:48 . 2008-07-23 11:48 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-07-23 11:48 . 2008-07-23 11:48 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-07-23 11:47 . 2008-07-23 11:47 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2008-07-23 11:47 . 2008-07-23 11:47 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2008-07-23 11:46 . 2008-07-23 11:46 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-07-23 10:16 . 2008-07-23 10:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-23 10:15 . 2008-07-23 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-07-23 10:11 . 2008-07-23 17:15 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-07-23 10:11 . 2008-07-23 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-07-23 10:08 . 2004-08-06 08:50 17,920 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-07-23 09:36 . 2008-07-23 09:38 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-23 07:49 . 2008-07-23 07:49 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-07-23 07:48 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-07-23 07:41 . 2008-08-05 01:58 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\DivX
2008-07-23 07:37 . 2008-07-25 01:32 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\DAEMON Tools Pro
2008-07-23 07:36 . 2008-07-23 07:36 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-07-23 07:36 . 2008-08-06 04:43 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-07-23 07:36 . 2008-07-25 01:40 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2008-07-23 07:36 . 2008-07-25 01:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-07-23 07:26 . 2008-08-05 01:05 <DIR> d-------- C:\Program Files\DivX
2008-07-23 07:26 . 2008-06-10 19:07 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-07-23 07:21 . 2008-07-23 07:21 <DIR> d-------- C:\Program Files\Red Kawa
2008-07-23 07:21 . 2008-07-23 07:21 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-07-23 07:19 . 2008-07-23 07:19 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-07-23 07:12 . 2008-08-06 04:54 <DIR> d-------- C:\Program Files\Rhapsody
2008-07-23 06:16 . 2008-07-23 06:19 <DIR> d-------- C:\Program Files\Essentials Codec Pack
2008-07-23 05:18 . 2008-07-23 08:16 <DIR> d-------- C:\Media
2008-07-23 05:18 . 2008-07-23 05:18 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-07-23 05:07 . 2008-07-23 05:07 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Media Player Classic
2008-07-23 04:53 . 2008-07-23 05:03 <DIR> d-------- C:\Program Files\SoundTaxi
2008-07-23 04:53 . 2007-10-09 17:04 513,152 --a------ C:\WINDOWS\system32\SndTDriverV32.sys
2008-07-23 04:53 . 2007-10-09 17:04 513,152 --a------ C:\WINDOWS\system32\drivers\SndTDriverV32.sys
2008-07-23 04:53 . 2007-10-09 12:42 184,320 --a------ C:\WINDOWS\system32\snmvtsvc.exe
2008-07-23 04:53 . 2007-10-09 12:52 9,472 --a------ C:\WINDOWS\system32\MovRVDrv32.dll
2008-07-23 04:53 . 2007-10-09 17:04 3,993 --a------ C:\WINDOWS\system32\SndTDriverV32.inf
2008-07-23 04:53 . 2007-10-09 12:52 2,688 --a------ C:\WINDOWS\system32\MovRVDrv32.sys
2008-07-23 04:53 . 2007-10-09 12:52 2,688 --a------ C:\WINDOWS\system32\drivers\MovRVDrv32.sys
2008-07-23 04:53 . 2007-10-09 17:04 2,584 --a------ C:\WINDOWS\system32\MovRVDrv32.inf
2008-07-23 04:35 . 2008-08-11 18:10 <DIR> d-------- C:\Program Files\Steam
2008-07-23 04:27 . 2008-07-23 06:48 <DIR> d-------- C:\Documents and Settings\Eric\Contacts
2008-07-23 04:24 . 2008-07-23 04:24 <DIR> d-------- C:\Program Files\uTorrent
2008-07-23 04:23 . 2008-08-13 01:27 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\uTorrent
2008-07-23 04:20 . 2008-07-23 04:49 <DIR> d-------- C:\Program Files\Windows Live
2008-07-23 04:20 . 2008-07-23 04:25 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-23 04:20 . 2008-07-23 04:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-23 04:10 . 2008-07-23 04:10 <DIR> d-------- C:\Program Files\Synaptics
2008-07-23 04:10 . 2004-05-20 13:52 184,768 --a------ C:\WINDOWS\system32\drivers\SynTP.sys
2008-07-23 04:10 . 2004-05-20 13:53 114,688 --a------ C:\WINDOWS\system32\SynCtrl.dll
2008-07-23 04:10 . 2004-05-20 13:54 90,112 --a------ C:\WINDOWS\system32\SynTPAPI.dll
2008-07-23 04:10 . 2004-05-20 13:59 77,824 --a------ C:\WINDOWS\system32\SynTPCoI.dll
2008-07-23 04:10 . 2004-05-20 13:53 77,824 --a------ C:\WINDOWS\system32\SynCOM.dll
2008-07-23 04:10 . 2004-05-20 13:57 66,048 --a------ C:\WINDOWS\system32\SynTPFcs.dll
2008-07-23 03:54 . 2008-07-23 03:54 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Apple Computer
2008-07-23 03:53 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\iTunes
2008-07-23 03:53 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\iPod
2008-07-23 03:53 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\Bonjour
2008-07-23 03:52 . 2008-07-23 03:53 <DIR> d-------- C:\Program Files\QuickTime
2008-07-23 03:52 . 2008-07-23 03:52 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-23 03:52 . 2008-07-23 03:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-23 03:51 . 2008-07-23 04:26 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-07-23 03:51 . 2008-07-23 03:51 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-07-23 03:51 . 2008-07-23 03:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-23 03:51 . 2008-07-10 09:35 32,000 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-23 02:02 . 2008-07-23 02:02 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-07-23 02:01 . 2008-07-25 13:51 <DIR> d--h----- C:\WINDOWS\$hf_mig$
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 09:45 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-27 08:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 07:59 505,128 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-07-27 07:59 353,576 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-07-23 15:11 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-23 00:35 --------- d-----w C:\Program Files\Intel
2008-07-22 23:31 --------- d-----w C:\Program Files\Broadcom
2008-07-22 23:09 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2008-01-15 09:17 277960]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-14 10:01 1172760]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 13:57 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 13:57 532480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-07 09:42 4891472]
"RemoteControl8"="C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 20:23 83240]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"PDVD8LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 11:36 50472]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-10 18:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-10 18:51 118784]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2008-06-27 16:50 91432]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2007-02-18 16:38 169984]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
autobahn.lnk - C:\Program Files\Autobahn\autobahn.exe [2008-07-09 14:26:28 708824]
MLB.TV NexDef Plug-in.lnk - C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe [2008-03-30 18:52:34 799496]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Autobahn\\mlb-nexdef-autobahn.exe"=
"C:\\Program Files\\MLB TV Mosaic\\Swarmcast\\mlb-nexdef-autobahn.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Steam\\steamapps\\flipmaster380\\counter-strike\\hl.exe"=
"C:\\Program Files\\Autobahn\\autobahn.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"C:\\Program Files\\Rhapsody\\rhapsody.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\AGE2_X1.EXE"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-08-14 10:01]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 09:35]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-14 10:01]
R1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 08:57]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};C:\Program Files\CyberLink\PowerDVD8\000.fcl [2008-06-27 16:50]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 09:37]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-14 10:01]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-14 10:01]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-14 10:01]
R3 MovRVDrv32;MovRVDrv32;C:\WINDOWS\system32\DRIVERS\MovRVDrv32.sys [2007-10-09 12:52]
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2004-08-06 08:50]
R3 SMBBATT;Microsoft Smart Battery Driver;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2004-08-03 18:07]
R3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2007-10-09 17:04]
S3 SoundMovieServer;SoundMovieServer;C:\WINDOWS\system32\snmvtsvc.exe [2007-10-09 12:42]
.
Contents of the 'Scheduled Tasks' folder
2008-08-12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\o2n18mc6.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - my.yahoo.com
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 15:53:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD8\000.fcl"
.
Completion time: 2008-08-18 15:55:24
ComboFix-quarantined-files.txt 2008-08-18 20:55:21
ComboFix2.txt 2008-08-18 20:36:28
Pre-Run: 9,330,868,224 bytes free
Post-Run: 9,306,189,824 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
263 --- E O F --- 2008-08-07 08:01:36
Hijackthis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:20 PM, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Autobahn\autobahn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://local.swarmcast.net:8001/proxy.pac
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {FE81757C-5AAE-4E1F-9385-BEE54DE2F55E} - (no file)
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: autobahn.lnk = C:\Program Files\Autobahn\autobahn.exe
O4 - Global Startup: MLB.TV NexDef Plug-in.lnk = C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: winzbb32 - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe
--
End of file - 7152 bytes
Last edited by tashi; 2008-08-19 at 21:58. Reason: merged two topics
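Triage logic for HijackThis entries of the kind shown in the log above, as an added example that is not part of this thread and not a feature of HijackThis or ComboFix. It flags the patterns worth a helper's attention in the posted log: the Winlogon Notify entry `winzbb32` whose DLL points at a bare directory (ComboFix's deletion list earlier in the thread shows `winzbb32.dll` removed, leaving the registry hook behind), the BHO listed as `(no file)`, the service whose binary is `(file missing)`, the AppInit_DLLs entry, and the browser proxy auto-config URL. The sample lines are copied from the posted HJT log; the rule set, the `Finding` type and the severity labels are assumptions of this example, not HijackThis output.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: entries copied verbatim from the HijackThis log posted above.
# (raw string: a trailing backslash inside the text, as on the O20 line, is kept)
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://local.swarmcast.net:8001/proxy.pac
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FE81757C-5AAE-4E1F-9385-BEE54DE2F55E} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: winzbb32 - C:\WINDOWS\
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe
""".strip("\n")


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O20"
    severity: str  # "high" or "review" (labels are this example's own convention)
    reason: str
    line: str


HJT_ENTRY = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
WINLOGON_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
AUTOCONFIG_URL = re.compile(r"AutoConfigURL = (?P<url>\S+)")


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT log line, or None if nothing stands out."""
    line = line.rstrip("\r\n")
    m = HJT_ENTRY.match(line)
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    # Registry entry survives but the component it loads is gone: typical leftover
    # after an AV tool deletes the file without cleaning the key.
    if body.endswith("(no file)"):
        return Finding(sec, "review", "registered component has no file on disk (orphaned entry)", line)
    if body.endswith("(file missing)"):
        return Finding(sec, "review", "service is registered but its binary is missing", line)

    wn = WINLOGON_NOTIFY.match(line)
    if wn:
        path = wn.group("path")
        # A Notify package must be a DLL; a bare directory means the DLL was removed
        # and the hook in HKLM\...\Winlogon\Notify is a remnant that should go too.
        if path.endswith("\\") or not path.lower().endswith(".dll"):
            return Finding(sec, "high",
                           f"Winlogon Notify '{wn.group('name')}' does not resolve to a DLL "
                           "(remnant of a deleted notification package)", line)
        return Finding(sec, "review", "Winlogon Notify DLL loads into winlogon.exe at logon; verify it", line)

    if body.startswith("AppInit_DLLs:"):
        return Finding(sec, "review",
                       "AppInit_DLLs is loaded into every process that maps user32.dll; verify the vendor", line)

    ac = AUTOCONFIG_URL.search(body)
    if ac:
        return Finding(sec, "review",
                       f"proxy auto-config script {ac.group('url')} can steer browser traffic "
                       "through a proxy of its choosing; confirm it is expected", line)
    return None


def triage(log_text: str) -> list:
    """Run classify() over every line of an HJT log and keep the hits, in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run against the sample it reports five entries (the proxy PAC, the orphan BHO, the AppInit DLL, the `winzbb32` Notify remnant and the missing Roxio service binary) and stays silent on the Spybot BHO, the MSConfig run key and the SoundMovieServer service, which is the split a helper reading the posted log would make before deciding what to fix.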
Hello ericv222,
Apparently you have missed this forum's sticky topics: no new topics for the same computer, "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance), and Do NOT run 'fixes' before helpers have analyzed the HJT log.
Also see: P2P
You might try starting again with a new topic providing only one log, the HJT one.
If you take that route please provide a link back to this thread so that helpers are aware you have run ComboFix.
Best regards.
Microsoft MVP Reconnect 2018-
Windows Insider MVP 2016-2018
Microsoft Consumer Security MVP 2006-2016
You want me to start a new topic? And only include the HJT log?