08-11-2008, 05:03 PM   #8
khealy729
Registered User
Join Date: Aug 2008
Posts: 10
OS: xpsp2


Re: infected- Win32:Adware-gen

Ran ComboFix once more in safe mode. It went all the way through and finally got a log; it follows below. My desktop appears to have returned to normal.

ComboFix 08-08-10.05 - Kevin 2008-08-11 17:12:30.4 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 )))))))))))))))))))))))))))))))
.

2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ C:\WINDOWS\system32\LXBOUSCI.INI
2008-08-11 13:51 . 2008-08-11 15:01 474 --ahs---- C:\WINDOWS\system32\balapnxn.ini
2008-08-04 16:48 . 2008-08-04 16:48 <DIR> d-------- C:\Deckard
2008-08-04 16:47 . 2008-08-04 16:47 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-03 19:44 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-03 19:04 . 2008-08-03 19:04 <DIR> d-------- C:\Program Files\Panda Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 20:46 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Move Networks
2008-06-28 22:10 --------- d-----w C:\Program Files\AIM6
2008-06-28 22:07 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-28 22:06 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Viewpoint
2008-06-28 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-28 22:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-28 22:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-06-27 22:22 --------- d-----w C:\Documents and Settings\Kevin\Application Data\uTorrent
2008-06-27 22:14 --------- d-----w C:\Program Files\MSBuild
2008-06-27 22:04 --------- d-----w C:\Program Files\Reference Assemblies
2008-06-27 21:40 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Sony Setup
2008-06-27 21:39 --------- d-----w C:\Program Files\Sony Setup
2008-06-27 18:13 --------- d-----w C:\Program Files\uTorrent
2008-06-27 18:12 --------- d-----w C:\Program Files\Sony
2008-06-27 01:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-26 14:04 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Audacity
2008-06-26 02:31 --------- d-----w C:\Program Files\LimeWire
2008-06-21 15:38 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Apple Computer
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-24 19:52 399,084 ----a-w C:\Documents and Settings\Kevin\g74.exe
2006-10-31 01:52 3,932 ----a-w C:\Documents and Settings\Kevin\Application Data\CMLayout.dat
2006-10-31 01:52 268 ----a-w C:\Documents and Settings\Kevin\Application Data\CMCPaper.dat
2005-04-06 15:18 16,384 ----a-w C:\Documents and Settings\Kevin\rappmx.dll
2003-07-18 16:12 4 ----a-w C:\Documents and Settings\Kevin\hl.dat
2001-05-21 10:54 3,932 ----a-w C:\Documents and Settings\Elizabeth\Application Data\CMLayout.dat
2006-05-03 10:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30ED533D-7E10-48D6-8314-E07DFE852B87}]
C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.IE5\393ORJKQ\3077ahntdksr[1].dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" [X]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Veoh"="C:\Documents and Settings\Kevin\My Documents\New Folder\VeohClient.exe" [BU]
"MoneyStartUp"="c:\Program Files\Microsoft Money\System\Money Startup.exe" [2000-07-19 12:00 24625]
"Aim6"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe" [2001-08-15 13:50 28672]
"WCOLOREAL"="C:\Program Files\COMPAQ\Coloreal\coloreal.exe" [2001-09-26 11:30 131072]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 16:34 36864]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-10-17 12:50 655360]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 14:02 57344]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 04:52 380928]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-09 17:13 86016]
"Lexmark X84-X85 Button Monitor"="C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe" [2003-01-08 14:36 40960]
"Lexmark X84-X85 Button Manager"="C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe" [2002-09-04 10:36 53248]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-09-18 19:52 36864]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-09 17:13 7204864]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-26 02:27 180269]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 13:37 79224]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"e4b94219"="C:\WINDOWS\system32\hfidebog.dll" [BU]
"Smapp"="Smtray.exe" [2001-05-31 22:32 224256 C:\WINDOWS\system32\SMTray.exe]
"WorksFUD"="" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Documents and Settings\Kevin\My Documents\New Folder\Picasa2\PicasaMediaDetector.exe" [BU]

C:\Documents and Settings\Elizabeth\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\
CoolMon.lnk - C:\Program Files\CoolMon\CoolMon.exe [2002-10-13 22:51:43 1516032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXpQiIB]
cbXpQiIB.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=riollo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= IR41_32.DLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Weather"=C:\Program Files\AWS\WeatherBug\Weather.exe 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"StartSurfing"=C:\PROGRA~1\STARTS~1\STARTS~1.EXE
"AltnetPointsManager"=c:\program files\altnet\points manager\points manager.exe -s
"avserve2.exe"=C:\WINDOWS\avserve2.exe
"avserve.exe"=C:\WINDOWS\avserve.exe
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
"BJCFD"=C:\Program Files\BroadJump\Client Foundation\CFD.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"nwiz"=nwiz.exe /install
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AnalogX\\Proxy\\proxy.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\WinMX\\WinMX.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Maxis\\SimCity 3000 Unlimited\\Apps\\Updater\\UPDATER.EXE"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"35617:TCP"= 35617:TCP:Gnutella
"35617:UDP"= 35617:UDP:Gnutella

S0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
S1 EACMOS;EACMOS;C:\WINDOWS\system32\drivers\EACMOS.SYS []
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
S2 MSSQL$AUTODESKVAULT;MSSQL$AUTODESKVAULT;C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe [2005-05-04 01:04]
S2 ntlogin32;NT login service;C:\WINDOWS\System32\libsysmgr.exe []
S2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 17:36]
S2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 16:38]
S3 Gcr432;Gcr432;C:\WINDOWS\system32\Drivers\gcr432.sys [2001-09-06 16:05]
S3 MusCDriverV32;MusCDriverV32;C:\WINDOWS\system32\drivers\MusCDriverV32.sys [2007-07-19 14:58]
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 08:28]
S3 SNDP202;Bushnell ImageView;C:\WINDOWS\system32\DRIVERS\sndp202.sys [2003-01-08 09:43]
S3 SQLAgent$AUTODESKVAULT;SQLAgent$AUTODESKVAULT;C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlagent.EXE [2005-05-03 22:42]
S3 TICalc;TICalc;C:\WINDOWS\system32\drivers\TICalc.sys [2001-01-29 16:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\SETUP.EXE
\Shell\install\command - F:\INSTALL\_SETUP.exe

*Newly Created Service* - DCFS2K
.
Contents of the 'Scheduled Tasks' folder

2001-10-17 C:\WINDOWS\Tasks\Registration reminder 1.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 02:56]

2001-10-17 C:\WINDOWS\Tasks\Registration reminder 2.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 02:56]

2001-10-17 C:\WINDOWS\Tasks\Registration reminder 3.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 02:56]

2008-08-04 C:\WINDOWS\Tasks\{C185ABC2-822F-4D34-9CF9-6FDDC99D90CE}_DESKTOP_Kevin.job
- C:\WINDOWS\system32\mobsync.exe [2004-08-04 02:56]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\4k3nozsh.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 17:18:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\Kevin\LOCALS~1\Temp\RGI1.tmp 7075 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-08-11 17:28:01
ComboFix-quarantined-files.txt 2008-08-11 22:27:14
ComboFix2.txt 2008-08-11 21:21:12

Pre-Run: 27,642,982,400 bytes free
Post-Run: 27,618,770,944 bytes free

187 --- E O F --- 2008-06-20 15:37:40