Thanks for the reply. Here is the ComboFix log.
ComboFix 08-11-09.04 - Randy Maddox 2008-11-10 14:42:46.1 - NTFSx86
Running from: c:\documents and settings\Randy Maddox\Desktop\ComboFix.exe
* Created a new restore point
.
The following files were disabled during the run:
c:\windows\system32\dbi102.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\RANDYM~1\LOCALS~1\Temp\WowInitcode.dll
c:\documents and settings\Randy Maddox\Start Menu\Programs\Outerinfo
c:\documents and settings\Randy Maddox\Start Menu\Programs\Outerinfo\Terms.lnk
c:\documents and settings\Randy Maddox\Start Menu\Programs\Outerinfo\Uninstall.lnk
c:\windows\Install.txt
c:\windows\system32\__c00249DF.dat
c:\windows\system32\__c003CBD1.dat
c:\windows\system32\__c00AE347.dat
c:\windows\system32\~.exe
c:\windows\system32\afisicx.exe
c:\windows\system32\atsxyzd.sys
c:\windows\system32\comsa32.sys
c:\windows\SYSTEM32\dbi102.dll.vir
c:\windows\system32\Install.txt
c:\windows\system32\KBPK080812.log
c:\windows\system32\mabidwe.exe
c:\windows\system32\macidwe.exe
c:\windows\system32\mcrh.tmp
c:\windows\system32\MSINET.oca
c:\windows\system32\noytcyr.exe
c:\windows\system32\oduxftw.sys
c:\windows\system32\roytctm.exe
c:\windows\system32\sobicyt.exe
c:\windows\system32\soxpeca.exe
c:\windows\system32\syspilog.pil
c:\windows\system32\tdydowkc.exe
c:\windows\system32\tmp0_29171611636.bk
c:\windows\system32\tmp1_477757584426.bk
c:\windows\system32\tpszxyd.sys
c:\windows\system32\uvvwa.ini
c:\windows\system32\wsldoekd.exe
c:\windows\system32\zxdnt3d.cfg
C:\xcrashdump.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AFINDING
-------\Legacy_AFISICX
-------\Legacy_DOMAINSERVICE
-------\Legacy_MABIDWE
-------\Legacy_MACIDWE
-------\Legacy_NOBICYT
-------\Legacy_NOXTCYR
-------\Legacy_NOYTCYR
-------\Legacy_PERFS
-------\Legacy_ROUTING
-------\Legacy_ROXTCTM
-------\Legacy_ROYTCTM
-------\Legacy_SEUICTOL
-------\Legacy_SOBICYT
-------\Legacy_SOTPECA
-------\Legacy_SOXPECA
-------\Legacy_TDXDOWKC
-------\Legacy_TDYDOWKC
-------\Legacy_WSERVING
-------\Legacy_WSLDOEKD
-------\Service_afinding
-------\Service_afisicx
-------\Service_DomainService
-------\Service_mabidwe
-------\Service_macidwe
-------\Service_nobicyt
-------\Service_noxtcyr
-------\Service_noytcyr
-------\Service_perfs
-------\Service_routing
-------\Service_roxtctm
-------\Service_roytctm
-------\Service_seuictol
-------\Service_sobicyt
-------\Service_sotpeca
-------\Service_soxpeca
-------\Service_tdxdowkc
-------\Service_tdydowkc
-------\Service_wserving
-------\Service_wsldoekd
((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.
2008-11-05 10:01 . 2008-11-05 10:01 <DIR> d-------- C:\rsit
2008-11-05 09:34 . 2008-11-05 09:41 250 --a------ c:\windows\gmer.ini
2008-10-23 22:43 . 2008-10-15 11:34 337,408 --------- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-14 23:20 . 2008-09-08 05:41 333,824 --------- c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-10-14 23:19 . 2008-08-14 05:11 2,189,184 --------- c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2008-10-14 23:19 . 2008-08-14 05:09 2,145,280 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2008-10-14 23:19 . 2008-08-14 04:33 2,066,048 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2008-10-14 23:19 . 2008-08-14 04:33 2,023,936 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
2008-10-14 23:19 . 2008-09-15 07:12 1,846,400 --------- c:\windows\SYSTEM32\DLLCACHE\win32k.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-10 19:22 --------- d-----w c:\program files\EZ-FilingNew
2008-11-10 16:25 --------- d-----w c:\documents and settings\Randy Maddox\Application Data\AdobeUM
2008-10-24 20:12 --------- d-----w c:\program files\QUICKENW
2008-09-30 12:25 --------- d-----w c:\program files\DYMO Label
2008-06-27 14:13 56,912 ----a-w c:\documents and settings\Randy Maddox\g2mdlhlpx.exe
2004-10-11 23:46 205,312 ----a-w c:\program files\ltefx13n.dll
2004-01-19 18:31 153,600 ----a-w c:\program files\ltfil13n.DLL
2004-01-19 17:31 27,648 ----a-w c:\program files\lfiff13n.dll
2004-01-19 17:31 20,480 ----a-w c:\program files\lfCUT13n.dll
2004-01-19 16:31 453,120 ----a-w c:\program files\ltkrn13n.dll
2004-01-19 16:12 89,600 ----a-w c:\program files\Lfcgm13n.dll
2004-01-19 15:49 278,016 ----a-w c:\program files\LFJ2K13n.dll
2004-01-19 15:49 180,736 ----a-w c:\program files\Lfpng13n.dll
2004-01-19 15:47 76,800 ----a-w c:\program files\Lfwmf13n.dll
2004-01-19 15:47 509,440 ----a-w c:\program files\LFCMW13n.dll
2004-01-19 15:45 420,352 ----a-w c:\program files\LFCMP13n.DLL
2004-01-19 15:44 143,872 ----a-w c:\program files\lftif13n.dll
2004-01-19 15:36 65,536 ----a-w c:\program files\Lfpct13n.dll
2004-01-19 15:36 56,832 ----a-w c:\program files\lfpsd13n.dll
2004-01-19 15:36 26,624 ----a-w c:\program files\lfpcx13n.dll
2004-01-19 15:36 19,968 ----a-w c:\program files\lfpcd13n.dll
2004-01-19 15:36 18,944 ----a-w c:\program files\lfmsp13n.dll
2004-01-19 15:35 20,992 ----a-w c:\program files\lfimg13n.dll
2004-01-19 15:35 18,944 ----a-w c:\program files\lfmac13n.dll
2004-01-19 15:34 31,744 ----a-w c:\program files\lfclp13n.dll
2004-01-19 15:34 30,208 ----a-w c:\program files\lfbmp13n.dll
2004-01-19 15:33 444,928 ----a-w c:\program files\ltimg13n.dll
2004-01-19 15:32 265,216 ----a-w c:\program files\LTDIS13n.dll
2000-05-02 08:17 212,480 ----a-w c:\program files\PCDLIB32.DLL
1999-11-19 03:00 284,032 ----a-w c:\program files\XceedZip.dll
2008-04-14 00:12 50,688 --sh--w c:\windows\twain_32.dll
2008-04-14 00:11 1,028,096 --sha-w c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 57,344 --sha-w c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 413,696 --sha-w c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 343,040 --sha-w c:\windows\SYSTEM32\msvcrt.dll
2008-04-14 00:12 551,936 --sh--w c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 84,992 --sh--w c:\windows\SYSTEM32\olepro32.dll
2008-04-14 00:12 11,776 --sh--w c:\windows\SYSTEM32\regsvr32.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-26 204800]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2005-03-12 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-10-22 151597]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"PfuSsSct.exe"="c:\program files\PFU\ScanSnap\PfuSsSct.exe" [2003-12-22 110592]
"CardMinder"="c:\program files\PFU\ScanSnap\CardMinder V2.0\CardLauncher.exe" [2004-02-17 36864]
"Pdfquickview"="c:\program files\PFU\ScanSnap\PDF Thumbnail View\pdfquickview.exe" [2003-12-22 32768]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-03-12 11776]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-06-15 49152]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-12-23 618496]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-27 45056]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
c:\documents and settings\Randy Maddox\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2004-04-13 299008]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-09 972064]
ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2004-08-02 712704]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\ProDoc\\ProWin.Exe"=
"c:\\ProDoc\\prosend.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2008-05-16 759072]
R2 afisicx;afisicx Service;c:\windows\system32\afisicx.exe [2002-08-29 46592]
R2 mabidwe;mabidwe Service;c:\windows\system32\mabidwe.exe [2002-08-29 45568]
R2 noytcyr;noytcyr Service;c:\windows\system32\noytcyr.exe [2002-08-29 45568]
R2 roytctm;roytctm Service;c:\windows\system32\roytctm.exe [2002-08-29 46592]
R2 solewxte;solewxte Service;c:\windows\system32\solewxte.exe [2002-08-29 45056]
R2 soxpeca;soxpeca Service;c:\windows\system32\soxpeca.exe [2002-08-29 47104]
R2 tdydowkc;tdydowkc Service;c:\windows\system32\tdydowkc.exe [2002-08-29 46080]
R2 wsldoekd;wsldoekd Service;c:\windows\system32\wsldoekd.exe [2002-08-29 46592]
R3 HPFXBULK;HPFXBULK;c:\windows\system32\drivers\hpfxbulk.sys [2006-06-12 9344]
S2 UXRJNHMC;UXRJNHMC;c:\windows\system32\uxrjnhmc.tuj [ ]
*Newly Created Service* - AFISICX
*Newly Created Service* - MABIDWE
*Newly Created Service* - NOYTCYR
*Newly Created Service* - ROYTCTM
*Newly Created Service* - SOXPECA
*Newly Created Service* - TDYDOWKC
*Newly Created Service* - WSLDOEKD
.
Contents of the 'Scheduled Tasks' folder
2008-11-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
2008-11-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-04-03 17:12]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Sonic RecordNow! - (no file)
HKLM-Run-CMLoader - c:\program files\crystalys media\cm.dll
HKU-Default-Run-A00F14436CF5.exe - c:\windows\TEMP\_A00F14436CF5.exe
Notify-__c003CBD1 - c:\windows\system32\__c003CBD1.dat
Notify-__c00EC4CD - c:\windows\system32\__c00EC4CD.dat
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
R0 -: HKLM-Main,Start Page = about:blank
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.7.cab
c:\windows\Downloaded Program Files\DownloadManagerV2.inf
c:\windows\Downloaded Program Files\Manager.exe
c:\windows\Downloaded Program Files\DownloadManagerV2.ocx
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-11-10 14:52:44
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
c:\windows\SYSTEM32\solewxte.exe [1772] 0x82A8E5D0
c:\windows\SYSTEM32\tpszxyd.sys [3496] 0x82DEC4F8
c:\windows\SYSTEM32\noytcyr.exe [2344] 0x82D8AC50
c:\windows\SYSTEM32\wsldoekd.exe [3484] 0x82C1C248
c:\windows\SYSTEM32\afisicx.exe [3976] 0x82C2FBE8
c:\windows\SYSTEM32\roytctm.exe [1100] 0x82D6BDA0
c:\windows\SYSTEM32\tdydowkc.exe [4032] 0x82B97C38
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\afisicx.exe 46592 bytes executable
c:\windows\system32\wsldoekd.exe 46592 bytes executable
c:\windows\system32\tpszxyd.sys 274944 bytes executable
c:\windows\system32\mabidwe.exe 45568 bytes executable
c:\windows\system32\Install.txt
c:\windows\system32\soxpeca.exe 47104 bytes executable
c:\windows\system32\roytctm.exe 46592 bytes executable
scan completed successfully
hidden files: 7
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UXRJNHMC]
"ImagePath"="\??\c:\windows\system32\uxrjnhmc.tuj"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\Iomega\AutoDisk\ADService.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\PFU\ScanSnap\CardMinder V2.0\bcd_file\SbCRece.exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
c:\progra~1\MUSICM~1\MUSICM~1\MMDiag.exe
c:\progra~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\SYSTEM32\udxfytw.sys
c:\windows\SYSTEM32\tpszxyd.sys
.
**************************************************************************
.
Completion time: 2008-11-10 15

13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-10 20

08
ComboFix2.txt 2007-06-21 16:35:24
Pre-Run: 7,186,391,040 bytes free
Post-Run: 8,588,689,408 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
292 --- E O F --- 2008-10-24 07:01:32