12-08-2008, 07:39 PM   #3
tybomb
Registered User
 
Join Date: Dec 2006
Posts: 10
OS: XP


Re: Downloader.Agent.APKO and Crypt.AXH

OK. I haven't had any detections for a couple of days now. I managed to delete all my temporary internet files and I found that the jpg was in two different places in my local settings. AVG Update Manager was working but now it's not again, and also Ad-Aware won't update either. I guess that could be a separate issue though.
I also still can't get into my temporary internet files from Windows Explorer.

Here are my two logs. The first one is the earliest, but they were both created after getting this virus.

----------------------------------------------------------------------

ComboFix 08-12-02.02 - Administrator 2008-12-03 19:14:19.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.773 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\virus\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mxp.dll
c:\windows\system32\Scrax.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.

2008-12-03 18:05 . 2008-12-03 18:21 <DIR> d-------- c:\windows\LastGood
2008-12-02 16:01 . 2007-10-27 20:36 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-11-27 17:56 . 2008-11-27 17:56 <DIR> d-------- c:\program files\uTorrent
2008-11-27 17:56 . 2008-12-03 02:27 <DIR> d-------- c:\documents and settings\Administrator\Application Data\uTorrent
2008-11-26 21:27 . 2008-11-26 21:27 <DIR> d-------- c:\program files\Goldeneye
2008-11-24 00:13 . 2008-11-24 00:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Move Networks
2008-11-22 00:58 . 2008-12-03 18:00 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-22 00:58 . 2008-11-22 00:58 1,409 --a------ c:\windows\QTFont.for
2008-11-21 01:03 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-11-21 00:57 . 2008-11-21 00:57 <DIR> d-------- c:\program files\MSBuild
2008-11-21 00:57 . 2008-11-21 00:57 <DIR> d-------- c:\program files\Microsoft Works
2008-11-21 00:52 . 2008-11-21 00:52 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-11-21 00:51 . 2008-11-21 01:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-21 00:50 . 2008-11-21 00:50 <DIR> dr-h----- C:\MSOCache
2008-11-15 19:45 . 2008-11-15 19:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\TVU Networks
2008-11-12 18:23 . 2008-11-12 19:50 <DIR> d-------- C:\New Folder
2008-11-10 23:21 . 2008-11-12 09:45 45,016,576 --a------ C:\120.-.Oil.Painting.avi
2008-11-07 00:00 . 2008-11-07 00:00 <DIR> d-------- c:\program files\Perfect Privacy SSH Client


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 16:00 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7
2008-12-03 06:02 --------- d-----w c:\program files\MetFileRegenerator
2008-12-03 06:00 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-23 11:15 --------- d-----w c:\program files\DynDNS Updater
2008-11-22 23:56 --------- d-----w c:\documents and settings\Administrator\Application Data\dvdcss
2008-11-21 02:12 --------- d-----w c:\program files\eMule
2008-11-07 00:08 --------- d-----w c:\program files\Eraser
2008-11-02 17:17 --------- d-----w c:\program files\DC++
2008-11-02 05:58 --------- d-----w c:\program files\OpenVPN
2008-10-30 20:50 --------- d-----w c:\documents and settings\Administrator\Application Data\QQ
2008-10-30 20:47 --------- d-----w c:\program files\Tencent
2008-10-30 08:37 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2007-11-27 02:54 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-04-29 08:20 92,064 ----a-w c:\documents and settings\Administrator\mqdmmdm.sys
2007-04-29 08:20 9,232 ----a-w c:\documents and settings\Administrator\mqdmmdfl.sys
2007-04-29 08:20 79,328 ----a-w c:\documents and settings\Administrator\mqdmserd.sys
2007-04-29 08:20 66,656 ----a-w c:\documents and settings\Administrator\mqdmbus.sys
2007-04-29 08:20 6,208 ----a-w c:\documents and settings\Administrator\mqdmcmnt.sys
2007-04-29 08:20 5,936 ----a-w c:\documents and settings\Administrator\mqdmwhnt.sys
2007-04-29 08:20 4,048 ----a-w c:\documents and settings\Administrator\mqdmcr.sys
2007-04-29 08:20 25,600 ----a-w c:\documents and settings\Administrator\usbsermptxp.sys
2007-04-29 08:20 22,768 ----a-w c:\documents and settings\Administrator\usbsermpt.sys
2004-10-01 23:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-19 925696]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-13 1397760]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-10-30 590848]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-18 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2007-12-11 307200]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-27 219136]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
PartMetBackup.lnk - c:\program files\Java\jre1.5.0_10\bin\javaw.exe [2006-12-18 53346]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-12-15 389120]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"c:\\Program Files\\Edonkey Lite 1.4.3.2\\edonkey2000.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Curious Labs\\Poser 6\\Poser.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\e frontier\\Poser 7\\Poser.exe"=
"c:\\dc\\DCPlusPlus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\e-on software\\Vue 6 xStream\\Application\\Vue 6 xStream.eon"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Motorola\\UID Extraction Tool 2.2\\UIDExtraction.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FTPVoyager.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FVScheduler.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\stuff\\Mirc\\mirc.exe"=
"c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\stuff\\PI\\pi232.1146921652.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8681:TCP"= 8681:TCP:WWW

R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\DRIVERS\cledx.sys [2007-06-09 33792]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
S2 aqqamk;aqqamk;c:\windows\system32\svchost.exe -k netsvcs [2006-02-28 14336]
S2 hwdorvtqi;hwdorvtqi;c:\windows\system32\svchost.exe -k netsvcs [2006-02-28 14336]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-04-30 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-04-30 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-04-30 40832]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 npkycryp;npkycryp;\??\c:\program files\Tencent\QQ\npkycryp.sys []
S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\DRIVERS\SaiHFF0C.sys [2004-06-11 56576]
S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\DRIVERS\SaiUFF0C.sys [2004-06-11 19584]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
hwdorvtqi
aqqamk

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\SETUP.EXE
\Shell\configure\command - F:\SETUP.EXE
\Shell\install\command - F:\SETUP.EXE

*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1B6FBC9D-FB5F-6DC0-12D0-CD6F4752DEA5}]
c:\windows\system32:messagetec.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13]
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p5yuydfw.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
FF -: plugin - c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - c:\program files\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.
.
------- File Associations -------
.
chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 19:15:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-03 19:16:56
ComboFix-quarantined-files.txt 2008-12-04 03:16:54

Pre-Run: 150,141,743,104 bytes free
Post-Run: 150,137,982,976 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (bootscreen)" /noexecute=optin /fastdetect /KERNEL=kernel1.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

212 --- E O F --- 2008-01-10 11:01:27


-------------------------------------------------------------------------
2nd LOG



ComboFix 08-12-07.04 - Administrator 2008-12-08 18:21:16.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.529 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-04 00:37 . 2008-12-08 18:03 250 --a------ c:\windows\gmer.ini
2008-12-03 19:33 . 2008-12-04 04:13 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-12-03 19:33 . 2008-06-13 05:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-12-03 19:33 . 2008-06-13 05:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-03 18:05 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-02 16:01 . 2007-10-27 20:36 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-11-27 17:56 . 2008-11-27 17:56 <DIR> d-------- c:\program files\uTorrent
2008-11-27 17:56 . 2008-12-08 06:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\uTorrent
2008-11-26 21:27 . 2008-11-26 21:27 <DIR> d-------- c:\program files\Goldeneye
2008-11-24 00:13 . 2008-11-24 00:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Move Networks
2008-11-22 00:58 . 2008-12-08 03:15 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-22 00:58 . 2008-11-22 00:58 1,409 --a------ c:\windows\QTFont.for
2008-11-21 01:03 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-11-21 00:57 . 2008-11-21 00:57 <DIR> d-------- c:\program files\MSBuild
2008-11-21 00:57 . 2008-11-21 00:57 <DIR> d-------- c:\program files\Microsoft Works
2008-11-21 00:52 . 2008-11-21 00:52 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-11-21 00:51 . 2008-11-21 01:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-21 00:50 . 2008-11-21 00:50 <DIR> dr-h----- C:\MSOCache
2008-11-15 19:45 . 2008-11-15 19:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\TVU Networks
2008-11-12 18:23 . 2008-11-12 19:50 <DIR> d-------- C:\New Folder
2008-11-10 23:21 . 2008-11-12 09:45 45,016,576 --a------ C:\120.-.Oil.Painting.avi

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 02:02 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-09 02:02 --------- d-----w c:\program files\MetFileRegenerator
2008-12-09 01:31 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-08 19:21 --------- d-----w c:\program files\eMule
2008-12-08 16:00 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7
2008-11-23 11:15 --------- d-----w c:\program files\DynDNS Updater
2008-11-22 23:56 --------- d-----w c:\documents and settings\Administrator\Application Data\dvdcss
2008-11-07 08:00 --------- d-----w c:\program files\Perfect Privacy SSH Client
2008-11-07 00:08 --------- d-----w c:\program files\Eraser
2008-11-02 17:17 --------- d-----w c:\program files\DC++
2008-11-02 05:58 --------- d-----w c:\program files\OpenVPN
2008-10-30 20:50 --------- d-----w c:\documents and settings\Administrator\Application Data\QQ
2008-10-30 20:47 --------- d-----w c:\program files\Tencent
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2007-11-27 02:54 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-04-29 08:20 92,064 ----a-w c:\documents and settings\Administrator\mqdmmdm.sys
2007-04-29 08:20 9,232 ----a-w c:\documents and settings\Administrator\mqdmmdfl.sys
2007-04-29 08:20 79,328 ----a-w c:\documents and settings\Administrator\mqdmserd.sys
2007-04-29 08:20 66,656 ----a-w c:\documents and settings\Administrator\mqdmbus.sys
2007-04-29 08:20 6,208 ----a-w c:\documents and settings\Administrator\mqdmcmnt.sys
2007-04-29 08:20 5,936 ----a-w c:\documents and settings\Administrator\mqdmwhnt.sys
2007-04-29 08:20 4,048 ----a-w c:\documents and settings\Administrator\mqdmcr.sys
2007-04-29 08:20 25,600 ----a-w c:\documents and settings\Administrator\usbsermptxp.sys
2007-04-29 08:20 22,768 ----a-w c:\documents and settings\Administrator\usbsermpt.sys
2004-10-01 23:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-19 925696]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-13 1397760]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-10-30 590848]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-18 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2007-12-11 307200]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-27 219136]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
PartMetBackup.lnk - c:\program files\Java\jre1.5.0_10\bin\javaw.exe [2006-12-18 53346]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-12-15 389120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"c:\\Program Files\\Edonkey Lite 1.4.3.2\\edonkey2000.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Curious Labs\\Poser 6\\Poser.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\e frontier\\Poser 7\\Poser.exe"=
"c:\\dc\\DCPlusPlus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\e-on software\\Vue 6 xStream\\Application\\Vue 6 xStream.eon"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Motorola\\UID Extraction Tool 2.2\\UIDExtraction.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FTPVoyager.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FVScheduler.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\stuff\\Mirc\\mirc.exe"=
"c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\stuff\\PI\\pi232.1146921652.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8681:TCP"= 8681:TCP:WWW

R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\DRIVERS\cledx.sys [2007-06-09 33792]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
S2 aqqamk;aqqamk;c:\windows\system32\svchost.exe -k netsvcs [2006-02-28 14336]
S2 hwdorvtqi;hwdorvtqi;c:\windows\system32\svchost.exe -k netsvcs [2006-02-28 14336]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-04-30 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-04-30 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-04-30 40832]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 npkycryp;npkycryp;\??\c:\program files\Tencent\QQ\npkycryp.sys []
S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\DRIVERS\SaiHFF0C.sys [2004-06-11 56576]
S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\DRIVERS\SaiUFF0C.sys [2004-06-11 19584]
S3 VZUXJBFOZUVLW;VZUXJBFOZUVLW;c:\docume~1\ADMINI~1\LOCALS~1\Temp\VZUXJBFOZUVLW.exe []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
hwdorvtqi
aqqamk

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\SETUP.EXE
\Shell\configure\command - F:\SETUP.EXE
\Shell\install\command - F:\SETUP.EXE

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1B6FBC9D-FB5F-6DC0-12D0-CD6F4752DEA5}]
c:\windows\system32:messagetec.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = localhost:8020
uInternet Settings,ProxyOverride = *.local
IE: Add to QQ Customized Panel - c:\program files\Tencent\QQ\AddPanel.htm
IE: Add to QQ Emotions - c:\program files\Tencent\QQ\AddEmotion.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send picture by MMS - c:\program files\Tencent\QQ\SendMMS.htm
IE: Upload to QQ Network Hard Disk - c:\program files\Tencent\QQ\AddToNetDisk.htm
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p5yuydfw.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
FF -: plugin - c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - c:\program files\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.
.
------- File Associations -------
.
chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 18:24:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-08 18:25:35
ComboFix-quarantined-files.txt 2008-12-09 02:25:32
ComboFix2.txt 2008-12-09 02:12:03
ComboFix3.txt 2008-12-04 05:46:05
ComboFix4.txt 2008-12-04 03:16:58

Pre-Run: 137,658,707,968 bytes free
Post-Run: 137,645,658,112 bytes free

218 --- E O F --- 2008-12-09 01:34:17