12-03-2008, 02:05 PM   #5
MICKFLAN
Registered User
 
Join Date: Dec 2007
Posts: 9
OS: WINXP


Re: Constant page re-directing and trojan horse

Yes, foolishly I thought I could fix it myself. Here's the combofix3 txt.
ComboFix 08-12-01.03 - mick 2008-12-02 18:04:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1412 [GMT 0:00]
Running from: c:\documents and settings\mick\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc10.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc11.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc12.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc13.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc14.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc15.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc16.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc22.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc23.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc28.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc29.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc2A.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc2D.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc30.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc31.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc3A.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc4.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc57.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc59.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc5A.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc72.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc89.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mcc8E.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mccA6.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mccC.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mccD.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mccE.tmp
c:\documents and settings\mick\Local Settings\Temporary Internet Files\mccF.tmp
C:\resycled
c:\windows\Downloaded Program Files\setup.inf
F:\resycled
f:\resycled\boot.com

.
((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.

2008-12-19 22:20 . 2008-06-19 19:27 <DIR> d-------- c:\documents and settings\Administrator
2008-12-19 22:19 . 2008-12-19 22:19 268 --ah----- C:\sqmdata02.sqm
2008-12-19 22:19 . 2008-12-19 22:19 244 --ah----- C:\sqmnoopt02.sqm
2008-12-19 22:15 . 2008-12-19 22:15 <DIR> d-------- c:\windows\Sun
2008-12-19 22:15 . 2008-12-19 22:15 268 --ah----- C:\sqmdata01.sqm
2008-12-19 22:15 . 2008-12-19 22:15 244 --ah----- C:\sqmnoopt01.sqm
2008-12-19 22:14 . 2008-09-24 17:19 <DIR> d-------- c:\program files\Java
2008-12-19 22:11 . 2008-12-19 22:11 <DIR> d-------- c:\program files\Common Files\Java
2008-12-02 14:03 . 2008-12-02 14:06 250 --a------ c:\windows\gmer.ini
2008-12-02 13:14 . 2008-12-02 13:14 <DIR> d-------- C:\VundoFix Backups
2008-12-01 22:18 . 2008-12-02 09:57 241 --a------ c:\windows\wininit.ini
2008-12-01 13:28 . 2008-12-01 13:28 <DIR> d-------- c:\program files\Studio Surveillance
2008-12-01 13:28 . 2005-09-10 20:09 860,160 --a------ c:\windows\system32\xVideoOCX.ocx
2008-12-01 13:28 . 1998-06-24 00:00 137,000 --a------ c:\windows\system32\msmapi32.ocx
2008-12-01 13:28 . 1998-06-24 00:00 103,744 --a------ c:\windows\system32\MSCOMM32.ocx
2008-12-01 13:28 . 2001-05-08 05:00 26,896 --a------ c:\windows\system32\hh.exe
2008-12-01 00:32 . 2008-12-01 00:32 2,657 --a------ C:\timhillone.mov
2008-12-01 00:32 . 2008-12-01 00:32 785 --a------ C:\qtviewer.html
2008-12-01 00:32 . 2008-12-01 00:32 620 --a------ C:\qtviewer.smil
2008-12-01 00:18 . 2008-12-01 16:17 <DIR> d-------- C:\TimHO_Rec
2008-12-01 00:11 . 2008-12-01 00:11 <DIR> d-------- c:\program files\LEDSET
2008-11-30 11:29 . 2008-12-02 14:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-11-24 11:42 . 2008-11-24 11:42 <DIR> d-------- c:\program files\Karaoke Zip Scanner
2008-11-24 11:42 . 2008-11-24 11:42 <DIR> d--h----- c:\documents and settings\All Users\Application Data\{174BEB07-CB76-4EAC-91FD-95CD34E9901B}
2008-11-22 16:35 . 2008-11-28 22:27 <DIR> d-a------ C:\Myriad
2008-11-16 19:18 . 2004-09-27 04:54 237,568 -ra------ c:\windows\system32\SiSWPars.dll
2008-11-16 19:18 . 2004-12-31 07:47 167,424 -ra------ c:\windows\system32\drivers\sis163u.sys
2008-11-16 19:18 . 2004-09-27 04:54 155,648 -ra------ c:\windows\system32\SiSWInst.dll
2008-11-16 19:18 . 2004-09-27 04:54 49,152 -ra------ c:\windows\system32\SiSWBase.dll
2008-11-16 19:18 . 2008-11-16 19:18 0 --a------ c:\windows\system32\swunilog.ini
2008-11-13 08:12 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-13 08:12 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-06 19:27 . 2006-05-22 19:35 175,872 --a------ c:\windows\system32\drivers\RTL8187.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 11:41 --------- d-----w c:\program files\eMule
2008-12-01 23:39 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-01 21:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-30 20:27 --------- d-----w c:\program files\MP3+G Toolz .NET 4
2008-11-30 11:30 --------- d-----w c:\program files\Google
2008-11-30 09:19 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-24 17:08 67,864 ----a-w c:\documents and settings\mick\Application Data\GDIPFONTCACHEV1.DAT
2008-11-23 13:04 --------- d-----w c:\program files\Karaoke Song List Creator
2008-11-18 07:06 --------- d-----w c:\program files\Xfire
2008-11-17 21:16 --------- d-----w c:\documents and settings\mick\Application Data\Xfire
2008-11-03 20:23 183,120 ----a-w c:\windows\system32\PnkBstrB.exe
2008-11-03 20:23 137,480 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-10-31 10:03 --------- d-----w c:\documents and settings\All Users\Application Data\Motive
2008-10-31 09:58 --------- d-----w c:\documents and settings\mick\Application Data\Motive
2008-10-31 09:57 --------- d-----w c:\program files\BT Broadband Desktop Help
2008-10-31 09:56 --------- d-----w c:\program files\Common Files\Motive
2008-10-30 01:24 42,320 ----a-w c:\windows\system32\xfcodec.dll
2008-10-26 09:08 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-21 22:36 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-20 23:25 --------- d-----w c:\program files\SpeedFan
2008-10-20 15:03 --------- d-----w c:\program files\Total Video2DVD Author
2008-10-20 15:02 --------- d-----w c:\program files\Sony Ericsson
2008-10-20 15:01 --------- d-----w c:\program files\k4uTool
2008-10-20 15:00 --------- d-----w c:\program files\IKEA Home Planner Kitchen
2008-10-20 15:00 --------- d-----w c:\program files\dvdSanta
2008-10-20 15:00 --------- d-----w c:\program files\Canon
2008-10-20 14:59 --------- d-----w c:\program files\BulletProof MP3 Ripper
2008-10-20 14:59 --------- d-----w c:\program files\Axis Communications
2008-10-20 14:58 --------- d--h--w c:\documents and settings\All Users\Application Data\ActiveSMART
2008-10-20 14:58 --------- d-----w c:\program files\ArcSoft
2008-10-18 18:53 --------- d-----w c:\program files\MagicISO
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-13 05:22 --------- d-----w c:\program files\Microsoft
2008-10-13 05:21 --------- d-----w c:\program files\Common Files\Windows Live
2008-10-05 19:18 --------- d-----w c:\program files\Devnz
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-08 23:03 51,712 ----a-w c:\windows\system32\sirenacm.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-07-13 06:49 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008071320080714\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-09-08 3513344]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-13 7557120]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-02-13 86016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"ScanSoft OmniPage SE 4.0-reminder"="c:\program files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" [2005-06-03 729088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-08 185896]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2008-09-11 1517056]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"btbb_wcm_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe" [2008-08-28 1516032]
"nwiz"="nwiz.exe" [2006-02-13 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - c:\program files\Exif Launcher\QuickDCF.exe [2008-08-27 188416]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Gigabyte\\BIOS\\gwf32.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Gigabyte\\BIOS\\gwflash.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Microsoft Games\\Microsoft Flight Simulator X\\fsx.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Documents and Settings\\mick\\Desktop\\combat flight sim\\COMBATFS.EXE"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=
"c:\\Myriad\\mirc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-05-10 97928]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-05 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-05 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-05-10 76040]
R2 McciCMService;McciCMService;"c:\program files\Common Files\Motive\McciCMService.exe" [2008-10-31 303104]
R3 MRESP50;MRESP50 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MRESP50.SYS [2008-10-31 20096]
R3 SIS163u;SiS 163 usb Wireless LAN Adapter Driver;c:\windows\system32\DRIVERS\sis163u.sys [2008-11-16 167424]
S2 713xTVCard;SAA7134 TV Card;c:\windows\system32\DRIVERS\SAA713x.sys [2005-03-15 277504]
S3 3xHybrid;3xHybrid service;c:\windows\system32\DRIVERS\3xHybrid.sys [2008-01-02 945920]
S3 Cap7134;Philips Cap7134 Capture;c:\windows\system32\DRIVERS\Cap7134.sys []
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-07-06 31592]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2008-05-23 13352]
S3 MREMP50;MREMP50 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MREMP50.SYS [2008-10-31 21248]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MRESP50a64.SYS []
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-11-06 175872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{789f5c52-b8a7-11dc-b2cf-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fa3d234-6d5b-11dd-ba06-00120e825303}]
\Shell\AutoRun\command - nideiect.com
\Shell\explore\Command - nideiect.com
\Shell\open\Command - nideiect.com

*Newly Created Service* - CATCHME
*Newly Created Service* - GMER
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-kdx - c:\program files\KHost.exe
HKLM-Run-NWEReboot - (no file)
Notify-svrme - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://magnet.2020.net/virtualplanner/Core/Player/2020PlayerAX_Win32.cab
c:\windows\Downloaded Program Files\2020Player.inf

O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://79.148.110.209:8080/activex/AMC.cab
c:\windows\Downloaded Program Files\setup.inf

c:\windows\system32\MSCOMCTL.OCX - c:\windows\system32\msvbvm60.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\asycfilt.dll
c:\windows\system32\stdole2.tlb
c:\windows\system32\comcat.dll
c:\windows\Downloaded Program Files\toolkit_widget.gif
c:\windows\Downloaded Program Files\common.dat
c:\windows\Downloaded Program Files\unknown.dat
c:\windows\system32\Codejock.PropertyGrid.v10.4.0.ocx
c:\windows\system32\Codejock.DockingPane.v10.4.0.ocx
c:\windows\system32\Codejock.CommandBars.v10.4.0.ocx
c:\windows\system32\Codejock.ReportControl.v10.4.0.ocx
c:\windows\Downloaded Program Files\DGTx.ocx
O16 -: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D}
hxxp://66.98.130.69/DGTx.CAB
c:\windows\Downloaded Program Files\DGTx.INF
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 1821
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-02 18:07:20
ComboFix-quarantined-files.txt 2008-12-02 18:07:00

Pre-Run: 94,068,969,472 bytes free
Post-Run: 94,267,162,624 bytes free

270 --- E O F --- 2008-11-13 08:18:14
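The log above carries the indicators a helper would triage first: `mountpoints2` shell verbs on a removable drive that launch a bare `.com` file (a pattern autorun worms leave behind), an orphaned HKCU Run entry, ActiveX controls (O16) served from raw IP addresses, and ComboFix's removal of `f:\resycled\boot.com`. The script below is an added example, not part of the original post and not ComboFix's own code: it parses those four sections and applies the heuristics described here. The sample text is copied from the log in this post; the severity labels and the rules (executable-extension list, "relative path in an AutoRun command is worse than an absolute one", "raw-IP host deserves a look") are the example's own assumptions, not ComboFix output. A raw-IP host is only a prompt to check, not proof of anything: network cameras, for instance, serve their viewer control from their own address, and this log also shows an Axis Communications install, so the `AMC.cab` entry may well be legitimate.

```python
"""Triage a ComboFix log for autorun, orphan, O16 and deletion indicators (added example)."""
import re
from ipaddress import ip_address

# Constructed sample: lines copied from the ComboFix log in the post above,
# trimmed to the sections the heuristics below look at.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\resycled
c:\windows\Downloaded Program Files\setup.inf
F:\resycled
f:\resycled\boot.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{789f5c52-b8a7-11dc-b2cf-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fa3d234-6d5b-11dd-ba06-00120e825303}]
\Shell\AutoRun\command - nideiect.com
\Shell\explore\Command - nideiect.com
\Shell\open\Command - nideiect.com

- - - - ORPHANS REMOVED - - - -

HKCU-Run-kdx - c:\program files\KHost.exe
HKLM-Run-NWEReboot - (no file)
Notify-svrme - (no file)

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
O16 -: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://magnet.2020.net/virtualplanner/Core/Player/2020PlayerAX_Win32.cab
O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://79.148.110.209:8080/activex/AMC.cab
O16 -: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D}
hxxp://66.98.130.69/DGTx.CAB
"""

# Assumed list of extensions worth flagging when they appear as an autorun target or a deleted file.
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs")
URL_RE = re.compile(r"hxxps?://\S+", re.I)  # ComboFix defangs http as hxxp


def parse_mountpoints(log):
    """Return [(guid, verb, command)] for every shell verb listed under mountpoints2."""
    out, guid = [], None
    for line in log.splitlines():
        m = re.match(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", line, re.I)
        if m:
            guid = m.group(1)
            continue
        m = re.match(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", line, re.I)
        if m and guid:
            out.append((guid, m.group(1).lower(), m.group(2).strip()))
        elif line.startswith("["):
            guid = None  # some other registry key: no longer inside a mountpoint
    return out


def parse_orphans(log):
    """Return [(key, target)] from the ORPHANS REMOVED block, '(no file)' entries included."""
    out, inside = [], False
    for line in log.splitlines():
        if "ORPHANS REMOVED" in line:
            inside = True
            continue
        if not inside:
            continue
        m = re.match(r"^(\S+)\s+-\s+(.+)$", line)
        if m:
            out.append((m.group(1), m.group(2).strip()))
        elif out and not line.strip():
            break  # blank line after the entries ends the block
    return out


def parse_o16(log):
    """Return [(control, url)] for O16 entries; the URL may sit on the following line."""
    out, pending = [], None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("O16 -:"):
            body = line[len("O16 -:"):].strip()
            m = URL_RE.search(body)
            if m:
                out.append((body[:m.start()].rstrip(" -"), m.group(0)))
                pending = None
            else:
                pending = body  # URL (if any) is on the next line
        elif pending and URL_RE.fullmatch(line):
            out.append((pending, line))
            pending = None
    return out


def parse_deletions(log):
    """Return the paths ComboFix lists under 'Other Deletions'."""
    out, inside = [], False
    for line in log.splitlines():
        if "Other Deletions" in line:
            inside = True
            continue
        if inside:
            if re.match(r"^[A-Za-z]:\\", line):
                out.append(line.strip())
            elif out and not line.strip():
                break
    return out


def host_of(url):
    """Host part (no port) of a defanged hxxp URL."""
    rest = re.sub(r"^hxxps?://", "", url, flags=re.I)
    return rest.split("/", 1)[0].split(":", 1)[0]


def is_bare_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(log):
    """Apply the heuristics and return [(severity, description)]."""
    findings = []
    for guid, verb, cmd in parse_mountpoints(log):
        if cmd.lower().endswith(EXEC_EXT):
            # A relative target (e.g. nideiect.com) resolves against the drive root, as an
            # autorun.inf dropped by a worm would; an absolute D:\setup.exe is a normal CD autorun.
            sev = "INFO" if re.match(r"^[A-Za-z]:\\", cmd) else "HIGH"
            findings.append((sev, f"mountpoints2 {guid} {verb} -> {cmd}"))
    for key, target in parse_orphans(log):
        if target.lower() != "(no file)":
            findings.append(("MEDIUM", f"orphaned autostart {key} -> {target}"))
    for control, url in parse_o16(log):
        if is_bare_ip(host_of(url)):
            findings.append(("MEDIUM", f"ActiveX {control} fetched from raw IP: {url}"))
    for path in parse_deletions(log):
        if path.lower().endswith(EXEC_EXT) and not re.match(r"^[a-z]:\\(windows|program files)\\", path.lower()):
            findings.append(("HIGH", f"executable removed from unusual location: {path}"))
    return findings


if __name__ == "__main__":
    for sev, desc in triage(SAMPLE_LOG):
        print(f"[{sev}] {desc}")
```

On the sample this yields eight findings: the three `nideiect.com` verbs and `f:\resycled\boot.com` as HIGH, the `KHost.exe` orphan and the two raw-IP O16 downloads as MEDIUM, and `D:\setup.exe` as INFO. The point of keeping the parsers separate from `triage()` is that the rules are the part a helper will argue about and tune; the section parsers stay the same for any ComboFix log of this vintage.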