OK, I ran ComboFix. It gave me warnings that Symantec Auto-Protect was on, despite turning off all the auto-protects. Anyway, here's the ComboFix log. Hope it helps. Thanks again.
Spatch
ComboFix 09-07-04.05 - Rick 07/05/2009 6:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1204 [GMT -7:00]
Running from: c:\documents and settings\Rick\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Rick\obrfkm.exe
c:\windows\system32\baselid32.dll
.
((((((((((((((((((((((((( Files Created from 2009-06-05 to 2009-07-05 )))))))))))))))))))))))))))))))
.
2009-07-03 04:20 . 2009-07-03 04:20 1048576 ----a-w- c:\documents and settings\Rick\Application Data\Mozilla\Firefox\Profiles\z1aylvvj.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}-trash\components\IBitCometExtension.dll
2009-07-02 06:17 . 2009-07-02 06:21 -------- d-----w- C:\rei
2009-07-02 06:16 . 2009-07-02 06:17 -------- d-----w- c:\program files\Reimage
2009-06-30 01:03 . 2009-06-30 01:03 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\PC_Drivers_Headquarters
2009-06-30 01:02 . 2009-06-30 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-06-30 01:02 . 2009-06-30 01:02 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2009-06-30 00:25 . 2006-12-01 20:54 626688 -c--a-w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\Windows\winsxs\b2rg91xw.1p4\msvcr80.dll
2009-06-27 16:22 . 2009-06-27 16:23 -------- d-----w- c:\program files\Common Files\Real
2009-06-27 16:20 . 2009-06-27 16:22 -------- d-----w- c:\program files\V CAST Music with Rhapsody
2009-06-27 16:12 . 2009-06-27 16:12 -------- d-----w- c:\program files\LG Electronics
2009-06-27 10:01 . 2009-06-27 10:01 -------- d-----w- c:\program files\MSXML 4.0
2009-06-26 15:05 . 2009-06-26 15:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-26 15:05 . 2009-06-26 15:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-26 14:41 . 2009-07-01 05:41 -------- d-----w- c:\program files\SpyZooka
2009-06-26 14:40 . 2009-06-26 14:42 -------- d-----w- c:\documents and settings\Rick\Application Data\GetRightToGo
2009-06-26 00:42 . 2009-07-03 08:06 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\AskToolbar
2009-06-26 00:34 . 2009-06-26 00:34 -------- d-----w- c:\program files\Ask.com
2009-06-26 00:33 . 2009-06-26 00:33 -------- d-----w- c:\program files\MSSOAP
2009-06-26 00:31 . 2009-06-26 00:31 -------- d-----w- c:\program files\Webroot
2009-06-26 00:29 . 2009-06-26 00:29 164 ----a-w- c:\windows\install.dat
2009-06-25 12:26 . 2009-06-25 12:27 -------- d-----w- c:\program files\TuneUp Utilities 2006
2009-06-25 12:26 . 2009-06-25 12:26 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-06-25 12:25 . 2009-06-25 12:25 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-24 16:58 . 2009-06-24 16:58 29696 ----a-w- c:\windows\system32\eimq.exe
2009-06-23 17:41 . 2009-06-29 17:55 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-23 17:41 . 2009-06-29 17:55 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-23 17:41 . 2009-06-29 17:55 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-23 17:41 . 2009-06-29 17:55 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-23 17:41 . 2009-06-29 17:53 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-23 17:41 . 2009-06-29 17:53 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-23 17:41 . 2009-06-29 17:51 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-06-23 17:41 . 2009-06-29 17:50 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-23 17:41 . 2009-06-29 17:49 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-23 17:41 . 2009-06-29 17:49 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-23 17:41 . 2009-06-30 17:41 2352968 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-23 17:40 . 2009-06-30 17:41 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-23 17:40 . 2009-06-30 17:41 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-23 17:40 . 2009-06-30 17:41 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-11 05:27 . 2009-06-11 05:27 -------- d-----w- c:\program files\iPod
2009-06-11 05:27 . 2009-06-11 05:28 -------- d-----w- c:\program files\iTunes
2009-06-11 05:27 . 2009-06-11 05:28 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-11 05:13 . 2009-06-11 05:14 -------- d-----w- c:\program files\QuickTime
2009-06-11 04:58 . 2009-06-11 04:58 152576 ----a-w- c:\documents and settings\Rick\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-05 13:37 . 2008-10-17 23:10 -------- d-----w- c:\program files\Symantec AntiVirus
2009-07-05 13:34 . 2009-03-11 10:08 7304 ----a-w- c:\windows\TMP0001.TMP
2009-07-05 12:56 . 2008-07-29 06:29 -------- d-----w- c:\program files\EPSON Print CD
2009-07-04 06:57 . 2008-07-31 02:54 -------- d-----w- c:\program files\BitComet
2009-07-04 01:00 . 2009-01-24 10:03 -------- d-----w- c:\program files\Norton Security Scan
2009-06-30 00:28 . 2009-06-30 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-06-30 00:27 . 2009-06-30 00:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-06-30 00:27 . 2009-06-30 00:27 -------- d-----w- c:\program files\Uniblue
2009-06-30 00:27 . 2009-06-30 00:27 -------- d-----w- c:\documents and settings\Rick\Application Data\Uniblue
2009-06-29 17:53 . 2009-05-26 17:41 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-29 17:51 . 2009-05-26 17:41 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-29 17:51 . 2009-05-26 17:41 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-27 16:12 . 2008-07-29 06:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-24 16:36 . 2009-02-28 01:53 -------- d-----w- c:\program files\Vstplugins
2009-06-24 16:34 . 2009-02-28 01:52 -------- d-----w- c:\program files\Sony
2009-06-24 16:26 . 2009-02-28 01:49 -------- d-----w- c:\program files\Sony Setup
2009-06-11 05:27 . 2008-07-30 15:32 -------- d-----w- c:\program files\Common Files\Apple
2009-06-11 05:01 . 2008-12-09 20:09 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-03 16:14 . 2009-06-03 16:14 -------- d-----w- c:\documents and settings\Rick\Application Data\gtk-2.0
2009-06-03 15:57 . 2009-06-03 15:57 -------- d-----w- c:\program files\GIMP-2.0
2009-05-30 19:50 . 2009-05-30 19:50 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-26 17:41 . 2009-05-26 17:41 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-05-26 17:41 . 2009-05-05 20:27 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-26 00:18 . 2009-05-17 06:27 -------- d-----w- c:\program files\ffdshow
2009-05-25 03:03 . 2008-08-11 22:17 -------- d-----w- c:\documents and settings\Rick\Application Data\U3
2009-05-19 13:05 . 2009-05-19 13:05 1380403 ----a-w- c:\windows\system32\avgsdk.dll
2009-05-17 06:39 . 2009-05-17 06:38 81102 ----a-w- c:\windows\system32\ffdshow.reg
2009-05-17 06:21 . 2009-05-17 06:20 -------- d-----w- c:\documents and settings\Rick\Application Data\Media Player Classic
2009-05-17 06:19 . 2009-05-17 06:19 -------- d-----w- c:\program files\Media Player Classic
2009-05-17 06:15 . 2009-05-17 06:15 -------- d-----w- c:\program files\Belarc
2009-05-17 06:11 . 2009-05-17 06:11 -------- d-----w- c:\program files\WinDirStat
2009-05-07 15:32 . 2004-08-04 07:56 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-05 17:39 . 2009-05-05 17:40 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-05-05 17:39 . 2009-05-05 17:39 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-04-29 04:56 . 2004-08-04 07:56 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-04 06:17 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 07:56 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-02-09 22:06 764296 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-08-03 124232]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-30 520024]
"eimq"="c:\windows\system32\eimq.exe" [2009-06-24 29696]
"Reimage PC Booster"="c:\program files\Reimage\Reimage PC Booster\Postrebootexecuter.exe" [2009-06-23 83240]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-31 1622016]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-05-06 405504]
"kmw_run.exe"="kmw_run.exe" - c:\windows\system32\kmw_run.exe [2006-08-03 106496]
c:\documents and settings\Rick\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2008-11-25 728408]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-11-2 565309]
E_SPSU01.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SPSU01.EXE [2008-8-7 52736]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^Rick^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Rick\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\V CAST Music with Rhapsody\\rhapsody.exe"=
"c:\\WINDOWS\\system32\\eimq.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26934:TCP"= 26934:TCP:BitComet 26934 TCP
"26934:UDP"= 26934:UDP:BitComet 26934 UDP
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/5/2009 10:40 AM 64160]
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2/27/2009 7:17 PM 11264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1029456]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/16/2009 9:38 PM 210216]
S3 cpuz128;cpuz128;\??\c:\docume~1\Rick\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\Rick\LOCALS~1\Temp\cpuz_x32.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [11/18/2008 6:36 AM 7808]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [8/2/2004 7:36 PM 173392]
.
Contents of the 'Scheduled Tasks' folder
2009-07-04 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2006\SystemOptimizer.exe [2005-09-22 05:35]
2009-06-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 17:49]
2009-06-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2009-07-04 c:\windows\Tasks\Norton Security Scan for Rick.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 12:18]
2009-07-05 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-02-09 22:06]
.
- - - - ORPHANS REMOVED - - - -
BHO-{CE7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1103472 -Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Rick\Application Data\Mozilla\Firefox\Profiles\z1aylvvj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com/
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&q=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-07-05 06:36
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3868)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\kmw_dll.dll
c:\windows\system32\WOW32.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Maxtor\OneTouch\Utils\SyncServices.exe
c:\windows\system32\nvsvc32.exe
c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\kmw_show.exe
c:\program files\Reimage\Reimage PC Booster\reimageBooster.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\program files\Reimage\Reimage PC Booster\REI_Booster.exe
.
**************************************************************************
.
Completion time: 2009-07-05 6:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-05 13:43
Pre-Run: 190,639,525,888 bytes free
Post-Run: 190,998,470,656 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
243 --- E O F --- 2009-06-27 10:01