malware problems; HJT log posted; please help!

Hi,

It's still there.

Drag ComboFix to the trash and grab a fresh copy, as it's updated on a regular basis, then run the new version and post the log. The log may be smaller this time.


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
 
ComboFix 09-04-25.03 - Gamer 04/24/2009 17:07.30 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.269 [GMT -4:00]
Running from: c:\documents and settings\Gamer\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-4-24 )))))))))))))))))))))))))))))))
.

2009-04-24 10:35 . 2009-04-24 11:00 -------- d-----w c:\windows\system32\CatRoot_bak
2009-04-19 21:33 . 2009-04-19 21:33 32392 ----a-w c:\documents and settings\Gamer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-19 19:32 . 2003-04-07 07:05 155648 ----a-w c:\windows\system32\igfxres.dll
2009-04-19 19:27 . 2009-04-19 19:27 1396 ----a-w c:\windows\system32\wpa.bak
2009-04-19 19:16 . 2008-06-13 13:10 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-19 19:13 . 2009-02-06 17:24 2180480 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-19 19:13 . 2009-02-06 17:22 2136064 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-19 19:13 . 2009-02-06 16:49 2057728 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-19 19:13 . 2009-02-06 16:49 2015744 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-19 19:12 . 2008-10-24 11:10 453632 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-19 18:56 . 2006-02-28 12:00 76288 -c--a-w c:\windows\system32\dllcache\uniime.dll
2009-04-19 18:55 . 2006-02-28 12:00 7680 -c--a-w c:\windows\system32\dllcache\kbdnecnt.dll
2009-04-19 18:54 . 2006-02-28 12:00 82172 -c--a-w c:\windows\system32\dllcache\bopomofo.nls
2009-04-19 18:52 . 2009-04-19 18:52 488 ---ha-r c:\windows\system32\logonui.exe.manifest
2009-04-19 18:52 . 2009-04-19 18:52 749 ---ha-r c:\windows\WindowsShell.Manifest
2009-04-19 18:52 . 2009-04-19 18:52 749 ---ha-r c:\windows\system32\wuaucpl.cpl.manifest
2009-04-19 18:52 . 2009-04-19 18:52 749 ---ha-r c:\windows\system32\sapi.cpl.manifest
2009-04-19 18:52 . 2009-04-19 18:52 749 ---ha-r c:\windows\system32\ncpa.cpl.manifest
2009-04-19 18:51 . 2006-02-28 12:00 2 ----a-w c:\windows\system32\desktop.ini
2009-04-19 18:41 . 2006-02-28 12:00 14573 ----a-r c:\windows\SETB7.tmp
2009-04-19 18:41 . 2006-02-28 12:00 13753 ----a-r c:\windows\SET84.tmp
2009-04-19 18:41 . 2006-02-28 12:00 1086058 ----a-r c:\windows\SET78.tmp
2009-04-19 18:41 . 2006-02-28 12:00 1042903 ----a-r c:\windows\SET75.tmp
2009-04-19 18:18 . 2006-02-28 12:00 14573 ----a-r c:\windows\SETB6.tmp
2009-04-19 18:18 . 2006-02-28 12:00 13753 ----a-r c:\windows\SET83.tmp
2009-04-19 18:18 . 2006-02-28 12:00 1086058 ----a-r c:\windows\SET77.tmp
2009-04-19 18:18 . 2006-02-28 12:00 1042903 ----a-r c:\windows\SET74.tmp
2009-04-19 17:59 . 2006-02-28 12:00 14573 ----a-r c:\windows\SETB5.tmp
2009-04-19 17:59 . 2006-02-28 12:00 13753 ----a-r c:\windows\SET82.tmp
2009-04-19 17:59 . 2006-02-28 12:00 1086058 ----a-r c:\windows\SET76.tmp
2009-04-19 17:59 . 2006-02-28 12:00 1042903 ----a-r c:\windows\SET73.tmp
2009-04-19 17:58 . 2009-04-21 22:24 527908864 ----a-w c:\windows\MEMORY.DMP
2009-04-19 16:05 . 2009-04-19 16:05 4096 ----a-w c:\windows\system32\01.tmp
2009-04-18 17:00 . 2009-04-18 17:00 -------- d--h--w C:\$AVG8.VAULT$
2009-04-18 16:54 . 2009-04-18 17:01 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-18 16:51 . 2009-04-18 16:55 8192 ----a-w c:\documents and settings\L2MFIX
2009-04-08 01:03 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-08 01:03 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-08 01:03 . 2009-04-08 01:03 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 18:51 . 2003-12-02 01:34 23348 ----a-w c:\windows\system32\emptyregdb.dat
2009-04-18 16:52 . 2005-12-26 03:06 -------- d-----w c:\program files\ewido anti-malware
2009-03-06 14:44 . 2006-02-28 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-02-28 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2006-02-28 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2006-02-28 12:00 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2006-02-28 12:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2006-02-28 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2006-02-28 12:00 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2006-02-28 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:22 . 2006-02-28 12:00 2136064 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2006-02-28 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2006-02-28 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 2004-08-03 22:59 2015744 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2006-02-28 12:00 55808 ----a-w c:\windows\system32\secur32.dll
2005-02-16 16:06 . 2005-12-26 01:10 218112 ----a-w c:\documents and settings\Gamer\HijackThis.exe
2005-01-13 22:32 . 2005-01-13 22:32 136 ----a-w c:\documents and settings\Gamer\Local Settings\Application Data\fusioncache.dat
2004-06-14 02:43 . 2004-06-10 23:51 449 ----a-w c:\documents and settings\Gamer\UpdateReg.reg
2008-09-08 01:08 . 2008-09-08 01:08 62976 --sha-w c:\windows\system32\bapemode.dll.tmp
2008-09-08 01:08 . 2008-09-08 01:08 62976 --sha-w c:\windows\system32\piyefire.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-04-22_21.32.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-24 21:05 . 2009-04-24 21:05 16384 c:\windows\temp\Perflib_Perfdata_494.dat
+ 2003-12-02 01:34 . 2003-03-31 12:00 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat
+ 2004-03-28 00:08 . 2009-04-22 21:40 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2004-03-28 00:08 . 2009-04-22 21:40 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2004-03-28 00:08 . 2009-04-22 21:40 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2004-03-28 00:08 . 2009-04-22 21:40 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2004-03-28 00:08 . 2009-04-22 21:40 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2004-03-28 00:08 . 2009-04-22 21:40 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2004-03-28 00:08 . 2009-04-22 21:40 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2004-03-28 00:08 . 2009-04-22 21:40 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2004-03-28 00:08 . 2009-04-22 21:40 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2004-03-28 00:08 . 2009-04-22 21:40 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2003-12-02 00:26 . 2003-03-31 12:00 2589 c:\windows\I386\RUNW32.BAT
- 2004-03-28 00:08 . 2004-03-28 00:08 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2004-03-28 00:08 . 2009-04-22 21:40 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2004-03-28 00:08 . 2009-04-22 21:40 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-07-22 88361]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^office.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\office.exe
backup=c:\windows\pss\office.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk
backup=c:\windows\pss\Verizon Online Support Center.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Gamer\\SteamApps\\philosophize\\counter-strike source\\hl2.exe"=
"c:\\WINDOWS\\system32\\ezSP_Px.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\iTunes.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16317:TCP"= 16317:TCP:BitComet 16317 TCP
"16317:UDP"= 16317:UDP:BitComet 16317 UDP
"6773:TCP"= 6773:TCP:utunfv

R2 icvhhpb;Center Boot;c:\windows\system32\svchost.exe [2006-02-28 14336]

.
Contents of the 'Scheduled Tasks' folder

2009-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyServer = gate.temple.edu:8080
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Gamer\Application Data\Mozilla\Firefox\Profiles\pw0lcpho.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: d:\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF - plugin: d:\program files\Netscape6\nppl3260.dll
FF - plugin: d:\program files\Netscape6\nprjplug.dll
FF - plugin: d:\program files\Netscape6\nprpjplug.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-24 17:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\icvhhpb]
"ServiceDll"="c:\windows\system32\xqatbn.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-24 17:12
ComboFix-quarantined-files.txt 2009-04-24 21:12
ComboFix2.txt 2009-04-22 21:37
ComboFix3.txt 2009-04-15 22:00
ComboFix4.txt 2009-04-15 11:04
ComboFix5.txt 2009-04-24 21:07

Pre-Run: 1,166,561,280 bytes free
Post-Run: 1,164,730,368 bytes free

204 --- E O F --- 2009-04-24 11:23
 
Above you will find the new ComboFix log. I don't know if this makes a difference, but when I ran ComboFix this time, the computer did not restart.
 
Hi,

Hang in with me please; had a death in the family. Be back later tonight or tomorrow.
 
I am deeply sorry to hear about your loss. I am sure that whoever in your family has passed was proud of your good heart and your willingness to help strangers without asking for anything in return. Take as much time as you need.
 
Thank you.

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above Collect::


Code:
Collect::
c:\windows\system32\xqatbn.dll
c:\windows\system32\bapemode.dll.tmp
c:\windows\system32\piyefire.dll

Driver::
icvhhpb 

Registry::
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\icvhhpb]

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScriptB-4.gif]



This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.
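The helper's CFScript above collects two hidden system-attribute DLLs from system32, the DLL behind the svchost-hosted service icvhhpb, and the service's registry key. The following is an added example, my own code and not part of the thread or of ComboFix: a small Python triage script that applies those same heuristics to a handful of lines copied from the log above (embedded as constructed sample input), then drafts a script in the Collect::/Driver::/Registry:: layout for a person to review before use. The rule thresholds, especially the "random-looking name" pattern used for the firewall exception, are my assumptions, not a ComboFix feature.

```python
"""Triage a ComboFix log and draft a CFScript from the findings.

Added example, not the helper's tool and not part of ComboFix.  The rules are
heuristics chosen to match what the helper picked out of the log above:
hidden+system DLLs in system32, a DLL staged under a .tmp name, a svchost-hosted
service that ComboFix still lists (legit default entries are suppressed), and a
firewall exception whose description looks auto-generated.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
2009-03-06 14:44 . 2006-02-28 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2008-09-08 01:08 . 2008-09-08 01:08 62976 --sha-w c:\windows\system32\bapemode.dll.tmp
2008-09-08 01:08 . 2008-09-08 01:08 62976 --sha-w c:\windows\system32\piyefire.dll
"16317:TCP"= 16317:TCP:BitComet 16317 TCP
"6773:TCP"= 6773:TCP:utunfv
R2 icvhhpb;Center Boot;c:\windows\system32\svchost.exe [2006-02-28 14336]
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\icvhhpb]
"ServiceDll"="c:\windows\system32\xqatbn.dll"
"""

# One file entry: created . modified size attrs path (attrs is a 7-char field, e.g. --sha-w)
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{7}) (?P<path>.+)$"
)
SERVICE_RE = re.compile(r"^R[0-3] (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?) \[")
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]$"
)
SERVICEDLL_RE = re.compile(r'^"ServiceDll"="(?P<dll>[^"]+)"$')
FW_PORT_RE = re.compile(r'^"(?P<port>\d+:(?:TCP|UDP))"= \d+:(?:TCP|UDP):(?P<desc>.+)$')
# Assumption: auto-generated names are short, lowercase, letters only (heuristic, not a signature).
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}$")


@dataclass(frozen=True)
class Finding:
    rule: str       # which heuristic fired
    item: str       # file path, service name or port
    detail: str     # human-readable reason
    path: str = ""  # file to collect, if any


def triage(log_text: str) -> list[Finding]:
    """Apply the heuristics line by line; returns findings in log order."""
    findings: list[Finding] = []
    svchost_services: dict[str, str] = {}   # service name -> display name
    service_dll: dict[str, str] = {}        # service name -> ServiceDll path
    current_key: str | None = None

    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := FILE_RE.match(line)):
            attrs, path = m["attrs"], m["path"]
            low = path.lower()
            in_sys32 = "\\windows\\system32\\" in low
            if in_sys32 and "s" in attrs and "h" in attrs:
                findings.append(Finding("hidden-system-file", path, f"attributes {attrs}", path))
            if in_sys32 and low.endswith(".dll.tmp"):
                findings.append(Finding("dll-tmp", path, "DLL staged under a .tmp name", path))
        elif (m := SERVICE_RE.match(line)):
            if m["image"].lower().endswith("\\svchost.exe"):
                svchost_services[m["name"]] = m["display"]
        elif (m := SERVICE_KEY_RE.match(line)):
            current_key = m["name"]
        elif current_key and (m := SERVICEDLL_RE.match(line)):
            service_dll[current_key] = m["dll"]
            current_key = None
        elif (m := FW_PORT_RE.match(line)):
            if RANDOM_NAME_RE.match(m["desc"]):
                findings.append(Finding("firewall-exception", m["port"],
                                        f"random-looking name {m['desc']!r}"))

    # Correlate each svchost-hosted service with the DLL it actually loads.
    for name, display in svchost_services.items():
        dll = service_dll.get(name, "")
        findings.append(Finding("svchost-service", name,
                                f"display {display!r}, ServiceDll {dll or '<not in log>'}", dll))
    return findings


def draft_cfscript(findings: list[Finding]) -> str:
    """Lay findings out as Collect::/Driver::/Registry:: sections, as in the helper's script."""
    files: list[str] = []
    for f in findings:
        if f.path and f.path not in files:
            files.append(f.path)
    services = [f.item for f in findings if f.rule == "svchost-service"]
    lines = ["Collect::", *files, "", "Driver::", *services, "", "Registry::"]
    lines += [f"[-HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\{s}]" for s in services]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:20} {f.item}  ({f.detail})")
    print()
    print(draft_cfscript(triage(SAMPLE_LOG)))
```

Run against the sample, the script flags bapemode.dll.tmp and piyefire.dll (hidden+system), the 6773:TCP exception named utunfv, and the icvhhpb service with its ServiceDll xqatbn.dll, while pdh.dll and the BitComet exception pass; the drafted Collect:: list is the same three DLLs the helper asked for. The draft is a starting point for review, not something to feed to ComboFix unread: a display name like "Center Boot" or a lowercase token is a hint, and a person still has to confirm each path.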
 
ComboFix 09-04-25.03 - Gamer 04/24/2009 21:18.31 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.266 [GMT -4:00]
Running from: c:\documents and settings\Gamer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gamer\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bapemode.dll.tmp
c:\windows\system32\piyefire.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ICVHHPB
-------\Service_icvhhpb


((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.

2009-04-24 10:35 . 2009-04-24 11:00 -------- d-----w c:\windows\system32\CatRoot_bak
2009-04-19 21:33 . 2009-04-19 21:33 32392 ----a-w c:\documents and settings\Gamer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-19 19:32 . 2003-04-07 07:05 155648 ----a-w c:\windows\system32\igfxres.dll
2009-04-19 19:27 . 2009-04-19 19:27 1396 ----a-w c:\windows\system32\wpa.bak
2009-04-19 19:16 . 2008-06-13 13:10 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-19 19:13 . 2009-02-06 17:24 2180480 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-19 19:13 . 2009-02-06 17:22 2136064 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-19 19:13 . 2009-02-06 16:49 2057728 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-19 19:13 . 2009-02-06 16:49 2015744 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-19 19:12 . 2008-10-24 11:10 453632 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-19 18:56 . 2006-02-28 12:00 76288 -c--a-w c:\windows\system32\dllcache\uniime.dll
2009-04-19 18:55 . 2006-02-28 12:00 7680 -c--a-w c:\windows\system32\dllcache\kbdnecnt.dll
2009-04-19 18:54 . 2006-02-28 12:00 82172 -c--a-w c:\windows\system32\dllcache\bopomofo.nls
2009-04-19 18:52 . 2009-04-19 18:52 488 ---ha-r c:\windows\system32\logonui.exe.manifest
2009-04-19 18:52 . 2009-04-19 18:52 749 ---ha-r c:\windows\WindowsShell.Manifest
2009-04-19 18:52 . 2009-04-19 18:52 749 ---ha-r c:\windows\system32\wuaucpl.cpl.manifest
2009-04-19 18:52 . 2009-04-19 18:52 749 ---ha-r c:\windows\system32\sapi.cpl.manifest
2009-04-19 18:52 . 2009-04-19 18:52 749 ---ha-r c:\windows\system32\ncpa.cpl.manifest
2009-04-19 18:51 . 2006-02-28 12:00 2 ----a-w c:\windows\system32\desktop.ini
2009-04-19 18:41 . 2006-02-28 12:00 14573 ----a-r c:\windows\SETB7.tmp
2009-04-19 18:41 . 2006-02-28 12:00 13753 ----a-r c:\windows\SET84.tmp
2009-04-19 18:41 . 2006-02-28 12:00 1086058 ----a-r c:\windows\SET78.tmp
2009-04-19 18:41 . 2006-02-28 12:00 1042903 ----a-r c:\windows\SET75.tmp
2009-04-19 18:18 . 2006-02-28 12:00 14573 ----a-r c:\windows\SETB6.tmp
2009-04-19 18:18 . 2006-02-28 12:00 13753 ----a-r c:\windows\SET83.tmp
2009-04-19 18:18 . 2006-02-28 12:00 1086058 ----a-r c:\windows\SET77.tmp
2009-04-19 18:18 . 2006-02-28 12:00 1042903 ----a-r c:\windows\SET74.tmp
2009-04-19 17:59 . 2006-02-28 12:00 14573 ----a-r c:\windows\SETB5.tmp
2009-04-19 17:59 . 2006-02-28 12:00 13753 ----a-r c:\windows\SET82.tmp
2009-04-19 17:59 . 2006-02-28 12:00 1086058 ----a-r c:\windows\SET76.tmp
2009-04-19 17:59 . 2006-02-28 12:00 1042903 ----a-r c:\windows\SET73.tmp
2009-04-19 17:58 . 2009-04-21 22:24 527908864 ----a-w c:\windows\MEMORY.DMP
2009-04-19 16:05 . 2009-04-19 16:05 4096 ----a-w c:\windows\system32\01.tmp
2009-04-18 17:00 . 2009-04-18 17:00 -------- d--h--w C:\$AVG8.VAULT$
2009-04-18 16:54 . 2009-04-18 17:01 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-18 16:51 . 2009-04-18 16:55 8192 ----a-w c:\documents and settings\L2MFIX
2009-04-08 01:03 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-08 01:03 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-08 01:03 . 2009-04-08 01:03 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 18:51 . 2003-12-02 01:34 23348 ----a-w c:\windows\system32\emptyregdb.dat
2009-04-18 16:52 . 2005-12-26 03:06 -------- d-----w c:\program files\ewido anti-malware
2009-03-06 14:44 . 2006-02-28 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-02-28 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2006-02-28 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2006-02-28 12:00 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2006-02-28 12:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2006-02-28 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2006-02-28 12:00 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2006-02-28 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:22 . 2006-02-28 12:00 2136064 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2006-02-28 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2006-02-28 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 2004-08-03 22:59 2015744 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2006-02-28 12:00 55808 ----a-w c:\windows\system32\secur32.dll
2005-02-16 16:06 . 2005-12-26 01:10 218112 ----a-w c:\documents and settings\Gamer\HijackThis.exe
2005-01-13 22:32 . 2005-01-13 22:32 136 ----a-w c:\documents and settings\Gamer\Local Settings\Application Data\fusioncache.dat
2004-06-14 02:43 . 2004-06-10 23:51 449 ----a-w c:\documents and settings\Gamer\UpdateReg.reg
.

((((((((((((((((((((((((((((( SnapShot_2009-04-22_21.32.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-25 01:23 . 2009-04-25 01:23 16384 c:\windows\temp\Perflib_Perfdata_81c.dat
+ 2009-04-25 01:23 . 2009-04-25 01:23 16384 c:\windows\temp\Perflib_Perfdata_270.dat
+ 2003-12-02 01:34 . 2003-03-31 12:00 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat
+ 2004-03-28 00:08 . 2009-04-22 21:40 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2004-03-28 00:08 . 2009-04-22 21:40 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2004-03-28 00:08 . 2009-04-22 21:40 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2004-03-28 00:08 . 2009-04-22 21:40 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2004-03-28 00:08 . 2009-04-22 21:40 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2004-03-28 00:08 . 2009-04-22 21:40 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2004-03-28 00:08 . 2009-04-22 21:40 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2004-03-28 00:08 . 2009-04-22 21:40 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2004-03-28 00:08 . 2009-04-22 21:40 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2004-03-28 00:08 . 2009-04-22 21:40 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2003-12-02 00:26 . 2003-03-31 12:00 2589 c:\windows\I386\RUNW32.BAT
+ 2004-03-28 00:08 . 2009-04-22 21:40 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2004-03-28 00:08 . 2004-03-28 00:08 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2004-03-28 00:08 . 2009-04-22 21:40 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-07-22 88361]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^office.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\office.exe
backup=c:\windows\pss\office.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk
backup=c:\windows\pss\Verizon Online Support Center.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Gamer\\SteamApps\\philosophize\\counter-strike source\\hl2.exe"=
"c:\\WINDOWS\\system32\\ezSP_Px.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\iTunes.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16317:TCP"= 16317:TCP:BitComet 16317 TCP
"16317:UDP"= 16317:UDP:BitComet 16317 UDP
"6773:TCP"= 6773:TCP:utunfv
.
Contents of the 'Scheduled Tasks' folder

2009-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyServer = gate.temple.edu:8080
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Gamer\Application Data\Mozilla\Firefox\Profiles\pw0lcpho.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: d:\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF - plugin: d:\program files\Netscape6\nppl3260.dll
FF - plugin: d:\program files\Netscape6\nprjplug.dll
FF - plugin: d:\program files\Netscape6\nprpjplug.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-24 21:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
D:\aawservice.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\WgaTray.exe
c:\windows\system32\dwwin.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-04-25 21:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-25 01:28
ComboFix2.txt 2009-04-24 21:12
ComboFix3.txt 2009-04-22 21:37
ComboFix4.txt 2009-04-15 22:00
ComboFix5.txt 2009-04-25 01:17

Pre-Run: 1,111,281,664 bytes free
Post-Run: 1,087,418,368 bytes free

227 --- E O F --- 2009-04-24 23:27
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:34, on 4/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Gamer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gate.temple.edu:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 5911 bytes
 
Good Morning,

Looks like the Rootkit is gone :bigthumb:


You need to enable windows to Show All Files and Folders
Instructions for your Operating System Here

As a double-check, make sure this file is gone, and delete it if it is still present:
c:\windows\system32\xqatbn.dll



How are things running now??
 
good morning to you, too.

things haven't changed; same problems persist.

my computer was already set to view hidden folders and such. i couldn't find the xqatbn file when i searched the relevant folders in "My Computer", but i did search for the file though. two results came up:

xqatbn.zip
xqatbn.dll

i was able to delete the zip file and did so successfully. however, nothing happens when i try to delete xqatbn.dll. hitting "delete" does nothing at all, and when i right-clicked on the file, nothing showed up.
 
i did a second search for the file and then couldn't find it. i guess it may be gone. the xqatbn file was actually in a quarantine folder, along with a bunch of other files that have ".vir" as an extension. don't know if that helps.
 
Hi,

Are you talking about the Combofix quarantine folder or your AV's? Whichever one it is, delete all the contents of the Quarantine folder that is holding those files.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Files
c:\windows\system32\xqatbn.dll

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Explain to me exactly what problems you're still having??
 
========== FILES ==========
File/Folder c:\windows\system32\xqatbn.dll not found.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04252009_204451
 
problems:

1) computer freezes after 5 to 20 minutes of use. i cannot click on anything to get out of frozen state. task manager does not open when typing ctrl+alt+del. when computer freezes, i hold the power button on my desktop until it turns off, then restart again. after logging in to windows, computer freezes again after 5 to 20 minutes of use.

2) i cannot use windows media player. as soon as i open windows media player up, it freezes and i cannot click on any of the menu items on top of the WMP screen. i also cannot x out of it. I have to go to windows task manager, select wmplayer.exe, and shut it down.

3) internet explorer does not work at all. when i open an IE browser, nothing comes up on the main screen but an hourglass next to the cursor shows that it is still working.
 
Open IE, even if it does not work, and click on Tools > Internet Options > Advanced Tab > Reset Internet Explorer settings > Reset and see if that helps.

As far as your other issues, this is a malware removal forum, we don't deal with Windows Issues, you need to post in one of these forums.

Windows Tech Support Forums


It's Not Always Malware
Speedup Windows
Windows Tips
 