Tech Support Forum - View Single Post

Kitzhof · 11-15-2008, 08:46 AM

ComboFix 08-11-09.04 - Sasa Johnen 2008-11-15 9:33:50.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.615 [GMT -6:00]
Running from: c:\documents and settings\Sasa Johnen\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sasa Johnen\Desktop\CFScript.txt
* Created a new restore point

FILE ::
i:\recycler\Lcass.exe
.

((((((((((((((((((((((((( Files Created from 2008-10-15 to 2008-11-15 )))))))))))))))))))))))))))))))
.

2008-11-13 19:14 . 2008-11-13 19:16 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-11-12 16:50 . 2008-11-12 21:50 <DIR> d-------- c:\program files\FitWorkout 2.5
2008-11-12 16:11 . 2008-11-12 16:11 <DIR> d-------- c:\program files\EvenFit
2008-11-12 12:51 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 12:51 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-08 17:55 . 2008-11-08 21:04 345 --a------ c:\windows\gmer.ini
2008-11-08 16:36 . 2008-11-08 16:36 <DIR> d-------- c:\program files\Trend Micro
2008-11-08 16:18 . 2008-11-10 15:58 <DIR> d-------- c:\program files\ThreatFire
2008-11-08 16:18 . 2008-11-08 16:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2008-11-08 16:18 . 2008-10-24 15:07 51,488 --a------ c:\windows\system32\drivers\TfFsMon.sys
2008-11-08 16:18 . 2008-10-24 15:07 39,200 --a------ c:\windows\system32\drivers\TfSysMon.sys
2008-11-08 16:18 . 2008-10-24 15:07 33,056 --a------ c:\windows\system32\drivers\TfNetMon.sys
2008-11-08 16:18 . 2008-10-24 15:07 12,576 --a------ c:\windows\system32\drivers\TfKbMon.sys
2008-10-23 12:32 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-15 14:27 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-14 22:48 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-14 01:13 --------- d-----w c:\documents and settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-11-12 19:29 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-11 00:13 --------- d-----w c:\program files\Dl_cats
2008-11-06 03:31 --------- d-----w c:\documents and settings\Sasa Johnen\Application Data\Azureus
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-08 20:47 --------- d-----w c:\documents and settings\Sasa Johnen\Application Data\AdobeUM
2008-10-04 17:45 --------- d-----w c:\program files\Google
2008-10-03 22:43 --------- d-----w c:\program files\LearnChinese
2008-10-03 22:43 --------- d-----w c:\program files\ICQLite
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-27 20:02 --------- d-----w c:\documents and settings\LocalService\Application Data\AdobeUM
2008-09-27 00:46 --------- d-----w c:\program files\Picasa2
2008-09-26 02:02 --------- d-----w c:\program files\Hattrick Manager
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2005-10-24 01:44 56 --sh--r c:\windows\system32\60493A6879.sys
2005-10-24 01:44 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot_2008-11-13_19.11.21.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-27 20:49:02 196,683 ----a-w c:\windows\system32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w c:\windows\system32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w c:\windows\system32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w c:\windows\system32\lnod32upd.dll
+ 2008-02-11 15:39:26 253,952 ----a-w c:\windows\system32\OnlineScannerDLLA.dll
+ 2008-02-11 15:39:18 237,568 ----a-w c:\windows\system32\OnlineScannerDLLW.dll
+ 2008-02-08 19:53:46 110,592 ----a-w c:\windows\system32\OnlineScannerLang.dll
+ 2008-02-05 14:48:04 77,824 ----a-w c:\windows\system32\OnlineScannerUninstaller.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"avgnt"="c:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-06 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-16 282624]
"Ulead Photo Express Calendar Checker"="c:\program files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe" [2004-01-12 69632]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-06-06 151552]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2008-10-24 263456]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-20 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2006-10-06 19:56 11504 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux5"= sysaudio.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniEYE-MiniREAD Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MiniEYE-MiniREAD Launch.lnk
backup=c:\windows\pss\MiniEYE-MiniREAD Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Sasa Johnen^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Sasa Johnen\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sasa Johnen^Start Menu^Programs^Startup^Ubisoft register.lnk]
path=c:\documents and settings\Sasa Johnen\Start Menu\Programs\Startup\Ubisoft register.lnk
backup=c:\windows\pss\Ubisoft register.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-12-10 08:57 133016 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 922]
--a------ 2004-11-10 13:36 290816 c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2005-05-15 01:04 332800 c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a--c--- 2005-01-27 00:02 86016 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a--c--- 2005-02-23 15:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 15:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a--c--- 2005-06-08 14:44 196608 c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a--c--- 2005-06-08 15:24 458752 c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a--c--- 2005-06-08 15:14 217088 c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
--a------ 2006-10-06 19:55 303864 c:\program files\LogMeIn\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2008-08-20 19:18 443968 c:\program files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
--a--c--- 2004-11-11 09:26 26112 c:\program files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-05-16 09:33 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2006-02-06 18:06 208941 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Replay Center]
-----c--- 2005-09-12 18:43 1675264 c:\program files\Replay Radio 6\ReplayRadio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-02-09 16:00 25388584 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-02-06 18:06 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Anno 1701\\Anno1701.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\CyberLink\\PowerDirector Express\\PDX.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2008-04-14 22336]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2008-10-24 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2008-10-24 39200]
R1 avgntdd;avgntdd;c:\windows\system32\DRIVERS\avgntdd.sys [2008-07-17 45376]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\RaInfo.sys [2006-10-06 11120]
R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service [ ]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2008-10-24 33056]
S3 dump_wmimmc;dump_wmimmc;c:\windows\system32\drivers\dump_wmimmc.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2008-11-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-15 09:38:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-15 9:40:05
ComboFix-quarantined-files.txt 2008-11-15 15:39:31
ComboFix2.txt 2008-11-14 01:12:17
ComboFix3.txt 2008-11-10 22:13:45

Pre-Run: 58,645,364,736 bytes free
Post-Run: 58,682,142,720 bytes free

204 --- E O F --- 2008-11-14 23:03:14

11-15-2008, 08:46 AM	#14 (permalink)
Kitzhof Registered User Join Date: Nov 2008 Posts: 13 OS: XP	Re: HJT log+strange google search results ComboFix 08-11-09.04 - Sasa Johnen 2008-11-15 9:33:50.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.615 [GMT -6:00] Running from: c:\documents and settings\Sasa Johnen\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Sasa Johnen\Desktop\CFScript.txt * Created a new restore point FILE :: i:\recycler\Lcass.exe . ((((((((((((((((((((((((( Files Created from 2008-10-15 to 2008-11-15 ))))))))))))))))))))))))))))))) . 2008-11-13 19:14 . 2008-11-13 19:16 <DIR> d-------- c:\program files\EsetOnlineScanner 2008-11-12 16:50 . 2008-11-12 21:50 <DIR> d-------- c:\program files\FitWorkout 2.5 2008-11-12 16:11 . 2008-11-12 16:11 <DIR> d-------- c:\program files\EvenFit 2008-11-12 12:51 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll 2008-11-12 12:51 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys 2008-11-08 17:55 . 2008-11-08 21:04 345 --a------ c:\windows\gmer.ini 2008-11-08 16:36 . 2008-11-08 16:36 <DIR> d-------- c:\program files\Trend Micro 2008-11-08 16:18 . 2008-11-10 15:58 <DIR> d-------- c:\program files\ThreatFire 2008-11-08 16:18 . 2008-11-08 16:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools 2008-11-08 16:18 . 2008-10-24 15:07 51,488 --a------ c:\windows\system32\drivers\TfFsMon.sys 2008-11-08 16:18 . 2008-10-24 15:07 39,200 --a------ c:\windows\system32\drivers\TfSysMon.sys 2008-11-08 16:18 . 2008-10-24 15:07 33,056 --a------ c:\windows\system32\drivers\TfNetMon.sys 2008-11-08 16:18 . 2008-10-24 15:07 12,576 --a------ c:\windows\system32\drivers\TfKbMon.sys 2008-10-23 12:32 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-11-15 14:27 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2008-11-14 22:48 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater 2008-11-14 01:13 --------- d-----w c:\documents and settings\All Users\Application Data\AntiVir PersonalEdition Classic 2008-11-12 19:29 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help 2008-11-11 00:13 --------- d-----w c:\program files\Dl_cats 2008-11-06 03:31 --------- d-----w c:\documents and settings\Sasa Johnen\Application Data\Azureus 2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-08 20:47 --------- d-----w c:\documents and settings\Sasa Johnen\Application Data\AdobeUM 2008-10-04 17:45 --------- d-----w c:\program files\Google 2008-10-03 22:43 --------- d-----w c:\program files\LearnChinese 2008-10-03 22:43 --------- d-----w c:\program files\ICQLite 2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll 2008-09-27 20:02 --------- d-----w c:\documents and settings\LocalService\Application Data\AdobeUM 2008-09-27 00:46 --------- d-----w c:\program files\Picasa2 2008-09-26 02:02 --------- d-----w c:\program files\Hattrick Manager 2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys 2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll 2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll 2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll 2005-10-24 01:44 56 --sh--r c:\windows\system32\60493A6879.sys 2005-10-24 01:44 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((( snapshot_2008-11-13_19.11.21.09 ))))))))))))))))))))))))))))))))))))))))) . + 2007-07-27 20:49:02 196,683 ----a-w c:\windows\system32\lnod32apiA.dll + 2007-07-27 20:49:02 225,355 ----a-w c:\windows\system32\lnod32apiW.dll + 2005-12-06 01:25:22 139,264 ----a-w c:\windows\system32\lnod32umc.dll + 2005-12-05 18:37:10 106,496 ----a-w c:\windows\system32\lnod32upd.dll + 2008-02-11 15:39:26 253,952 ----a-w c:\windows\system32\OnlineScannerDLLA.dll + 2008-02-11 15:39:18 237,568 ----a-w c:\windows\system32\OnlineScannerDLLW.dll + 2008-02-08 19:53:46 110,592 ----a-w c:\windows\system32\OnlineScannerLang.dll + 2008-02-05 14:48:04 77,824 ----a-w c:\windows\system32\OnlineScannerUninstaller.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064] "LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184] "avgnt"="c:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497] "DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-06 180269] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-16 282624] "Ulead Photo Express Calendar Checker"="c:\program files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe" [2004-01-12 69632] "EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-06-06 151552] "ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2008-10-24 263456] "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160] "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-20 443968] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2006-10-06 19:56 11504 c:\windows\system32\LMIinit.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "aux5"= sysaudio.sys [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniEYE-MiniREAD Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MiniEYE-MiniREAD Launch.lnk backup=c:\windows\pss\MiniEYE-MiniREAD Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Sasa Johnen^Start Menu^Programs^Startup^Adobe Gamma.lnk] path=c:\documents and settings\Sasa Johnen\Start Menu\Programs\Startup\Adobe Gamma.lnk backup=c:\windows\pss\Adobe Gamma.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^Sasa Johnen^Start Menu^Programs^Startup^Ubisoft register.lnk] path=c:\documents and settings\Sasa Johnen\Start Menu\Programs\Startup\Ubisoft register.lnk backup=c:\windows\pss\Ubisoft register.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools] --a------ 2005-12-10 08:57 133016 c:\program files\DAEMON Tools\daemon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 922] --a------ 2004-11-10 13:36 290816 c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport] --a------ 2005-05-15 01:04 332800 c:\program files\Dell Support\DSAgnt.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher] --a--c--- 2005-01-27 00:02 86016 c:\program files\Dell\Media Experience\DMXLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher] --a--c--- 2005-02-23 15:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler] --a------ 2004-07-27 15:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate] --a--c--- 2005-06-08 14:44 196608 c:\program files\Logitech\Video\ManifestEngine.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair] --a--c--- 2005-06-08 15:24 458752 c:\program files\Logitech\Video\ISStart.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray] --a--c--- 2005-06-08 15:14 217088 c:\program files\Logitech\Video\LogiTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI] --a------ 2006-10-06 19:55 303864 c:\program files\LogMeIn\LogMeInSystray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --------- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector] --a------ 2008-08-20 19:18 443968 c:\program files\Picasa2\PicasaMediaDetector.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash] --a--c--- 2004-11-11 09:26 26112 c:\program files\Intuit\QuickBooks 2005\Atom\QBReminder.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2006-05-16 09:33 282624 c:\program files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] --a------ 2006-02-06 18:06 208941 c:\program files\Real\RealPlayer\realplay.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Replay Center] -----c--- 2005-09-12 18:43 1675264 c:\program files\Replay Radio 6\ReplayRadio.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] --a------ 2007-02-09 16:00 25388584 c:\program files\Skype\Phone\Skype.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2006-02-06 18:06 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\rtcshare.exe"= "c:\\Program Files\\NetMeeting\\conf.exe"= "c:\\Program Files\\Azureus\\Azureus.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Anno 1701\\Anno1701.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"= "c:\\Program Files\\CyberLink\\PowerDirector Express\\PDX.exe"= "c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"= "c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2008-04-14 22336] R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2008-10-24 51488] R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2008-10-24 39200] R1 avgntdd;avgntdd;c:\windows\system32\DRIVERS\avgntdd.sys [2008-07-17 45376] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\RaInfo.sys [2006-10-06 11120] R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service [ ] R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2008-10-24 33056] S3 dump_wmimmc;dump_wmimmc;c:\windows\system32\drivers\dump_wmimmc.sys [ ] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G] \Shell\AutoRun\command - G:\LaunchU3.exe -a . Contents of the 'Scheduled Tasks' folder 2008-11-15 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20] 2008-11-15 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20] . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-15 09:38:28 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2008-11-15 9:40:05 ComboFix-quarantined-files.txt 2008-11-15 15:39:31 ComboFix2.txt 2008-11-14 01:12:17 ComboFix3.txt 2008-11-10 22:13:45 Pre-Run: 58,645,364,736 bytes free Post-Run: 58,682,142,720 bytes free 204 --- E O F --- 2008-11-14 23:03:14