BUDFAN8, 12-29-2008, 05:57 PM, post #1
OS: XP
ohhh boy what a mess...

Sorry in advance to whoever chooses to deal with my problem.

So the long story begins... This all started 2 days ago with my wife wanting to watch a movie on the net. She opens the movie and AVG instantly pops up "threat found!!!" So I tell her to hit Heal and close the movie out. So then she tries a different tab (same movie) and it appears to be fine, that is until 2 minutes into the movie it automatically goes out of full screen and she gets 2 random pop-up pages from Firefox (she was using IE at the time). Well, she closes out the movie and I tell her to run AVG to see if it finds anything. While trying to run AVG, random Firefox windows kept popping up. So I uninstall Firefox and they start popping up in IE just as they did through Firefox.

The AVG scan produced 3 threats:
Freescan[1].htm
gadcom.exe
Kesekepe.dl.vir

I managed to get rid of gadcom, I think, but the others are still there, I think. I got to reading a lot of other people's troubles, so I tried some of the things that were recommended to them. First thing after the problem started, before trying anything, I ran a HijackThis log (see below). After that I ran Ad-Aware and AVG several more times, finding different stuff every time; I didn't write them all down (sorry). After reading the many problems from others I decided to run ComboFix. That killed the pop-ups, but AVG is still catching threats, so I decided to run a DDS file and ask for help. Since the DDS file I found out my AVG wasn't up to date, so I then downloaded 8.0 and ran it, and it found more. If you need a new DDS because of the AVG update, let me know. Thanks.

------------HijackThis findings--------------

Logfile of HijackThis v1.99.1
Scan saved at 6:57:02 PM, on 12/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\nHancer\nHancerService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
C:\PROGRA~1\MSNMES~1\DEVICE~1\msgrdvmn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cadiz.mchsionline.net/community/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {024FD5E0-9FAD-494A-8AE5-143B6C6B09F4} - (no file)
O2 - BHO: (no name) - {08F09AE6-A770-4C13-80D5-8307CD6E6CC1} - (no file)
O2 - BHO: (no name) - {0E2523F3-3B32-4B36-A592-D6E4406E248B} - (no file)
O2 - BHO: (no name) - {0E46A419-586E-45CB-ADF3-85D64565732A} - (no file)
O2 - BHO: (no name) - {11343315-C8E0-44C8-9367-66AEB36D0B8B} - (no file)
O2 - BHO: (no name) - {16DB0ED2-300D-4FE2-8703-7D2C08999434} - (no file)
O2 - BHO: (no name) - {1D77037A-3965-482A-BCDA-F3749641106E} - (no file)
O2 - BHO: (no name) - {1ED2B7AF-D185-405E-8692-9622351DF54A} - (no file)
O2 - BHO: (no name) - {2F2979EA-6E36-4EBD-92BB-5588999BC071} - (no file)
O2 - BHO: (no name) - {306846B0-5BB0-402E-A2D7-3742CFDB0BF9} - (no file)
O2 - BHO: (no name) - {315CFAAF-8192-4DDB-BE67-54FC0CC6DF5F} - (no file)
O2 - BHO: (no name) - {38A4EE33-C274-41F6-9FD7-6B7791DA0D1E} - (no file)
O2 - BHO: (no name) - {39D1D1A2-E515-45BA-9B2B-5C4831362E42} - (no file)
O2 - BHO: (no name) - {3DE490CE-732D-45C8-AFC7-8C535CBC3DA7} - (no file)
O2 - BHO: (no name) - {3DF233F0-AA4D-42C8-8BEE-B0B3B126156F} - (no file)
O2 - BHO: (no name) - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - (no file)
O2 - BHO: (no name) - {497A07E0-D3C3-4288-AC1B-34A420FB43BD} - (no file)
O2 - BHO: (no name) - {4C13C1F5-1F24-438E-8A1F-76BEAB0451B0} - (no file)
O2 - BHO: (no name) - {557F69DE-0B5A-4B78-90BD-B140C29315A6} - (no file)
O2 - BHO: (no name) - {593A6A99-EE8A-41E1-9D24-A6750E32C2B7} - (no file)
O2 - BHO: (no name) - {5A6B1D0E-6F63-4D2D-AC67-87A2B03F6C44} - (no file)
O2 - BHO: (no name) - {5DE539E3-92B5-4100-8B5B-6FDF45E0D1C0} - (no file)
O2 - BHO: (no name) - {624EF74E-EF9A-4C83-B886-DCB0A65F40B3} - (no file)
O2 - BHO: (no name) - {66E88CEF-969B-4BBF-BA36-B7BF32407F6C} - (no file)
O2 - BHO: (no name) - {6B6C0BC1-87DE-495C-BE78-D44B4243BABD} - (no file)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\pmnoOExx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {84074F03-E62E-4FFF-9AFD-5ED73A6875D3} - (no file)
O2 - BHO: (no name) - {85320ED4-EFF8-43A3-96A1-E3F94CC0E05C} - (no file)
O2 - BHO: (no name) - {8AE4E598-5A24-4876-8B9B-E01F142906BE} - (no file)
O2 - BHO: (no name) - {8BD5CE39-6936-419A-B7CC-E781103A0CC7} - (no file)
O2 - BHO: (no name) - {8BF4FDDE-A89B-4D0D-8CA2-033FE0D29A3E} - C:\WINDOWS\system32\cbXQhHXn.dll
O2 - BHO: (no name) - {8D5685F2-BA69-4544-8CE2-F86C1BF31A08} - (no file)
O2 - BHO: (no name) - {8F699ECE-C813-4E7E-AB16-BC5D9F7DFECB} - (no file)
O2 - BHO: {471503ee-8f02-c5eb-2474-6647757aa31a} - {a13aa757-7466-4742-be5c-20f8ee305174} - C:\WINDOWS\system32\xoopcv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: (no name) - {B307638C-401F-4FF7-B3A9-BCE9C7239957} - (no file)
O2 - BHO: (no name) - {BA2B7851-F4C1-4D41-8119-E1AFD885F7A8} - (no file)
O2 - BHO: (no name) - {BA725BD7-305B-4C05-AAB5-353A362AB8D8} - (no file)
O2 - BHO: (no name) - {BB0639DE-5490-418F-916F-FD78707F443F} - (no file)
O2 - BHO: (no name) - {BE9847ED-FF4C-4F02-BA6D-D715E894A398} - (no file)
O2 - BHO: (no name) - {C6DE1856-1A4C-4D50-9F64-23E36CFBBA98} - (no file)
O2 - BHO: (no name) - {C727C86C-F337-449A-BFFC-F2757EBE3EED} - (no file)
O2 - BHO: (no name) - {C9C193D5-3192-4FA0-B9AA-5780B2F2500F} - (no file)
O2 - BHO: (no name) - {CB499AD1-AAAF-4F5B-8E66-EC782C209166} - (no file)
O2 - BHO: (no name) - {CBD4B893-F06D-4272-8E34-7803E0B08405} - (no file)
O2 - BHO: (no name) - {D1593092-09F3-4F7F-99BB-7B40EEE516D4} - (no file)
O2 - BHO: (no name) - {D34E4BB8-8B43-4085-A3ED-296AAA9995B3} - (no file)
O2 - BHO: (no name) - {DB0CECE3-381C-4749-AFF2-5BDE6E593CBA} - (no file)
O2 - BHO: (no name) - {E2E6A4C1-6E3A-48B1-9FD1-0A893004354E} - (no file)
O2 - BHO: (no name) - {E37CF69D-06B5-40D4-B432-8DDEC01A057E} - (no file)
O2 - BHO: (no name) - {e6019b4f-64ce-431a-9653-e49d7e55a352} - C:\WINDOWS\system32\konazuki.dll
O2 - BHO: (no name) - {E89DD0A3-E0AC-4176-A2F0-80FEB50345A1} - (no file)
O2 - BHO: (no name) - {E9E43D73-F61C-4CEF-891E-2FF09C038046} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [Itiva Media Accelerator] C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [gokebiwazi] Rundll32.exe "C:\WINDOWS\system32\hakurevi.dll",s
O4 - HKLM\..\Run: [LifeChat] "C:\Program Files\Microsoft LifeChat\LifeChat.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WindowsLivePhone] "C:\PROGRA~1\MSNMES~1\DEVICE~1\msgrdvmn.exe" /AutoRun
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PokerTime Poker - {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.doghq.net
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46.../bejeweled.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37710.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JS...ws-i586-jc.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game10.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/download...ameManager.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\kesekepe.dll xoopcv.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: pmnoOExx - C:\WINDOWS\SYSTEM32\pmnoOExx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe


------------ComboFix report------------------

ComboFix 08-12-28.01 - Mike 2008-12-28 20:18:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.596 [GMT -6:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Mike\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\Mike\Application Data\FunWebProducts
c:\documents and settings\Mike\Application Data\GetModule
c:\documents and settings\Mike\Application Data\GetModule\dicik.gz
c:\documents and settings\Mike\Application Data\GetModule\kwdik.gz
c:\documents and settings\Mike\Application Data\GetModule\ofadik.gz
c:\documents and settings\Mike\Application Data\inst.exe
c:\documents and settings\Mike\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\GetModule
c:\program files\GetModule\GetModule32.exe
c:\program files\GetPack
c:\program files\GetPack\dictame.gz
c:\program files\GetPack\GetPack26.exe
c:\program files\GetPack\trgtame.gz
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\windows\Downloaded Program Files\setup.inf
c:\windows\IE4 Error Log.txt
c:\windows\system32\asbcrwpn.dll
c:\windows\system32\cbXQhHXn.dll
c:\windows\system32\digeste.dll
c:\windows\system32\ilevobam.ini
c:\windows\system32\kesekepe.dll
c:\windows\system32\maboveli.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\nXHhQXbc.ini
c:\windows\system32\nXHhQXbc.ini2
c:\windows\system32\ornblcpy.dll
c:\windows\system32\pmnoOExx.dll
c:\windows\system32\ttvwa.bak1
c:\windows\system32\ttvwa.bak2
c:\windows\system32\ttvwa.ini
c:\windows\system32\ttvwa.ini2
c:\windows\system32\wpv291229907513.cpx
c:\windows\system32\xoopcv.dll
c:\windows\system32\ypclbnro.ini
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-28 10:55 . 2008-12-28 10:55 22,016 --a------ c:\documents and settings\Mike\w.exe
2008-12-11 14:37 . 2008-12-11 14:37 42,320 --a------ c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-29 00:22 --------- d-----w c:\documents and settings\Mike\Application Data\Xfire
2008-12-28 19:18 --------- d-----w c:\documents and settings\Mike\Application Data\AVG7
2008-12-27 23:20 --------- d-----w c:\documents and settings\girls\Application Data\AVG7
2008-12-27 20:49 --------- d-----w c:\program files\Call of Duty Game of the Year Edition
2008-12-21 17:08 137,688 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-17 09:31 --------- d-s---w c:\program files\Xfire
2008-12-12 02:10 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 23:17 --------- d--h--w c:\documents and settings\Mike\Application Data\Move Networks
2008-12-06 17:04 --------- d-----w c:\program files\Dl_cats
2008-11-20 07:29 --------- d-----w c:\program files\Guild Wars
2008-11-08 14:32 --------- d-----w c:\documents and settings\Mike\Application Data\uTorrent
2008-11-08 03:22 --------- d-----w c:\program files\uTorrent
2008-10-28 22:45 22,328 -c--a-w c:\documents and settings\Mike\Application Data\PnkBstrK.sys
2008-10-28 22:43 --------- d-----w c:\program files\Activision
2008-03-04 19:26 47,360 -c--a-w c:\documents and settings\Mike\Application Data\pcouffin.sys
2006-11-25 01:44 92,064 -c--a-w c:\documents and settings\Mike\mqdmmdm.sys
2006-11-25 01:44 9,232 -c--a-w c:\documents and settings\Mike\mqdmmdfl.sys
2006-11-25 01:44 79,328 -c--a-w c:\documents and settings\Mike\mqdmserd.sys
2006-11-25 01:44 66,656 -c--a-w c:\documents and settings\Mike\mqdmbus.sys
2006-11-25 01:44 6,208 -c--a-w c:\documents and settings\Mike\mqdmcmnt.sys
2006-11-25 01:44 5,936 -c--a-w c:\documents and settings\Mike\mqdmwhnt.sys
2006-11-25 01:44 4,048 -c--a-w c:\documents and settings\Mike\mqdmcr.sys
2006-11-25 01:44 25,600 -c--a-w c:\documents and settings\Mike\usbsermptxp.sys
2006-11-25 01:44 22,768 -c--a-w c:\documents and settings\Mike\usbsermpt.sys
2006-12-22 20:07 56 --sh--r c:\windows\system32\14CE148FAD.sys
2006-12-22 20:07 6,580 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-09-24 01:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092320080924\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e6019b4f-64ce-431a-9653-e49d7e55a352}]
2008-09-28 11:02 64000 --ahs---- c:\windows\system32\konazuki.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"WindowsLivePhone"="c:\progra~1\MSNMES~1\DEVICE~1\msgrdvmn.exe" [2006-12-04 709440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Itiva Media Accelerator"="c:\program files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe" [2008-06-04 4994288]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]
"gokebiwazi"="c:\windows\system32\hakurevi.dll" [2008-09-28 64000]
"LifeChat"="c:\program files\Microsoft LifeChat\LifeChat.exe" [2007-01-26 259440]
"PMX Daemon"="ICO.EXE" [2006-06-09 c:\windows\system32\ico.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-01-03 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\kesekepe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 18:23 102400 c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--------- 2005-09-15 09:47 57344 c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlccmon.exe]
--a------ 2005-07-22 07:03 425984 c:\program files\Dell Photo AIO Printer 924\dlccmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 14:01 67584 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gokebiwazi]
--ahs---- 2008-09-28 11:02 64000 c:\windows\system32\hakurevi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2005-06-17 07:56 139264 c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-11 15:30 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 15:30 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Itiva Media Accelerator]
--a------ 2008-06-04 17:09 4994288 c:\program files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeChat]
--a------ 2007-01-26 13:31 259440 c:\program files\Microsoft LifeChat\LifeChat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2005-09-08 19:20 8192 c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\progra~1\MSNMES~1\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-07-08 23:57 7110656 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-02-01 08:12 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-12-26 21:20 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 09:18 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
--------- 2005-09-19 07:42 1159168 c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
--------- 2004-08-14 03:42 36864 c:\program files\mobile PhoneTools\WatchDog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsLivePhone]
--a------ 2006-12-04 09:33 709440 c:\progra~1\MSNMES~1\DEVICE~1\msgrdvmn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
--a------ 2005-05-19 11:54 1345520 c:\windows\system32\CTMBHA.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]
--a------ 2006-06-09 12:47 47104 c:\windows\system32\ico.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
--a------ 2004-12-22 19:40 24576 c:\windows\MIDIDEF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-03-22 04:20 339968 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"gusvc"=3 (0x3)
"DSBrokerService"=3 (0x3)
"dlcc_device"=3 (0x3)
"Creative Service for CDROM Access"=3 (0x3)
"Creative Labs Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Itiva\\Itiva Media Accelerator\\ItivaMediaAccelerator.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War Beta\\CoDWaWbeta.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\girls\\Application Data\\MySpace\\IM\\bin\\MySpaceIM.exe"=
"c:\\Program Files\\Intel\\Intel Matrix Storage Manager\\IAANTMon.exe"=
"c:\\WINDOWS\\explorer.exe"=

S3 mamotou;mamotou;c:\windows\system32\DRIVERS\mamotou.sys [2008-07-01 49377]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-07-01 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-08-11 7680]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{024FD5E0-9FAD-494A-8AE5-143B6C6B09F4} - (no file)
BHO-{08F09AE6-A770-4C13-80D5-8307CD6E6CC1} - (no file)
BHO-{0E2523F3-3B32-4B36-A592-D6E4406E248B} - (no file)
BHO-{0E46A419-586E-45CB-ADF3-85D64565732A} - (no file)
BHO-{11343315-C8E0-44C8-9367-66AEB36D0B8B} - (no file)
BHO-{16DB0ED2-300D-4FE2-8703-7D2C08999434} - (no file)
BHO-{1D77037A-3965-482A-BCDA-F3749641106E} - (no file)
BHO-{1ED2B7AF-D185-405E-8692-9622351DF54A} - (no file)
BHO-{2F2979EA-6E36-4EBD-92BB-5588999BC071} - (no file)
BHO-{306846B0-5BB0-402E-A2D7-3742CFDB0BF9} - (no file)
BHO-{315CFAAF-8192-4DDB-BE67-54FC0CC6DF5F} - (no file)
BHO-{38A4EE33-C274-41F6-9FD7-6B7791DA0D1E} - (no file)
BHO-{39D1D1A2-E515-45BA-9B2B-5C4831362E42} - (no file)
BHO-{3DE490CE-732D-45C8-AFC7-8C535CBC3DA7} - (no file)
BHO-{3DF233F0-AA4D-42C8-8BEE-B0B3B126156F} - (no file)
BHO-{497A07E0-D3C3-4288-AC1B-34A420FB43BD} - (no file)
BHO-{4C13C1F5-1F24-438E-8A1F-76BEAB0451B0} - (no file)
BHO-{557F69DE-0B5A-4B78-90BD-B140C29315A6} - (no file)
BHO-{593A6A99-EE8A-41E1-9D24-A6750E32C2B7} - (no file)
BHO-{5A6B1D0E-6F63-4D2D-AC67-87A2B03F6C44} - (no file)
BHO-{5DE539E3-92B5-4100-8B5B-6FDF45E0D1C0} - (no file)
BHO-{624EF74E-EF9A-4C83-B886-DCB0A65F40B3} - (no file)
BHO-{66E88CEF-969B-4BBF-BA36-B7BF32407F6C} - (no file)
BHO-{6B6C0BC1-87DE-495C-BE78-D44B4243BABD} - (no file)
BHO-{84074F03-E62E-4FFF-9AFD-5ED73A6875D3} - (no file)
BHO-{85320ED4-EFF8-43A3-96A1-E3F94CC0E05C} - (no file)
BHO-{8AE4E598-5A24-4876-8B9B-E01F142906BE} - (no file)
BHO-{8BD5CE39-6936-419A-B7CC-E781103A0CC7} - (no file)
BHO-{8BF4FDDE-A89B-4D0D-8CA2-033FE0D29A3E} - c:\windows\system32\cbXQhHXn.dll
BHO-{8D5685F2-BA69-4544-8CE2-F86C1BF31A08} - (no file)
BHO-{8F699ECE-C813-4E7E-AB16-BC5D9F7DFECB} - (no file)
BHO-{a13aa757-7466-4742-be5c-20f8ee305174} - c:\windows\system32\xoopcv.dll
BHO-{B307638C-401F-4FF7-B3A9-BCE9C7239957} - (no file)
BHO-{BA2B7851-F4C1-4D41-8119-E1AFD885F7A8} - (no file)
BHO-{BA725BD7-305B-4C05-AAB5-353A362AB8D8} - (no file)
BHO-{BB0639DE-5490-418F-916F-FD78707F443F} - (no file)
BHO-{BE9847ED-FF4C-4F02-BA6D-D715E894A398} - (no file)
BHO-{C6DE1856-1A4C-4D50-9F64-23E36CFBBA98} - (no file)
BHO-{C727C86C-F337-449A-BFFC-F2757EBE3EED} - (no file)
BHO-{C9C193D5-3192-4FA0-B9AA-5780B2F2500F} - (no file)
BHO-{CB499AD1-AAAF-4F5B-8E66-EC782C209166} - (no file)
BHO-{CBD4B893-F06D-4272-8E34-7803E0B08405} - (no file)
BHO-{D1593092-09F3-4F7F-99BB-7B40EEE516D4} - (no file)
BHO-{D34E4BB8-8B43-4085-A3ED-296AAA9995B3} - (no file)
BHO-{DB0CECE3-381C-4749-AFF2-5BDE6E593CBA} - (no file)
BHO-{E2E6A4C1-6E3A-48B1-9FD1-0A893004354E} - (no file)
BHO-{E37CF69D-06B5-40D4-B432-8DDEC01A057E} - (no file)
BHO-{E89DD0A3-E0AC-4176-A2F0-80FEB50345A1} - (no file)
BHO-{E9E43D73-F61C-4CEF-891E-2FF09C038046} - (no file)
MSConfigStartUp-GetModule32 - c:\program files\GetModule\GetModule32.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_09\bin\jusched.exe
MSConfigStartUp-Uniblue Quick Access - c:\program files\Uniblue\ProcessLibrary\qaccess.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://cadiz.mchsionline.net/community/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79}
Trusted Zone: *.doghq.net

c:\windows\system32\atl.dll - O16 -: {7F8C8173-AD80-4807-AA75-5672F22B4582}
hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37710.cab
c:\windows\Downloaded Program Files\ICSScanner.inf

c:\windows\Downloaded Program Files\zylomgamesplayer.dll - O16 -: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B}
hxxp://game10.zylom.com/activex/zylomgamesplayer.cab
c:\windows\Downloaded Program Files\ZylomGamesPlayer.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 20:26:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\savedump.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\nHancer\nHancerService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-12-28 20:28:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-29 02:28:45

Pre-Run: 95,779,418,112 bytes free
Post-Run: 95,660,900,352 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

329 --- E O F --- 2008-12-18 03:51:15


---------------------------------------------

And the DDS report is attached.

Thanks in advance for the help. Let me know if any more info is needed; I tried to cover most of what I can think of right now.


Bud.
Attached Files
File Type: zip DDS.zip (3.7 KB, 1 views)
File Type: zip Attach.zip (3.6 KB, 1 views)
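The logs in the post above show the persistence points a triage would flag first: two DLLs in AppInit_DLLs (kesekepe.dll and xoopcv.dll, which get loaded into every process that loads user32.dll), a non-standard Winlogon Notify package (pmnoOExx, loaded by winlogon.exe), kesekepe.dll also registered as an LSA Notification Package (loaded by lsass.exe at boot, visible only in the ComboFix section), unnamed BHOs loading from system32 into every IE process, a Run entry that launches a system32 DLL via rundll32, and a wildcard Trusted Zone entry. The following Python script is an added example, not part of the original post and not code from HijackThis or ComboFix. It applies those rules to HijackThis-format lines (O2, O4, O15, O20); the sample lines are copied from the log above, and the Winlogon Notify allow-list is an assumed short list of stock Windows XP packages used for illustration, not an authoritative one.

```python
"""Rule-based triage of HijackThis-format log lines for the persistence points
seen in the post above (added example; not HijackThis or ComboFix code)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied verbatim from the HijackThis log in the post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {024FD5E0-9FAD-494A-8AE5-143B6C6B09F4} - (no file)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\pmnoOExx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: {471503ee-8f02-c5eb-2474-6647757aa31a} - {a13aa757-7466-4742-be5c-20f8ee305174} - C:\WINDOWS\system32\xoopcv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gokebiwazi] Rundll32.exe "C:\WINDOWS\system32\hakurevi.dll",s
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O15 - Trusted Zone: *.doghq.net
O20 - AppInit_DLLs: C:\WINDOWS\system32\kesekepe.dll xoopcv.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: pmnoOExx - C:\WINDOWS\SYSTEM32\pmnoOExx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    kind: str      # HijackThis section the line came from
    detail: str


# Assumed allow-list of stock Windows XP Winlogon notification packages.
# Illustrative only; a real triage would verify the files, not just the names.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "dimsntfy", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon", "WgaLogon",
}

_SYSTEM32_DLL = re.compile(r'\\(?:windows|winnt)\\system32\\[^\\"]+\.dll', re.IGNORECASE)
_BHO = re.compile(r"O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
_RUN = re.compile(r"O4 - (.*?): \[(.*?)\] (.*)$")
_NOTIFY = re.compile(r"O20 - Winlogon Notify: (\S+) - (.*)$")
_GUID = re.compile(r"\{[0-9A-Fa-f-]+\}$")


def _loads_system32_dll(text: str) -> bool:
    """True when the path or command refers to a DLL under %SystemRoot%\\system32."""
    return _SYSTEM32_DLL.search(text) is not None


def triage(log_text: str) -> List[Finding]:
    """Apply the rules from the lead-in to each HijackThis line; other lines are ignored."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O2 - BHO:"):
            m = _BHO.match(line)
            if not m:
                continue
            name, clsid, path = m.groups()
            if path == "(no file)":
                # Orphaned CLSID registration: worth cleaning, but it cannot load anything.
                findings.append(Finding("low", "O2 BHO", f"orphaned BHO registration {clsid}"))
            elif (name == "(no name)" or _GUID.match(name)) and _loads_system32_dll(path):
                # Unnamed or GUID-named BHO loading from system32 is how the
                # pmnoOExx / xoopcv DLLs above get into every IE process.
                findings.append(Finding("high", "O2 BHO", f"unnamed BHO {clsid} loads {path}"))
        elif line.startswith("O4 - "):
            m = _RUN.match(line)
            if m and "rundll32" in m.group(3).lower() and _loads_system32_dll(m.group(3)):
                findings.append(Finding("high", "O4 Run", f"[{m.group(2)}] {m.group(3)}"))
        elif line.startswith("O15 - Trusted Zone:"):
            # Trusted Zone sites get relaxed IE security settings; a wildcard is rarely legitimate.
            findings.append(Finding("medium", "O15 Trusted Zone", line.split(":", 1)[1].strip()))
        elif line.startswith("O20 - AppInit_DLLs:"):
            # Windows splits AppInit_DLLs on spaces and commas, so do the same.
            value = line.split(":", 1)[1].strip()
            dlls = [d for d in re.split(r"[,\s]+", value) if d]
            if dlls:
                findings.append(Finding("high", "O20 AppInit_DLLs",
                                        "loaded into every user32 process: " + ", ".join(dlls)))
        elif line.startswith("O20 - Winlogon Notify:"):
            m = _NOTIFY.match(line)
            if m and m.group(1) not in KNOWN_WINLOGON_NOTIFY and "(file missing)" not in m.group(2):
                findings.append(Finding("high", "O20 Winlogon Notify", f"{m.group(1)} -> {m.group(2)}"))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity so the worst items are handled first."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    order = ("high", "medium", "low")
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"{f.severity:6} {f.kind:22} {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against the full HijackThis section (redirect the text into `triage`) and the high-severity items are exactly the loaders that ComboFix later deleted: pmnoOExx.dll, xoopcv.dll, kesekepe.dll and hakurevi.dll (the last one is still registered under the gokebiwazi Run value in the post-ComboFix output, so it is the first thing the next pass should confirm is gone). The name-based allow-list is the weak point of this approach: a competent implant would register under a stock-looking name, so file hashes or signatures, not names, are what settle it.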