08-13-2008, 01:33 PM   #7
lee42lee
Registered User
 
Join Date: Aug 2005
Posts: 30
OS: XP


Re: Slow Internet and Bad PopUps Please Help

Here is the ComboFix log along with the new HJT log. Sorry it took so long.
-----------------------------------------------------------

ComboFix 08-08-12.01 - Owner 2008-08-13 15:05:20.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.175 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\6STQ3CA7\interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\6STQ3CA7\interclick.com\ud.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\BM231aa6fd.txt
C:\WINDOWS\BM231aa6fd.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\albqwtmk.dll
C:\WINDOWS\system32\aukvjp.dll
C:\WINDOWS\system32\bqjnkgov.dll
C:\WINDOWS\system32\cbshqv.dll
C:\WINDOWS\system32\DMTuvGgh.ini
C:\WINDOWS\system32\DMTuvGgh.ini2
C:\WINDOWS\system32\efcDWmJc.dll
C:\WINDOWS\system32\gccmqa.dll
C:\WINDOWS\system32\gveuhkrr.dll
C:\WINDOWS\system32\hgGvuTMD.dll
C:\WINDOWS\system32\hrmjdmco.dll
C:\WINDOWS\system32\jqqnsllo.dll
C:\WINDOWS\system32\kudvnose.dll
C:\WINDOWS\system32\lcgzuf.dll
C:\WINDOWS\system32\lszhth.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ndhdiu.dll
C:\WINDOWS\system32\nfimxclp.ini
C:\WINDOWS\system32\okqimtrr.ini
C:\WINDOWS\system32\qordmbjt.ini
C:\WINDOWS\system32\qubeksee.ini
C:\WINDOWS\system32\qwcmtdpf.dll
C:\WINDOWS\system32\rdrpyduw.ini
C:\WINDOWS\system32\rrtmiqko.dll
C:\WINDOWS\system32\sprerkgq.dll
C:\WINDOWS\system32\upxhuqfl.ini
C:\WINDOWS\system32\urhmpvnf.ini
C:\WINDOWS\system32\wjyogwvn.ini
C:\WINDOWS\system32\wkvlwsjk.dll
C:\WINDOWS\system32\xxsiyndb.dll
C:\WINDOWS\system32\ykmhjbdm.dll

----- BITS: Possible infected sites -----

http://www.thenmnetwork.com
.
((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.

2008-08-13 13:37 . 2008-08-13 13:46 <DIR> d-------- C:\Program Files\Ekahau
2008-08-13 12:40 . 2006-11-30 06:14 446,976 -ra------ C:\WINDOWS\system32\drivers\athrusb.sys
2008-08-13 12:39 . 2004-01-14 11:25 81,920 --a------ C:\WINDOWS\system32\ZDPN50.DLL
2008-08-13 12:39 . 2005-03-18 15:35 31,744 --a------ C:\WINDOWS\system32\drivers\ZDPSp50a64.sys
2008-08-13 12:39 . 2005-06-08 18:44 29,184 --a------ C:\WINDOWS\system32\drivers\BRGSp50a64.sys
2008-08-13 12:39 . 2004-03-23 16:38 28,672 --a------ C:\WINDOWS\system32\InsDrvZD.dll
2008-08-13 12:39 . 2003-03-14 12:24 24,576 --a------ C:\WINDOWS\system32\ZyDelReg.exe
2008-08-13 12:39 . 2005-06-08 18:44 20,608 --a------ C:\WINDOWS\system32\drivers\BRGSp50.sys
2008-08-13 12:39 . 2004-10-25 13:40 17,664 --a------ C:\WINDOWS\system32\drivers\ZDPSp50.sys
2008-08-13 12:39 . 2004-01-14 11:30 17,151 --a------ C:\WINDOWS\system32\ZDPNDIS5.SYS
2008-08-13 12:39 . 2005-07-12 14:44 15,872 --a------ C:\WINDOWS\system32\InsDrvZD64.DLL
2008-08-13 11:54 . 2008-08-13 11:54 <DIR> d-------- C:\VundoFix Backups
2008-08-13 11:23 . 2008-08-13 11:23 2,048 --a------ C:\WINDOWS\system32\ihimpnii.exe
2008-08-12 16:41 . 2008-08-12 16:41 <DIR> d-------- C:\Program Files\Panda Security
2008-08-12 16:41 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-12 14:48 . 2008-08-12 14:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-12 13:30 . 2008-08-12 13:31 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-12 11:28 . 2008-08-12 11:28 2,048 --a------ C:\WINDOWS\system32\ldhfotsy.exe
2008-08-11 11:29 . 2008-08-11 11:29 2,048 --a------ C:\WINDOWS\system32\untvrrpc.exe
2008-08-11 11:14 . 2008-08-11 11:14 2,048 --a------ C:\WINDOWS\system32\wjqyjgav.exe
2008-08-09 11:09 . 2008-08-09 11:09 2,048 --a------ C:\WINDOWS\system32\fwvrhlns.exe
2008-08-08 09:27 . 2008-08-08 09:27 2,048 --a------ C:\WINDOWS\system32\wjajvfsl.exe
2008-07-31 12:32 . 2008-07-31 12:32 <DIR> d-------- C:\Program Files\Microsoft Works
2008-07-31 12:31 . 2008-07-31 12:31 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-07-31 12:28 . 2008-07-31 12:31 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-07-31 12:27 . 2008-07-31 12:27 <DIR> dr-h----- C:\MSOCache
2008-07-31 10:28 . 2008-07-31 10:28 <DIR> d-------- C:\Program Files\Jarte
2008-07-31 10:28 . 2008-07-31 10:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Jarte
2008-07-29 10:39 . 2008-07-29 10:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Blackberry Desktop
2008-07-28 17:37 . 2008-07-28 17:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\RIM Palm&PPC Upgrade Wizard
2008-07-28 16:45 . 2008-07-28 16:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Research In Motion
2008-07-28 16:45 . 2008-07-29 18:20 256 --a------ C:\WINDOWS\system32\pool.bin
2008-07-28 16:34 . 2008-07-28 16:45 256 --a------ C:\Documents and Settings\Owner\pool.bin
2008-07-28 16:33 . 2008-07-28 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-07-28 16:33 . 2008-07-28 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-28 16:31 . 2008-07-28 16:32 <DIR> d-------- C:\Program Files\Roxio
2008-07-28 16:31 . 2008-07-28 16:33 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-07-28 16:31 . 2008-07-28 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-07-28 16:30 . 2008-07-28 16:32 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-07-28 16:25 . 2007-01-18 10:24 26,496 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-07-28 16:24 . 2008-07-28 16:24 <DIR> d-------- C:\Program Files\Research In Motion
2008-07-28 16:24 . 2008-07-28 16:24 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2008-07-28 16:19 . 2008-07-28 16:19 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-07-22 10:39 . 2008-07-22 10:40 <DIR> d-------- C:\Program Files\Auction Client

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 17:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-12 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-09 15:34 --------- d-----w C:\Program Files\LimeWire
2008-08-08 19:44 --------- d-----w C:\Program Files\Java
2008-08-07 14:58 --------- d-----w C:\Program Files\Apple Software Update
2008-08-04 14:56 --------- d-----w C:\Program Files\iRacing
2008-07-31 16:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-31 13:38 --------- d-----w C:\Program Files\palmOne
2008-07-28 21:21 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-15 19:24 --------- d-----w C:\Program Files\Netscape
2008-07-03 02:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\ieSpell
2008-06-30 21:05 --------- d-----w C:\Program Files\Automotix
2008-06-28 16:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\InstallShield
2008-06-23 15:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\Automotix
2007-06-20 18:49 49 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb6500.dat
2006-10-23 14:58 337 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb1942.dat
2006-10-23 14:51 13,046 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb5436.dat
2006-10-23 14:51 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb4604.dat
2006-10-23 13:49 179,200 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb4827.dat
2006-10-20 15:20 9,216 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb9169.dat
2006-10-20 15:20 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb5724.dat
2006-10-20 13:12 49 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb41.dat
2006-10-20 13:08 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb8253.dat
2006-10-20 13:08 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb3902.dat
2006-10-20 13:08 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb2391.dat
2006-10-20 13:08 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb153.dat
2006-10-20 13:07 9,216 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb8467.dat
2006-10-20 13:07 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb6334.dat
2005-12-02 17:15 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"LGBLiveUpdate"="C:\WINDOWS\system32\lgbpd.exe" [2008-07-09 12:58 1043456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-12 15:36 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 08:56 236016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
--a------ 2004-11-11 22:00 864256 C:\Program Files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2004-04-14 15:04 40960 C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2004-04-14 14:46 57393 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-14 02:42 212992 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2005-03-15 13:04 966656 C:\WINDOWS\creator\remind_xp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
--------- 2004-11-11 17:14 49152 C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra------ 2003-10-14 10:22 155648 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
--a------ 2004-11-02 16:59 218240 C:\Program Files\Common Files\Symantec Shared\Security Center\usrprmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
--a------ 2004-11-15 18:04 135168 C:\Program Files\Digital Media Reader\shwiconEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-10-12 15:36 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2003-12-09 14:17 67584 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2005-03-08 06:33 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
--a------ 2005-03-11 20:33 147456 C:\WINDOWS\system32\VTTrayp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\incredimail_install.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 iRacingService;iRacing helper service;C:\Program Files\iRacing\iRacingService.exe [2008-08-04 10:56]
S3 athrusb;Wireless LAN USB device driver;C:\WINDOWS\system32\DRIVERS\athrusb.sys [2006-11-30 06:14]
.
Contents of the 'Scheduled Tasks' folder

2008-08-06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2005-09-29 C:\WINDOWS\Tasks\ISP signup reminder 2.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 15:00]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-20299561 - C:\WINDOWS\system32\fnvpmhru.dll
HKLM-Run-BM231aa6fd - C:\WINDOWS\system32\xxsiyndb.dll
MSConfigStartUp-Adobe Photo Downloader - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
MSConfigStartUp-AOL Spyware Protection - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
MSConfigStartUp-BM231aa6fd - C:\WINDOWS\system32\pkrxmeaj.dll
MSConfigStartUp-ccApp - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-PC Connection Agent - C:\PROGRA~1\MICROS~4\wcescomm.exe
MSConfigStartUp-HostManager - C:\Program Files\Common Files\AOL\1122639952\EE\AOLHostManager.exe
MSConfigStartUp-IS CfgWiz - C:\Program Files\Norton Internet Security\cfgwiz.exe
MSConfigStartUp-MCAgentExe - c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
MSConfigStartUp-RemoteControl - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
MSConfigStartUp-swg - C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5746\GoogleToolbarNotifier.exe
MSConfigStartUp-URLLSTCK - C:\Program Files\Norton Internet Security\UrlLstCk.exe
MSConfigStartUp-_AntiSpyware - C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\v8so1txu.default\


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 15:21:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Symantec Shared\Security Center\symwsc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-13 15:28:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-13 19:28:48
ComboFix2.txt 2007-09-15 16:59:33

Pre-Run: 136,219,860,992 bytes free
Post-Run: 136,748,593,152 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

267
------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:38 PM, on 8/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iRacing\iRacingService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lgbpd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\Trend Micro\HijackThis\peek.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LGBLiveUpdate] C:\WINDOWS\system32\lgbpd.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://www.carad.com/images/eBay_Enh..._v1-0-3-50.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1189622259578
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/download...1/axofupld.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.onlineringman.com/auction...l/isetupml.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} (SecurityManager Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab
O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} (ConnectivityTester Class) - https://care.alltel.com/lwp/static/i...ELControls.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iRacing helper service (iRacingService) - iRacing.com Motorsport Simulations, LLC
Bedford, MA 01730 - C:\Program Files\iRacing\iRacingService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8377 bytes