Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
#1 - 11-05-2008, 07:39 PM - kokleman (Registered User; Join Date: Nov 2008; Posts: 17; OS: xp)

Sound clips playing every 30 seconds

Every 30 seconds or so I get voice clips saying "Who doesn't want free stuff? Click here to get it now!" or "You've won a $1000 dollar gift card, click here", or it's just a beeping noise that goes on for 10-15 seconds.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:41 PM, on 11/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Razer\Tarantula\razerhid.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\Program Files\Razer\Tarantula\razertra.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\rm6lMh37.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rm6lMh37.exe
C:\WINDOWS\system32\rm6lMh37.exe
C:\WINDOWS\system32\rm6lMh37.exe
C:\WINDOWS\system32\rm6lMh37.exe
C:\Program Files\Ventrilo\Ventrilo.exe
c:\program files\valve\steam\steamapps\redman27678\counter-strike\hl.exe
C:\program files\valve\steam\GameOverlayUI.exe
C:\WINDOWS\system32\rm6lMh37.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=6071210
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/dell?hl=en&...us&ibd=6071210
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=6071210
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tarantula] C:\Program Files\Razer\Tarantula\razerhid.exe
O4 - HKLM\..\Run: [CM108Sound] RunDll32 CM108.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1215755931595
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoToAssist - Unknown owner - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 9054 bytes
#2 - 11-08-2008, 06:53 PM - tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team; Join Date: Jan 2005; Location: Transylvania County, North Carolina, USA; Posts: 35,155; OS: 2000 Pro; XP Pro; XP Home)

Re: Sound clips playing every 30 seconds

Hello and Welcome.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

---------------------------------------------------------------------------------------------

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/secu...oval-help.html

After running through all the steps, you shall have a proper set of logs. Please post them.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
#3 - 11-10-2008, 12:29 PM - Registered User (Join Date: Nov 2008; Posts: 17; OS: xp)

Re: Sound clips playing every 30 seconds

Logfile of random's system information tool 1.04 (written by random/random)
Run by Lucien at 2008-11-10 13:15:25
Microsoft Windows XP Professional Service Pack 3
System drive C: has 171 GB (73%) free of 234 GB
Total RAM: 2045 MB (64% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:30 PM, on 11/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Razer\Tarantula\razerhid.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Razer\Tarantula\razertra.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rm6lMh37.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Documents and Settings\Lucien\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Lucien.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/dell?hl=en&...us&ibd=6071210
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=6071210
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {61963761-8dfa-43bf-9237-ed0fb6368c5b} - C:\WINDOWS\system32\bezuyiza.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tarantula] C:\Program Files\Razer\Tarantula\razerhid.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [kefijihebi] Rundll32.exe "C:\WINDOWS\system32\rupetapa.dll",s
O4 - HKLM\..\Run: [2864debc] rundll32.exe "C:\WINDOWS\system32\kewowupa.dll",b
O4 - HKLM\..\Run: [CPM2b57ed20] Rundll32.exe "c:\windows\system32\tazeyubo.dll",a
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [kefijihebi] Rundll32.exe "C:\WINDOWS\system32\rupetapa.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [kefijihebi] Rundll32.exe "C:\WINDOWS\system32\rupetapa.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1215755931595
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\yeneriho.dll c:\windows\system32\tazeyubo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tazeyubo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tazeyubo.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoToAssist - Unknown owner - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 9385 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At30.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At40.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 440384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-07-07 1562448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{61963761-8dfa-43bf-9237-ed0fb6368c5b}]
C:\WINDOWS\system32\bezuyiza.dll [2008-08-07 60928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 440384]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-05-02 13529088]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2007-04-12 282624]
"RoxioDragToDisc"=C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe [2006-08-17 1116920]
"PDVDDXSrv"=C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [2006-10-20 118784]
"pccguide.exe"=C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe [2006-11-21 1807960]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2006-10-03 81920]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2006-10-03 221184]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-09-29 67584]
"ECenter"=C:\Dell\E-Center\EULALauncher.exe [2007-05-24 17920]
"DeathAdder"=C:\Program Files\Razer\DeathAdder\razerhid.exe [2007-09-07 159744]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-05-02 86016]
"Tarantula"=C:\Program Files\Razer\Tarantula\razerhid.exe [2006-09-30 176128]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-09-03 111936]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-09-08 289576]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"kefijihebi"=C:\WINDOWS\system32\rupetapa.dll [2008-08-07 60928]
"2864debc"=C:\WINDOWS\system32\kewowupa.dll [2008-11-09 86580]
"CPM2b57ed20"=c:\windows\system32\tazeyubo.dll [2008-11-10 92212]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Steam"=c:\program files\valve\steam\steam.exe [2008-10-07 1410296]
"EasyLinkAdvisor"=C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe [2007-03-15 454784]
"OE_OEM"=C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe [2006-08-04 321040]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\DellSupport\DSAgnt.exe [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [2006-11-05 221184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\yeneriho.dll c:\windows\system32\tazeyubo.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tazeyubo.dll [2008-11-10 92212]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tazeyubo.dll [2008-11-10 92212]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\yeneriho.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\World of Warcraft\WoW-2.4.0.8089-to-2.4.1.8125-enUS-downloader.exe"="C:\Program Files\World of Warcraft\WoW-2.4.0.8089-to-2.4.1.8125-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\Valve\Steam\SteamApps\redman27678\condition zero\hl.exe"="C:\Program Files\Valve\Steam\SteamApps\redman27678\condition zero\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"C:\Program Files\Valve\Steam\SteamApps\redman27678\counter-strike\hl.exe"="C:\Program Files\Valve\Steam\SteamApps\redman27678\counter-strike\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\Valve\Steam\SteamApps\redman27678\counter-strike source\hl2.exe"="C:\Program Files\Valve\Steam\SteamApps\redman27678\counter-strike source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\World of Warcraft\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"="C:\Program Files\World of Warcraft\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:iexplore"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\Program Files\iPod\bin\iPodService.exe"="C:\Program Files\iPod\bin\iPodService.exe:*:Enabled:iPodService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
shell\AutoRun\command - E:\setup.exe


======List of files/folders created in the last 1 months======

2008-11-10 13:15:25 ----D---- C:\rsit
2008-11-10 13:04:18 ----A---- C:\WINDOWS\gmer.ini
2008-11-10 13:04:17 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2008-11-10 13:04:17 ----A---- C:\WINDOWS\gmer.exe
2008-11-10 13:04:17 ----A---- C:\WINDOWS\gmer.dll
2008-11-10 12:59:44 ----SH---- C:\WINDOWS\system32\iruharap.ini
2008-11-09 21:13:29 ----SH---- C:\WINDOWS\system32\ugorutim.ini
2008-11-09 09:13:36 ----SH---- C:\WINDOWS\system32\apuwowek.ini
2008-11-08 19:50:37 ----SH---- C:\WINDOWS\system32\upalohuh.ini
2008-11-08 18:00:39 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-11-08 17:52:00 ----SHD---- C:\RECYCLER
2008-11-08 17:51:01 ----D---- C:\Program Files\Yahoo!
2008-11-06 18:13:44 ----A---- C:\WINDOWS\system32\to3nOj04.dll
2008-11-06 16:13:46 ----A---- C:\WINDOWS\system32\rm6lMh37.exe.a_a
2008-11-06 15:50:56 ----D---- C:\WINDOWS\temp
2008-11-06 15:50:56 ----A---- C:\ComboFix.txt
2008-11-06 15:47:05 ----A---- C:\Boot.bak
2008-11-06 15:46:57 ----RASHD---- C:\cmdcons
2008-11-06 15:45:57 ----A---- C:\WINDOWS\zip.exe
2008-11-06 15:45:57 ----A---- C:\WINDOWS\VFIND.exe
2008-11-06 15:45:57 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-11-06 15:45:57 ----A---- C:\WINDOWS\SWSC.exe
2008-11-06 15:45:57 ----A---- C:\WINDOWS\SWREG.exe
2008-11-06 15:45:57 ----A---- C:\WINDOWS\sed.exe
2008-11-06 15:45:57 ----A---- C:\WINDOWS\NIRCMD.exe
2008-11-06 15:45:57 ----A---- C:\WINDOWS\grep.exe
2008-11-06 15:45:57 ----A---- C:\WINDOWS\fdsv.exe
2008-11-06 15:45:54 ----D---- C:\WINDOWS\ERDNT
2008-11-06 15:45:54 ----D---- C:\Qoobox
2008-11-06 15:45:54 ----D---- C:\ComboFix
2008-11-02 10:00:06 ----D---- C:\Program Files\Adobe
2008-11-02 09:59:51 ----SHD---- C:\Config.Msi
2008-11-02 03:14:23 ----A---- C:\WINDOWS\system32\rm6lMh37.exe_
2008-11-02 03:14:23 ----A---- C:\WINDOWS\system32\rm6lMh37.exe
2008-10-30 19:18:41 ----A---- C:\WINDOWS\system32\mst120.dll
2008-10-23 16:21:27 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-10-14 18:00:42 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-14 18:00:39 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-14 18:00:37 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-14 18:00:33 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-14 18:00:29 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-10-14 17:59:32 ----HDC---- C:\WINDOWS\$NtUninstallKB956390$
2008-10-14 16:39:08 ----D---- C:\Documents and Settings\All Users\Application Data\Blizzard

======List of files/folders modified in the last 1 months======

2008-11-10 13:12:50 ----D---- C:\WINDOWS\system32
2008-11-10 13:12:50 ----D---- C:\WINDOWS\Prefetch
2008-11-10 13:10:35 ----D---- C:\Program Files\Mozilla Firefox
2008-11-10 13:04:18 ----D---- C:\WINDOWS
2008-11-10 13:04:17 ----D---- C:\WINDOWS\system32\drivers
2008-11-10 13:03:21 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-10 12:59:42 ----ASH---- C:\WINDOWS\system32\tazeyubo.dll
2008-11-10 12:59:40 ----ASH---- C:\WINDOWS\system32\parahuri.dll
2008-11-10 12:59:37 ----D---- C:\MDT
2008-11-10 12:59:28 ----D---- C:\WINDOWS\Registration
2008-11-09 22:30:13 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-09 22:30:02 ----D---- C:\Documents and Settings\Lucien\Application Data\mIRC
2008-11-09 21:13:29 ----ASH---- C:\WINDOWS\system32\kamukufo.dll
2008-11-09 21:13:28 ----ASH---- C:\WINDOWS\system32\miturogu.dll
2008-11-09 16:15:31 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-09 16:01:42 ----D---- C:\Program Files\mIRC
2008-11-09 09:13:34 ----N---- C:\WINDOWS\system32\kewowupa.dll
2008-11-09 09:13:34 ----ASH---- C:\WINDOWS\system32\dijineho.dll
2008-11-08 19:50:28 ----ASH---- C:\WINDOWS\system32\gobewowi.dll
2008-11-08 19:50:27 ----N---- C:\WINDOWS\system32\huholapu.dll
2008-11-08 17:54:32 ----RD---- C:\Program Files
2008-11-08 17:52:09 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-08 07:50:14 ----ASH---- C:\WINDOWS\system32\wejuwava.dll
2008-11-07 23:52:43 ----D---- C:\Program Files\World of Warcraft
2008-11-07 16:18:52 ----ASH---- C:\WINDOWS\system32\malaruwo.dll
2008-11-06 15:50:13 ----N---- C:\WINDOWS\system.ini
2008-11-06 15:49:17 ----D---- C:\WINDOWS\AppPatch
2008-11-06 15:49:17 ----D---- C:\Program Files\Common Files
2008-11-06 15:47:05 ----RASH---- C:\boot.ini
2008-11-05 20:27:49 ----D---- C:\Program Files\Trend Micro
2008-11-02 10:00:39 ----SHD---- C:\WINDOWS\Installer
2008-11-02 10:00:19 ----D---- C:\Program Files\Common Files\Adobe
2008-11-02 10:00:16 ----D---- C:\WINDOWS\WinSxS
2008-11-02 10:00:13 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-11-01 10:17:20 ----D---- C:\Documents and Settings\Lucien\Application Data\LimeWire
2008-10-31 14:59:18 ----HD---- C:\WINDOWS\inf
2008-10-28 1450 ----D---- C:\WINDOWS\Minidump
2008-10-23 16:21:29 ----RSHD---- C:\WINDOWS\system32\dllcache
2008-10-23 16:21:21 ----HD---- C:\WINDOWS\$hf_mig$
2008-10-21 14:02:11 ----D---- C:\Program Files\Microsoft Silverlight
2008-10-15 15:11:12 ----D---- C:\WINDOWS\Debug
2008-10-15 10:34:24 ----A---- C:\WINDOWS\system32\netapi32.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 APPDRV;APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [2005-08-12 16128]
R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2006-08-11 12920]
R1 DLARTL_M;DLARTL_M; C:\WINDOWS\System32\Drivers\DLARTL_M.SYS [2006-08-11 28184]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 tmtdi;Trend Micro TDI Driver; C:\WINDOWS\system32\DRIVERS\tmtdi.sys [2006-11-09 73288]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 DLABMFSM;DLABMFSM; C:\WINDOWS\System32\DLA\DLABMFSM.SYS [2006-08-18 35096]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2006-08-18 32472]
R2 DLADResM;DLADResM; C:\WINDOWS\System32\DLA\DLADResM.SYS [2006-08-18 9400]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2006-08-18 104472]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2006-08-18 26008]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2006-08-18 14520]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2006-08-18 97848]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2006-08-18 94648]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2006-08-11 51768]
R2 dsunidrv;DellSupport UniDriver; C:\WINDOWS\system32\DRIVERS\dsunidrv.sys [2007-02-25 5376]
R2 elagopro;GoProto Protocol Driver for LELA; C:\WINDOWS\system32\DRIVERS\elagopro.sys [2007-03-22 28672]
R2 elaunidr;UniDriver for LELA; C:\WINDOWS\system32\DRIVERS\elaunidr.sys [2007-03-22 5376]
R2 tmpreflt;tmpreflt; C:\WINDOWS\system32\DRIVERS\tmpreflt.sys [2008-08-16 36368]
R2 tmxpflt;tmxpflt; C:\WINDOWS\system32\drivers\TmXPFlt.sys [2008-08-16 205328]
R2 vsapint;vsapint; C:\WINDOWS\system32\DRIVERS\vsapint.sys [2008-08-16 1195448]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2007-04-25 160256]
R3 CM1083264;C-Media CM108 Like Sound UDAX Interface; C:\WINDOWS\system32\drivers\CM108.sys [2006-12-21 1294336]
R3 DAdderFltr;DeathAdder Mouse; C:\WINDOWS\system32\drivers\dadder.sys [2007-08-02 22784]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-05-02 6554496]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2007-04-12 1171464]
R3 TarFltr;Razer Tarantula USB Keyboard; C:\WINDOWS\System32\Drivers\UsbFltr.sys [2006-09-27 44800]
R3 tmcfw;Trend Micro Common Firewall Service; C:\WINDOWS\system32\DRIVERS\TM_CFW.sys [2006-11-09 280392]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
S1 OMCI;OMCI; \??\C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS []
S2 zumbus;Zune Bus Enumerator Driver; C:\WINDOWS\system32\DRIVERS\zumbus.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 DSproct;DSproct; \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys []
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-11-10 85969]
S3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys []
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 USB_RNDIS;USB Remote NDIS Network Device Driver; C:\WINDOWS\system32\DRIVERS\usb8023.sys [2008-04-13 12800]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 Wdf01000;Kernel Mode Driver Frameworks service; C:\WINDOWS\System32\Drivers\wdf01000.sys [2008-03-27 503008]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-09-05 116040]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2006-10-09 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-05-02 159812]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-09-08 536872]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S2 PcCtlCom;Trend Micro Central Control Component; C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe [2008-05-19 1475936]
S2 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2006-11-05 159744]
S2 Tmntsrv;Trend Micro Real-time Service; C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2007-11-08 345696]
S2 TmPfw;Trend Micro Personal Firewall; C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe [2006-11-09 923216]
S2 tmproxy;Trend Micro Proxy Service; C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe [2006-11-09 566872]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
S3 DSBrokerService;DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [2007-03-19 70656]
S3 GoToAssist;GoToAssist; C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe Start=service []
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2006-11-05 880640]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2006-09-14 73728]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------
Attached Files: info.txt (45.6 KB), Gmer.txt (2.4 KB)
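The RSIT listing above shows a pattern worth pulling out of the raw log: files appearing in system32 with the System+Hidden attributes and eight-letter names that alternate vowel and consonant (iruharap.ini, tazeyubo.dll, kewowupa.dll), alongside eight-character mixed-case alphanumeric names (to3nOj04.dll). The script below is an added example, not part of the original post or of RSIT; it parses RSIT "files created/modified" lines and scores each system32 file against those two naming heuristics and the attribute flags. The heuristics are an assumption derived only from the names in this log, so treat a hit as something to look at, not as a verdict.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Sample lines copied from the RSIT log above (the garbled Minidump line is kept
# on purpose to show how unparseable lines are skipped).
SAMPLE_LINES = [
    r"2008-11-10 12:59:44 ----SH---- C:\WINDOWS\system32\iruharap.ini",
    r"2008-11-09 21:13:29 ----SH---- C:\WINDOWS\system32\ugorutim.ini",
    r"2008-11-06 18:13:44 ----A---- C:\WINDOWS\system32\to3nOj04.dll",
    r"2008-11-10 13:03:21 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI",
    r"2008-11-10 12:59:42 ----ASH---- C:\WINDOWS\system32\tazeyubo.dll",
    r"2008-11-09 09:13:34 ----N---- C:\WINDOWS\system32\kewowupa.dll",
    r"2008-10-15 10:34:24 ----A---- C:\WINDOWS\system32\netapi32.dll",
    r"2008-11-10 13:04:17 ----A---- C:\WINDOWS\gmer.dll",
    r"2008-11-06 15:46:57 ----RASHD---- C:\cmdcons",
    r"2008-10-28 1450 ----D---- C:\WINDOWS\Minidump",
]

# One RSIT line: date, time, a dash-padded attribute block (A, S, H, D, R, N, C), path.
_LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) -+([A-Z]*)-+ (.+?)\s*$")
# Heuristic 1 (assumed from this log): eight lowercase letters alternating
# vowel/consonant, starting with either (iruharap, tazeyubo, kewowupa).
_V, _C = "[aeiou]", "[b-df-hj-np-tv-z]"
_ALTERNATING_RE = re.compile(rf"^(?:(?:{_V}{_C}){{4}}|(?:{_C}{_V}){{4}})$")
# Heuristic 2 (assumed from this log): eight alphanumerics mixing digits,
# upper and lower case (to3nOj04, rm6lMh37, 13H8MJt4).
_MIXED_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{8}$")


@dataclass
class Entry:
    date: str
    time: str
    attrs: str
    path: str


def parse_rsit_line(line: str) -> Optional[Entry]:
    """Parse one RSIT file line; return None for headers or garbled lines."""
    m = _LINE_RE.match(line)
    return Entry(*m.groups()) if m else None


def in_system32(path: str) -> bool:
    """True only for files directly under a ...\\system32 directory."""
    parent = path.lower().rsplit("\\", 1)[0]
    return parent.endswith("\\system32")


def stem_and_ext(path: str) -> Tuple[str, str]:
    name = path.rsplit("\\", 1)[-1]
    stem, _, ext = name.rpartition(".")
    return (stem, ext.lower()) if stem else (name, "")


def suspicion_reasons(e: Entry) -> List[str]:
    """Return the list of reasons a system32 file looks suspicious (empty if none)."""
    reasons: List[str] = []
    if "D" in e.attrs or not in_system32(e.path):
        return reasons  # directories and files elsewhere are not scored here
    stem, ext = stem_and_ext(e.path)
    if "S" in e.attrs and "H" in e.attrs:
        reasons.append("system+hidden attributes on a system32 file")
    if ext in {"ini", "dll", "exe"} and _ALTERNATING_RE.match(stem):
        reasons.append("8-letter alternating vowel/consonant name")
    if ext in {"dll", "exe"} and _MIXED_RE.match(stem):
        reasons.append("8-char mixed-case alphanumeric name")
    return reasons


def find_suspicious(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Run the heuristics over RSIT lines and return (path, reasons) for each hit."""
    hits = []
    for line in lines:
        e = parse_rsit_line(line)
        if e is None:
            continue
        reasons = suspicion_reasons(e)
        if reasons:
            hits.append((e.path, reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in find_suspicious(SAMPLE_LINES):
        print(f"{path}: {'; '.join(reasons)}")
```

Run against the full info.txt, the same function flags every one of the paired .ini/.dll files listed in the created/modified sections while leaving netapi32.dll, PerfStringBackup.INI and the GMER files alone, which is the split a helper would want before writing a removal script.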
11-10-2008, 01:17 PM   #4
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,155
OS: 2000 Pro; XP Pro; XP Home


Re: Sound clips playing every 30 seconds

It appears as though you've recently run ComboFix. ComboFix should not be run unless instructed to by a trained helper.

Since you have, please post its log, located at C:\ComboFix.txt
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
11-10-2008, 02:23 PM   #5
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: xp


Re: Sound clips playing every 30 seconds

My apologies, I was not aware of that rule.

ComboFix 08-11-05.02 - Lucien 2008-11-06 15:48:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1524 [GMT -6:00]
Running from: c:\documents and settings\Lucien\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\rm6lMh37.exe.a_a
c:\windows\system32\to3nOj04.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-06 to 2008-11-06 )))))))))))))))))))))))))))))))
.

2008-11-02 03:14 . 2008-11-05 15:11 41,474 --a------ c:\windows\system32\rm6lMh37.exe_
2008-11-02 03:14 . 2008-11-05 16:11 41,474 --a------ c:\windows\system32\rm6lMh37.exe
2008-10-30 19:18 . 2008-10-30 19:18 7,704 --a------ c:\windows\system32\mst120.dll
2008-10-23 15:03 . 2008-10-15 10:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-14 16:39 . 2008-10-14 16:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2008-10-14 13:16 . 2008-08-14 04:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-14 13:16 . 2008-08-14 04:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-14 13:16 . 2008-08-14 03:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-14 13:16 . 2008-08-14 03:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-14 13:16 . 2008-09-15 06:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-14 13:16 . 2008-09-08 04:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-08 11:14 . 2008-10-08 11:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-08 11:14 . 2008-09-09 23:04 38,528 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-08 11:14 . 2008-09-09 23:03 17,200 --a------ c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-06 02:27 --------- d-----w c:\program files\Trend Micro
2008-11-04 21:50 --------- d-----w c:\program files\World of Warcraft
2008-11-02 16:00 --------- d-----w c:\program files\Common Files\Adobe
2008-11-01 16:17 --------- d-----w c:\documents and settings\Lucien\Application Data\LimeWire
2008-10-31 01:39 --------- d-----w c:\documents and settings\Lucien\Application Data\mIRC
2008-10-31 01:25 --------- d-----w c:\program files\mIRC
2008-10-30 21:06 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-24 02:16 336 ----a-w c:\documents and settings\Lucien\Application Data\wklnhst.dat
2008-10-21 20:02 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-04 18:42 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-03 02:01 --------- d-----w c:\documents and settings\Lucien\Application Data\Template
2008-10-02 22:52 --------- d-----w c:\program files\CCleaner
2008-10-02 22:49 --------- d-----w c:\documents and settings\Lucien\Application Data\Malwarebytes
2008-10-02 22:49 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-02 21:03 --------- d-----w c:\documents and settings\NetworkService\Application Data\Skype
2008-09-20 20:13 30,272 ----a-w c:\windows\system32\13H8MJt4.exe
2008-09-20 13:31 24 ----a-w c:\documents and settings\Lucien\jagex_runescape_preferences.dat
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-11 22:26 --------- d-----w c:\program files\iTunes
2008-09-11 22:26 --------- d-----w c:\program files\iPod
2008-09-11 22:26 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-11 22:25 --------- d-----w c:\program files\QuickTime
2008-09-11 22:25 --------- d-----w c:\program files\Common Files\Apple
2008-09-11 22:25 --------- d-----w c:\program files\Bonjour
2008-09-09 20:50 --------- d-----w c:\program files\Microsoft Works
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2008-09-07 05:39 --------- d-----w c:\program files\SwiftKit
2008-08-29 15:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 14:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
2008-08-20 05:30 666,112 ------w c:\windows\system32\dllcache\wininet.dll
2008-08-20 05:30 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
2008-08-20 05:30 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-20 05:30 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w c:\windows\system32\dllcache\afd.sys
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-12-16 16:58 60,968 ----a-w c:\documents and settings\Lucien\GoToAssistDownloadHelper.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2008-10-07 1410296]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"Tarantula"="c:\program files\Razer\Tarantula\razerhid.exe" [2006-09-30 176128]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-08 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SigmatelSysTrayApp"="stsystra.exe" [2007-04-12 c:\windows\stsystra.exe]
"nwiz"="nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-24 218496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 12:09 460784 c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-11-05 11:22 221184 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.0.8089-to-2.4.1.8125-enUS-downloader.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\redman27678\\condition zero\\hl.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\redman27678\\counter-strike\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\redman27678\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader
"6881:TCP"= 6881:TCP:Blizzard Downloader

R1 DLARTL_M;DLARTL_M;c:\windows\system32\Drivers\DLARTL_M.SYS [2006-08-11 28184]
R3 CM1083264;C-Media CM108 Like Sound UDAX Interface;c:\windows\system32\drivers\CM108.sys [2006-12-21 1294336]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-08-02 22784]
R3 TarFltr;Razer Tarantula USB Keyboard;c:\windows\system32\Drivers\UsbFltr.sys [2006-09-27 44800]
S2 zumbus;Zune Bus Enumerator Driver;c:\windows\system32\DRIVERS\zumbus.sys [ ]
S3 GoToAssist;GoToAssist;c:\program files\Citrix\GoToAssist\480\g2aservice.exe Start=service [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-09-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-02 c:\windows\Tasks\At1.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-01 c:\windows\Tasks\At10.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At11.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At12.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At13.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At14.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At15.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-05 c:\windows\Tasks\At16.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-05 c:\windows\Tasks\At17.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-05 c:\windows\Tasks\At18.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-06 c:\windows\Tasks\At19.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At2.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-06 c:\windows\Tasks\At20.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-06 c:\windows\Tasks\At21.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-06 c:\windows\Tasks\At22.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-05 c:\windows\Tasks\At23.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At24.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At25.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At26.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At27.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At28.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At29.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At3.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At30.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-10-02 c:\windows\Tasks\At31.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-10-02 c:\windows\Tasks\At32.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-10-02 c:\windows\Tasks\At33.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-01 c:\windows\Tasks\At34.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At35.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At36.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At37.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At38.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At39.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At4.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-05 c:\windows\Tasks\At40.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-05 c:\windows\Tasks\At41.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-05 c:\windows\Tasks\At42.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-06 c:\windows\Tasks\At43.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-06 c:\windows\Tasks\At44.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-06 c:\windows\Tasks\At45.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-06 c:\windows\Tasks\At46.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-05 c:\windows\Tasks\At47.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At48.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At5.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At6.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-10-02 c:\windows\Tasks\At7.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-10-02 c:\windows\Tasks\At8.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-10-02 c:\windows\Tasks\At9.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKLM-Run-CM108Sound - CM108.cpl
Notify-GoToAssist - c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
MSConfigStartUp-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Lucien\Application Data\Mozilla\Firefox\Profiles\cyv1ncpy.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.aol.com/?src=aim
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-06 15:50:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Lucien\LOCALS~1\Temp\RGI26.tmp

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-11-06 15:50:55
ComboFix-quarantined-files.txt 2008-11-06 21:50:41

Pre-Run: 178,902,425,600 bytes free
Post-Run: 179,082,887,168 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

285 --- E O F --- 2008-10-23 22:21:32
11-10-2008, 03:31 PM   #6
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,155
OS: 2000 Pro; XP Pro; XP Home


Re: Sound clips playing every 30 seconds

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Using Internet Explorer, Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As. Save it to your desktop, or somewhere you can find it easily.
    Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

    Spybot S&D's TeaTimer

    While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent our tools from fixing certain things.
    Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
    • Open Spybot Search & Destroy.
    • In the Mode menu click "Advanced mode" if not already selected.
    • Choose "Yes" at the Warning prompt.
    • Expand the "Tools" menu.
    • Click "Resident".
    • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
    • In the File menu click "Exit" to exit Spybot Search & Destroy.
    • See this link for a tutorial


  3. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/hijackthis-log-help/309931-sound-clips-playing-every-30-seconds.html#post1796315

    File::
    C:\WINDOWS\tasks\At1.job
    C:\WINDOWS\tasks\At10.job
    C:\WINDOWS\tasks\At11.job
    C:\WINDOWS\tasks\At12.job
    C:\WINDOWS\tasks\At13.job
    C:\WINDOWS\tasks\At14.job
    C:\WINDOWS\tasks\At15.job
    C:\WINDOWS\tasks\At16.job
    C:\WINDOWS\tasks\At17.job
    C:\WINDOWS\tasks\At18.job
    C:\WINDOWS\tasks\At19.job
    C:\WINDOWS\tasks\At2.job
    C:\WINDOWS\tasks\At20.job
    C:\WINDOWS\tasks\At21.job
    C:\WINDOWS\tasks\At22.job
    C:\WINDOWS\tasks\At23.job
    C:\WINDOWS\tasks\At24.job
    C:\WINDOWS\tasks\At25.job
    C:\WINDOWS\tasks\At26.job
    C:\WINDOWS\tasks\At27.job
    C:\WINDOWS\tasks\At28.job
    C:\WINDOWS\tasks\At29.job
    C:\WINDOWS\tasks\At3.job
    C:\WINDOWS\tasks\At30.job
    C:\WINDOWS\tasks\At31.job
    C:\WINDOWS\tasks\At32.job
    C:\WINDOWS\tasks\At33.job
    C:\WINDOWS\tasks\At34.job
    C:\WINDOWS\tasks\At35.job
    C:\WINDOWS\tasks\At36.job
    C:\WINDOWS\tasks\At37.job
    C:\WINDOWS\tasks\At38.job
    C:\WINDOWS\tasks\At39.job
    C:\WINDOWS\tasks\At4.job
    C:\WINDOWS\tasks\At40.job
    C:\WINDOWS\tasks\At41.job
    C:\WINDOWS\tasks\At42.job
    C:\WINDOWS\tasks\At43.job
    C:\WINDOWS\tasks\At44.job
    C:\WINDOWS\tasks\At45.job
    C:\WINDOWS\tasks\At46.job
    C:\WINDOWS\tasks\At47.job
    C:\WINDOWS\tasks\At48.job
    C:\WINDOWS\tasks\At5.job
    C:\WINDOWS\tasks\At6.job
    C:\WINDOWS\tasks\At7.job
    C:\WINDOWS\tasks\At8.job
    C:\WINDOWS\tasks\At9.job
    C:\WINDOWS\system32\iruharap.ini
    C:\WINDOWS\system32\ugorutim.ini
    C:\WINDOWS\system32\apuwowek.ini
    C:\WINDOWS\system32\upalohuh.ini


    Collect::
    C:\WINDOWS\system32\rm6lMh37.exe.a_a
    C:\WINDOWS\system32\rm6lMh37.exe_
    C:\WINDOWS\system32\rm6lMh37.exe
    c:\windows\system32\13H8MJt4.exe
    C:\WINDOWS\system32\tazeyubo.dll
    C:\WINDOWS\system32\parahuri.dll
    C:\WINDOWS\system32\kamukufo.dll
    C:\WINDOWS\system32\miturogu.dll
    C:\WINDOWS\system32\kewowupa.dll
    C:\WINDOWS\system32\dijineho.dll
    C:\WINDOWS\system32\gobewowi.dll
    C:\WINDOWS\system32\huholapu.dll
    C:\WINDOWS\system32\wejuwava.dll
    C:\WINDOWS\system32\malaruwo.dll


    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe
  4. ComboFix should request to be allowed to update. Please do so, allow it.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    When ComboFix finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

    ---------------------------------------------------------------------------------------------
  8. Open HijackThis (not RSIT this time) and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
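As an added illustration (not code from HijackThis, ComboFix, TSF or either poster), the Python helper below shows how the entries the CFScript above targets can be picked out of a HijackThis log and a ComboFix "Scheduled Tasks" listing automatically: autostart hooks (O2/O4/O20/O21/O22) that load a random-named DLL from system32, and batches of At<N>.job tasks that all run the same random-named executable from system32. The sample lines are constructed from the logs in this thread (post #7 and post #11); the name patterns (`RANDOM_DLL_STEM`, `RANDOM_EXE_STEM`), the function names and the `min_jobs` threshold are this example's own assumptions, tuned to these indicators, and would need adjusting for other logs.

```python
"""Log-triage helper written for this thread (hypothetical; not HijackThis,
ComboFix or TSF code). It flags autostart entries that load a random-named DLL
from system32 and batches of At<N>.job tasks running a random-named system32 EXE."""
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis log lines from post #7.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {61963761-8dfa-43bf-9237-ed0fb6368c5b} - C:\WINDOWS\system32\bezuyiza.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [kefijihebi] Rundll32.exe "C:\WINDOWS\system32\rupetapa.dll",s
O20 - AppInit_DLLs: C:\WINDOWS\system32\yeneriho.dll c:\windows\system32\tazeyubo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tazeyubo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tazeyubo.dll
"""
# Constructed sample: a subset of the 'Scheduled Tasks' section of the ComboFix log in post #11.
SAMPLE_TASKS = r"""
2008-09-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-11-02 c:\windows\Tasks\At1.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]
2008-11-02 c:\windows\Tasks\At2.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]
2008-11-02 c:\windows\Tasks\At25.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]
"""

# A DLL or EXE directly under system32, any drive letter, any case.
SYSTEM32_FILE = re.compile(r'[a-z]:\\windows\\system32\\([^\\\s",]+\.(?:dll|exe))', re.I)
# Assumed name patterns tuned to this thread: eight lowercase letters for the DLLs, eight alphanumerics with a digit for the EXEs.
RANDOM_DLL_STEM = re.compile(r"^[a-z]{8}$")
RANDOM_EXE_STEM = re.compile(r"^(?=.*\d)[A-Za-z0-9]{8}$")
# HJT sections that inject into every process or the shell: a third-party system32 DLL there deserves a look regardless of name.
LOADER_SECTIONS = {"O20", "O21", "O22"}
TASK_HEADER = re.compile(r"^\d{4}-\d{2}-\d{2}\s+c:\\windows\\tasks\\([^\\]+\.job)$", re.I)
TASK_TARGET = re.compile(r"^-\s+(\S.*?)\s+\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\]$")

def system32_files(text):
    """Basenames of every system32 DLL/EXE path mentioned in text."""
    return SYSTEM32_FILE.findall(text)

def looks_random(basename):
    """Apply the per-extension name heuristic; False for anything else."""
    stem, _, ext = basename.rpartition(".")
    if ext.lower() == "dll":
        return bool(RANDOM_DLL_STEM.match(stem))
    if ext.lower() == "exe":
        return bool(RANDOM_EXE_STEM.match(stem))
    return False

def flag_hjt_lines(log_text):
    """Return (section, line, reason) for HijackThis entries worth a closer look."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = re.match(r"^(O\d+) - ", line)
        names = system32_files(line) if m else []
        if not names:
            continue
        odd = [n for n in names if looks_random(n)]
        if odd:
            findings.append((m.group(1), line, "random-named system32 file: " + ", ".join(odd)))
        elif m.group(1) in LOADER_SECTIONS:
            findings.append((m.group(1), line, "third-party DLL in a system-wide loader hook"))
    return findings

def parse_tasks(section_text):
    """Map each X.job in a ComboFix 'Scheduled Tasks' section to the command it runs."""
    tasks, current = {}, None
    for line in (l.strip() for l in section_text.splitlines()):
        h = TASK_HEADER.match(line)
        if h:
            current = h.group(1)
            continue
        t = TASK_TARGET.match(line)
        if t and current:
            tasks[current] = t.group(1)
            current = None
    return tasks

def flag_task_batches(section_text, min_jobs=2):
    """Group At<N>.job tasks by target; return (target, jobs, is_random) for batches or random-named system32 EXEs."""
    by_target = defaultdict(list)
    for job, target in parse_tasks(section_text).items():
        if re.match(r"^At\d+\.job$", job, re.I):
            by_target[target].append(job)
    findings = []
    for target, jobs in by_target.items():
        is_random = any(looks_random(n) for n in system32_files(target))
        if len(jobs) >= min_jobs or is_random:
            findings.append((target, sorted(jobs), is_random))
    return sorted(findings)

if __name__ == "__main__":
    for section, line, reason in flag_hjt_lines(SAMPLE_HJT):
        print(f"[{section}] {reason}\n    {line}")
    for target, jobs, is_random in flag_task_batches(SAMPLE_TASKS):
        print(f"{len(jobs)} At*.job task(s) -> {target} (random name: {is_random})")
```

Running the file prints the flagged entries. A legitimate eight-letter system32 name such as NvMcTray.dll is not flagged because the DLL pattern requires all-lowercase letters, but a heuristic of this kind should be checked against a known-clean log before it is relied on, and a hit is a reason to look closer, not a verdict.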
Old 11-10-2008, 04:28 PM   #7
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: xp


Re: Sound clips playing every 30 seconds

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:34 PM, on 11/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Razer\Tarantula\razerhid.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Razer\Tarantula\razertra.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rm6lMh37.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\system32\cmd.execf
C:\WINDOWS\system32\findstr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/dell?hl=en&...us&ibd=6071210
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=6071210
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {61963761-8dfa-43bf-9237-ed0fb6368c5b} - C:\WINDOWS\system32\bezuyiza.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tarantula] C:\Program Files\Razer\Tarantula\razerhid.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [kefijihebi] Rundll32.exe "C:\WINDOWS\system32\rupetapa.dll",s
O4 - HKLM\..\Run: [2864debc] rundll32.exe "C:\WINDOWS\system32\kewowupa.dll",b
O4 - HKLM\..\Run: [CPM2b57ed20] Rundll32.exe "c:\windows\system32\tazeyubo.dll",a
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-19\..\Run: [kefijihebi] Rundll32.exe "C:\WINDOWS\system32\rupetapa.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [kefijihebi] Rundll32.exe "C:\WINDOWS\system32\rupetapa.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1215755931595
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\yeneriho.dll c:\windows\system32\tazeyubo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tazeyubo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tazeyubo.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoToAssist - Unknown owner - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 9293 bytes
kokleman is offline  
Old 11-10-2008, 05:43 PM   #8
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,155
OS: 2000 Pro; XP Pro; XP Home


Re: Sound clips playing every 30 seconds

Did you run ComboFix according to the instructions in post #6? From the HijackThis log, it's not clear that you did. I also require the ComboFix log, if you have run it according to the instructions.

Quote:
6. When finished, it shall produce a log for you. Post that log in your next reply.
Please post the latest ComboFix log, located at C:\ComboFix.txt

If you've not run it according to the instructions in post #6, please do so now.
tetonbob is offline  
Old 11-10-2008, 05:47 PM   #9
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: xp


Re: Sound clips playing every 30 seconds

When I dragged it, the loading screen popped up, but it never produced a log, so what should I do?
kokleman is offline  
Old 11-10-2008, 05:54 PM   #10
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,155
OS: 2000 Pro; XP Pro; XP Home


Re: Sound clips playing every 30 seconds

I'm sorry, but I'm not quite understanding what you're trying to tell me.

Please use more detail in explaining what happened and when. Take your time, and give as much detail as you can.

Did ComboFix begin to run? Did it pass the disclaimer screen again? Did the ComboFix window open? close? Were your protection applications disabled? Is there a log at C:\ComboFix.txt ?
tetonbob is offline  
Old 11-10-2008, 05:59 PM   #11
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: xp


Re: Sound clips playing every 30 seconds

This was the new ComboFix log, though.

ComboFix 08-11-05.02 - Lucien 2008-11-06 15:48:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1524 [GMT -6:00]
Running from: c:\documents and settings\Lucien\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\rm6lMh37.exe.a_a
c:\windows\system32\to3nOj04.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-06 to 2008-11-06 )))))))))))))))))))))))))))))))
.

2008-11-02 03:14 . 2008-11-05 15:11 41,474 --a------ c:\windows\system32\rm6lMh37.exe_
2008-11-02 03:14 . 2008-11-05 16:11 41,474 --a------ c:\windows\system32\rm6lMh37.exe
2008-10-30 19:18 . 2008-10-30 19:18 7,704 --a------ c:\windows\system32\mst120.dll
2008-10-23 15:03 . 2008-10-15 10:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-14 16:39 . 2008-10-14 16:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2008-10-14 13:16 . 2008-08-14 04:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-14 13:16 . 2008-08-14 04:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-14 13:16 . 2008-08-14 03:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-14 13:16 . 2008-08-14 03:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-14 13:16 . 2008-09-15 06:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-14 13:16 . 2008-09-08 04:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-08 11:14 . 2008-10-08 11:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-08 11:14 . 2008-09-09 23:04 38,528 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-08 11:14 . 2008-09-09 23:03 17,200 --a------ c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-06 02:27 --------- d-----w c:\program files\Trend Micro
2008-11-04 21:50 --------- d-----w c:\program files\World of Warcraft
2008-11-02 16:00 --------- d-----w c:\program files\Common Files\Adobe
2008-11-01 16:17 --------- d-----w c:\documents and settings\Lucien\Application Data\LimeWire
2008-10-31 01:39 --------- d-----w c:\documents and settings\Lucien\Application Data\mIRC
2008-10-31 01:25 --------- d-----w c:\program files\mIRC
2008-10-30 21:06 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-24 02:16 336 ----a-w c:\documents and settings\Lucien\Application Data\wklnhst.dat
2008-10-21 20:02 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-04 18:42 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-03 02:01 --------- d-----w c:\documents and settings\Lucien\Application Data\Template
2008-10-02 22:52 --------- d-----w c:\program files\CCleaner
2008-10-02 22:49 --------- d-----w c:\documents and settings\Lucien\Application Data\Malwarebytes
2008-10-02 22:49 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-02 21:03 --------- d-----w c:\documents and settings\NetworkService\Application Data\Skype
2008-09-20 20:13 30,272 ----a-w c:\windows\system32\13H8MJt4.exe
2008-09-20 13:31 24 ----a-w c:\documents and settings\Lucien\jagex_runescape_preferences.dat
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-11 22:26 --------- d-----w c:\program files\iTunes
2008-09-11 22:26 --------- d-----w c:\program files\iPod
2008-09-11 22:26 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-11 22:25 --------- d-----w c:\program files\QuickTime
2008-09-11 22:25 --------- d-----w c:\program files\Common Files\Apple
2008-09-11 22:25 --------- d-----w c:\program files\Bonjour
2008-09-09 20:50 --------- d-----w c:\program files\Microsoft Works
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2008-09-07 05:39 --------- d-----w c:\program files\SwiftKit
2008-08-29 15:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 14:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
2008-08-20 05:30 666,112 ------w c:\windows\system32\dllcache\wininet.dll
2008-08-20 05:30 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
2008-08-20 05:30 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-20 05:30 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w c:\windows\system32\dllcache\afd.sys
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-12-16 16:58 60,968 ----a-w c:\documents and settings\Lucien\GoToAssistDownloadHelper.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2008-10-07 1410296]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"Tarantula"="c:\program files\Razer\Tarantula\razerhid.exe" [2006-09-30 176128]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-08 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SigmatelSysTrayApp"="stsystra.exe" [2007-04-12 c:\windows\stsystra.exe]
"nwiz"="nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-24 218496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 12:09 460784 c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-11-05 11:22 221184 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.0.8089-to-2.4.1.8125-enUS-downloader.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\redman27678\\condition zero\\hl.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\redman27678\\counter-strike\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\redman27678\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader
"6881:TCP"= 6881:TCP:Blizzard Downloader

R1 DLARTL_M;DLARTL_M;c:\windows\system32\Drivers\DLARTL_M.SYS [2006-08-11 28184]
R3 CM1083264;C-Media CM108 Like Sound UDAX Interface;c:\windows\system32\drivers\CM108.sys [2006-12-21 1294336]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-08-02 22784]
R3 TarFltr;Razer Tarantula USB Keyboard;c:\windows\system32\Drivers\UsbFltr.sys [2006-09-27 44800]
S2 zumbus;Zune Bus Enumerator Driver;c:\windows\system32\DRIVERS\zumbus.sys [ ]
S3 GoToAssist;GoToAssist;c:\program files\Citrix\GoToAssist\480\g2aservice.exe Start=service [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-09-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-02 c:\windows\Tasks\At1.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-01 c:\windows\Tasks\At10.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At11.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At12.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At13.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At14.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At15.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-05 c:\windows\Tasks\At16.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-05 c:\windows\Tasks\At17.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-05 c:\windows\Tasks\At18.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-06 c:\windows\Tasks\At19.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At2.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-06 c:\windows\Tasks\At20.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-06 c:\windows\Tasks\At21.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-06 c:\windows\Tasks\At22.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-05 c:\windows\Tasks\At23.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At24.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At25.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At26.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At27.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At28.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At29.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At3.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At30.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-10-02 c:\windows\Tasks\At31.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-10-02 c:\windows\Tasks\At32.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-10-02 c:\windows\Tasks\At33.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-01 c:\windows\Tasks\At34.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At35.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At36.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At37.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At38.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At39.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At4.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-05 c:\windows\Tasks\At40.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-05 c:\windows\Tasks\At41.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-05 c:\windows\Tasks\At42.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-06 c:\windows\Tasks\At43.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-06 c:\windows\Tasks\At44.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-06 c:\windows\Tasks\At45.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-06 c:\windows\Tasks\At46.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-05 c:\windows\Tasks\At47.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At48.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At5.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At6.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-10-02 c:\windows\Tasks\At7.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-10-02 c:\windows\Tasks\At8.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-10-02 c:\windows\Tasks\At9.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKLM-Run-CM108Sound - CM108.cpl
Notify-GoToAssist - c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
MSConfigStartUp-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Lucien\Application Data\Mozilla\Firefox\Profiles\cyv1ncpy.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.aol.com/?src=aim
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-06 15:50:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Lucien\LOCALS~1\Temp\RGI26.tmp

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-11-06 15:50:55
ComboFix-quarantined-files.txt 2008-11-06 21:50:41

Pre-Run: 178,902,425,600 bytes free
Post-Run: 179,082,887,168 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

285 --- E O F --- 2008-10-23 22:21:32
kokleman is offline  
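The ComboFix listing above shows dozens of At*.job tasks all pointing at two random-named executables in system32. As an added example (not from the thread, ComboFix or any of the posters), here is a small Python parser for that listing format that flags exactly that pattern; the sample lines, including the benign GoogleUpdate entry used as a control, are constructed:

```python
import re
from collections import defaultdict

# Constructed sample in the ComboFix "Scheduled Tasks" format:
# a dated .job line followed by a "- target [timestamp]" line.
SAMPLE = """\
2008-11-02 c:\\windows\\Tasks\\At38.job
- c:\\windows\\system32\\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\\windows\\Tasks\\At4.job
- c:\\windows\\system32\\13H8MJt4.exe [2008-09-20 14:13]

2008-10-15 c:\\windows\\Tasks\\GoogleUpdateTaskMachineUA.job
- c:\\program files\\google\\update\\GoogleUpdate.exe [2008-10-15 09:02]
"""

JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>.+?\.job)\s*$", re.I)
TARGET_RE = re.compile(r"^-\s+(?P<target>.+?)\s+\[(?P<stamp>[^\]]+)\]\s*$")

def parse_tasks(text):
    """Return (job_path, target_path) pairs from a ComboFix task listing."""
    tasks, pending = [], None
    for line in text.splitlines():
        m = JOB_RE.match(line.strip())
        if m:
            pending = m.group("job")
            continue
        m = TARGET_RE.match(line.strip())
        if m and pending:
            tasks.append((pending, m.group("target")))
            pending = None
    return tasks

def looks_random(filename):
    """Heuristic: 8-char alphanumeric stem mixing digits and both letter cases."""
    stem = filename.rsplit(".", 1)[0]
    return (len(stem) == 8 and stem.isalnum()
            and any(c.isdigit() for c in stem)
            and any(c.islower() for c in stem)
            and any(c.isupper() for c in stem))

def suspicious_tasks(text):
    """Map each random-named system32 target to the At*.job entries
    (the naming at.exe uses) that launch it."""
    hits = defaultdict(list)
    for job, target in parse_tasks(text):
        job_name = job.rsplit("\\", 1)[-1]
        target_dir, _, exe = target.rpartition("\\")
        if (re.fullmatch(r"At\d+\.job", job_name, re.I)
                and target_dir.lower().endswith("\\system32")
                and looks_random(exe)):
            hits[target].append(job_name)
    return dict(hits)
```

Many At*.job entries converging on one such executable, as in this log, is a stronger signal than any single task; the grouping makes that visible at a glance.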
Old 11-10-2008, 06:06 PM   #12 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: xp


Re: Sound clips playing every 30 seconds

Quote:
Originally Posted by tetonbob View Post
I'm sorry, but I'm not quite understanding what you're trying to tell me.

Please use more detail in explaining what happened and when. Take your time, and give as much detail as you can.

Did ComboFix begin to run? Did it pass the disclaimer screen again? Did the ComboFix window open? close? Were your protection applications disabled? Is there a log at C:\ComboFix.txt ?
Ok, I dragged the text file onto the ComboFix icon. The loading bar popped up and nothing else happened. The window did not open; there was no new disclaimer. Yes, all my other applications were disabled.
kokleman is offline  
Old 11-10-2008, 06:10 PM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,155
OS: 2000 Pro; XP Pro; XP Home


Re: Sound clips playing every 30 seconds

Ok, thanks...that's more helpful.

What I'd like you to do is this.

Copy these instructions to notepad, for easy access while offline.

Delete the existing version of ComboFix.exe

Download a new copy from one of these links

Link 1
Link 2
Link 3

Restart the machine in safe mode.

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Perform the same steps as in Post #6, using the same script.

If ComboFix restarts the machine, after it does, go back into safe mode to allow ComboFix to complete its routine.

Once ComboFix has completed its routine and the log is produced, restart in normal mode, and post the log from ComboFix.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 11-11-2008, 02:49 PM   #14 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: xp


Re: Sound clips playing every 30 seconds

Ok, I have now tried both normal and safe modes to use ComboFix; neither of them seems to get it to work. It just brings up the loading bar and nothing else happens. Not sure what to do.
kokleman is offline  
Old 11-11-2008, 03:08 PM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,155
OS: 2000 Pro; XP Pro; XP Home


Re: Sound clips playing every 30 seconds

Ok, rather than use the script from Post # 6, first, rename ComboFix.exe to ComboFxx.exe and simply double click on ComboFxx.exe again to run it.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 11-11-2008, 05:42 PM   #16 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: xp


Re: Sound clips playing every 30 seconds

Same thing happened. I even tried to reinstall it and then rename it again, and the same thing continues to happen. By any chance is there a different program we could use?
kokleman is offline  
Old 11-11-2008, 06:49 PM   #17 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,155
OS: 2000 Pro; XP Pro; XP Home


Re: Sound clips playing every 30 seconds

This doesn't make much sense, since you were able to run it the first time.

Have you re-enabled autoruns, by any chance?

Let's try one more thing...

Delete the existing version of ComboFix. This time, rename it before saving it.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3





--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


If still no joy....

Move Combo-Fix to the root of your drive, C: and try it from there.

If still no joy....

You have Malwarebytes' AntiMalware on the machine. Update it using the update tab, and run a quick scan. Post the log it produces and a new HijackThis log.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 11-11-2008 at 06:56 PM.
tetonbob is offline  
Old 11-11-2008, 08:30 PM   #18 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: xp


Re: Sound clips playing every 30 seconds

Ok, I'm just flustered with ComboFix in general, so I did my second option.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:13 PM, on 11/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Razer\Tarantula\razerhid.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Razer\Tarantula\razertra.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.execf
C:\WINDOWS\system32\attrib.exe
C:\WINDOWS\system32\rm6lMh37.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Ventrilo\Ventrilo.exe
c:\program files\valve\steam\steamapps\redman27678\counter-strike\hl.exe
C:\program files\valve\steam\GameOverlayUI.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Attached Files
File Type: txt mbam-log-2008-11-11 (21-27-50).txt (2.2 KB, 3 views)
kokleman is offline  
Old 11-11-2008, 08:44 PM   #19 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,155
OS: 2000 Pro; XP Pro; XP Home


Re: Sound clips playing every 30 seconds

Quote:
Ok im just flustered with the combofix in general
Did you perform any of the last suggestions?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 11-11-2008, 08:46 PM   #20 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: xp


Re: Sound clips playing every 30 seconds

Yes, I did, and like you said, still no joy :(
kokleman is offline  
Copyright 2001 - 2009, Tech Support Forum