virtumonde.sdn, dynamically altered links, lots of bad stuff

**picklehammer** · 2009-05-24, 12:12

ComboFix 09-05-23.04 - tyler 05/24/2009 2:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.615 [GMT -7:00]
Running from: c:\documents and settings\tyler\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\1055860099.exe
c:\documents and settings\LocalService\Application Data\916653139.exe
c:\documents and settings\LocalService\protect.dll
c:\documents and settings\tyler\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\tyler\protect.dll
c:\documents and settings\tyler\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\tyler\Start Menu\Programs\Startup\ChkDisk.lnk
c:\program files\icroso~1
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\INSTALL.LOG
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\Uninstall.exe
c:\windows\fnts~1
c:\windows\system\oeminfo.ini
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\ovfsthvymesoyvdpmpiksmxxflewndjouobobu.sys
c:\windows\system32\Ijl11.dll
c:\windows\system32\lmn_setup.exe
c:\windows\system32\ovfsthbxakoykveeojioyvfcjyhqpsbhojfsjj.dll
c:\windows\system32\ovfsthmbsjujgwtdfpxmbrfqqmoelydvugaitd.dll
c:\windows\system32\ovfsthonkrbyrdupkdlshexbyrfeklphcvwbaw.dat
c:\windows\system32\ovfsthrqiryskkqbivjyymklwlmxtpgvbmakxf.dat
c:\windows\system32\ovfsthtueppkcrqsitkjhvtsgeqdxhfipurfke.dll
c:\windows\system32\ovfsthtueppkcrqsitkjhvtsgeqdxhfipurfke.dll_old
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\service-466.exe
c:\windows\system32\sft.res
c:\windows\system32\test.ttt
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\system32\wpcap.dll
C:\xcrashdump.dat

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthkmlrrvkkylhbaompfefkosntjiijclfn
-------\Legacy_MSCONTROLSERVICE
-------\Legacy_NPF
-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2009-04-24 to 2009-05-24 )))))))))))))))))))))))))))))))
.

2009-05-24 07:26 . 2009-05-24 07:26 -------- d-----w c:\program files\ERUNT
2009-05-24 07:21 . 2009-05-24 07:21 -------- d-----w c:\program files\Trend Micro
2009-05-24 06:55 . 2009-05-24 06:55 29184 ----a-w c:\windows\system32\lklf32.dll
2009-05-23 02:24 . 2009-05-24 07:43 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-23 02:23 . 2008-12-11 15:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-05-23 02:22 . 2009-04-03 18:18 130936 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-05-23 02:22 . 2008-12-18 19:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-23 02:22 . 2009-05-23 02:25 -------- d-----w c:\program files\Common Files\PC Tools
2009-05-23 02:22 . 2008-12-10 18:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-05-23 02:22 . 2009-05-23 06:08 -------- d-----w c:\program files\Spyware Doctor
2009-05-23 02:22 . 2009-05-23 02:22 -------- d-----w c:\documents and settings\tyler\Application Data\PC Tools
2009-05-23 02:22 . 2009-05-23 02:22 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-05-23 02:07 . 2009-05-23 02:07 -------- d-----w C:\VundoFix Backups
2009-05-23 01:00 . 2009-05-23 01:00 29184 ----a-w c:\windows\system32\jhxm32.dll
2009-05-23 01:00 . 2009-05-23 01:00 32768 ----a-w c:\windows\system32\avast!Antivirus.exe
2009-05-21 01:21 . 2009-05-21 01:21 -------- d-----w c:\documents and settings\tyler\Application Data\vlc
2009-05-20 06:35 . 2009-05-20 06:35 57344 ----a-w c:\documents and settings\tyler\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-31f380fe-n\Decora-SSE.dll
2009-05-20 06:35 . 2009-05-20 06:35 24064 ----a-w c:\documents and settings\tyler\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-7c65e637-n\Decora-D3D.dll
2009-05-20 06:35 . 2009-05-20 06:35 499712 ----a-w c:\documents and settings\tyler\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-4d8d8b33-n\msvcp71.dll
2009-05-20 06:35 . 2009-05-20 06:35 499712 ----a-w c:\documents and settings\tyler\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-4d8d8b33-n\jmc.dll
2009-05-20 06:35 . 2009-05-20 06:35 348160 ----a-w c:\documents and settings\tyler\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-4d8d8b33-n\msvcr71.dll
2009-05-20 06:35 . 2009-05-20 06:35 315392 ----a-w c:\documents and settings\tyler\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-7eb0a5f2-n\jogl.dll
2009-05-20 06:35 . 2009-05-20 06:35 20480 ----a-w c:\documents and settings\tyler\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-7eb0a5f2-n\jogl_awt.dll
2009-05-20 06:35 . 2009-05-20 06:35 20480 ----a-w c:\documents and settings\tyler\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-21b01d74-n\gluegen-rt.dll
2009-05-20 06:35 . 2009-05-20 06:35 114688 ----a-w c:\documents and settings\tyler\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-7eb0a5f2-n\jogl_cg.dll
2009-05-20 06:34 . 2009-05-20 06:33 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-20 06:32 . 2009-05-20 06:32 152576 ----a-w c:\documents and settings\tyler\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-20 05:52 . 2009-05-20 05:53 -------- d-----w c:\program files\OpenOffice.org 2.4
2009-05-20 05:45 . 2009-05-20 05:46 -------- d-----w c:\temp\OpenOffice.org 2.4 (en-US) Installation Files
2009-05-20 05:38 . 2009-05-20 05:38 -------- d-----w c:\program files\Apple Software Update
2009-05-20 05:36 . 2009-05-20 05:36 -------- d-----w c:\documents and settings\tyler\Local Settings\Application Data\AOL OCP
2009-05-20 05:36 . 2009-05-20 05:36 -------- d-----w c:\documents and settings\All Users\Application Data\acccore
2009-05-20 05:36 . 2009-05-20 05:36 -------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2009-05-20 05:36 . 2009-05-20 05:36 -------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-05-20 05:35 . 2009-05-20 05:35 -------- d-----w c:\program files\Common Files\AOL
2009-05-20 05:34 . 2009-05-20 05:36 -------- d-----w c:\program files\AIM6
2009-05-20 04:49 . 2009-05-20 04:49 -------- d-----w c:\program files\Secunia
2009-05-20 04:36 . 2009-05-20 04:36 -------- d-----w c:\documents and settings\tyler\Application Data\Malwarebytes
2009-05-20 04:36 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-20 04:36 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-20 04:36 . 2009-05-20 04:36 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-20 04:36 . 2009-05-20 04:36 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-20 02:07 . 2009-05-20 03:04 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-20 02:07 . 2009-05-20 03:04 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-19 15:28 . 2009-05-16 15:53 2051864 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-19 15:28 . 2009-05-16 15:53 3288344 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-19 15:28 . 2009-05-16 15:53 424472 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-19 15:28 . 2009-05-16 15:53 312088 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-19 15:28 . 2009-05-16 15:53 177432 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-19 15:28 . 2009-05-16 15:53 354584 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-05-16 15:53 . 2009-05-16 02:39 76040 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtdix.sys
2009-05-16 15:53 . 2009-05-16 15:53 486168 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-05-16 15:53 . 2009-05-16 02:39 10520 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsstx.dll
2009-05-16 15:53 . 2009-05-16 02:39 26824 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmfx86.sys
2009-05-16 02:39 . 2009-05-16 15:53 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-16 02:39 . 2009-05-16 15:53 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-16 02:39 . 2009-05-16 15:53 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-16 02:39 . 2009-05-16 15:53 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-05-16 02:39 . 2009-05-22 00:52 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-16 02:01 . 2009-05-22 02:03 31174 ----a-w c:\windows\W2BNEUnin.dat
2009-05-16 02:01 . 2009-05-20 07:26 98304 ----a-w c:\windows\W2BNEUnin.exe
2009-05-16 02:01 . 2009-05-20 07:26 2829 ----a-w c:\windows\W2BNEUnin.pif

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-24 09:30 . 2009-02-18 03:17 -------- d-----w c:\program files\Flock
2009-05-24 09:29 . 2008-03-04 11:49 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-24 07:20 . 2005-08-22 08:58 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-05-23 02:19 . 2006-07-03 11:00 -------- d-----w c:\documents and settings\tyler\Application Data\uTorrent
2009-05-23 02:15 . 2008-10-06 07:27 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-05-20 06:33 . 2005-09-13 03:24 -------- d-----w c:\program files\Java
2009-05-20 05:52 . 2005-10-22 07:06 -------- d-----w c:\program files\OpenOffice.org 2.0
2009-05-20 05:45 . 2005-10-07 03:53 -------- d-----w c:\program files\QuickTime
2009-05-20 05:43 . 2005-07-26 08:51 -------- d-----w c:\program files\Winamp
2009-05-20 05:39 . 2008-01-17 04:22 -------- d-----w c:\program files\Bonjour
2009-05-20 05:35 . 2005-07-26 05:52 -------- d-----w c:\program files\Opera
2009-05-16 15:53 . 2009-01-15 17:14 755992 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-16 15:53 . 2009-01-15 17:14 1437464 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-05-16 02:39 . 2009-01-15 17:16 97928 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-05-16 02:38 . 2009-01-15 17:14 641304 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-05-16 02:38 . 2009-01-15 17:14 443672 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2009-05-16 02:13 . 2005-07-13 23:12 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-15 08:57 . 2005-07-13 23:05 102312 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-14 11:10 . 2005-08-03 02:08 -------- d-----w c:\program files\BitSpirit
2009-05-11 09:26 . 2006-06-22 05:55 -------- d-----w c:\program files\mIRC
2009-05-10 16:31 . 2008-11-21 06:31 -------- d-----w c:\program files\Mozilla Thunderbird
2009-05-07 04:16 . 2009-02-03 08:06 -------- d-----w c:\documents and settings\Guest\Application Data\OpenOffice.org2
2009-03-27 06:56 . 2005-09-30 05:45 -------- d-----w c:\program files\Google
2009-03-27 04:36 . 2008-03-31 18:24 -------- d-----w c:\documents and settings\tyler\Application Data\Digidesign
2009-03-24 11:03 . 2009-03-24 11:03 7808 ----a-w c:\windows\system32\drivers\psi_mf.sys
2009-03-20 06:55 . 2009-02-28 08:20 334912 ----a-w c:\documents and settings\tyler\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll
2009-03-20 06:55 . 2009-02-28 08:19 171072 ----a-w c:\documents and settings\tyler\Application Data\id Software\quakelive\home\baseq3\uix86.dll
2009-03-20 06:30 . 2009-02-28 08:15 138944 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-20 06:29 . 2009-02-28 08:14 189784 ----a-w c:\windows\system32\PnkBstrB.exe
2009-03-20 06:29 . 2009-02-28 08:19 874660 ----a-w c:\documents and settings\tyler\Application Data\id Software\quakelive\home\pb\pbcl.dll
2009-03-20 06:29 . 2009-02-28 08:19 57344 ----a-w c:\documents and settings\tyler\Application Data\id Software\quakelive\home\pb\pbag.dll
2009-03-20 06:29 . 2009-02-28 08:19 479232 ----a-w c:\documents and settings\tyler\Application Data\id Software\quakelive\home\pb\pbsv.dll
2009-03-20 06:29 . 2009-02-28 08:19 2669632 ----a-w c:\documents and settings\tyler\Application Data\id Software\quakelive\home\baseq3\quakelive.dll
2009-03-12 05:04 . 2009-02-28 08:14 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-03-12 05:02 . 2009-02-28 08:15 22328 ----a-w c:\documents and settings\tyler\Application Data\PnkBstrK.sys
2009-03-12 05:02 . 2009-02-28 08:15 22328 ----a-w c:\documents and settings\tyler\Application Data\PnkBstrK.sys
2009-03-12 05:01 . 2009-02-28 08:14 2246144 ----a-w c:\windows\system32\pbsvc.exe
2009-03-11 19:40 . 2009-03-11 19:40 625728 ----a-w c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 08:28 . 2009-02-28 08:19 441408 ----a-w c:\documents and settings\tyler\Application Data\id Software\quakelive\home\baseq3\qagamex86.dll
2009-02-28 08:19 . 2009-02-28 08:19 866235 ----a-w c:\documents and settings\tyler\Application Data\id Software\quakelive\home\pb\pbcls.dll
2009-02-28 08:19 . 2009-02-28 08:19 57344 ----a-w c:\documents and settings\tyler\Application Data\id Software\quakelive\home\pb\pbags.dll
2006-05-06 16:42 . 2006-11-02 06:07 7260160 ----a-w c:\program files\mozilla firefox\plugins\libvlc.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-07-20 22:07 . 2005-05-13 04:05 344064 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

2005-03-17 02:16 . 2005-03-17 02:16 970752 c:\program files\Common Files\Adobe\Updater\bak\AdobeUpdater.exe

2005-07-20 21:53 . 2002-12-04 01:06 45056 c:\program files\Creative\SB Drive Det\bak\SBDrvDet.exe

2005-07-20 22:02 . 2003-11-01 02:42 32768 c:\program files\CyberLink\PowerDVD\bak\PDVDServ.exe

2007-02-16 07:42 . 2007-02-16 07:42 171448 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe

2002-10-14 22:09 . 2002-10-14 22:09 57344 c:\program files\Lexmark X74-X75\bak\lxbbbmgr.exe
2002-10-14 22:09 . 2002-10-14 22:09 57344 c:\program files\Lexmark X74-X75\lxbbbmgr.exe

2004-06-03 08:51 . 2004-06-03 08:51 172032 c:\program files\Microsoft IntelliType Pro\bak\type32.exe
2004-06-03 08:51 . 2004-06-03 08:51 172032 c:\program files\Microsoft IntelliType Pro\type32.exe

2006-11-30 00:31 . 2005-03-11 19:59 35328 c:\tracking\Digidesign\Drivers\bak\MMERefresh.exe

2005-07-20 21:53 . 2000-05-11 08:00 90112 c:\windows\bak\UpdReg.EXE

2006-04-16 09:37 . 2006-03-16 17:54 99840 c:\windows\system32\bak\M-AudioTaskBarIcon.exe

2006-02-02 00:45 . 2006-01-12 23:37 491520 c:\windows\system32\spool\drivers\w32x86\3\bak\fpdisp5a.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F30B5E7E-CFBB-44fb-A947-226E5A7A4290}]
2009-05-24 06:55 29184 ----a-w c:\windows\system32\lklf32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-06 39408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Steam"="" [N/A]
"DCAM"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-09-24 483328]
"DigidesignMMERefresh"="c:\tracking\protools\Digidesign\Drivers\MMERefresh.exe" [2005-10-26 61440]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-20 148888]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [N/A]
"UpdReg"="c:\windows\UpdReg.EXE" [N/A]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [N/A]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [N/A]
"FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [N/A]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [N/A]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-04-12 1383936]
"MessengerPlus3"="c:\program files\MessengerPlus! 3\MsgPlus.exe" [2005-08-09 185480]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 57344]
"ViewMgr"="c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [N/A]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-11 17920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]
"autochk"="c:\docume~1\LOCALS~1\protect.dll" [N/A]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-16 15:53 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\MsgPlusLoader.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"midi1"= myokent.dll
"midi2"= usbnp4x4.dll
"midi4"= usbnp4x4.dll
"MIDI5"= diomidi.dll
"wave7"= Digi32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
backup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^tyler^Start Menu^Programs^Startup^ChkDisk.dll]
path=c:\documents and settings\tyler\Start Menu\Programs\Startup\ChkDisk.dll
backup=c:\windows\pss\ChkDisk.dllStartup

[HKLM\~\startupfolder\C:^Documents and Settings^tyler^Start Menu^Programs^Startup^ChkDisk.lnk]
path=c:\documents and settings\tyler\Start Menu\Programs\Startup\ChkDisk.lnk
backup=c:\windows\pss\ChkDisk.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^tyler^Start Menu^Programs^Startup^Deewoo.lnk]
path=c:\documents and settings\tyler\Start Menu\Programs\Startup\Deewoo.lnk
backup=c:\windows\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^tyler^Start Menu^Programs^Startup^DW_Start.lnk]
path=c:\documents and settings\tyler\Start Menu\Programs\Startup\DW_Start.lnk
backup=c:\windows\pss\DW_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^tyler^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\tyler\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^tyler^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\tyler\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinVNC4"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"StarWindService"=2 (0x2)
"ServiceLayer"=3 (0x3)
"rpcapd"=3 (0x3)
"MSControlService"=3 (0x3)
"MAudioAudiophileService"=2 (0x2)
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=2 (0x2)
"PnkBstrA"=2 (0x2)
"MDM"=2 (0x2)
"KodakCCS"=2 (0x2)
"HssSrv"=2 (0x2)
"HotspotShieldService"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"digiSPTIService"=3 (0x3)
"avast!Antivirus"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Kazaa Lite\\kazaa.core"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\CuteFTP 7 Professional\\ftpte.exe"=
"c:\\FlashFXP\\flashfxp.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\games\\doom\\doom2\\zlauncher.exe"=
"c:\\games\\doom\\doom2\\zdaemon.exe"=
"c:\\games\\doom\\doom2\\odamex.exe"=
"c:\\games\\doom\\doom2\\odalaunch.exe"=
"c:\\games\\doom\\doom2\\skulltag.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\games\\git\\Git.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\ipod\\itunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Microsoft IntelliType Pro\\type32.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgui.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\games\\wc2\\Warcraft II BNE.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [5/14/2008 4:06 AM 16384]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/22/2009 7:22 PM 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/15/2009 7:39 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/15/2009 7:39 PM 108552]
R2 cdenable;cdenable;c:\windows\system32\drivers\cdenable.sys [4/11/2006 6:14 PM 6112]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2/4/2009 2:34 AM 31192]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 3:06 AM 21632]
R3 OpenDrvII;AOpen OpenCLibv4 Driver;c:\windows\system32\drivers\OpenDrvII.sys [8/31/2004 5:23 PM 4736]
R3 SOFTXG;YAMAHA XG WDM SoftSynthesizer;c:\windows\system32\drivers\sxgxgwdm.sys [11/24/2007 2:19 AM 966784]
S2 EZWINIT;EZWINIT;c:\windows\system32\drivers\ezwinit.sys [12/26/2005 5:22 PM 14494]
S2 EZWRITER;EZWRITER;c:\windows\system32\drivers\ezwriter.sys [12/26/2005 5:22 PM 16680]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [5/14/2008 4:00 AM 105472]
S3 DJUSB;DMM Controller;c:\windows\system32\drivers\DM2.sys [6/1/2001 8:26 PM 10758]
S3 idrmkl;idrmkl;\??\c:\docume~1\tyler\LOCALS~1\Temp\idrmkl.sys --> c:\docume~1\tyler\LOCALS~1\Temp\idrmkl.sys [?]
S3 LMASFltr;LMASFltr;c:\windows\system32\drivers\LMASFltr.sys [10/29/2005 12:09 AM 13684]
S3 ma763003;M-Audio Audiophile;c:\windows\system32\drivers\MA763003.sys --> c:\windows\system32\drivers\MA763003.sys [?]
S3 MADFU003;MADFU003;c:\windows\system32\drivers\MADFU003.sys [11/29/2006 6:04 PM 69248]
S3 MAUSBAP;Service for M-Audio Audiophile (WDM);c:\windows\system32\drivers\mausbap.sys [11/29/2006 6:04 PM 103424]
S3 MMAUSB;M Audio USB ASIO Driver;c:\windows\system32\drivers\MMAUSB.SYS [10/29/2005 12:09 AM 18135]
S3 PortlUSB;PortlUSB;c:\windows\system32\drivers\H10USB.sys [6/23/2004 9:52 PM 7552]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [3/24/2009 4:03 AM 7808]
S3 USBNP4X4;M-Audio Audiophile USB Midi;c:\windows\system32\drivers\usbnp4x4.sys [11/29/2006 6:04 PM 22336]
S4 avast!Antivirus;avast!Antivirus;c:\windows\System32\avast!Antivirus.exe -k netsvcs --> c:\windows\System32\avast!Antivirus.exe -k netsvcs [?]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/16/2009 8:53 AM 908568]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/16/2009 8:53 AM 298776]
S4 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [1/27/2009 12:15 PM 93656]
S4 MAudioAudiophileService;M-Audio Audiophile Installer;c:\program files\M-Audio\Audiophile USB\MAUSBAPInst.exe --> c:\program files\M-Audio\Audiophile USB\MAUSBAPInst.exe [?]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/22/2009 7:22 PM 348752]
.
Contents of the 'Scheduled Tasks' folder

2007-11-28 c:\windows\Tasks\DoItAgain.job
- c:\doit\DoItAgain.exe [2007-11-07 07:08]

2009-05-14 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 05:18]
.
- - - - ORPHANS REMOVED - - - -

BHO-{c871956a-1bff-4b64-9254-6551494a43aa} - (no file)
Notify-hggfdec - hggfdec.dll
SafeBoot-procexp90.Sys

.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Copy to Semagic - c:\program files\Semagic\copy.htm
IE: E&xport to Microsoft Excel - c:\office03\OFFICE11\EXCEL.EXE/3000
IE: Semagic - c:\program files\Semagic\link.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\tyler\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: aol.com\free
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\tyler\Application Data\Mozilla\Firefox\Profiles\34g21xux.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\tyler\Application Data\Mozilla\Firefox\Profiles\34g21xux.default\extensions\activegs@freetoolsassociation.com\plugins\npActiveGS.dll
FF - plugin: c:\ipod\itunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\K-Lite Codec Pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-24 02:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1636)
c:\windows\system32\myokent.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1692)
c:\windows\system32\myokent.dll

- - - - - - - > 'explorer.exe'(3104)
c:\windows\system32\myokent.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
c:\windows\system32\lklf32.dll
c:\office03\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Lexmark X74-X75\lxbbbmon.exe
.
**************************************************************************
.
Completion time: 2009-05-24 3:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-24 10:03

Pre-Run: 71,114,817,536 bytes free
Post-Run: 71,933,132,800 bytes free

465 --- E O F --- 2009-05-20 10:01

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:08:10 AM, on 5/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\tracking\protools\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Microsoft copyright - {F30B5E7E-CFBB-44fb-A947-226E5A7A4290} - lklf32.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\tracking\protools\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\office03\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\office03\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\tyler\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/game...Plugin7USA.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\MsgPlusLoader.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\tracking\protools\Digidesign\Drivers\MMERefresh.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxby_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbycoms.exe

--
End of file - 11238 bytes

Thread: virtumonde.sdn, dynamically altered links, lots of bad stuff

Thread Tools

Display

Threaded View

Tags for this Thread

Posting Permissions