Tech Support Forum - View Single Post

neilturpin · 01-19-2009, 08:29 PM

Here are the results to the combofix scan:

ComboFix 09-01-19.03 - Helen 2009-01-20 3

36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.227 [GMT 0:00]
Running from: c:\documents and settings\Helen\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\components\iamfamous.dll
C:\resycled
c:\windows\IE4 Error Log.txt
c:\windows\system32\kdjzp.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.

2009-01-16 00:13 . 2009-01-16 00:13 <DIR> d-------- c:\documents and settings\Helen\Application Data\Canon
2009-01-11 17:25 . 2009-01-11 17:25 <DIR> d-------- c:\program files\Smith Micro
2009-01-11 12:49 . 2009-01-11 12:49 250 --a------ c:\windows\gmer.ini
2009-01-08 23:31 . 2009-01-08 23:31 <DIR> d-------- c:\program files\Common Files\Control Panels
2009-01-08 00:12 . 2009-01-08 00:12 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-01-07 13:35 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-01-07 13:35 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2009-01-07 13:35 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-01-05 22:33 . 2009-01-05 22:33 3,751,995 --a------ c:\windows\system32\GPhotos.scr
2009-01-04 22:50 . 2009-01-04 22:50 <DIR> d-------- c:\program files\Lavasoft
2009-01-04 22:50 . 2009-01-04 22:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-04 22:46 . 2009-01-04 22:46 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-04 22:15 . 2009-01-04 22:15 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-12-27 00:42 . 2009-01-18 16:27 <DIR> d-------- c:\documents and settings\Helen\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-20 02:55 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-20 01:49 --------- d-----w c:\program files\LogMeIn
2009-01-19 20:44 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2009-01-18 07:44 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-01-18 05:28 --------- d-----w c:\documents and settings\Helen\Application Data\Azureus
2009-01-17 21:16 --------- d-----w c:\program files\Common Files\Adobe
2009-01-08 22:54 --------- d-----w c:\program files\MagicISO
2009-01-04 21:10 --------- d-----w c:\program files\Google
2009-01-04 21:08 --------- d-----w c:\program files\MSN Messenger
2009-01-04 21:06 --------- d-----w c:\program files\Common Files\Autodesk Shared
2009-01-04 21:05 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2009-01-04 21:03 --------- d-----w c:\program files\AutoCAD 2007
2009-01-04 20:53 --------- d-----w c:\program files\AutoCAD Architecture 2008
2009-01-04 20:50 --------- d-----w c:\documents and settings\Helen\Application Data\dvdcss
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-10 01:03 --------- d-----w c:\documents and settings\Helen\Application Data\Skype
2008-12-03 11:19 --------- d-----w c:\documents and settings\Helen\Application Data\Autodesk
2008-12-01 01:23 47,640 ----a-w c:\windows\system32\drivers\LMIRfsDriver.sys
2008-11-28 01:57 --------- d-----w c:\program files\MSBuild
2008-11-28 01:52 --------- d-----w c:\program files\Reference Assemblies
2008-11-28 01:20 27,904 ----a-w c:\windows\system32\drivers\ndisprot.sys
2008-11-21 22:43 --------- d-----w c:\program files\Azureus
2008-11-20 23:01 --------- d-----w c:\program files\Autodesk
2008-11-20 22:49 --------- d--h--w c:\documents and settings\All Users\Application Data\CanonBJ
2008-11-20 22:47 --------- d--h--w c:\program files\CanonBJ
2008-11-20 21:53 --------- d-----w c:\program files\3dsmax
2008-04-12 18:19 3,723,256 ----a-w c:\program files\channel4_on_demand.exe
2007-12-12 01:48 1,206,366 ----a-w c:\program files\wrar371.exe
2006-03-16 17:11 148 ----a-w c:\documents and settings\Helen\Application Data\wklnhst.dat
2005-03-16 07:25 79 ----a-w c:\program files\Show Desktop.scf
2004-09-15 17:42 1,597,440 ----a-w c:\documents and settings\Helen\Application Data\SecureTraveler.exe
2007-08-09 12:08 8,784 -c--a-w c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 12:10 245,408 -c--a-w c:\program files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
"PD0620 STISvc"="P0620Pin.dll" [2005-05-10 c:\windows\system32\P0620Pin.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-07-21 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-12-01 01:22 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.jxvd"= JetMPVx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 3.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Device Detector 3.lnk
backup=c:\windows\pss\Device Detector 3.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=c:\windows\pss\Personal Coach.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Helen^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\Helen\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
--a------ 2008-02-27 16:56 1032376 c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2003-10-30 16:46 192512 c:\program files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a------ 2003-01-27 16:16 376912 c:\program files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-01-09 21:59 115816 c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CeEKEY]
--a--c--- 2005-01-21 21:48 675840 c:\program files\TOSHIBA\E-KEY\CeEKey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
--------- 2006-09-28 19:09 700416 c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2005-01-14 01:05 122939 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a------ 2007-11-20 16:40 731136 c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-11-13 15:51 133104 c:\documents and settings\Helen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
--a------ 2005-10-22 23:00 385024 c:\program files\Syncrosoft\POS\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a--c--- 2004-05-12 14:18 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2005-02-16 22:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]
--a--c--- 2004-12-23 18:07 28672 c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2004-11-02 09:03 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2007-11-15 13:11 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
--a------ 2008-02-27 16:56 1032376 c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
--a------ 2007-08-03 14:09 63048 c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MtdAcqu]
-----c--- 2006-03-08 07:56 278528 c:\program files\Creative\MediaSource5\MtdAcqu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a------ 2004-11-17 10:56 1077327 c:\program files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAFEHOME HotKeys]
--a--c--- 2007-03-21 16:59 25088 c:\program files\Steganos Safe Home\SteganosHotKeyService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a--c--- 2002-04-17 09:42 69632 c:\program files\HP\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-10-13 17:52 20067880 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2004-11-15 09:14 118784 c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
--------- 2008-02-20 16:19 356352 c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVPWUTIL]
--a--c--- 2005-02-25 15:59 65536 c:\program files\TOSHIBA\Windows Utilities\SVPWUTIL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
--a------ 2005-03-02 08:56 65536 c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSHIBA Accessibility]
--a--c--- 2004-12-07 21:24 24576 c:\program files\TOSHIBA\Accessibility\FnKeyHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPNF]
--a--c--- 2004-11-29 21:06 53248 c:\program files\TOSHIBA\TouchPad\TPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
--a--c--- 2004-11-12 17:57 73728 c:\program files\TOSHIBA\Tvs\TvsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-----c--- 2005-08-18 10:49 307200 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a--c--- 2004-10-28 14:37 88363 c:\windows\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCtryIOHook]
--a--c--- 2005-02-16 14:43 28672 c:\windows\system32\TCtrlIOHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
--a------ 2005-01-21 08:53 266240 c:\windows\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zooming]
--a--c--- 2004-07-14 16:07 24576 c:\windows\system32\ZoomingHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Helen\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Helen\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\VectorWorks 11\\VectorWorks.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Kontiki\\KHost.exe"=

R1 SLEE_15_DRIVER;Steganos Live Encryption Engine 15 [Driver];c:\windows\system32\drivers\sleen15.sys [2007-02-21 12:33:54 80232]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2007-12-19 33792]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2007-08-30 112688]
R4 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2007-08-03 12856]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-04-01 47640]
S3 L6TportK;Service - Line 6 TonePort KB37;c:\windows\system32\drivers\L6TportK.sys [2007-12-21 514432]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-11-28 27904]
S3 NTPASp50;NTPASp50 NDIS Protocol Driver;c:\windows\system32\drivers\NtpaSp50.sys [2006-07-31 17536]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c9a8a48-f696-11dc-8193-000fb0830519}]
\Shell\AutoRun\command - E:\ClickMe.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34f76e65-ba44-11dd-8270-0012f054c2fe}]
\Shell\AutoRun\command - AutoRun\AutoStart.exe
\Shell\Explore\Command - AutoRun\AutoStart.exe
\Shell\Open\Command - AutoRun\AutoStart.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca44a9e4-44eb-11db-bf45-0011f60504d0}]
\Shell\AutoRun\command - AutoRun\AutoStart.exe
\Shell\Explore\Command - AutoRun\AutoStart.exe
\Shell\Open\Command - AutoRun\AutoStart.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef873fb1-e4cc-11dd-82aa-0012f054c2fe}]
\Shell\AutoRun\command - AutoRun\AutoStart.exe
\Shell\Explore\Command - AutoRun\AutoStart.exe
\Shell\Open\Command - AutoRun\AutoStart.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-01-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3728980726-1084162681-1200691173-1006.job
- c:\documents and settings\Helen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-13 15:51]

2005-07-21 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-14 00:12]

2005-07-21 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-14 00:12]

2005-07-21 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-14 00:12]

2009-01-20 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []

2009-01-19 c:\windows\Tasks\WebReg 20060214203114.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2003-07-07 00:43]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-c:\windows\system32\kdjzp.exe - c:\windows\system32\kdjzp.exe
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-WinUpdater AutoRun - c:\autoprotect\DrvMonitor.exe
MSConfigStartUp-NDSTray - NDSTray.exe
MSConfigStartUp-TFncKy - TFncKy.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: *.line6.net
FF - ProfilePath - c:\documents and settings\Helen\Application Data\Mozilla\Firefox\Profiles\39ulhfrz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ie/
FF - plugin: c:\documents and settings\Helen\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Helen\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 03:12:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3728980726-1084162681-1200691173-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\LMIinit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\DVDRAMSV.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-01-20 3:19:06 - machine was rebooted [Helen]
ComboFix-quarantined-files.txt 2009-01-20 03:18:51

Pre-Run: 7,270,617,088 bytes free
Post-Run: 7,762,128,896 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

336 --- E O F --- 2009-01-15 00:07:21

thanks:)

01-19-2009, 08:29 PM	#6 (permalink)
neilturpin Registered User Join Date: Jan 2009 Posts: 4 OS: xp	Re: Browser search redirecting Here are the results to the combofix scan: ComboFix 09-01-19.03 - Helen 2009-01-20 336.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.227 [GMT 0:00] Running from: c:\documents and settings\Helen\Desktop\ComboFix.exe AV: Norton Internet Security On-access scanning disabled (Outdated) FW: Norton Internet Security disabled * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\Mozilla Firefox\components\iamfamous.dll C:\resycled c:\windows\IE4 Error Log.txt c:\windows\system32\kdjzp.exe . ((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 ))))))))))))))))))))))))))))))) . 2009-01-16 00:13 . 2009-01-16 00:13 <DIR> d-------- c:\documents and settings\Helen\Application Data\Canon 2009-01-11 17:25 . 2009-01-11 17:25 <DIR> d-------- c:\program files\Smith Micro 2009-01-11 12:49 . 2009-01-11 12:49 250 --a------ c:\windows\gmer.ini 2009-01-08 23:31 . 2009-01-08 23:31 <DIR> d-------- c:\program files\Common Files\Control Panels 2009-01-08 00:12 . 2009-01-08 00:12 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2 2009-01-07 13:35 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll 2009-01-07 13:35 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll 2009-01-07 13:35 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui 2009-01-05 22:33 . 2009-01-05 22:33 3,751,995 --a------ c:\windows\system32\GPhotos.scr 2009-01-04 22:50 . 2009-01-04 22:50 <DIR> d-------- c:\program files\Lavasoft 2009-01-04 22:50 . 2009-01-04 22:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft 2009-01-04 22:46 . 2009-01-04 22:46 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2009-01-04 22:15 . 2009-01-04 22:15 <DIR> d-------- c:\program files\Microsoft Silverlight 2008-12-27 00:42 . 2009-01-18 16:27 <DIR> d-------- c:\documents and settings\Helen\Application Data\vlc . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-20 02:55 --------- d-----w c:\documents and settings\All Users\Application Data\avg8 2009-01-20 01:49 --------- d-----w c:\program files\LogMeIn 2009-01-19 20:44 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995 2009-01-18 07:44 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki 2009-01-18 05:28 --------- d-----w c:\documents and settings\Helen\Application Data\Azureus 2009-01-17 21:16 --------- d-----w c:\program files\Common Files\Adobe 2009-01-08 22:54 --------- d-----w c:\program files\MagicISO 2009-01-04 21:10 --------- d-----w c:\program files\Google 2009-01-04 21:08 --------- d-----w c:\program files\MSN Messenger 2009-01-04 21:06 --------- d-----w c:\program files\Common Files\Autodesk Shared 2009-01-04 21:05 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk 2009-01-04 21:03 --------- d-----w c:\program files\AutoCAD 2007 2009-01-04 20:53 --------- d-----w c:\program files\AutoCAD Architecture 2008 2009-01-04 20:50 --------- d-----w c:\documents and settings\Helen\Application Data\dvdcss 2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys 2008-12-10 01:03 --------- d-----w c:\documents and settings\Helen\Application Data\Skype 2008-12-03 11:19 --------- d-----w c:\documents and settings\Helen\Application Data\Autodesk 2008-12-01 01:23 47,640 ----a-w c:\windows\system32\drivers\LMIRfsDriver.sys 2008-11-28 01:57 --------- d-----w c:\program files\MSBuild 2008-11-28 01:52 --------- d-----w c:\program files\Reference Assemblies 2008-11-28 01:20 27,904 ----a-w c:\windows\system32\drivers\ndisprot.sys 2008-11-21 22:43 --------- d-----w c:\program files\Azureus 2008-11-20 23:01 --------- d-----w c:\program files\Autodesk 2008-11-20 22:49 --------- d--h--w c:\documents and settings\All Users\Application Data\CanonBJ 2008-11-20 22:47 --------- d--h--w c:\program files\CanonBJ 2008-11-20 21:53 --------- d-----w c:\program files\3dsmax 2008-04-12 18:19 3,723,256 ----a-w c:\program files\channel4_on_demand.exe 2007-12-12 01:48 1,206,366 ----a-w c:\program files\wrar371.exe 2006-03-16 17:11 148 ----a-w c:\documents and settings\Helen\Application Data\wklnhst.dat 2005-03-16 07:25 79 ----a-w c:\program files\Show Desktop.scf 2004-09-15 17:42 1,597,440 ----a-w c:\documents and settings\Helen\Application Data\SecureTraveler.exe 2007-08-09 12:08 8,784 -c--a-w c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll 2007-08-09 12:10 245,408 -c--a-w c:\program files\mozilla firefox\plugins\unicows.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976] "IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800] "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048] "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl] "PD0620 STISvc"="P0620Pin.dll" [2005-05-10 c:\windows\system32\P0620Pin.dll] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] c:\documents and settings\All Users\Start Menu\Programs\Startup\ RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-07-21 155648] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2008-12-01 01:22 87352 c:\windows\system32\LMIinit.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.jxvd"= JetMPVx.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 3.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Device Detector 3.lnk backup=c:\windows\pss\Device Detector 3.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk backup=c:\windows\pss\Personal Coach.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Helen^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk] path=c:\documents and settings\Helen\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck] c:\windows\system32\dumprep 0 -u [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD] --a------ 2008-02-27 16:56 1032376 c:\program files\Kontiki\KHost.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint] --a------ 2003-10-30 16:46 192512 c:\program files\Apoint2K\Apoint.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD] --a------ 2003-01-27 16:16 376912 c:\program files\BroadJump\Client Foundation\CFD.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] --a------ 2007-01-09 21:59 115816 c:\program files\Common Files\Symantec Shared\ccApp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CeEKEY] --a--c--- 2005-01-21 21:48 675840 c:\program files\TOSHIBA\E-KEY\CeEKey.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe] --------- 2006-09-28 19:09 700416 c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla] --a--c--- 2005-01-14 01:05 122939 c:\windows\system32\dla\tfswctrl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43] --a------ 2007-11-20 16:40 731136 c:\program files\dvd43\DVD43_Tray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update] --a----t- 2008-11-13 15:51 133104 c:\documents and settings\Helen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O] --a------ 2005-10-22 23:00 385024 c:\program files\Syncrosoft\POS\H2O\cledx.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager] --a--c--- 2004-05-12 14:18 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] --a--c--- 2005-02-16 22:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup] --a--c--- 2004-12-23 18:07 28672 c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] --a--c--- 2004-11-02 09:03 155648 c:\windows\system32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a--c--- 2007-11-15 13:11 267048 c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx] --a------ 2008-02-27 16:56 1032376 c:\program files\Kontiki\KHost.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI] --a------ 2007-08-03 14:09 63048 c:\program files\LogMeIn\x86\LogMeInSystray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr] --a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MtdAcqu] -----c--- 2006-03-08 07:56 278528 c:\program files\Creative\MediaSource5\MtdAcqu.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch] --a------ 2004-11-17 10:56 1077327 c:\program files\TOSHIBA\Touch and Launch\PadExe.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2007-11-14 23:43 286720 c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAFEHOME HotKeys] --a--c--- 2007-03-21 16:59 25088 c:\program files\Steganos Safe Home\SteganosHotKeyService.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon] --a--c--- 2002-04-17 09:42 69632 c:\program files\HP\HP Share-to-Web\hpgs2wnd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] --a------ 2006-10-13 17:52 20067880 c:\program files\Skype\Phone\Skype.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView] --a------ 2004-11-15 09:14 118784 c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite] --------- 2008-02-20 16:19 356352 c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVPWUTIL] --a--c--- 2005-02-25 15:59 65536 c:\program files\TOSHIBA\Windows Utilities\SVPWUTIL.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD] --a------ 2005-03-02 08:56 65536 c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSHIBA Accessibility] --a--c--- 2004-12-07 21:24 24576 c:\program files\TOSHIBA\Accessibility\FnKeyHook.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPNF] --a--c--- 2004-11-29 21:06 53248 c:\program files\TOSHIBA\TouchPad\TPTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs] --a--c--- 2004-11-12 17:57 73728 c:\program files\TOSHIBA\Tvs\TvsTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] -----c--- 2005-08-18 10:49 307200 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG] --a--c--- 2004-10-28 14:37 88363 c:\windows\agrsmmsg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCtryIOHook] --a--c--- 2005-02-16 14:43 28672 c:\windows\system32\TCtrlIOHook.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain] --a------ 2005-01-21 08:53 266240 c:\windows\system32\TPSMain.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zooming] --a--c--- 2004-07-14 16:07 24576 c:\windows\system32\ZoomingHook.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"= "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Kontiki\\KService.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Documents and Settings\\Helen\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"= "c:\\Documents and Settings\\Helen\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"= "c:\\Program Files\\VectorWorks 11\\VectorWorks.exe"= "c:\\Program Files\\Azureus\\Azureus.exe"= "c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"= "c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"= "c:\\Program Files\\Autodesk\\Backburner\\manager.exe"= "c:\\Program Files\\Autodesk\\Backburner\\server.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\livecall.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Kontiki\\KHost.exe"= R1 SLEE_15_DRIVER;Steganos Live Encryption Engine 15 [Driver];c:\windows\system32\drivers\sleen15.sys [2007-02-21 12:33:54 80232] R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2007-12-19 33792] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2007-08-30 112688] R4 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2007-08-03 12856] R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-04-01 47640] S3 L6TportK;Service - Line 6 TonePort KB37;c:\windows\system32\drivers\L6TportK.sys [2007-12-21 514432] S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-11-28 27904] S3 NTPASp50;NTPASp50 NDIS Protocol Driver;c:\windows\system32\drivers\NtpaSp50.sys [2006-07-31 17536] S4 LMIRfsClientNP;LMIRfsClientNP; [x] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c9a8a48-f696-11dc-8193-000fb0830519}] \Shell\AutoRun\command - E:\ClickMe.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34f76e65-ba44-11dd-8270-0012f054c2fe}] \Shell\AutoRun\command - AutoRun\AutoStart.exe \Shell\Explore\Command - AutoRun\AutoStart.exe \Shell\Open\Command - AutoRun\AutoStart.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca44a9e4-44eb-11db-bf45-0011f60504d0}] \Shell\AutoRun\command - AutoRun\AutoStart.exe \Shell\Explore\Command - AutoRun\AutoStart.exe \Shell\Open\Command - AutoRun\AutoStart.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef873fb1-e4cc-11dd-82aa-0012f054c2fe}] \Shell\AutoRun\command - AutoRun\AutoStart.exe \Shell\Explore\Command - AutoRun\AutoStart.exe \Shell\Open\Command - AutoRun\AutoStart.exe . Contents of the 'Scheduled Tasks' folder 2009-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57] 2009-01-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3728980726-1084162681-1200691173-1006.job - c:\documents and settings\Helen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-13 15:51] 2005-07-21 c:\windows\Tasks\Registration reminder 1.job - c:\windows\system32\OOBE\oobebaln.exe [2008-04-14 00:12] 2005-07-21 c:\windows\Tasks\Registration reminder 2.job - c:\windows\system32\OOBE\oobebaln.exe [2008-04-14 00:12] 2005-07-21 c:\windows\Tasks\Registration reminder 3.job - c:\windows\system32\OOBE\oobebaln.exe [2008-04-14 00:12] 2009-01-20 c:\windows\Tasks\Symantec NetDetect.job - c:\program files\Symantec\LiveUpdate\NDetect.exe [] 2009-01-19 c:\windows\Tasks\WebReg 20060214203114.job - c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2003-07-07 00:43] . - - - - ORPHANS REMOVED - - - - HKLM-Run-c:\windows\system32\kdjzp.exe - c:\windows\system32\kdjzp.exe MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe MSConfigStartUp-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe MSConfigStartUp-WinUpdater AutoRun - c:\autoprotect\DrvMonitor.exe MSConfigStartUp-NDSTray - NDSTray.exe MSConfigStartUp-TFncKy - TFncKy.exe . ------- Supplementary Scan ------- . uStart Page = hxxp://www.virginmedia.com uInternet Settings,ProxyOverride = .local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 Trusted Zone: .line6.net FF - ProfilePath - c:\documents and settings\Helen\Application Data\Mozilla\Firefox\Profiles\39ulhfrz.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.startup.homepage - hxxp://www.google.ie/ FF - plugin: c:\documents and settings\Helen\Application Data\Mozilla\plugins\npgoogletalk.dll FF - plugin: c:\documents and settings\Helen\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava11.dll FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava12.dll FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava13.dll FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava14.dll FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava32.dll FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll FF - plugin: c:\program files\Java\jre1.5.0\bin\NPOJI610.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-20 03:12:11 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-3728980726-1084162681-1200691173-1006\Software\Microsoft\SystemCertificates\AddressBook] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(740) c:\windows\system32\LMIinit.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Lavasoft\Ad-Aware\aawservice.exe c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe c:\windows\system32\CTSVCCDA.EXE c:\windows\system32\DVDRAMSV.exe c:\program files\LogMeIn\x86\ramaint.exe c:\program files\LogMeIn\x86\LogMeIn.exe c:\program files\LogMeIn\x86\LMIGuardian.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe c:\windows\system32\wscntfy.exe c:\windows\system32\rundll32.exe . ************************************************************************* . Completion time: 2009-01-20 3:19:06 - machine was rebooted [Helen] ComboFix-quarantined-files.txt 2009-01-20 03:18:51 Pre-Run: 7,270,617,088 bytes free Post-Run: 7,762,128,896 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect 336 --- E O F --- 2009-01-15 00:07:21 thanks:)