Karl's PC Help Forums

XPshields_malicious_codes
blue11 - 21-7-2008 at 00:07

Hi, I would like to have a post for help with computers w/ related problems. It seems invisible or encrypted files are being hidden from Lavasoft Ad-Aware, SpyHunter, and personal
anti-spy scan operations. I have saved a Notepad doc
reporting problems that HijackThis detected.
Hope you can help.
---L
---HJT--->
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:54:04 PM, on 7/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\SPA\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\SPA\snac.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Symantec\SPA\SmcGui.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070824
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=66008
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66008
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66008
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66008
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66008
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070824
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [e052f4a8] rundll32.exe "C:\WINDOWS\system32\eokligmf.dll",b
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2D951DA-6CA3-4F54-9131-ADECA2422C35}: NameServer = 71.242.0.12,71.250.0.12
O18 - Protocol: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx (file missing)
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx (file missing)
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Protection Agent 5.1 (SmcService) - Symantec Corporation - C:\Program Files\Symantec\SPA\smc.exe
O23 - Service: Symantec NAC Service (SNAC) - Symantec Corporation - C:\Program Files\Symantec\SPA\snac.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - file:///C:/dell/E-Center/images/dell_logo.gif
O24 - Desktop Component 1: (no name) - file:///C:/dell/E-Center/images/header_bg.gif
O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/LEEPAY~1/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.jpg

--
End of file - 9867 bytes
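
As an added example (not part of this thread and not a HijackThis feature), the Python script below applies to lines copied from the log above a few of the checks a helper otherwise does by eye: a Run value whose name is eight hex digits, rundll32 calling a DLL through a one-letter export (the [e052f4a8] entry, which ComboFix later lists under "ORPHANS REMOVED"), search settings pointing at a host that is not the expected default, and O18 protocol or filter registrations whose backing file is gone. The allowlist of hosts and the severity labels are assumptions of the example; two clean entries are included so the checks can be seen staying quiet.

```python
import re
from urllib.parse import urlparse

# Lines copied from the HijackThis log posted above; the clean DLCXCATS,
# IntelliPoint and ctfmon entries are included as negative cases.
HJT_LINES = [
    r'R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66008',
    r'R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157',
    r'O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16',
    r'O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"',
    r'O4 - HKLM\..\Run: [e052f4a8] rundll32.exe "C:\WINDOWS\system32\eokligmf.dll",b',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O18 - Protocol: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx (file missing)',
    r'O18 - Filter hijack: text/html - (no CLSID) - (no file)',
]

# Assumption: the hosts this operator accepts as search/start-page targets.
KNOWN_SEARCH_HOSTS = {"www.google.com", "go.microsoft.com"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<entry>\S+)', re.I)
R_RE = re.compile(r"^R[01] - [^,]+,(?P<setting>[^=]+?) = (?P<value>.*)$")
O18_RE = re.compile(r"^O18 - (?P<kind>Protocol|Filter hijack): (?P<rest>.*)$")


def triage_line(line):
    """Return (severity, reason) findings for a single HijackThis line."""
    findings = []
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        if re.fullmatch(r"[0-9a-f]{8}", name):
            findings.append(("high", f"Run value name {name!r} is eight hex digits, typical of an auto-generated loader entry"))
        r = RUNDLL_RE.search(cmd)
        if r and len(r.group("entry")) <= 2:
            findings.append(("high", f"rundll32 loads {r.group('dll')} through export {r.group('entry')!r}; genuine entry points are rarely one letter"))
    m = R_RE.match(line)
    if m:
        host = urlparse(m.group("value").strip()).hostname
        if host and host not in KNOWN_SEARCH_HOSTS:
            findings.append(("medium", f"{m.group('setting').strip()} is redirected to {host}"))
    m = O18_RE.match(line)
    if m and ("(file missing)" in m.group("rest") or "(no file)" in m.group("rest")):
        findings.append(("medium", f"{m.group('kind')} registration with no backing file: {m.group('rest')}"))
    return findings


def triage(lines):
    """Map each flagged log line to its findings; clean lines are left out."""
    report = {}
    for line in lines:
        findings = triage_line(line)
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for line, findings in triage(HJT_LINES).items():
        print(line)
        for severity, reason in findings:
            print(f"  [{severity}] {reason}")
```

The hex-name and one-letter-export heuristics are deliberately narrow so that a legitimate vendor entry such as DLCXtime.dll with its `_RunDLLEntry@16` export does not trip them; a Start Page of `google.com/` without a scheme yields no hostname and is skipped rather than flagged.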


Pancake - 21-7-2008 at 00:18

OK. Let's download ComboFix.exe. This will give me a better view of the files running and hidden on your computer, and of those in the registry. Please visit this webpage for downloading and instructions for running the tool:

Go here ======> http://www.bleepingcomputer.com/combofix/how-to-use-combofix A guide and tutorial on using ComboFix <====== Go here

Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed, you will need to use SP2.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.

NOTE: ComboFix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know.


blue11 - 21-7-2008 at 00:41

ComboFix 08-07-20.5 - Lee Payton 2008-07-20 20:28:28.1 - NTFSx86
Running from: C:\Documents and Settings\Lee Payton\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMe361c734.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\awtsQJYO.dll
C:\WINDOWS\system32\efcDSJCU.dll
C:\WINDOWS\system32\ejbwoi.dll
C:\WINDOWS\system32\ejqukdst.dll
C:\WINDOWS\system32\fccYRhGy.dll
C:\WINDOWS\system32\fmgilkoe.ini
C:\WINDOWS\system32\gfeoueio.ini
C:\WINDOWS\system32\iifeeDsr.dll
C:\WINDOWS\system32\jtvbxpqi.dll
C:\WINDOWS\system32\ljJDVoMg.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mwusfwxl.dll
C:\WINDOWS\system32\opnkjJay.dll
C:\WINDOWS\system32\OYJQstwa.ini
C:\WINDOWS\system32\OYJQstwa.ini2
C:\WINDOWS\system32\qsdqry.dll
C:\WINDOWS\system32\tuvWnMdd.dll
C:\WINDOWS\system32\urqOhEwx.dll
C:\WINDOWS\system32\wrmawvpq.ini
C:\WINDOWS\system32\xxywULEu.dll
C:\WINDOWS\system32\yFNoqtwa.ini
C:\WINDOWS\system32\yFNoqtwa.ini2
C:\WINDOWS\system32\yxoislqp.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.

2008-07-14 04:48 . 2008-07-14 07:27 877,719,320 --a------ C:\Program Files\after_effectsCS3.exe
2008-07-14 03:31 . 2008-07-14 03:31 <DIR> d-------- C:\Documents and Settings\Lee Payton\Application Data\Thinstall
2008-07-08 14:49 . 2008-07-08 14:49 <DIR> d-------- C:\Documents and Settings\Lee Payton\Application Data\Media Player Classic
2008-07-08 14:47 . 2008-07-08 14:47 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-07-08 14:47 . 2008-03-21 16:30 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-07-08 14:25 . 2008-07-08 14:35 <DIR> d-------- C:\Program Files\JockerSoft
2008-07-08 14:23 . 2008-07-08 14:24 456,044 --a------ C:\Documents and Settings\Lee Payton\Application Data\setup_CodecInstaller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 00:33 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-21 00:32 --------- d-----w C:\Program Files\Dl_cats
2008-07-14 17:13 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\Download Manager
2008-07-10 09:10 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\Vso
2008-07-07 04:56 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-19 21:24 28,544 ----a-w C:\WINDOWS\system32\drivers\pavboot.sys
2008-06-16 21:36 --------- d-----w C:\Program Files\VSO
2008-06-16 21:06 --------- d-----w C:\Program Files\Google
2008-06-16 18:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-06-16 18:20 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-06-16 17:57 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\CyberLink
2008-06-16 17:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-06-05 19:17 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\ppstream
2008-06-05 19:12 1,290,685 ----a-w C:\Documents and Settings\Lee Payton\pipilib.zip
2008-06-05 17:35 --------- d-----w C:\Program Files\KuGou
2008-06-05 17:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Storm
2008-06-05 17:30 --------- d-----w C:\Program Files\Common Files\Real
2008-06-05 17:30 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\Application Data
2008-06-04 00:06 --------- d-----w C:\Program Files\uTorrent
2008-06-03 17:41 --------- d-----w C:\Program Files\Zune
2008-06-03 17:32 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-06-03 17:32 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-29 23:56 61,856 ----a-w C:\WINDOWS\system32\ZuneBusEnum.exe
2008-04-29 23:56 245,664 ----a-w C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2008-04-29 23:39 70,144 ----a-w C:\WINDOWS\system32\ZuneIpTransport.dll
2008-04-29 23:39 62,464 ----a-w C:\WINDOWS\system32\ZuneUsbTransport.dll
2008-04-29 23:39 35,328 ----a-w C:\WINDOWS\system32\ZuneUsbCOnnection.dll
2008-04-29 23:39 145,408 ----a-w C:\WINDOWS\system32\ZuneMTPZ.dll
2008-04-24 02:16 3,864,576 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2006-07-20 05:42 19,153,264 ----a-w C:\Documents and Settings\Lee Payton\Application Data\aaw2008.exe
.

------- Sigcheck -------

2006-01-09 14:02 662016 dde9597a3311748c1519444e2bc147bd C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\wininet.dll
2007-02-20 05:52 665600 b258c922d22deec880b60720531d7627 C:\WINDOWS\$hf_mig$\KB931768\SP2QFE\wininet.dll
2007-06-26 10:35 665600 e1a3dd68b5380b360a7310a64d9bb188 C:\WINDOWS\$hf_mig$\KB937143\SP2QFE\wininet.dll
2007-08-22 08:55 665600 a1bc17eb3758d73c3938b2318820f5b4 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\wininet.dll
2007-10-11 01:57 666112 80d660a49e0d118144423099b2a9f5da C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\wininet.dll
2007-10-10 19:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-06 22:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 09:03 827392 6316c2f0c61271c8abdff7429174879e C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2008-04-22 23:35 827392 41546b396a526918da7995a02ea04e51 C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
2007-02-20 05:48 658944 30d1c47e40efbb792ff8d3c3b51ce507 C:\WINDOWS\$NtUninstallKB937143$\wininet.dll
2007-06-26 10:09 658944 184e47c8f7b331025e6dc92740db188f C:\WINDOWS\$NtUninstallKB939653$\wininet.dll
2007-08-22 09:12 658944 1901ad51da8be9f8b38d5d526e5d1788 C:\WINDOWS\$NtUninstallKB942615$\wininet.dll
2007-10-10 19:56 824832 30c1e0f34ad2972c72a01db5c74ab065 C:\WINDOWS\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\wininet.dll
2007-10-10 19:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:\WINDOWS\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\wininet.dll
md5deep: C:\WINDOWS\SoftwareDistribution\Download\f4bbe93413da6448b38093eb5244141e\SP2GDR\wininet.dll: No such file or directory
md5deep: C:\WINDOWS\SoftwareDistribution\Download\f4bbe93413da6448b38093eb5244141e\SP2QFE\wininet.dll: No such file or directory
2008-04-23 00:16 817152 f82dc979e1f334df0c893b3bfdeb404e C:\WINDOWS\system32\wininet.dll
2008-04-23 00:16 817152 f82dc979e1f334df0c893b3bfdeb404e C:\WINDOWS\system32\dllcache\wininet.dll

2007-06-13 06:23 975360 9784e0719124e4a23989aef9e7ca02d6 C:\WINDOWS\explorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 06:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 06:23 975360 9784e0719124e4a23989aef9e7ca02d6 C:\WINDOWS\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC628875-53FE-4DE3-9CA8-E61652820398}]
2006-07-20 00:19 299008 --a------ C:\Documents and Settings\Lee Payton\Application Data\WinRAR\nifodos.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLCXCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 01:31 106496]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 19:15 600896]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-03-06 14:56 61440]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-06-19 16:48 851968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nifodos]
2006-07-20 00:19 299008 C:\Documents and Settings\Lee Payton\Application Data\WinRAR\nifodos.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 22:46 624248 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2006-03-24 18:14 53408 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
--------- 2003-06-18 02:00 45056 C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcxmon.exe]
--a------ 2007-01-12 12:57 292336 C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
--a------ 2006-11-03 18:09 312200 C:\Program Files\Dell PC Fax\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2007-03-21 14:00 174872 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 10:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 10:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryCardManager]
--a------ 2006-11-03 18:04 304008 C:\Program Files\Dell Photo AIO Printer 926\memcard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-03-21 11:12 7204864 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2006-10-20 18:23 118784 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-08-17 10:00 1116920 C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-09-01 23:02 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 C:\WINDOWS\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
--------- 2005-10-14 12:01 122880 C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2006-06-15 02:40 124656 C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2008-04-29 19:56 158624 c:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2005-11-08 06:30 16384 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-03-01 22:00 18944 C:\WINDOWS\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneWlanCfgSvc"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"ZuneBusEnum"=2 (0x2)
"gusvc"=3 (0x3)
"wuauserv"=2 (0x2)
"WmdmPmSN"=3 (0x3)
"LiveUpdate"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplicationsList]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"C:\WINDOWS\system32\dlcxcoms.exe"=
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\Program Files\Bonjour\mDNSResponder.exe"=
"C:\Program Files\uTorrent\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPortsList]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"46675:TCP"= 46675:TCP:utorrent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 11:35]
R2 ASFIPmon;Broadcom ASF IP Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-03-17 18:25]
R2 dlcx_device;dlcx_device;C:\WINDOWS\system32\dlcxcoms.exe [2006-11-03 18:07]
R2 WGX;Extend WG Protocol Driver;C:\WINDOWS\system32\Drivers\WGX.sys [2007-08-06 15:29]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 19:39]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-02-15 00:40]
S4 SysGuard;SysGuard;C:\WINDOWS\system32\Drivers\Sysguard.sys
S4 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 19:56]
S4 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 19:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0538cd9a-9cad-11dc-8d99-001aa03438fe}]
\Shell\AutoRun\command - F:\setupSNK.exe

*Newly Created Service* - PAVBOOT
.
- - - - ORPHANS REMOVED - - - -

BHO-{DB055111-4F4F-4730-ADC5-C40EBBFF6E67} - C:\WINDOWS\system32\iefltr.dll
HKLM-Run-AudioDrvEmulator - C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
HKLM-Run-e052f4a8 - C:\WINDOWS\system32\eokligmf.dll
MSConfigStartUp-Corel Photo Downloader - C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
MSConfigStartUp-Google Desktop Search - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-jfproc - C:\Program Files\pipi\jfCacheMgr.exe
MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = google.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{B2D951DA-6CA3-4F54-9131-ADECA2422C35}: NameServer = 71.242.0.12,71.250.0.12
O18 -: Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -
O18 -: Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 20:32:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Documents and Settings\Lee Payton\Application Data\WinRAR\nifodos.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec\SPA\Smc.exe
C:\Program Files\Symantec\SPA\SNAC.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Symantec\SPA\SmcGui.exe
.
**************************************************************************
.
Completion time: 2008-07-20 20:37:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-21 00:37:13

Pre-Run: 211,673,710,592 bytes free
Post-Run: 212,296,888,320 bytes free

309 --- E O F --- 2008-06-12 07:02:00
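
The ComboFix log above shows, in its "Reg Loading Points" section, the conditions a responder would want to pull out of the noise: a Winlogon Notify package (nifodos.dll) loading from the user's Application Data into winlogon.exe, Security Center notifications and monitoring switched off, the Windows Firewall standard profile disabled with TCP 135 and a block of ports opened to all sources, and a cached AutoRun command for a removable drive. As an added example (not from the thread and not part of ComboFix), the Python script below parses an excerpt of that REGEDIT4-style section, constructed here inline from the log, and reports each of those conditions. The directory a Notify DLL is expected to live in and the severity labels are assumptions of the example.

```python
import re

# Excerpt of the "Reg Loading Points" section of the ComboFix log posted above,
# constructed here as inline input for the script.
COMBOFIX_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nifodos]
2006-07-20 00:19 299008 C:\Documents and Settings\Lee Payton\Application Data\WinRAR\nifodos.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPortsList]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"46675:TCP"= 46675:TCP:utorrent

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0538cd9a-9cad-11dc-8d99-001aa03438fe}]
\Shell\AutoRun\command - F:\setupSNK.exe
"""

# Assumption: on this XP box a legitimate Winlogon Notify DLL lives under system32.
TRUSTED_NOTIFY_DIRS = ("c:\\windows\\system32\\",)

DWORD_RE = re.compile(r'"(?P<name>[^"]+)"\s*=\s*dword:(?P<hex>[0-9a-fA-F]{8})')
PORT_RE = re.compile(r'"(?P<port>\d+):(?P<proto>TCP|UDP)"')


def parse_sections(text):
    """Split a REGEDIT4-style dump into (key, [non-empty body lines]) pairs."""
    sections, key, body = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                sections.append((key, body))
            key, body = line[1:-1], []
        elif line and key is not None:
            body.append(line)
    if key is not None:
        sections.append((key, body))
    return sections


def audit(text):
    """Return (severity, description) findings for the persistence and hardening flags in the dump."""
    findings = []
    for key, body in parse_sections(text):
        k, blob = key.lower(), "\n".join(body)
        if "\\winlogon\\notify\\" in k:
            package = key.rsplit("\\", 1)[-1]
            for line in body:
                path = line.split(None, 3)[-1]          # body line is "date time size path"
                if not path.lower().startswith(TRUSTED_NOTIFY_DIRS):
                    findings.append(("high", f"Winlogon Notify package {package} loads {path} into winlogon.exe from outside system32"))
        elif "\\security center" in k:
            for m in DWORD_RE.finditer(blob):
                if "disable" in m.group("name").lower() and int(m.group("hex"), 16) == 1:
                    findings.append(("medium", f"Security Center flag {m.group('name')} is set under {key}"))
        elif k.endswith("\\standardprofile"):
            if re.search(r'"EnableFirewall"\s*=\s*0\b', blob):
                findings.append(("high", "Windows Firewall standard profile is disabled (EnableFirewall = 0)"))
        elif k.endswith("\\globallyopenportslist"):
            ports = PORT_RE.findall(blob)
            if ports:
                listing = ", ".join(f"{p}/{proto}" for p, proto in ports)
                findings.append(("medium", f"{len(ports)} port(s) opened to all sources in the firewall: {listing}"))
            if ("135", "TCP") in ports:
                findings.append(("high", "TCP 135 (RPC endpoint mapper) is opened to all sources"))
        elif "\\mountpoints2\\" in k:
            for line in body:
                if "autorun" in line.lower():
                    findings.append(("medium", f"cached AutoRun command for a removable volume: {line}"))
    return findings


if __name__ == "__main__":
    for severity, description in audit(COMBOFIX_EXCERPT):
        print(f"[{severity}] {description}")
```

The Notify check is keyed on the load path rather than the package name because the name (nifodos) is arbitrary; anything winlogon.exe loads from a user-writable profile directory is worth a look regardless of what it is called. The same parser works on the full section of the log, where it would also pick up the three SymantecAntiVirus/SymantecFirewall monitoring flags and the 5001-5020 port range.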


Pancake - 21-7-2008 at 00:52

When you do your reply, will you check that your BBCode is set to off. You will find it at the bottom of the reply box.



Before we can carry on with your cleanup we need to install your Recovery Console.
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

http://i266.photobucket.com/albums/ii277/sUBs_/KB310994.gif


Download the file & save it as it's originally named, next to ComboFix.exe.



http://i266.photobucket.com/albums/ii277/sUBs_/rc1.gif


Now close all open windows and programs, including all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
(1) Drag the setup package onto ComboFix.exe and drop it.

(2) Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

(3) At the next prompt, click 'Yes' to run the full ComboFix scan.

http://img.photobucket.com/albums/v706/ried7/RC_whatnext.gif

(4) When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review.


blue11 - 21-7-2008 at 01:24

Sorry about the BBCode before; here ya go...

ComboFix 08-07-20.5 - Lee Payton 2008-07-20 21:19:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1450 [GMT -4:00]
Running from: C:\Documents and Settings\Lee Payton\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lee Payton\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMe361c734.xml

.
((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.

2008-07-14 04:48 . 2008-07-14 07:27 877,719,320 --a------ C:\Program Files\after_effectsCS3.exe
2008-07-14 03:31 . 2008-07-14 03:31 <DIR> d-------- C:\Documents and Settings\Lee Payton\Application Data\Thinstall
2008-07-08 14:49 . 2008-07-08 14:49 <DIR> d-------- C:\Documents and Settings\Lee Payton\Application Data\Media Player Classic
2008-07-08 14:47 . 2008-07-08 14:47 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-07-08 14:25 . 2008-07-08 14:35 <DIR> d-------- C:\Program Files\JockerSoft
2008-07-08 14:23 . 2008-07-08 14:24 456,044 --a------ C:\Documents and Settings\Lee Payton\Application Data\setup_CodecInstaller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 00:33 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-21 00:32 --------- d-----w C:\Program Files\Dl_cats
2008-07-14 17:13 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\Download Manager
2008-07-10 09:10 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\Vso
2008-07-07 04:56 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-19 21:24 28,544 ----a-w C:\WINDOWS\system32\drivers\pavboot.sys
2008-06-16 21:36 --------- d-----w C:\Program Files\VSO
2008-06-16 21:06 --------- d-----w C:\Program Files\Google
2008-06-16 18:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-06-16 18:20 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-06-16 17:57 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\CyberLink
2008-06-16 17:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-06-05 19:17 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\ppstream
2008-06-05 19:12 1,290,685 ----a-w C:\Documents and Settings\Lee Payton\pipilib.zip
2008-06-05 17:35 --------- d-----w C:\Program Files\KuGou
2008-06-05 17:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Storm
2008-06-05 17:30 --------- d-----w C:\Program Files\Common Files\Real
2008-06-05 17:30 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\Application Data
2008-06-04 00:06 --------- d-----w C:\Program Files\uTorrent
2008-06-03 17:41 --------- d-----w C:\Program Files\Zune
2008-06-03 17:32 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-06-03 17:32 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-29 23:56 61,856 ----a-w C:\WINDOWS\system32\ZuneBusEnum.exe
2008-04-29 23:56 245,664 ----a-w C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2008-04-29 23:39 70,144 ----a-w C:\WINDOWS\system32\ZuneIpTransport.dll
2008-04-29 23:39 62,464 ----a-w C:\WINDOWS\system32\ZuneUsbTransport.dll
2008-04-29 23:39 35,328 ----a-w C:\WINDOWS\system32\ZuneUsbCOnnection.dll
2008-04-29 23:39 145,408 ----a-w C:\WINDOWS\system32\ZuneMTPZ.dll
2008-04-24 02:16 3,864,576 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2006-07-20 05:42 19,153,264 ----a-w C:\Documents and Settings\Lee Payton\Application Data\aaw2008.exe
.

------- Sigcheck -------

2006-01-09 14:02 662016 dde9597a3311748c1519444e2bc147bd C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\wininet.dll
2007-02-20 05:52 665600 b258c922d22deec880b60720531d7627 C:\WINDOWS\$hf_mig$\KB931768\SP2QFE\wininet.dll
2007-06-26 10:35 665600 e1a3dd68b5380b360a7310a64d9bb188 C:\WINDOWS\$hf_mig$\KB937143\SP2QFE\wininet.dll
2007-08-22 08:55 665600 a1bc17eb3758d73c3938b2318820f5b4 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\wininet.dll
2007-10-11 01:57 666112 80d660a49e0d118144423099b2a9f5da C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\wininet.dll
2007-10-10 19:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-06 22:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 09:03 827392 6316c2f0c61271c8abdff7429174879e C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2008-04-22 23:35 827392 41546b396a526918da7995a02ea04e51 C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
2007-02-20 05:48 658944 30d1c47e40efbb792ff8d3c3b51ce507 C:\WINDOWS\$NtUninstallKB937143$\wininet.dll
2007-06-26 10:09 658944 184e47c8f7b331025e6dc92740db188f C:\WINDOWS\$NtUninstallKB939653$\wininet.dll
2007-08-22 09:12 658944 1901ad51da8be9f8b38d5d526e5d1788 C:\WINDOWS\$NtUninstallKB942615$\wininet.dll
2007-10-10 19:56 824832 30c1e0f34ad2972c72a01db5c74ab065 C:\WINDOWS\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\wininet.dll
2007-10-10 19:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:\WINDOWS\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\wininet.dll
2008-04-23 00:16 817152 f82dc979e1f334df0c893b3bfdeb404e C:\WINDOWS\system32\wininet.dll
2008-04-23 00:16 817152 f82dc979e1f334df0c893b3bfdeb404e C:\WINDOWS\system32\dllcache\wininet.dll

2007-06-13 06:23 975360 9784e0719124e4a23989aef9e7ca02d6 C:\WINDOWS\explorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 06:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 06:23 975360 9784e0719124e4a23989aef9e7ca02d6 C:\WINDOWS\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-07-20_20.36.58.39 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC628875-53FE-4DE3-9CA8-E61652820398}]
2006-07-20 00:19 299008 --a------ C:\Documents and Settings\Lee Payton\Application Data\WinRAR\nifodos.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLCXCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 01:31 106496]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 19:15 600896]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-03-06 14:56 61440]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-06-19 16:48 851968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nifodos]
2006-07-20 00:19 299008 C:\Documents and Settings\Lee Payton\Application Data\WinRAR\nifodos.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 22:46 624248 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2006-03-24 18:14 53408 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
--------- 2003-06-18 02:00 45056 C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcxmon.exe]
--a------ 2007-01-12 12:57 292336 C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
--a------ 2006-11-03 18:09 312200 C:\Program Files\Dell PC Fax\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2007-03-21 14:00 174872 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 10:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 10:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryCardManager]
--a------ 2006-11-03 18:04 304008 C:\Program Files\Dell Photo AIO Printer 926\memcard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-03-21 11:12 7204864 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2006-10-20 18:23 118784 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-08-17 10:00 1116920 C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-09-01 23:02 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 C:\WINDOWS\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
--------- 2005-10-14 12:01 122880 C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2006-06-15 02:40 124656 C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2008-04-29 19:56 158624 c:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2005-11-08 06:30 16384 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-03-01 22:00 18944 C:\WINDOWS\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneWlanCfgSvc"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"ZuneBusEnum"=2 (0x2)
"gusvc"=3 (0x3)
"wuauserv"=2 (0x2)
"WmdmPmSN"=3 (0x3)
"LiveUpdate"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplicationsList]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"C:\WINDOWS\system32\dlcxcoms.exe"=
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\Program Files\Bonjour\mDNSResponder.exe"=
"C:\Program Files\uTorrent\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPortsList]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"46675:TCP"= 46675:TCP:utorrent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 11:35]
R2 ASFIPmon;Broadcom ASF IP Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-03-17 18:25]
R2 dlcx_device;dlcx_device;C:\WINDOWS\system32\dlcxcoms.exe [2006-11-03 18:07]
R2 WGX;Extend WG Protocol Driver;C:\WINDOWS\system32\Drivers\WGX.sys [2007-08-06 15:29]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 19:39]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-02-15 00:40]
S4 SysGuard;SysGuard;C:\WINDOWS\system32\Drivers\Sysguard.sys []
S4 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 19:56]
S4 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 19:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0538cd9a-9cad-11dc-8d99-001aa03438fe}]
\Shell\AutoRun\command - F:\setupSNK.exe

*Newly Created Service* - PAVBOOT
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = google.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{B2D951DA-6CA3-4F54-9131-ADECA2422C35}: NameServer = 71.242.0.12,71.250.0.12
O18 -: Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -
O18 -: Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 21:20:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Documents and Settings\Lee Payton\Application Data\WinRAR\nifodos.dll
.
Completion time: 2008-07-20 21:21:34
ComboFix-quarantined-files.txt 2008-07-21 01:21:26
ComboFix2.txt 2008-07-21 00:37:47

Pre-Run: 212,239,745,024 bytes free
Post-Run: 212,212,396,032 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

264 --- E O F --- 2008-06-12 07:02:00


blue11 - 21-7-2008 at 01:25

new HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:14 PM, on 7/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\SPA\smc.exe
C:\Program Files\Symantec\SPA\snac.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\SPA\SmcGui.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66008
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66008
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070824
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2D951DA-6CA3-4F54-9131-ADECA2422C35}: NameServer = 71.242.0.12,71.250.0.12
O18 - Protocol: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx (file missing)
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Protection Agent 5.1 (SmcService) - Symantec Corporation - C:\Program Files\Symantec\SPA\smc.exe
O23 - Service: Symantec NAC Service (SNAC) - Symantec Corporation - C:\Program Files\Symantec\SPA\snac.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - file:///C:/dell/E-Center/images/dell_logo.gif
O24 - Desktop Component 1: (no name) - file:///C:/dell/E-Center/images/header_bg.gif
O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/LEEPAY~1/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.jpg

--
End of file - 9029 bytes


Pancake - 21-7-2008 at 01:53

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close HJT.


O18 - Protocol: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx (file missing)
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx (file missing)

Reboot.................

================================

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote:

File::
C:\Documents and Settings\Lee Payton\Application Data\WinRAR\nifodos.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nifodos]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC628875-53FE-4DE3-9CA8-E61652820398}]


Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


[bad img]http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif[/bad img]

Referring to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.


*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer*


==================

Have you put these images in ?

O24 - Desktop Component 0: (no name) - file:///C:/dell/E-Center/images/dell_logo.gif
O24 - Desktop Component 1: (no name) - file:///C:/dell/E-Center/images/header_bg.gif
O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/LEEPAY~1/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.jpg
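As an added illustration of the reasoning behind the CFScript above (this is example code written for this thread, not code from the forum, ComboFix or HijackThis), the Python script below reads the "Reg Loading Points" section of a ComboFix log and flags the two kinds of entry the helper is acting on: a DLL registered under Winlogon\Notify or as a Browser Helper Object that lives in a user profile directory instead of system32 or Program Files, and the Security Center / Windows Firewall values that the first log shows set to "disabled". The sample log is a constructed, trimmed copy of the entries quoted earlier in the thread with the path separators restored; the trusted-directory list and the set of tamper values are assumptions of the example, not ComboFix's own logic.

```python
import re

# Constructed sample: a trimmed copy of the "Reg Loading Points" entries quoted
# earlier in this thread, with the backslashes the forum software stripped put back.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC628875-53FE-4DE3-9CA8-E61652820398}]
2006-07-20 00:19 299008 --a------ C:\Documents and Settings\Lee Payton\Application Data\WinRAR\nifodos.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 19:15 600896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nifodos]
2006-07-20 00:19 299008 C:\Documents and Settings\Lee Payton\Application Data\WinRAR\nifodos.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Assumption of this example: directories a Winlogon Notify package or BHO is
# normally loaded from.  A DLL registered there but living under a user profile
# (Application Data, Temp) is the pattern nifodos.dll shows in the log above.
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\program files")

# Assumption of this example: registry values that silence Security Center or
# switch the XP firewall off, mapped to the setting that means "disabled".
TAMPER_VALUES = {
    "antivirusdisablenotify": 1,
    "updatesdisablenotify": 1,
    "disablemonitoring": 1,
    "enablefirewall": 0,
}

KEY_RE = re.compile(r"^\[-?(?P<key>[^\]]+)\]$")
PATH_RE = re.compile(r"(?i)\b[a-z]:\\[^\"\[\]]*?\.(?:dll|exe|sys|ocx)\b")
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*(?P<dword>dword:)?(?P<val>[0-9a-f]+)', re.I
)


def analyze(log_text):
    """Return (category, registry key, detail) tuples for suspicious entries."""
    findings = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m["key"].lower()   # section header: remember which key follows
            continue
        if not line or not key:
            continue
        # Persistence check: binaries referenced under Winlogon\Notify or a BHO key
        # that sit outside the trusted directories.
        if "winlogon\\notify" in key or "browser helper objects" in key:
            for path in PATH_RE.findall(line):
                if not path.lower().startswith(TRUSTED_PREFIXES):
                    findings.append(("load point outside system dirs", key, path))
        # Tamper check: Security Center / firewall values set to their "off" state.
        m = VALUE_RE.match(line)
        if m and ("security center" in key or "firewallpolicy" in key):
            name = m["name"].lower()
            value = int(m["val"], 16 if m["dword"] else 10)
            if name in TAMPER_VALUES and value == TAMPER_VALUES[name]:
                findings.append(("protection disabled", key, m["name"]))
    return findings


if __name__ == "__main__":
    for category, key, detail in analyze(SAMPLE_LOG):
        print(f"{category:32} {detail}\n    in {key}")
```

Run against the sample it reports the same DLL twice (once from the BHO key and once from the Winlogon Notify key, which is why the CFScript removes both registry entries as well as the file) and the three disabled-protection values; a Run entry pointing into Program Files produces nothing.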


blue11 - 21-7-2008 at 02:00

No, those images were not uploaded by me...


blue11 - 21-7-2008 at 02:26

ComboFix 08-07-20.5 - Lee Payton 2008-07-20 22:12:40.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1484 [GMT -4:00]
Running from: C:\Documents and Settings\Lee Payton\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lee Payton\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Lee Payton\Application Data\WinRAR\nifodos.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Lee Payton\Application Data\WinRAR\nifodos.dll
C:\Documents and Settings\Lee Payton\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDK\NSD.XML

.
((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.

2008-07-20 21:55 . 2008-07-20 21:55 <DIR> d-------- C:\Documents and Settings\Lee Payton\Application Data\Prevx
2008-07-20 21:54 . 2008-07-20 22:18 <DIR> d-------- C:\Program Files\Prevx2
2008-07-20 21:54 . 2008-07-20 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-07-14 04:48 . 2008-07-14 07:27 877,719,320 --a------ C:\Program Files\after_effectsCS3.exe
2008-07-14 03:31 . 2008-07-14 03:31 <DIR> d-------- C:\Documents and Settings\Lee Payton\Application Data\Thinstall
2008-07-08 14:49 . 2008-07-08 14:49 <DIR> d-------- C:\Documents and Settings\Lee Payton\Application Data\Media Player Classic
2008-07-08 14:47 . 2008-07-08 14:47 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-07-08 14:25 . 2008-07-08 14:35 <DIR> d-------- C:\Program Files\JockerSoft
2008-07-08 14:23 . 2008-07-08 14:24 456,044 --a------ C:\Documents and Settings\Lee Payton\Application Data\setup_CodecInstaller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 02:18 --------- d-----w C:\Program Files\Dl_cats
2008-07-21 02:17 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-14 17:13 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\Download Manager
2008-07-10 09:10 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\Vso
2008-07-07 04:56 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-19 21:24 28,544 ----a-w C:\WINDOWS\system32\drivers\pavboot.sys
2008-06-16 21:36 --------- d-----w C:\Program Files\VSO
2008-06-16 21:06 --------- d-----w C:\Program Files\Google
2008-06-16 18:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-06-16 18:20 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-06-16 17:57 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\CyberLink
2008-06-16 17:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-06-05 19:17 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\ppstream
2008-06-05 19:12 1,290,685 ----a-w C:\Documents and Settings\Lee Payton\pipilib.zip
2008-06-05 17:35 --------- d-----w C:\Program Files\KuGou
2008-06-05 17:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Storm
2008-06-05 17:30 --------- d-----w C:\Program Files\Common Files\Real
2008-06-05 17:30 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\Application Data
2008-06-04 00:06 --------- d-----w C:\Program Files\uTorrent
2008-06-03 17:41 --------- d-----w C:\Program Files\Zune
2008-06-03 17:32 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-06-03 17:32 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-29 23:56 61,856 ----a-w C:\WINDOWS\system32\ZuneBusEnum.exe
2008-04-29 23:56 245,664 ----a-w C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2008-04-29 23:39 70,144 ----a-w C:\WINDOWS\system32\ZuneIpTransport.dll
2008-04-29 23:39 62,464 ----a-w C:\WINDOWS\system32\ZuneUsbTransport.dll
2008-04-29 23:39 35,328 ----a-w C:\WINDOWS\system32\ZuneUsbCOnnection.dll
2008-04-29 23:39 145,408 ----a-w C:\WINDOWS\system32\ZuneMTPZ.dll
2008-04-23 04:16 817,152 ----a-w C:\WINDOWS\system32\wininet.dll
2006-07-20 05:42 19,153,264 ----a-w C:\Documents and Settings\Lee Payton\Application Data\aaw2008.exe
.

------- Sigcheck -------

2006-01-09 14:02 662016 dde9597a3311748c1519444e2bc147bd C:WINDOWS$hf_mig$KB912945SP2QFEwininet.dll
2007-02-20 05:52 665600 b258c922d22deec880b60720531d7627 C:WINDOWS$hf_mig$KB931768SP2QFEwininet.dll
2007-06-26 10:35 665600 e1a3dd68b5380b360a7310a64d9bb188 C:WINDOWS$hf_mig$KB937143SP2QFEwininet.dll
2007-08-22 08:55 665600 a1bc17eb3758d73c3938b2318820f5b4 C:WINDOWS$hf_mig$KB939653SP2QFEwininet.dll
2007-10-11 01:57 666112 80d660a49e0d118144423099b2a9f5da C:WINDOWS$hf_mig$KB942615SP2QFEwininet.dll
2007-10-10 19:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:WINDOWS$hf_mig$KB942615-IE7SP2QFEwininet.dll
2007-12-06 22:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:WINDOWS$hf_mig$KB944533-IE7SP2QFEwininet.dll
2008-03-01 09:03 827392 6316c2f0c61271c8abdff7429174879e C:WINDOWS$hf_mig$KB947864-IE7SP2QFEwininet.dll
2008-04-22 23:35 827392 41546b396a526918da7995a02ea04e51 C:WINDOWS$hf_mig$KB950759-IE7SP2QFEwininet.dll
2007-02-20 05:48 658944 30d1c47e40efbb792ff8d3c3b51ce507 C:WINDOWS$NtUninstallKB937143$wininet.dll
2007-06-26 10:09 658944 184e47c8f7b331025e6dc92740db188f C:WINDOWS$NtUninstallKB939653$wininet.dll
2007-08-22 09:12 658944 1901ad51da8be9f8b38d5d526e5d1788 C:WINDOWS$NtUninstallKB942615$wininet.dll
2007-10-10 19:56 824832 30c1e0f34ad2972c72a01db5c74ab065 C:WINDOWSSoftwareDistributionDownloade3709fbfd9557a7d083f543d51d38612SP2GDRwininet.dll
2007-10-10 19:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:WINDOWSSoftwareDistributionDownloade3709fbfd9557a7d083f543d51d38612SP2QFEwininet.dll
2008-04-23 00:16 817152 f82dc979e1f334df0c893b3bfdeb404e C:WINDOWSsystem32wininet.dll
2008-04-23 00:16 817152 f82dc979e1f334df0c893b3bfdeb404e C:WINDOWSsystem32dllcachewininet.dll

2007-06-13 06:23 975360 9784e0719124e4a23989aef9e7ca02d6 C:WINDOWSexplorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:WINDOWS$hf_mig$KB938828SP2QFEexplorer.exe
2004-08-04 06:00 1032192 a0732187050030ae399b241436565e64 C:WINDOWS$NtUninstallKB938828$explorer.exe
2007-06-13 06:23 975360 9784e0719124e4a23989aef9e7ca02d6 C:WINDOWSsystem32dllcacheexplorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-07-20_20.36.58.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-21 01:55:02 401,408 ----a-r C:WINDOWSInstaller{3DEBCFB2-389E-419C-842E-15501ACC8C93}IconF61D3384.exe
+ 2007-12-26 23:07:54 14,856 ----a-w C:WINDOWSsystem32driverspxcom.sys
+ 2007-12-26 23:09:38 107,912 ----a-w C:WINDOWSsystem32driversPxEmu.sys
+ 2007-12-26 23:08:38 302,600 ----a-w C:WINDOWSsystem32driverspxfsf.sys
+ 2007-12-26 23:07:52 23,048 ----a-w C:WINDOWSsystem32driversPxRD.sys
+ 2007-12-26 23:09:26 28,040 ----a-w C:WINDOWSsystem32driverspxtdi.sys
+ 2007-12-26 23:09:28 11,264 ----a-w C:WINDOWSsystem32pxinst.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"ctfmon.exe"="C:WINDOWSsystem32ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"DLCXCATS"="C:WINDOWSSystem32spoolDRIVERSW32X863DLCXtime.dll" [2006-10-16 01:31 106496]
"IntelliPoint"="C:Program FilesMicrosoft IntelliPointipoint.exe" [2006-07-07 19:15 600896]
"Adobe Photo Downloader"="C:Program FilesAdobeAdobe Photoshop Lightroom 1.4apdproxy.exe" [2008-03-06 14:56 61440]
"SpyHunter Security Suite"="C:Program FilesEnigma Software GroupSpyHunterSpyHunter3.exe" [2008-06-19 16:48 851968]
"PrevxOne"="C:Program FilesPrevx2PXConsole.exe" [2008-01-23 12:32 1997880]
"NvCplDaemon"="C:WINDOWSsystem32NvCpl.dll" [2006-03-21 11:12 7204864]

C:Documents and SettingsAll UsersStart MenuProgramsStartup
Adobe Reader Speed Launch.lnk - C:Program FilesAdobeReader 8.0Readerreader_sl.exe [2006-10-23 01:48:20 40048]
Adobe Reader Synchronizer.lnk - C:Program FilesAdobeReader 8.0ReaderAdobeCollabSync.exe [2006-10-23 00:01:50 734872]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversiondrivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregAcrobat Assistant 8.0]
--a------ 2007-05-10 22:46 624248 C:Program FilesAdobeAcrobat 8.0Acrobatacrotray.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregccApp]
--a------ 2006-03-24 18:14 53408 C:Program FilesCommon FilesSymantec SharedccApp.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregCTDVDDET]
--------- 2003-06-18 02:00 45056 C:Program FilesCreativeSound Blaster X-FiDVDAudioCTDVDDET.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:WINDOWSsystem32ctfmon.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregdlcxmon.exe]
--a------ 2007-01-12 12:57 292336 C:Program FilesDell Photo AIO Printer 926dlcxmon.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregFaxCenterServer]
--a------ 2006-11-03 18:09 312200 C:Program FilesDell PC Faxfm3032.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregIAAnotif]
--a------ 2007-03-21 14:00 174872 C:Program FilesIntelIntel Matrix Storage ManagerIAAnotif.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregISUSPM Startup]
--a------ 2005-06-10 10:44 249856 C:Program FilesCommon FilesInstallShieldUpdateServiceISUSPM.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregISUSScheduler]
--a------ 2005-06-10 10:44 81920 C:Program FilesCommon FilesInstallShieldUpdateServiceissch.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregMemoryCardManager]
--a------ 2006-11-03 18:04 304008 C:Program FilesDell Photo AIO Printer 926memcard.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregNvCplDaemon]
--a------ 2006-03-21 11:12 7204864 C:WINDOWSsystem32nvcpl.dll

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregPDVDDXSrv]
--------- 2006-10-20 18:23 118784 C:Program FilesCyberLinkPowerDVD DXPDVDDXSrv.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregRoxioDragToDisc]
--a------ 2006-08-17 10:00 1116920 C:Program FilesRoxioDrag-to-DiscDrgToDsc.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregswg]
--a------ 2007-09-01 23:02 68856 C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregUpdReg]
--------- 2000-05-11 02:00 90112 C:WINDOWSUpdreg.EXE

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregVolPanel]
--------- 2005-10-14 12:01 122880 C:Program FilesCreativeSound Blaster X-FiVolume PanelVolPanel.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregvptray]
--a------ 2006-06-15 02:40 124656 C:PROGRA~1SYMANT~1VPTray.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregZune Launcher]
--a------ 2008-04-29 19:56 158624 c:Program FilesZuneZuneLauncher.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregCTHelper]
--a------ 2005-11-08 06:30 16384 C:WINDOWSCTHELPER.EXE

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregCTxfiHlp]
--a------ 2006-03-01 22:00 18944 C:WINDOWSsystem32CTXFIHLP.EXE

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigservices]
"ZuneWlanCfgSvc"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"ZuneBusEnum"=2 (0x2)
"gusvc"=3 (0x3)
"wuauserv"=2 (0x2)
"WmdmPmSN"=3 (0x3)
"LiveUpdate"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"C:\WINDOWS\system32\dlcxcoms.exe"=
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\Program Files\Bonjour\mDNSResponder.exe"=
"C:\Program Files\uTorrent\uTorrent.exe"=

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"46675:TCP"= 46675:TCP:utorrent

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileIcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 pavboot;pavboot;C:WINDOWSsystem32driverspavboot.sys [2008-06-19 17:24]
R1 DLARTL_M;DLARTL_M;C:WINDOWSsystem32DriversDLARTL_M.SYS [2006-08-11 11:35]
R2 ASFIPmon;Broadcom ASF IP Monitor;C:Program FilesBroadcomASFIPMonAsfIpMon.exe [2006-03-17 18:25]
R2 dlcx_device;dlcx_device;C:WINDOWSsystem32dlcxcoms.exe [2006-11-03 18:07]
R2 WGX;Extend WG Protocol Driver;C:WINDOWSsystem32DriversWGX.sys [2007-08-06 15:29]
R2 zumbus;Zune Bus Enumerator Driver;C:WINDOWSsystem32DRIVERSzumbus.sys [2008-04-29 19:39]
R3 ha20x2k;Creative 20X HAL Driver;C:WINDOWSsystem32driversha20x2k.sys [2006-02-15 00:40]
S4 SysGuard;SysGuard;C:WINDOWSsystem32DriversSysguard.sys []
S4 ZuneBusEnum;Zune Bus Enumerator;c:WINDOWSsystem32ZuneBusEnum.exe [2008-04-29 19:56]
S4 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:WINDOWSsystem32ZuneWlanCfgSvc.exe [2008-04-29 19:56]

[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{0538cd9a-9cad-11dc-8d99-001aa03438fe}]
ShellAutoRuncommand - F:setupSNK.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 22:18:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINESystemControlSet001Servicesvsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:Program FilesSymantecSPASmc.exe
C:Program FilesSymantecSPASNAC.EXE
C:Program FilesCommon FilesSymantec SharedccSetMgr.exe
C:Program FilesCommon FilesSymantec SharedccEvtMgr.exe
C:Program FilesCommon FilesSymantec SharedSPBBCSPBBCSvc.exe
C:Program FilesLavasoftAd-Awareaawservice.exe
C:Program FilesBonjourmDNSResponder.exe
C:Program FilesSymantec AntiVirusDefWatch.exe
C:Program FilesIntelIntel Matrix Storage ManagerIAANTmon.exe
C:Program FilesSymantec AntiVirusSavRoam.exe
C:Program FilesSymantec AntiVirusRtvscan.exe
C:Program FilesCompact Wireless-G USB Adapter Wireless Network MonitorWLService.exe
C:Program FilesCompact Wireless-G USB Adapter Wireless Network MonitorWUSB54GC.exe
C:Program FilesSymantecSPASmcGui.exe
.
**************************************************************************
.
Completion time: 2008-07-20 22:22:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-21 02:22:13
ComboFix2.txt 2008-07-21 01:21:35
ComboFix3.txt 2008-07-21 00:37:47

Pre-Run: 212,131,823,616 bytes free
Post-Run: 212,133,842,944 bytes free

258 --- E O F --- 2008-06-12 07:02:00
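The "Reg Loading Points" block above is the part of a ComboFix log that records how Windows' own protections are configured, and the posted one shows Security Center notifications and monitoring switched off, the standard-profile firewall set to `EnableFirewall=0`, TCP 135 and 5000-5020 in the globally open ports list, and a `Shell\AutoRun\command` handler registered for a removable volume. The log alone does not say whether a user, a security product, or malware set those values, but they are the settings a helper checks before looking at autostarts. The script below is an added example, not part of the original post and not ComboFix code: it parses the REGEDIT4-style fragment and returns those findings. The sample text is a constructed excerpt built from the values in the posted log, with the backslashes that extraction stripped from the paths put back (an assumption about the original layout).

```python
"""Triage the 'Reg Loading Points' block of a ComboFix log.

Added example; not part of the original forum post and not ComboFix code.
Parses the REGEDIT4-style fragment and reports host-protection settings that
are turned off or opened up. SAMPLE is a constructed excerpt built from the
values visible in the posted log (backslashes restored by assumption).
"""
import re

SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPortsList]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"46675:TCP"= 46675:TCP:utorrent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0538cd9a-9cad-11dc-8d99-001aa03438fe}]
Shell\AutoRun\command - F:\setupSNK.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_fragment(text):
    """Return {key_path: {value_name: raw_value}}.

    Lines that are not "name"=value (ComboFix prints AutoRun verbs bare)
    are collected under the "_lines" entry of the current key.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
        else:
            current.setdefault("_lines", []).append(line)
    return sections


def as_int(raw):
    """Decode 'dword:00000001' or '0 (0x0)' style values; None if neither."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"(\d+)", raw)
    return int(m.group(1)) if m else None


def triage(sections):
    """Return a list of (category, detail) findings from the parsed keys."""
    findings = []
    for key, values in sections.items():
        k = key.lower()
        leaf = key.split("\\")[-1]
        if k.endswith("security center"):
            for name, raw in values.items():
                if name.endswith("DisableNotify") and as_int(raw) == 1:
                    findings.append(("security-center", f"{name}=1 (Security Center alert suppressed)"))
        elif "security center\\monitoring" in k:
            if as_int(values.get("DisableMonitoring", "0")) == 1:
                findings.append(("security-center", f"DisableMonitoring=1 under {leaf}"))
        elif k.endswith("\\standardprofile"):
            if as_int(values.get("EnableFirewall", "1")) == 0:
                findings.append(("firewall", "EnableFirewall=0 (Windows Firewall off for the standard profile)"))
        elif k.endswith("globallyopenportslist"):
            for name in values:
                if ":" not in name:
                    continue
                port, proto = name.split(":", 1)
                findings.append(("open-port", f"{port}/{proto} open to all networks"))
        elif k.endswith("icmpsettings"):
            if as_int(values.get("AllowInboundEchoRequest", "0")) == 1:
                findings.append(("firewall", "inbound ICMP echo allowed"))
        elif "mountpoints2" in k:
            for line in values.get("_lines", []):
                if line.lower().startswith("shell\\autorun\\command"):
                    target = line.split(" - ", 1)[-1]
                    findings.append(("autorun", f"AutoRun handler {target} on volume {leaf}"))
    return findings


def triage_text(text):
    """Convenience wrapper: parse and triage in one call."""
    return triage(parse_reg_fragment(text))


if __name__ == "__main__":
    for category, detail in triage_text(SAMPLE):
        print(f"{category:16} {detail}")
```

Run against the excerpt it lists nine findings: three Security Center suppressions, the disabled firewall plus allowed inbound echo, three globally open ports, and the AutoRun handler on the removable volume. Feeding it a full log works the same way; the parser ignores everything outside `[key]` blocks.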


blue11 - 21-7-2008 at 02:27

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:03 PM, on 7/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesSymantecSPAsmc.exe
C:Program FilesSymantecSPAsnac.exe
C:Program FilesCommon FilesSymantec SharedccSetMgr.exe
C:Program FilesCommon FilesSymantec SharedccEvtMgr.exe
C:Program FilesCommon FilesSymantec SharedSPBBCSPBBCSvc.exe
C:Program FilesLavasoftAd-Awareaawservice.exe
C:WINDOWSsystem32spoolsv.exe
C:Program FilesBroadcomASFIPMonAsfIpMon.exe
C:Program FilesBonjourmDNSResponder.exe
C:Program FilesSymantec AntiVirusDefWatch.exe
C:WINDOWSsystem32dlcxcoms.exe
C:Program FilesIntelIntel Matrix Storage ManagerIaantmon.exe
C:Program FilesSymantec AntiVirusSavRoam.exe
C:Program FilesSymantec AntiVirusRtvscan.exe
C:Program FilesCompact Wireless-G USB Adapter Wireless Network MonitorWLService.exe
C:Program FilesCompact Wireless-G USB Adapter Wireless Network MonitorWUSB54GC.exe
C:Program FilesSymantecSPASmcGui.exe
C:Program FilesMicrosoft IntelliPointipoint.exe
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSexplorer.exe
C:Program Filesinternet exploreriexplore.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = google.com/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66008
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66008
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerSearch,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070824
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = *.local
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:Documents and SettingsAll UsersApplication DataPrevxpxbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:program filesgooglegoogletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:Program FilesGoogleGoogleToolbarNotifier3.0.1225.9868swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:program filesgooglegoogletoolbar2.dll
O4 - HKLM..Run: [DLCXCATS] rundll32 C:WINDOWSSystem32spoolDRIVERSW32X863DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM..Run: [IntelliPoint] "C:Program FilesMicrosoft IntelliPointipoint.exe"
O4 - HKLM..Run: [Adobe Photo Downloader] "C:Program FilesAdobeAdobe Photoshop Lightroom 1.4apdproxy.exe"
O4 - HKLM..Run: [SpyHunter Security Suite] C:Program FilesEnigma Software GroupSpyHunterSpyHunter3.exe
O4 - HKLM..Run: [PrevxOne] "C:Program FilesPrevx2PXConsole.exe"
O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSsystem32NvCpl.dll,NvStartup
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:Program FilesAdobeReader 8.0Readerreader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:Program FilesAdobeReader 8.0ReaderAdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office12EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2Office12REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe (file missing)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O17 - HKLMSystemCCSServicesTcpip..{B2D951DA-6CA3-4F54-9131-ADECA2422C35}: NameServer = 71.242.0.12,71.250.0.12
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:Program FilesLavasoftAd-Awareaawservice.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:Program FilesBroadcomASFIPMonAsfIpMon.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:Program FilesBonjourmDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:Program FilesSymantec AntiVirusDefWatch.exe
O23 - Service: dlcx_device - - C:WINDOWSsystem32dlcxcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:Program FilesCommon FilesMacrovision SharedFLEXnet PublisherFNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:Program FilesIntelIntel Matrix Storage ManagerIaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:WINDOWSsystem32nvsvc32.exe
O23 - Service: PREVXAgent - Prevx - C:Program FilesPrevx2PXAgent.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:Program FilesSymantec AntiVirusSavRoam.exe
O23 - Service: Symantec Protection Agent 5.1 (SmcService) - Symantec Corporation - C:Program FilesSymantecSPAsmc.exe
O23 - Service: Symantec NAC Service (SNAC) - Symantec Corporation - C:Program FilesSymantecSPAsnac.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedSNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedSPBBCSPBBCSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:Program FilesCommon FilesSureThing Sharedstllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:Program FilesSymantec AntiVirusRtvscan.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:Program FilesCompact Wireless-G USB Adapter Wireless Network MonitorWLService.exe
O24 - Desktop Component 0: (no name) - file:///C:/dell/E-Center/images/dell_logo.gif
O24 - Desktop Component 1: (no name) - file:///C:/dell/E-Center/images/header_bg.gif
O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/LEEPAY~1/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.jpg

--
End of file - 9299 bytes


Pancake - 21-7-2008 at 03:44

Download OTMoveIt2 http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe

Go to the location where you saved OTMoveIt2 and double click it. (If you're using Vista, right click on it and choose Run as Administrator).
Copy all the information found below. Highlight all of it, right click it and choose Copy.

C:/dell/E-Center/images/dell_logo.gif
C:/dell/E-Center/images/header_bg.gif
C:/DOCUME~1/LEEPAY~1/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.jpg


Next, return to OTMoveIt2 and right click in the "Paste List of Files/Patterns to Search For and Move" window.
Important: Paste only into the bottom input panel (under the yellow bar). The top panel will not help you. Then just right click and choose Paste.
Now, click the red MoveIt button and wait several minutes. When it's finished, look in the large right hand panel that says Results. You should see that at least the principal infector files were deleted and whichever applicable registry changes were made. (They may not all apply in your case). Close OTMoveIt2 when it has finished.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot your computer to finish the move process. If you're asked to reboot, simply choose Yes.
Now, double click and open OTMoveIt2 again. Click the green Clean Up! button at the top. (Note: It will need to access the Internet to download a small script file, so please allow your firewall to do so).
When it finishes, it will have deleted all of its quarantines, as well as, the OTMoveIt2 program and all the folders it created. Then just reboot your computer to finish up.



==========================

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.


O24 - Desktop Component 0: (no name) - file:///C:/dell/E-Center/images/dell_logo.gif
O24 - Desktop Component 1: (no name) - file:///C:/dell/E-Center/images/header_bg.gif
O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/LEEPAY~1/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.jpg

Reboot....

===============================

Should you have any problems with your desktop display after this then Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.
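The procedure above takes the three O24 "Desktop Component" entries from the HijackThis log, hands their file paths to OTMoveIt2, and then has HijackThis fix the same three lines. The script below is an added example, not part of the original post and not code from HijackThis or OTMoveIt2: it parses HJT 2.0-style `Oxx - ...` lines, pulls out the O24 components, and produces both paste lists, writing the paths in the same `C:/...` form the post used. The sample log is a constructed excerpt in the layout of the posted one; the fourth, non-file component is made up to show why only `file://` entries go to OTMoveIt2.

```python
"""Turn the O24 'Desktop Component' lines of a HijackThis 2.0 log into the
two lists a helper pastes back: the file list for OTMoveIt2 and the raw
lines to tick in HijackThis.

Added example; not from the original post and not HijackThis/OTMoveIt2 code.
Assumes the HJT 2.0.x line layout "Oxx - description" and the
"file:///<drive>:/path" form O24 uses for local desktop components.
"""
import re
from urllib.parse import unquote, urlparse

# Constructed sample in the layout of the posted log. The example.invalid
# component is made up to show a non-local desktop component.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar2.dll
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O24 - Desktop Component 0: (no name) - file:///C:/dell/E-Center/images/dell_logo.gif
O24 - Desktop Component 1: (no name) - file:///C:/dell/E-Center/images/header_bg.gif
O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/LEEPAY~1/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.jpg
O24 - Desktop Component 3: (no name) - http://example.invalid/active-content.htm

--
End of file - 9299 bytes
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")
O24_RE = re.compile(r"^Desktop Component (\d+): (.*?) - (.+)$")


def parse_hjt(text):
    """Return [(code, body)] for every 'Rn/Fn/Nn/Onn - body' line in the log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def desktop_components(entries):
    """Return [(index, name, url)] for the O24 entries."""
    comps = []
    for code, body in entries:
        if code != "O24":
            continue
        m = O24_RE.match(body)
        if m:
            comps.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return comps


def local_path(url):
    """file:///C:/a/b.gif -> 'C:/a/b.gif' (the form pasted into OTMoveIt2);
    None for anything that is not a local file URL."""
    p = urlparse(url)
    if p.scheme != "file":
        return None
    path = unquote(p.path)
    # urlparse keeps the leading '/' before the drive letter; drop it.
    if path.startswith("/") and len(path) > 2 and path[2] == ":":
        path = path[1:]
    return path


def otmoveit_list(entries):
    """Lines to paste into OTMoveIt2: one local path per file:// O24 component."""
    paths = []
    for _, _, url in desktop_components(entries):
        path = local_path(url)
        if path is not None:
            paths.append(path)
    return paths


def hjt_fix_lines(entries):
    """The O24 lines exactly as logged, to tick in HijackThis and 'Fix checked'."""
    return [f"{code} - {body}" for code, body in entries if code == "O24"]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("Paste into OTMoveIt2:")
    print("\n".join(otmoveit_list(parsed)))
    print("\nTick in HijackThis:")
    print("\n".join(hjt_fix_lines(parsed)))
```

For the sample the OTMoveIt2 list is the same three `C:/...` paths the post gives, while all four O24 lines go to HijackThis, since removing the registry entry is what stops Active Desktop loading the component; the remote one has no local file to move.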


blue11 - 21-7-2008 at 08:27

Thank you for everything, I'll keep ya updated.

late pancake


Pancake - 21-7-2008 at 10:21

Ok...


John Barnes - 21-7-2008 at 10:45

WOW. I don't think I could do all that convoluted downloading and interpretation of results. I would just have saved everything I could to disk, then blatted the system and reformatted and reinstalled. I take my hat off to Pancake. Hand on heart, how many on this forum could execute those instructions and fully understand the interpretation? Few and far between, I consider. Is there any course where a person could be taught these procedures? I don't know of anywhere.
Keep up the good work, Pancake. I would love to have your expertise or have it taught from somewhere. jmb


blue11 - 21-7-2008 at 21:10

His expertise is without question; however, I'm sure this is an analytical device that can interpret huge sums of information like that. Possibly it is software based?

L


Pancake - 21-7-2008 at 22:33

Some of the malware schools are full, but you could always try and ask the teachers/mods at these schools.


http://malwareremoval.com/forum/viewforum.php?f=11&sid=a90188027c31a1a076fca18483eca05b

http://www.castlecops.com/f67-Trend_Micro_HijackThis_Logs.html