12-29-2008, 05:57 PM   #1
Registered User
Join Date: Apr 2007
Posts: 205
OS: XP


ohhh boy what a mess...

Sorry in advance to whoever chooses to deal with my problem.

So the long story begins.... This all started 2 days ago with my wife wanting to watch a movie on the net. She opens the movie and AVG instantly pops up "threat found!!!", so I tell her to hit Heal and close the movie out. So then she tries a different tab (same movie) and it appears to be fine, that is until 2 minutes into the movie it automatically goes out of full screen and she gets 2 random pop-up pages from Firefox (she was using IE at the time). Well, she closes out the movie and I tell her to run AVG to see if it finds anything. While trying to run AVG, random Firefox windows kept popping up. So I uninstall Firefox and they start popping up in IE just as they did through Firefox.

The AVG scan produced 3 threats:
Freescan[1].htm
gadcom.exe
Kesekepe.dl.vir

I managed to get rid of gadcom, I think, but the others are still there, I think. I got to reading a lot of other people's troubles, so I tried some of the things that were recommended to them. First thing after the problem started, before trying anything, I ran a HijackThis log (see below). After that I ran Ad-Aware and AVG several more times, finding different stuff every time; I didn't write them all down (sorry). After reading the many problems from others I decided to run ComboFix; that killed the pop-ups after doing that, but AVG is still catching threats, so I decided to run a DDS file and ask for help. Since the DDS file I found out my AVG wasn't up to date, so I then downloaded 8.0, ran it and it found more. If you need a new DDS because of the AVG update let me know. Thanks.

------------HijackThis findings--------------

Logfile of HijackThis v1.99.1
Scan saved at 6:57:02 PM, on 12/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\nHancer\nHancerService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
C:\PROGRA~1\MSNMES~1\DEVICE~1\msgrdvmn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cadiz.mchsionline.net/community/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {024FD5E0-9FAD-494A-8AE5-143B6C6B09F4} - (no file)
O2 - BHO: (no name) - {08F09AE6-A770-4C13-80D5-8307CD6E6CC1} - (no file)
O2 - BHO: (no name) - {0E2523F3-3B32-4B36-A592-D6E4406E248B} - (no file)
O2 - BHO: (no name) - {0E46A419-586E-45CB-ADF3-85D64565732A} - (no file)
O2 - BHO: (no name) - {11343315-C8E0-44C8-9367-66AEB36D0B8B} - (no file)
O2 - BHO: (no name) - {16DB0ED2-300D-4FE2-8703-7D2C08999434} - (no file)
O2 - BHO: (no name) - {1D77037A-3965-482A-BCDA-F3749641106E} - (no file)
O2 - BHO: (no name) - {1ED2B7AF-D185-405E-8692-9622351DF54A} - (no file)
O2 - BHO: (no name) - {2F2979EA-6E36-4EBD-92BB-5588999BC071} - (no file)
O2 - BHO: (no name) - {306846B0-5BB0-402E-A2D7-3742CFDB0BF9} - (no file)
O2 - BHO: (no name) - {315CFAAF-8192-4DDB-BE67-54FC0CC6DF5F} - (no file)
O2 - BHO: (no name) - {38A4EE33-C274-41F6-9FD7-6B7791DA0D1E} - (no file)
O2 - BHO: (no name) - {39D1D1A2-E515-45BA-9B2B-5C4831362E42} - (no file)
O2 - BHO: (no name) - {3DE490CE-732D-45C8-AFC7-8C535CBC3DA7} - (no file)
O2 - BHO: (no name) - {3DF233F0-AA4D-42C8-8BEE-B0B3B126156F} - (no file)
O2 - BHO: (no name) - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - (no file)
O2 - BHO: (no name) - {497A07E0-D3C3-4288-AC1B-34A420FB43BD} - (no file)
O2 - BHO: (no name) - {4C13C1F5-1F24-438E-8A1F-76BEAB0451B0} - (no file)
O2 - BHO: (no name) - {557F69DE-0B5A-4B78-90BD-B140C29315A6} - (no file)
O2 - BHO: (no name) - {593A6A99-EE8A-41E1-9D24-A6750E32C2B7} - (no file)
O2 - BHO: (no name) - {5A6B1D0E-6F63-4D2D-AC67-87A2B03F6C44} - (no file)
O2 - BHO: (no name) - {5DE539E3-92B5-4100-8B5B-6FDF45E0D1C0} - (no file)
O2 - BHO: (no name) - {624EF74E-EF9A-4C83-B886-DCB0A65F40B3} - (no file)
O2 - BHO: (no name) - {66E88CEF-969B-4BBF-BA36-B7BF32407F6C} - (no file)
O2 - BHO: (no name) - {6B6C0BC1-87DE-495C-BE78-D44B4243BABD} - (no file)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\pmnoOExx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {84074F03-E62E-4FFF-9AFD-5ED73A6875D3} - (no file)
O2 - BHO: (no name) - {85320ED4-EFF8-43A3-96A1-E3F94CC0E05C} - (no file)
O2 - BHO: (no name) - {8AE4E598-5A24-4876-8B9B-E01F142906BE} - (no file)
O2 - BHO: (no name) - {8BD5CE39-6936-419A-B7CC-E781103A0CC7} - (no file)
O2 - BHO: (no name) - {8BF4FDDE-A89B-4D0D-8CA2-033FE0D29A3E} - C:\WINDOWS\system32\cbXQhHXn.dll
O2 - BHO: (no name) - {8D5685F2-BA69-4544-8CE2-F86C1BF31A08} - (no file)
O2 - BHO: (no name) - {8F699ECE-C813-4E7E-AB16-BC5D9F7DFECB} - (no file)
O2 - BHO: {471503ee-8f02-c5eb-2474-6647757aa31a} - {a13aa757-7466-4742-be5c-20f8ee305174} - C:\WINDOWS\system32\xoopcv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: (no name) - {B307638C-401F-4FF7-B3A9-BCE9C7239957} - (no file)
O2 - BHO: (no name) - {BA2B7851-F4C1-4D41-8119-E1AFD885F7A8} - (no file)
O2 - BHO: (no name) - {BA725BD7-305B-4C05-AAB5-353A362AB8D8} - (no file)
O2 - BHO: (no name) - {BB0639DE-5490-418F-916F-FD78707F443F} - (no file)
O2 - BHO: (no name) - {BE9847ED-FF4C-4F02-BA6D-D715E894A398} - (no file)
O2 - BHO: (no name) - {C6DE1856-1A4C-4D50-9F64-23E36CFBBA98} - (no file)
O2 - BHO: (no name) - {C727C86C-F337-449A-BFFC-F2757EBE3EED} - (no file)
O2 - BHO: (no name) - {C9C193D5-3192-4FA0-B9AA-5780B2F2500F} - (no file)
O2 - BHO: (no name) - {CB499AD1-AAAF-4F5B-8E66-EC782C209166} - (no file)
O2 - BHO: (no name) - {CBD4B893-F06D-4272-8E34-7803E0B08405} - (no file)
O2 - BHO: (no name) - {D1593092-09F3-4F7F-99BB-7B40EEE516D4} - (no file)
O2 - BHO: (no name) - {D34E4BB8-8B43-4085-A3ED-296AAA9995B3} - (no file)
O2 - BHO: (no name) - {DB0CECE3-381C-4749-AFF2-5BDE6E593CBA} - (no file)
O2 - BHO: (no name) - {E2E6A4C1-6E3A-48B1-9FD1-0A893004354E} - (no file)
O2 - BHO: (no name) - {E37CF69D-06B5-40D4-B432-8DDEC01A057E} - (no file)
O2 - BHO: (no name) - {e6019b4f-64ce-431a-9653-e49d7e55a352} - C:\WINDOWS\system32\konazuki.dll
O2 - BHO: (no name) - {E89DD0A3-E0AC-4176-A2F0-80FEB50345A1} - (no file)
O2 - BHO: (no name) - {E9E43D73-F61C-4CEF-891E-2FF09C038046} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [Itiva Media Accelerator] C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [gokebiwazi] Rundll32.exe "C:\WINDOWS\system32\hakurevi.dll",s
O4 - HKLM\..\Run: [LifeChat] "C:\Program Files\Microsoft LifeChat\LifeChat.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WindowsLivePhone] "C:\PROGRA~1\MSNMES~1\DEVICE~1\msgrdvmn.exe" /AutoRun
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PokerTime Poker - {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.doghq.net
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46.../bejeweled.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37710.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JS...ws-i586-jc.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game10.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/download...ameManager.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\kesekepe.dll xoopcv.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: pmnoOExx - C:\WINDOWS\SYSTEM32\pmnoOExx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe


------------ComboFix report------------------

ComboFix 08-12-28.01 - Mike 2008-12-28 20:18:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.596 [GMT -6:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Mike\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\Mike\Application Data\FunWebProducts
c:\documents and settings\Mike\Application Data\GetModule
c:\documents and settings\Mike\Application Data\GetModule\dicik.gz
c:\documents and settings\Mike\Application Data\GetModule\kwdik.gz
c:\documents and settings\Mike\Application Data\GetModule\ofadik.gz
c:\documents and settings\Mike\Application Data\inst.exe
c:\documents and settings\Mike\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\GetModule
c:\program files\GetModule\GetModule32.exe
c:\program files\GetPack
c:\program files\GetPack\dictame.gz
c:\program files\GetPack\GetPack26.exe
c:\program files\GetPack\trgtame.gz
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\windows\Downloaded Program Files\setup.inf
c:\windows\IE4 Error Log.txt
c:\windows\system32\asbcrwpn.dll
c:\windows\system32\cbXQhHXn.dll
c:\windows\system32\digeste.dll
c:\windows\system32\ilevobam.ini
c:\windows\system32\kesekepe.dll
c:\windows\system32\maboveli.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\nXHhQXbc.ini
c:\windows\system32\nXHhQXbc.ini2
c:\windows\system32\ornblcpy.dll
c:\windows\system32\pmnoOExx.dll
c:\windows\system32\ttvwa.bak1
c:\windows\system32\ttvwa.bak2
c:\windows\system32\ttvwa.ini
c:\windows\system32\ttvwa.ini2
c:\windows\system32\wpv291229907513.cpx
c:\windows\system32\xoopcv.dll
c:\windows\system32\ypclbnro.ini
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-28 10:55 . 2008-12-28 10:55 22,016 --a------ c:\documents and settings\Mike\w.exe
2008-12-11 14:37 . 2008-12-11 14:37 42,320 --a------ c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-29 00:22 --------- d-----w c:\documents and settings\Mike\Application Data\Xfire
2008-12-28 19:18 --------- d-----w c:\documents and settings\Mike\Application Data\AVG7
2008-12-27 23:20 --------- d-----w c:\documents and settings\girls\Application Data\AVG7
2008-12-27 20:49 --------- d-----w c:\program files\Call of Duty Game of the Year Edition
2008-12-21 17:08 137,688 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-17 09:31 --------- d-s---w c:\program files\Xfire
2008-12-12 02:10 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 23:17 --------- d--h--w c:\documents and settings\Mike\Application Data\Move Networks
2008-12-06 17:04 --------- d-----w c:\program files\Dl_cats
2008-11-20 07:29 --------- d-----w c:\program files\Guild Wars
2008-11-08 14:32 --------- d-----w c:\documents and settings\Mike\Application Data\uTorrent
2008-11-08 03:22 --------- d-----w c:\program files\uTorrent
2008-10-28 22:45 22,328 -c--a-w c:\documents and settings\Mike\Application Data\PnkBstrK.sys
2008-10-28 22:43 --------- d-----w c:\program files\Activision
2008-03-04 19:26 47,360 -c--a-w c:\documents and settings\Mike\Application Data\pcouffin.sys
2006-11-25 01:44 92,064 -c--a-w c:\documents and settings\Mike\mqdmmdm.sys
2006-11-25 01:44 9,232 -c--a-w c:\documents and settings\Mike\mqdmmdfl.sys
2006-11-25 01:44 79,328 -c--a-w c:\documents and settings\Mike\mqdmserd.sys
2006-11-25 01:44 66,656 -c--a-w c:\documents and settings\Mike\mqdmbus.sys
2006-11-25 01:44 6,208 -c--a-w c:\documents and settings\Mike\mqdmcmnt.sys
2006-11-25 01:44 5,936 -c--a-w c:\documents and settings\Mike\mqdmwhnt.sys
2006-11-25 01:44 4,048 -c--a-w c:\documents and settings\Mike\mqdmcr.sys
2006-11-25 01:44 25,600 -c--a-w c:\documents and settings\Mike\usbsermptxp.sys
2006-11-25 01:44 22,768 -c--a-w c:\documents and settings\Mike\usbsermpt.sys
2006-12-22 20:07 56 --sh--r c:\windows\system32\14CE148FAD.sys
2006-12-22 20:07 6,580 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-09-24 01:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092320080924\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e6019b4f-64ce-431a-9653-e49d7e55a352}]
2008-09-28 11:02 64000 --ahs---- c:\windows\system32\konazuki.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"WindowsLivePhone"="c:\progra~1\MSNMES~1\DEVICE~1\msgrdvmn.exe" [2006-12-04 709440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Itiva Media Accelerator"="c:\program files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe" [2008-06-04 4994288]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]
"gokebiwazi"="c:\windows\system32\hakurevi.dll" [2008-09-28 64000]
"LifeChat"="c:\program files\Microsoft LifeChat\LifeChat.exe" [2007-01-26 259440]
"PMX Daemon"="ICO.EXE" [2006-06-09 c:\windows\system32\ico.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-01-03 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\kesekepe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 18:23 102400 c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--------- 2005-09-15 09:47 57344 c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlccmon.exe]
--a------ 2005-07-22 07:03 425984 c:\program files\Dell Photo AIO Printer 924\dlccmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 14:01 67584 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gokebiwazi]
--ahs---- 2008-09-28 11:02 64000 c:\windows\system32\hakurevi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2005-06-17 07:56 139264 c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-11 15:30 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 15:30 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Itiva Media Accelerator]
--a------ 2008-06-04 17:09 4994288 c:\program files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeChat]
--a------ 2007-01-26 13:31 259440 c:\program files\Microsoft LifeChat\LifeChat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2005-09-08 19:20 8192 c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\progra~1\MSNMES~1\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-07-08 23:57 7110656 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-02-01 08:12 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-12-26 21:20 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 09:18 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
--------- 2005-09-19 07:42 1159168 c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
--------- 2004-08-14 03:42 36864 c:\program files\mobile PhoneTools\WatchDog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsLivePhone]
--a------ 2006-12-04 09:33 709440 c:\progra~1\MSNMES~1\DEVICE~1\msgrdvmn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
--a------ 2005-05-19 11:54 1345520 c:\windows\system32\CTMBHA.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]
--a------ 2006-06-09 12:47 47104 c:\windows\system32\ico.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
--a------ 2004-12-22 19:40 24576 c:\windows\MIDIDEF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-03-22 04:20 339968 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"gusvc"=3 (0x3)
"DSBrokerService"=3 (0x3)
"dlcc_device"=3 (0x3)
"Creative Service for CDROM Access"=3 (0x3)
"Creative Labs Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Itiva\\Itiva Media Accelerator\\ItivaMediaAccelerator.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War Beta\\CoDWaWbeta.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\girls\\Application Data\\MySpace\\IM\\bin\\MySpaceIM.exe"=
"c:\\Program Files\\Intel\\Intel Matrix Storage Manager\\IAANTMon.exe"=
"c:\\WINDOWS\\explorer.exe"=

S3 mamotou;mamotou;c:\windows\system32\DRIVERS\mamotou.sys [2008-07-01 49377]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-07-01 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-08-11 7680]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{024FD5E0-9FAD-494A-8AE5-143B6C6B09F4} - (no file)
BHO-{08F09AE6-A770-4C13-80D5-8307CD6E6CC1} - (no file)
BHO-{0E2523F3-3B32-4B36-A592-D6E4406E248B} - (no file)
BHO-{0E46A419-586E-45CB-ADF3-85D64565732A} - (no file)
BHO-{11343315-C8E0-44C8-9367-66AEB36D0B8B} - (no file)
BHO-{16DB0ED2-300D-4FE2-8703-7D2C08999434} - (no file)
BHO-{1D77037A-3965-482A-BCDA-F3749641106E} - (no file)
BHO-{1ED2B7AF-D185-405E-8692-9622351DF54A} - (no file)
BHO-{2F2979EA-6E36-4EBD-92BB-5588999BC071} - (no file)
BHO-{306846B0-5BB0-402E-A2D7-3742CFDB0BF9} - (no file)
BHO-{315CFAAF-8192-4DDB-BE67-54FC0CC6DF5F} - (no file)
BHO-{38A4EE33-C274-41F6-9FD7-6B7791DA0D1E} - (no file)
BHO-{39D1D1A2-E515-45BA-9B2B-5C4831362E42} - (no file)
BHO-{3DE490CE-732D-45C8-AFC7-8C535CBC3DA7} - (no file)
BHO-{3DF233F0-AA4D-42C8-8BEE-B0B3B126156F} - (no file)
BHO-{497A07E0-D3C3-4288-AC1B-34A420FB43BD} - (no file)
BHO-{4C13C1F5-1F24-438E-8A1F-76BEAB0451B0} - (no file)
BHO-{557F69DE-0B5A-4B78-90BD-B140C29315A6} - (no file)
BHO-{593A6A99-EE8A-41E1-9D24-A6750E32C2B7} - (no file)
BHO-{5A6B1D0E-6F63-4D2D-AC67-87A2B03F6C44} - (no file)
BHO-{5DE539E3-92B5-4100-8B5B-6FDF45E0D1C0} - (no file)
BHO-{624EF74E-EF9A-4C83-B886-DCB0A65F40B3} - (no file)
BHO-{66E88CEF-969B-4BBF-BA36-B7BF32407F6C} - (no file)
BHO-{6B6C0BC1-87DE-495C-BE78-D44B4243BABD} - (no file)
BHO-{84074F03-E62E-4FFF-9AFD-5ED73A6875D3} - (no file)
BHO-{85320ED4-EFF8-43A3-96A1-E3F94CC0E05C} - (no file)
BHO-{8AE4E598-5A24-4876-8B9B-E01F142906BE} - (no file)
BHO-{8BD5CE39-6936-419A-B7CC-E781103A0CC7} - (no file)
BHO-{8BF4FDDE-A89B-4D0D-8CA2-033FE0D29A3E} - c:\windows\system32\cbXQhHXn.dll
BHO-{8D5685F2-BA69-4544-8CE2-F86C1BF31A08} - (no file)
BHO-{8F699ECE-C813-4E7E-AB16-BC5D9F7DFECB} - (no file)
BHO-{a13aa757-7466-4742-be5c-20f8ee305174} - c:\windows\system32\xoopcv.dll
BHO-{B307638C-401F-4FF7-B3A9-BCE9C7239957} - (no file)
BHO-{BA2B7851-F4C1-4D41-8119-E1AFD885F7A8} - (no file)
BHO-{BA725BD7-305B-4C05-AAB5-353A362AB8D8} - (no file)
BHO-{BB0639DE-5490-418F-916F-FD78707F443F} - (no file)
BHO-{BE9847ED-FF4C-4F02-BA6D-D715E894A398} - (no file)
BHO-{C6DE1856-1A4C-4D50-9F64-23E36CFBBA98} - (no file)
BHO-{C727C86C-F337-449A-BFFC-F2757EBE3EED} - (no file)
BHO-{C9C193D5-3192-4FA0-B9AA-5780B2F2500F} - (no file)
BHO-{CB499AD1-AAAF-4F5B-8E66-EC782C209166} - (no file)
BHO-{CBD4B893-F06D-4272-8E34-7803E0B08405} - (no file)
BHO-{D1593092-09F3-4F7F-99BB-7B40EEE516D4} - (no file)
BHO-{D34E4BB8-8B43-4085-A3ED-296AAA9995B3} - (no file)
BHO-{DB0CECE3-381C-4749-AFF2-5BDE6E593CBA} - (no file)
BHO-{E2E6A4C1-6E3A-48B1-9FD1-0A893004354E} - (no file)
BHO-{E37CF69D-06B5-40D4-B432-8DDEC01A057E} - (no file)
BHO-{E89DD0A3-E0AC-4176-A2F0-80FEB50345A1} - (no file)
BHO-{E9E43D73-F61C-4CEF-891E-2FF09C038046} - (no file)
MSConfigStartUp-GetModule32 - c:\program files\GetModule\GetModule32.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_09\bin\jusched.exe
MSConfigStartUp-Uniblue Quick Access - c:\program files\Uniblue\ProcessLibrary\qaccess.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://cadiz.mchsionline.net/community/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79}
Trusted Zone: *.doghq.net

c:\windows\system32\atl.dll - O16 -: {7F8C8173-AD80-4807-AA75-5672F22B4582}
hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37710.cab
c:\windows\Downloaded Program Files\ICSScanner.inf

c:\windows\Downloaded Program Files\zylomgamesplayer.dll - O16 -: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B}
hxxp://game10.zylom.com/activex/zylomgamesplayer.cab
c:\windows\Downloaded Program Files\ZylomGamesPlayer.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 20:26:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\savedump.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\nHancer\nHancerService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-12-28 20:28:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-29 02:28:45

Pre-Run: 95,779,418,112 bytes free
Post-Run: 95,660,900,352 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

329 --- E O F --- 2008-12-18 03:51:15


---------------------------------------------

and the DDS report is attached

Thanks in advance for the help. Let me know if any more info is needed; I tried to cover most of what I can think of right now.


Bud.
Attached Files
File Type: zip DDS.zip (3.7 KB, 1 views)
File Type: zip Attach.zip (3.6 KB, 1 views)

Old 01-02-2009, 08:32 AM   #2 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 205
OS: XP


Re: ohhh boy what a mess...

bump!!!
Old 01-02-2009, 09:28 AM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,030
OS: WinXP and Vista


Re: ohhh boy what a mess...

Quote:
I managed to get rid of gadcom, I think, but the others are still there. I think I got to reading a lot of other people's troubles, so I tried some of the things that were recommended to them. First thing after the problem started, before trying anything, I ran a HijackThis log (see below). After that I ran Ad-Aware and AVG several more times, finding different stuff every time; I didn't write them all down (sorry). After reading the many problems from others I decided to run ComboFix, which killed the pop-ups
It is never a good idea to run fixes you see in others' threads--no matter how similar the symptoms and entries may appear.

We make this very clear in post #2 of our pre-posting sticky topic found at the top of this forum:

Quote:
Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.

That being said, as a reminder, please run a new scan with dds.com and post the contents of a fresh dds.txt

Do not attach it--copy/paste directly into the reply box.
Do not include HJT log as it is not needed.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 01-03-2009, 09:46 AM   #4 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 205
OS: XP


Re: ohhh boy what a mess...

Here's the new DDS file



DDS (Version 1.1.0) - NTFSx86
Run by Mike at 10:40:20.70 on Sat 01/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.611 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\nHancer\nHancerService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\PROGRA~1\MSNMES~1\DEVICE~1\msgrdvmn.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Documents and Settings\Mike\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://cadiz.mchsionline.net/community/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: {e6019b4f-64ce-431a-9653-e49d7e55a352} - c:\windows\system32\konazuki.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [WindowsLivePhone] "c:\progra~1\msnmes~1\device~1\msgrdvmn.exe" /AutoRun
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [PMX Daemon] ICO.EXE
mRun: [Itiva Media Accelerator] c:\program files\itiva\itiva media accelerator\ItivaMediaAccelerator.exe
mRun: [LifeChat] "c:\program files\microsoft lifechat\LifeChat.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_09\bin\jusched.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"
mRun: [WatchDog] c:\program files\mobile phonetools\WatchDog.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: doghq.net
Trusted Zone: musicmatch.com\online
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: c:\windows\system32\kesekepe.dll,avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\kesekepe.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-29 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-1-3 26824]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-29 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-29 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-29 76040]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys [2008-7-1 49377]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-7-1 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-8-11 7680]

=============== Created Last 30 ================

2008-12-29 10:23 <DIR> --d-h--- C:\$AVG8.VAULT$
2008-12-29 10:04 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2008-12-29 10:04 76,040 a------- c:\windows\system32\drivers\avgtdix.sys
2008-12-29 10:04 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-12-29 10:04 <DIR> --d----- c:\windows\system32\drivers\Avg
2008-12-29 10:04 <DIR> --d----- c:\docume~1\mike\applic~1\AVGTOOLBAR
2008-12-29 10:04 <DIR> --d----- c:\program files\AVG
2008-12-29 10:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-12-29 07:43 1,262,699 ---sh--- c:\windows\system32\usamosib.ini
2008-12-28 20:17 <DIR> a-dshr-- C:\cmdcons
2008-12-28 20:07 161,792 a------- c:\windows\SWREG.exe
2008-12-28 20:07 98,816 a------- c:\windows\sed.exe
2008-12-28 10:55 22,016 a------- c:\documents and settings\mike\w.exe
2008-12-11 14:37 42,320 a------- c:\windows\system32\xfcodec.dll

==================== Find3M ====================

2008-12-31 13:41 138,384 a------- c:\windows\system32\drivers\PnkBstrK.sys
2008-12-31 13:41 70,968 a------- c:\windows\system32\PnkBstrA.exe
2008-12-31 13:41 187,536 a------- c:\windows\system32\PnkBstrB.exe
2008-12-13 00:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-10-28 16:45 22,328 ac------ c:\docume~1\mike\applic~1\PnkBstrK.sys
2008-10-28 16:45 682,280 a------- c:\windows\system32\pbsvc.exe
2008-10-24 05:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 06:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 07:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 07:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 10:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 01:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 01:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-03-04 13:26 47,360 ac------ c:\docume~1\mike\applic~1\pcouffin.sys
2006-11-24 19:44 92,064 ac------ c:\documents and settings\mike\mqdmmdm.sys
2006-11-24 19:44 79,328 ac------ c:\documents and settings\mike\mqdmserd.sys
2006-11-24 19:44 66,656 ac------ c:\documents and settings\mike\mqdmbus.sys
2006-11-24 19:44 25,600 ac------ c:\documents and settings\mike\usbsermptxp.sys
2006-11-24 19:44 22,768 ac------ c:\documents and settings\mike\usbsermpt.sys
2006-11-24 19:44 9,232 ac------ c:\documents and settings\mike\mqdmmdfl.sys
2006-11-24 19:44 6,208 ac------ c:\documents and settings\mike\mqdmcmnt.sys
2006-11-24 19:44 5,936 ac------ c:\documents and settings\mike\mqdmwhnt.sys
2006-11-24 19:44 4,048 ac------ c:\documents and settings\mike\mqdmcr.sys
2006-12-22 14:07 56 ---shr-- c:\windows\system32\14CE148FAD.sys
2006-12-22 14:07 6,580 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-23 19:06 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092320080924\index.dat

============= FINISH: 10:40:35.15 ===============


hope that helps

thanks
Bud.
Old 01-03-2009, 10:12 AM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,030
OS: WinXP and Vista


Re: ohhh boy what a mess...

Yes, thank you. I needed to see exactly where we stood since a few days have passed since you first posted.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/329268-ohhh-boy-what-mess-post1892940.html#post1892940

DDS::
IE: {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

Collect::
c:\windows\system32\konazuki.dll

File::
c:\documents and settings\mike\w.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="c:\windows\system32\avgrsstx.dll"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
---------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior
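The CFScript above rewrites two classic persistence locations: it resets AppInit_DLLs so only the AVG resident-shield DLL remains, and it puts the LSA "Notification Packages" value back to the Windows default, written in .reg `hex(7):` (REG_MULTI_SZ) form. The script below is an added example, not code from ComboFix, DDS or the helper's post: it decodes and re-encodes that `hex(7):` value so the bytes can be checked against what they are supposed to say, parses the `Registry::` block into (key, name, value) entries, and flags any DLL in the two DDS lines from post #4 that is not on an allow-list. The sample text is constructed from the lines in this thread; the function names and the allow-lists (`EXPECTED_APPINIT`, `EXPECTED_LSA_PACKAGES`) are this example's own assumptions for this machine.

```python
"""Decode the REG_MULTI_SZ value in a CFScript 'Registry::' block and review
the AppInit_DLLs / LSA Notification Packages lines of a DDS log.

Added example; sample input is constructed from the thread, allow-lists are assumed.
"""
import re

# Constructed sample: the Registry:: section of the CFScript in post #5.
CFSCRIPT_REGISTRY = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="c:\windows\system32\avgrsstx.dll"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
'''

# Constructed sample: the two DDS "Pseudo HJT Report" lines from post #4.
DDS_LINES = [
    r"AppInit_DLLs: c:\windows\system32\kesekepe.dll,avgrsstx.dll",
    r"LSA: Notification Packages = scecli c:\windows\system32\kesekepe.dll",
]

# Assumed allow-lists: the AVG DLL the helper deliberately keeps in AppInit_DLLs,
# and the only LSA notification package Windows XP ships with by default.
EXPECTED_APPINIT = {"avgrsstx.dll"}
EXPECTED_LSA_PACKAGES = {"scecli"}


def decode_multi_sz(hex_value: str) -> list[str]:
    """Turn the byte list after 'hex(7):' into the strings it encodes.

    REG_MULTI_SZ is a run of NUL-terminated strings closed by one extra NUL;
    .reg files list each byte in hex, comma separated (ANSI bytes here)."""
    raw = bytes(int(b, 16) for b in hex_value.split(",") if b.strip())
    # Splitting on NUL yields empty trailing pieces from the terminators; drop them.
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]


def encode_multi_sz(strings: list[str]) -> str:
    """Inverse of decode_multi_sz: build the 'hex(7):' form for a .reg file."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def parse_cfscript_registry(text: str) -> list[tuple[str, str, object]]:
    """Return (key, value_name, value) triples in script order.

    value is None for '=-' (delete the value), a str for a quoted string,
    or a list[str] for hex(7) data."""
    entries = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            key = line.strip("[]")
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or key is None:
            continue
        name, data = m.groups()
        if data == "-":
            value = None
        elif data.startswith("hex(7):"):
            value = decode_multi_sz(data[len("hex(7):"):])
        else:
            value = data.strip('"')
        entries.append((key, name, value))
    return entries


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def unexpected_persistence(dds_lines: list[str]) -> dict[str, list[str]]:
    """Flag entries in the two DDS persistence lines that are not allow-listed.

    Returns {location: [unexpected entries as written in the log]}."""
    findings: dict[str, list[str]] = {}
    for line in dds_lines:
        if line.startswith("AppInit_DLLs:"):
            dlls = [d.strip() for d in line.split(":", 1)[1].split(",") if d.strip()]
            findings["AppInit_DLLs"] = [d for d in dlls if _basename(d) not in EXPECTED_APPINIT]
        elif line.startswith("LSA: Notification Packages"):
            # Packages are listed by name without ".dll" (scecli) or as full paths.
            pkgs = line.split("=", 1)[1].split()
            findings["LSA Notification Packages"] = [
                p for p in pkgs if _basename(p).removesuffix(".dll") not in EXPECTED_LSA_PACKAGES
            ]
    return findings


if __name__ == "__main__":
    for key, name, value in parse_cfscript_registry(CFSCRIPT_REGISTRY):
        print(f"{key}\n    {name} -> {value!r}")
    print("Unexpected persistence entries:", unexpected_persistence(DDS_LINES))
```

Decoding the `hex(7):` bytes gives exactly `["scecli"]`, so the script restores the XP default rather than merely removing the foreign DLL; the review function reports `kesekepe.dll` in both locations, which is what the script targets. Both checks are also useful after the fix: rerun them on the fresh log to confirm the entries are gone.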
Old 01-04-2009, 12:32 AM   #6 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 205
OS: XP


Re: ohhh boy what a mess...

As far as system behavior, it seems to be a lot better than when the symptoms started, but I'm still finding infections every time AVG runs. I haven't run it since doing the latest steps, though. I have a lot more processes running than before also. I used to have 40-45; today I had 66 at one point when I checked them. Some of the things I do an End Process on just keep coming right back. At idle before, CPU usage used to fluctuate between 0-4%; today it was going up as high as 10%. I didn't get to see what process was doing it.


I did notice after I ran ComboFix this time that I thought I turned AVG off, but apparently I didn't, so if I need to rerun ComboFix let me know. Here's the results.

ComboFix 09-01-02.01 - Mike 2009-01-03 23:25:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.620 [GMT -6:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point

FILE ::
c:\documents and settings\mike\w.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\mike\w.exe
c:\windows\system32\usamosib.ini

.
((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
.

2008-12-29 10:23 . 2008-12-30 13:07 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-29 10:04 . 2009-01-02 09:24 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-29 10:04 . 2008-12-29 10:04 <DIR> d-------- c:\program files\AVG
2008-12-29 10:04 . 2008-12-29 11:14 <DIR> d-------- c:\documents and settings\Mike\Application Data\AVGTOOLBAR
2008-12-29 10:04 . 2008-12-29 10:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-29 10:04 . 2008-12-29 10:04 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-29 10:04 . 2008-12-29 10:04 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-29 10:04 . 2008-12-29 10:04 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-11 14:37 . 2008-12-11 14:37 42,320 --a------ c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 01:20 137,688 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-03 15:46 --------- d-----w c:\documents and settings\Mike\Application Data\Xfire
2008-12-29 17:00 --------- d-----w c:\program files\DIGStream
2008-12-29 13:53 --------- d-----w c:\program files\RGB
2008-12-27 20:49 --------- d-----w c:\program files\Call of Duty Game of the Year Edition
2008-12-17 09:31 --------- d-s---w c:\program files\Xfire
2008-12-12 02:10 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 23:17 --------- d--h--w c:\documents and settings\Mike\Application Data\Move Networks
2008-12-06 17:04 --------- d-----w c:\program files\Dl_cats
2008-11-20 07:29 --------- d-----w c:\program files\Guild Wars
2008-11-08 14:32 --------- d-----w c:\documents and settings\Mike\Application Data\uTorrent
2008-11-08 03:22 --------- d-----w c:\program files\uTorrent
2008-10-28 22:45 22,328 -c--a-w c:\documents and settings\Mike\Application Data\PnkBstrK.sys
2008-03-04 19:26 47,360 -c--a-w c:\documents and settings\Mike\Application Data\pcouffin.sys
2006-11-25 01:44 92,064 -c--a-w c:\documents and settings\Mike\mqdmmdm.sys
2006-11-25 01:44 9,232 -c--a-w c:\documents and settings\Mike\mqdmmdfl.sys
2006-11-25 01:44 79,328 -c--a-w c:\documents and settings\Mike\mqdmserd.sys
2006-11-25 01:44 66,656 -c--a-w c:\documents and settings\Mike\mqdmbus.sys
2006-11-25 01:44 6,208 -c--a-w c:\documents and settings\Mike\mqdmcmnt.sys
2006-11-25 01:44 5,936 -c--a-w c:\documents and settings\Mike\mqdmwhnt.sys
2006-11-25 01:44 4,048 -c--a-w c:\documents and settings\Mike\mqdmcr.sys
2006-11-25 01:44 25,600 -c--a-w c:\documents and settings\Mike\usbsermptxp.sys
2006-11-25 01:44 22,768 -c--a-w c:\documents and settings\Mike\usbsermpt.sys
2006-12-22 20:07 56 --sh--r c:\windows\system32\14CE148FAD.sys
2006-12-22 20:07 6,580 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-09-24 01:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092320080924\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-28_20.28.18.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-03 16:48:18 26,952 ----a-w c:\windows\system32\drivers\avgmfx86.sys
+ 2008-12-29 16:04:51 26,824 ----a-w c:\windows\system32\drivers\avgmfx86.sys
- 2008-11-02 14:19:32 65,044 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-30 01:24:13 65,044 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-02 14:19:32 410,574 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-30 01:24:13 410,574 ----a-w c:\windows\system32\perfh009.dat
- 2008-10-28 22:45:18 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
+ 2008-12-31 19:41:40 70,968 ----a-w c:\windows\system32\PnkBstrA.exe
- 2008-12-21 17:08:43 202,040 ----a-w c:\windows\system32\PnkBstrB.exe
+ 2009-01-04 01:20:31 202,040 ----a-w c:\windows\system32\PnkBstrB.exe
- 2008-09-07 17:36:46 795,708 ----a-w c:\windows\system32\Restore\rstrlog.dat
+ 2008-12-30 02:21:25 206,684 ----a-w c:\windows\system32\Restore\rstrlog.dat
+ 2006-12-02 04:56:00 96,256 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-02 04:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 04:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 04:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-02 06:25:52 1,101,824 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-02 06:25:56 1,093,120 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 06:25:58 69,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-02 06:26:00 57,856 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-02 06:08:00 40,960 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-02 06:08:00 45,056 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-02 06:08:00 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-02 06:08:00 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-02 06:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-02 06:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 06:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-02 06:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-02 06:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-02 06:46:44 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-26 68856]
"WindowsLivePhone"="c:\progra~1\MSNMES~1\DEVICE~1\msgrdvmn.exe" [2006-12-04 709440]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Itiva Media Accelerator"="c:\program files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe" [2008-06-04 4994288]
"LifeChat"="c:\program files\Microsoft LifeChat\LifeChat.exe" [2007-01-26 259440]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-08 7110656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-02-01 98304]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 8192]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"WatchDog"="c:\program files\mobile PhoneTools\WatchDog.exe" [2004-08-14 36864]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-29 1261336]
"PMX Daemon"="ICO.EXE" [2006-06-09 c:\windows\system32\ico.exe]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 18:23 102400 c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--------- 2005-09-15 09:47 57344 c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlccmon.exe]
--a------ 2005-07-22 07:03 425984 c:\program files\Dell Photo AIO Printer 924\dlccmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 14:01 67584 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2005-06-17 07:56 139264 c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-11 15:30 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 15:30 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Itiva Media Accelerator]
--a------ 2008-06-04 17:09 4994288 c:\program files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeChat]
--a------ 2007-01-26 13:31 259440 c:\program files\Microsoft LifeChat\LifeChat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2005-09-08 19:20 8192 c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\progra~1\MSNMES~1\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-07-08 23:57 7110656 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-02-01 08:12 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-12-26 21:20 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 09:18 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
--------- 2005-09-19 07:42 1159168 c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
--------- 2004-08-14 03:42 36864 c:\program files\mobile PhoneTools\WatchDog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsLivePhone]
--a------ 2006-12-04 09:33 709440 c:\progra~1\MSNMES~1\DEVICE~1\msgrdvmn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
--a------ 2005-05-19 11:54 1345520 c:\windows\system32\CTMBHA.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]
--a------ 2006-06-09 12:47 47104 c:\windows\system32\ico.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
--a------ 2004-12-22 19:40 24576 c:\windows\MIDIDEF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-03-22 04:20 339968 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"gusvc"=3 (0x3)
"DSBrokerService"=3 (0x3)
"dlcc_device"=3 (0x3)
"Creative Service for CDROM Access"=3 (0x3)
"Creative Labs Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Itiva\\Itiva Media Accelerator\\ItivaMediaAccelerator.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War Beta\\CoDWaWbeta.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\girls\\Application Data\\MySpace\\IM\\bin\\MySpaceIM.exe"=
"c:\\Program Files\\Intel\\Intel Matrix Storage Manager\\IAANTMon.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-29 97928]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-29 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-29 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-29 76040]
S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys [2008-07-01 49377]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-07-01 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-08-11 7680]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{e6019b4f-64ce-431a-9653-e49d7e55a352} - c:\windows\system32\konazuki.dll
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_09\bin\jusched.exe
MSConfigStartUp-gokebiwazi - c:\windows\system32\hakurevi.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://cadiz.mchsionline.net/community/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79}
Trusted Zone: *.doghq.net
Trusted Zone: online.musicmatch.com

c:\windows\system32\atl.dll - O16 -: {7F8C8173-AD80-4807-AA75-5672F22B4582}
hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37710.cab
c:\windows\Downloaded Program Files\ICSScanner.inf

c:\windows\Downloaded Program Files\zylomgamesplayer.dll - O16 -: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B}
hxxp://game10.zylom.com/activex/zylomgamesplayer.cab
c:\windows\Downloaded Program Files\ZylomGamesPlayer.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 23:33:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1201178194-1903250476-2578488386-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\0]
@DACL=(02 0000)
@SACL=
"ViewView2"=hex:1c,00,00,00,06,00,00,00,00,00,00,00,00,00,96,00,00,00,00,00,01,\
00,00,00,ff,ff,ff,ff,f0,f0,f0,f0,14,00,03,00,96,00,00,00,00,00,00,00,30,00,\
00,00,fd,df,df,fd,0f,00,05,00,24,00,10,00,2e,00,42,00,00,00,00,00,01,00,00,\
00,02,00,00,00,03,00,00,00,04,00,00,00,b4,00,60,00,78,00,78,00,78,00,00,00,\
00,00,01,00,00,00,02,00,00,00,03,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00

[HKEY_USERS\S-1-5-21-1201178194-1903250476-2578488386-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\1]
@DACL=(02 0000)
@SACL=
"ViewView2"=hex:1c,00,00,00,06,00,00,00,00,00,02,00,00,00,9c,00,00,00,00,00,01,\
00,00,00,ff,ff,ff,ff,f0,f0,f0,f0,14,00,03,00,9c,00,00,00,00,00,00,00,30,00,\
00,00,fd,df,df,fd,0f,00,06,00,28,00,10,00,34,00,48,00,00,00,00,00,01,00,00,\
00,02,00,00,00,03,00,00,00,04,00,00,00,05,00,00,00,b4,00,60,00,78,00,78,00,\
b4,00,b4,00,00,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00,ff,ff,ff,ff,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-1201178194-1903250476-2578488386-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\2]
@DACL=(02 0000)
@SACL=
"ViewView2"=hex:1c,00,00,00,06,00,00,00,00,00,00,00,00,00,64,00,00,00,00,00,01,\
00,00,00,ff,ff,ff,ff,f0,f0,f0,f0,14,00,03,00,64,00,00,00,00,00,00,00,30,00,\
00,00,fd,df,df,fd,0f,00,00,00,00,00,00,00,00,00,10,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00

[HKEY_USERS\S-1-5-21-1201178194-1903250476-2578488386-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\3]
@DACL=(02 0000)
@SACL=
"ViewView2"=hex:1c,00,00,00,06,00,00,00,00,00,00,00,00,00,90,00,00,00,00,00,01,\
00,00,00,ff,ff,ff,ff,f0,f0,f0,f0,14,00,03,00,90,00,00,00,00,00,00,00,30,00,\
00,00,fd,df,df,fd,0f,00,04,00,20,00,10,00,28,00,3c,00,00,00,00,00,01,00,00,\
00,02,00,00,00,03,00,00,00,b4,00,60,00,78,00,78,00,00,00,00,00,01,00,00,00,\
02,00,00,00,03,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-1201178194-1903250476-2578488386-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop]
@DACL=(02 0000)
@SACL=
"Toolbars"=hex:11,00,00,00,00,00,00,00
"TaskbarWinXP"=hex:0c,00,00,00,08,00,00,00,01,00,00,00,00,00,00,00,aa,4f,28,68,\
48,6a,d0,11,8c,78,00,c0,4f,d9,18,b4,eb,02,00,00,e0,0c,00,00,00,00,00,00,1e,\
00,00,00,00,00,00,00,00,00,00,00,1e,00,00,00,00,00,00,00,01,00,00,00
"Upgrade"=dword:00000001

[HKEY_USERS\S-1-5-21-1201178194-1903250476-2578488386-1005\Software\Microsoft\Windows\Shell\Bags\1]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\INTEL\PROSetWired\NCS\PROSet\SupportTabKey]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\INTEL\PROSetWired\NCS\SyncLayer\8023Adapters]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\INTEL\PROSetWired\NCS\WMI]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IEHomePageInfo\RegBackup]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\Start Page]
@DACL=(02 0000)
"Home_Page"="http://www.dell.com"
"Help_Page"="http://support.dell.com"

[HKEY_LOCAL_MACHINE\software\Microsoft\Java VM\System Properties]
@DACL=(02 0000)
"http.agent"="Java 1.1"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Player\Schemes]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\services]
@DACL=(02 0000)
@SACL=
"NoServices"=dword:00000000
"ServiceExtra"="Partner=Dell&MachineID=BKSTC91\00\00????i\00Ÿ'?\06\00'??\1d\00?'\00'\00\00?\06??\06??K\00?\06??\00'??\00'?'\00\00\00\00\00\00? \00???Ÿ'\00'\00\00\00'?\06???\06?\01\04\00?\06???\06??????????\00'\00\00??????\06\00'??\03\00?'\00'??\06???\06??????????????\0e\00???\06?\06\00\00?????'\00'??\06?\06?\06??\08\00??????Ÿ'???????????Ÿ'??????\06\00'Ÿ'?\06\01\00???'?\06???'????'???K"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Subscriptions]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\UIPlugins\{EC9B8ACF-09C1-4C7B-A6BA-F5CBC478CA71}]
@DACL=(02 0000)
"FriendlyName"="res://MMRadioWMPPlugin.dll/RT_STRING/#102"
"Description"="res://MMRadioWMPPlugin.dll/RT_STRING/#103"
"Capabilities"=dword:c2000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{077ACEC7-979C-40AB-9835-435BA1511E0D}]
@DACL=(02 0000)
@SACL=
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{077ACEC7-979C-40AB-9835-435BA1511E0D}"
"Version"=dword:000a0000
"Sub-Version"=dword:000010ec
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{077ACEC7-979C-40AB-9835-435BA1511E0D}\\MPPRE10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{077ACEC7-979C-40AB-9835-435BA1511E0D}\\mppre10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{30C7234B-6482-4A55-A11D-ECD9030313F2}]
@DACL=(02 0000)
@SACL=
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{30C7234B-6482-4A55-A11D-ECD9030313F2}"
"Version"=dword:000a0000
"Sub-Version"=dword:000010ec
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{30C7234B-6482-4A55-A11D-ECD9030313F2}\\WMDM10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{30C7234B-6482-4A55-A11D-ECD9030313F2}\\wmdm10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{60204BB3-7078-4F70-8F69-68297621941C}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{60204BB3-7078-4F70-8F69-68297621941C}"
"Version"=dword:000a0000
"Sub-Version"=dword:00000e3e
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{60204BB3-7078-4F70-8F69-68297621941C}\\MPSTUB10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{60204BB3-7078-4F70-8F69-68297621941C}\\mpstub10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{981FB688-E76B-4246-987B-92083185B90A}]
@DACL=(02 0000)
@SACL=
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{981FB688-E76B-4246-987B-92083185B90A}"
"Version"=dword:000a0000
"Sub-Version"=dword:0000108c
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{981FB688-E76B-4246-987B-92083185B90A}\\WPD10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{981FB688-E76B-4246-987B-92083185B90A}\\wpd10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{A47B3654-48EE-48A5-B629-97D70175E58F}]
@DACL=(02 0000)
@SACL=
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{A47B3654-48EE-48A5-B629-97D70175E58F}"
"Version"=dword:000a0000
"Sub-Version"=dword:000010ec
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{A47B3654-48EE-48A5-B629-97D70175E58F}\\codecs10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{A47B3654-48EE-48A5-B629-97D70175E58F}\\codecs10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}]
@DACL=(02 0000)
@SACL=
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}"
"Version"=dword:000a0000
"Sub-Version"=dword:000010ec
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\\WMFSDK10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\\wmfsdk10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}]
@DACL=(02 0000)
@SACL=
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}"
"Version"=dword:000a0000
"Sub-Version"=dword:000010ec
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\\DRM10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\\drm10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}"
"Version"=dword:000a0000
"Sub-Version"=dword:00000e3e
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}\\MPCD10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}\\mpcd10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\SwFlash]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Sonic\CineMaster DS DVD\2.5\AdvAudioDecoder\Dell DMX]
@DACL=(02 0000)
"OutputMode"=dword:00000002
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Sonic\CineMaster DS DVD\2.5\AdvAudioDecoder\DolbyHph]
@DACL=(02 0000)
"RoomMod"=dword:00000000
"Enabled"=dword:00000000
"EnableLFE"=dword:00000000
"srcFourChan"=dword:00000000
"srcSixChan"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Sonic\CineMaster DS DVD\2.5\AdvAudioDecoder\FourSpeaker]
@DACL=(02 0000)
"CompressionMode"=dword:00000000
"EnableLFE"=dword:00000000
"HDR"=dword:00000000
"LDR"=dword:00000000
"DialogNorm"=dword:00000000
"SurroundCompat"=dword:00000000
"channMAP"=dword:00000000
"LPCMcomprMode"=dword:00000000
"MPEGcomprMode"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Sonic\CineMaster DS DVD\2.5\AdvAudioDecoder\SixSpeaker]
@DACL=(02 0000)
"CompressionMode"=dword:00000000
"EnableLFE"=dword:00000000
"HDR"=dword:00000000
"LDR"=dword:00000000
"DialogNorm"=dword:00000000
"SurroundCompat"=dword:00000000
"channMAP"=dword:00000000
"LPCMcomprMode"=dword:00000000
"MPEGcomprMode"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Sonic\CineMaster DS DVD\2.5\AdvAudioDecoder\Tweaks]
@DACL=(02 0000)
"dwControl A"=dword:00000000
"dwControl B"=dword:00000000
"dwControl C"=dword:00000000
"dwControl D"=dword:00000000
"bControl E"=dword:00000130

[HKEY_LOCAL_MACHINE\software\Sonic\CineMaster DS DVD\2.5\AdvAudioDecoder\TwoSpeaker]
@DACL=(02 0000)
"CompressionMode"=dword:00000000
"EnableLFE"=dword:00000000
"HDR"=dword:00000000
"LDR"=dword:00000000
"DialogNorm"=dword:00000000
"SurroundCompat"=dword:00000000
"channMAP"=dword:00000000
"LPCMcomprMode"=dword:00000000
"MPEGcomprMode"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Sonic\CineMaster DS DVD\2.5\AdvAudioDecoder\Windows Media Player]
@DACL=(02 0000)
"OutputMode"=dword:00000000
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Sonic\CineMaster DS DVD\2.5\AdvAudioDecoder\Windows XP MCE]
@DACL=(02 0000)
"OutputMode"=dword:00000000
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Symantec\CCPD-LC]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Symantec\InstalledApps]
@DACL=(02 0000)
"AVENGEDEFS"="c:\\PROGRA~1\\COMMON~1\\SYMANT~1\\VIRUSD~1"

[HKEY_LOCAL_MACHINE\software\Symantec\Shared Technology]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Symantec\SharedDefs]
@DACL=(02 0000)
"QuarantineItem"="c:\\PROGRA~1\\COMMON~1\\SYMANT~1\\VIRUSD~1\\20060410.007"

[HKEY_LOCAL_MACHINE\software\Symantec\SharedUsage]
@DACL=(02 0000)
"LiveUpdate"="c:\\Program Files\\Symantec\\LiveUpdate"
"LiveUpdate1"="c:\\Program Files\\Symantec\\LiveUpdate"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\nHancer\nHancerService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\program files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2009-01-03 23:35:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-04 05:35:26
ComboFix2.txt 2008-12-29 02:28:49

Pre-Run: 95,953,088,512 bytes free
Post-Run: 96,124,211,200 bytes free

515 --- E O F --- 2008-12-18 03:51:15

----------------------------------------------------------------------------
Here are the Kaspersky results.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, January 4, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, January 04, 2009 04:15:25
Records in database: 1557120
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 68450
Threat name: 5
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 01:30:13


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\14EC0E88.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.av 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\25A33596.exe Infected: not-a-virus:FraudTool.Win32.WinAnti 1
C:\Documents and Settings\Mike\Desktop\Unused Desktop Shortcuts\mirc631.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys2\WebSys.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Qoobox\Quarantine\C\Documents and Settings\Mike\w.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.cvk 1

The selected area was scanned.



Thanks for the ongoing help. Let me know what you need next.

Thanks again.

Bud.
BUDFAN8 is offline  
Old 01-04-2009, 04:20 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,030
OS: WinXP and Vista


Re: ohhh boy what a mess...

Hello Bud.


Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00

REGLOCK::
[HKEY_USERS\S-1-5-21-1201178194-1903250476-2578488386-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams]
[HKEY_USERS\S-1-5-21-1201178194-1903250476-2578488386-1005\Software\Microsoft\Windows\Shell\Bags\1]
[HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings]
[HKEY_LOCAL_MACHINE\software\INTEL\PROSetWired\NCS]
[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IEHomePageInfo\RegBackup]
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\Start Page]
[HKEY_LOCAL_MACHINE\software\Microsoft\Java VM\System Properties]
[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup]
[HKEY_LOCAL_MACHINE\software\Sonic\CineMaster DS DVD\2.5\AdvAudioDecoder]
[HKEY_LOCAL_MACHINE\software\Symantec]

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe


Post the log in your next reply, along with an update on system behavior.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
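The Registry:: block in the CFScript above rewrites BootExecute, a REG_MULTI_SZ that Windows runs at boot before any user session starts, which is why helpers check it. As an added example (not part of the thread, ComboFix or any other tool named here), this Python decodes the hex(7) line from that script and verifies it is the stock Windows XP value `autocheck autochk *`; the sample text is the script's own Registry:: block, and all function names and the tampered variant in the comments are mine.

```python
"""Decode a REG_MULTI_SZ ("hex(7)") BootExecute value from a CFScript/.reg
fragment and check it against the Windows XP default.

Added example for the forum thread; not ComboFix's own code.
"""
import re
from typing import Dict, List

# Stock BootExecute on Windows XP: run autochk (boot-time chkdsk) on all volumes.
# Anything appended to this list runs with SYSTEM rights before logon.
DEFAULT_BOOT_EXECUTE = ["autocheck autochk *"]

# Sample input: the Registry:: block from the CFScript above, in the REGEDIT4
# style ComboFix writes (one byte per character, NUL-separated, double NUL at end).
SAMPLE_SCRIPT = r"""Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
"""


def join_continuations(text: str) -> List[str]:
    """Join .reg lines wrapped with a trailing backslash back into one line."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def decode_multi_sz(hex_payload: str, utf16: bool = False) -> List[str]:
    """Turn 'aa,bb,cc,...' into the list of strings the REG_MULTI_SZ holds.

    REGEDIT4 exports store one byte per character; "Windows Registry Editor
    Version 5.00" exports are UTF-16LE. The trailing empty strings from the
    terminating NULs are dropped.
    """
    parts = [p for p in hex_payload.split(",") if p]
    data = bytes(int(p, 16) for p in parts)
    text = data.decode("utf-16-le" if utf16 else "latin-1")
    return [s for s in text.split("\x00") if s]


def parse_reg_values(text: str) -> Dict[str, Dict[str, object]]:
    """Walk the [key] / "name"=hex(7):... structure; only hex(7) values are decoded."""
    utf16 = text.lstrip().startswith("Windows Registry Editor Version 5.00")
    result: Dict[str, Dict[str, object]] = {}
    key = None
    for line in join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
            continue
        m = re.match(r'"([^"]+)"=hex\(7\):(.*)$', line)
        if m and key is not None:
            result[key][m.group(1)] = decode_multi_sz(m.group(2), utf16)
    return result


def boot_execute_is_default(text: str) -> bool:
    """True only when the Session Manager key's BootExecute is exactly the stock value."""
    for key, entries in parse_reg_values(text).items():
        if key.lower().endswith(r"control\session manager"):
            return entries.get("BootExecute") == DEFAULT_BOOT_EXECUTE
    return False


if __name__ == "__main__":
    print(parse_reg_values(SAMPLE_SCRIPT))
    print("BootExecute is default:", boot_execute_is_default(SAMPLE_SCRIPT))
```

The same decoder reads any hex(7) value a helper asks for in a log, so it also shows what an extra entry in BootExecute would look like once decoded.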
Old 01-04-2009, 08:17 PM   #8 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 205
OS: XP


Re: ohhh boy what a mess...

Task Manager looks good now, processes in the 40s. Computer acting normal for now; I'll let you know if there are any changes.




Latest ComboFix report:

ComboFix 09-01-02.01 - Mike 2009-01-04 21:04:59.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.663 [GMT -6:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2008-12-29 10:23 . 2008-12-30 13:07 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-29 10:04 . 2009-01-04 17:08 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-29 10:04 . 2008-12-29 10:04 <DIR> d-------- c:\program files\AVG
2008-12-29 10:04 . 2008-12-29 11:14 <DIR> d-------- c:\documents and settings\Mike\Application Data\AVGTOOLBAR
2008-12-29 10:04 . 2008-12-29 10:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-29 10:04 . 2008-12-29 10:04 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-29 10:04 . 2008-12-29 10:04 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-29 10:04 . 2008-12-29 10:04 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-11 14:37 . 2008-12-11 14:37 42,320 --a------ c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 18:11 --------- d-----w c:\documents and settings\Mike\Application Data\Xfire
2009-01-04 01:20 202,040 ----a-w c:\windows\system32\PnkBstrB.exe
2009-01-04 01:20 137,688 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-31 19:41 70,968 ----a-w c:\windows\system32\PnkBstrA.exe
2008-12-29 17:00 --------- d-----w c:\program files\DIGStream
2008-12-29 13:53 --------- d-----w c:\program files\RGB
2008-12-27 20:49 --------- d-----w c:\program files\Call of Duty Game of the Year Edition
2008-12-17 09:31 --------- d-s---w c:\program files\Xfire
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-12 02:10 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 23:17 --------- d--h--w c:\documents and settings\Mike\Application Data\Move Networks
2008-12-06 17:04 --------- d-----w c:\program files\Dl_cats
2008-11-20 07:29 --------- d-----w c:\program files\Guild Wars
2008-11-08 14:32 --------- d-----w c:\documents and settings\Mike\Application Data\uTorrent
2008-11-08 03:22 --------- d-----w c:\program files\uTorrent
2008-10-28 22:45 682,280 ----a-w c:\windows\system32\pbsvc.exe
2008-10-28 22:45 22,328 -c--a-w c:\documents and settings\Mike\Application Data\PnkBstrK.sys
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-03-04 19:26 47,360 -c--a-w c:\documents and settings\Mike\Application Data\pcouffin.sys
2006-11-25 01:44 92,064 -c--a-w c:\documents and settings\Mike\mqdmmdm.sys
2006-11-25 01:44 9,232 -c--a-w c:\documents and settings\Mike\mqdmmdfl.sys
2006-11-25 01:44 79,328 -c--a-w c:\documents and settings\Mike\mqdmserd.sys
2006-11-25 01:44 66,656 -c--a-w c:\documents and settings\Mike\mqdmbus.sys
2006-11-25 01:44 6,208 -c--a-w c:\documents and settings\Mike\mqdmcmnt.sys
2006-11-25 01:44 5,936 -c--a-w c:\documents and settings\Mike\mqdmwhnt.sys
2006-11-25 01:44 4,048 -c--a-w c:\documents and settings\Mike\mqdmcr.sys
2006-11-25 01:44 25,600 -c--a-w c:\documents and settings\Mike\usbsermptxp.sys
2006-11-25 01:44 22,768 -c--a-w c:\documents and settings\Mike\usbsermpt.sys
2006-12-22 20:07 56 --sh--r c:\windows\system32\14CE148FAD.sys
2006-12-22 20:07 6,580 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-09-24 01:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092320080924\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-26 68856]
"WindowsLivePhone"="c:\progra~1\MSNMES~1\DEVICE~1\msgrdvmn.exe" [2006-12-04 709440]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Itiva Media Accelerator"="c:\program files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe" [2008-06-04 4994288]
"LifeChat"="c:\program files\Microsoft LifeChat\LifeChat.exe" [2007-01-26 259440]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-08 7110656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-02-01 98304]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 8192]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"WatchDog"="c:\program files\mobile PhoneTools\WatchDog.exe" [2004-08-14 36864]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-29 1261336]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [BU]
"PMX Daemon"="ICO.EXE" [2006-06-09 c:\windows\system32\ico.exe]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 18:23 102400 c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--------- 2005-09-15 09:47 57344 c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlccmon.exe]
--a------ 2005-07-22 07:03 425984 c:\program files\Dell Photo AIO Printer 924\dlccmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 14:01 67584 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2005-06-17 07:56 139264 c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-11 15:30 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 15:30 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Itiva Media Accelerator]
--a------ 2008-06-04 17:09 4994288 c:\program files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeChat]
--a------ 2007-01-26 13:31 259440 c:\program files\Microsoft LifeChat\LifeChat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2005-09-08 19:20 8192 c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\progra~1\MSNMES~1\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-07-08 23:57 7110656 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-02-01 08:12 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-12-26 21:20 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 09:18 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
--------- 2005-09-19 07:42 1159168 c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
--------- 2004-08-14 03:42 36864 c:\program files\mobile PhoneTools\WatchDog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsLivePhone]
--a------ 2006-12-04 09:33 709440 c:\progra~1\MSNMES~1\DEVICE~1\msgrdvmn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
--a------ 2005-05-19 11:54 1345520 c:\windows\system32\CTMBHA.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]
--a------ 2006-06-09 12:47 47104 c:\windows\system32\ico.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
--a------ 2004-12-22 19:40 24576 c:\windows\MIDIDEF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-03-22 04:20 339968 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"gusvc"=3 (0x3)
"DSBrokerService"=3 (0x3)
"dlcc_device"=3 (0x3)
"Creative Service for CDROM Access"=3 (0x3)
"Creative Labs Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Itiva\\Itiva Media Accelerator\\ItivaMediaAccelerator.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War Beta\\CoDWaWbeta.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\girls\\Application Data\\MySpace\\IM\\bin\\MySpaceIM.exe"=
"c:\\Program Files\\Intel\\Intel Matrix Storage Manager\\IAANTMon.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-29 97928]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-29 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-29 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-29 76040]
S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys [2008-07-01 49377]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-07-01 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-08-11 7680]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cadiz.mchsionline.net/community/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79}
Trusted Zone: *.doghq.net
Trusted Zone: online.musicmatch.com

c:\windows\system32\atl.dll - O16 -: {7F8C8173-AD80-4807-AA75-5672F22B4582}
hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37710.cab
c:\windows\Downloaded Program Files\ICSScanner.inf

c:\windows\Downloaded Program Files\zylomgamesplayer.dll - O16 -: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B}
hxxp://game10.zylom.com/activex/zylomgamesplayer.cab
c:\windows\Downloaded Program Files\ZylomGamesPlayer.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 21:05:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-04 2146
ComboFix-quarantined-files.txt 2009-01-05 0318
ComboFix2.txt 2009-01-05 03:00:49
ComboFix3.txt 2009-01-04 05:35:32
ComboFix4.txt 2008-12-29 02:28:49

Pre-Run: 96,070,729,728 bytes free
Post-Run: 96,053,911,552 bytes free

252 --- E O F --- 2008-12-18 03:51:15


Don't know what that stuff says. Let me know if there are any other things I need to do.

You have been a lot of help, I do appreciate it a lot. Thanks.


Bud.
BUDFAN8 is offline  
Old 01-04-2009, 09:37 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,030
OS: WinXP and Vista


Re: ohhh boy what a mess...

Everything looks good now. Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and, based on their findings, rate them as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 01-05-2009, 10:15 AM   #10 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 205
OS: XP


Re: ohhh boy what a mess...

I have done 2 AVG scans, both producing nothing more than tracking cookies. Thanks a lot for the help, and I will look into the programs in the above post.

Computer is working great. I think this one can be marked resolved.


Thanks again.

Bud.
BUDFAN8 is offline  
Old 01-05-2009, 03:36 PM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,030
OS: WinXP and Vista


Re: ohhh boy what a mess...

That's good to hear.

Take care and surf safely, Bud.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
 


Copyright 2001 - 2009, Tech Support Forum