Karl`s PC Help Forums Last active: Never
Not logged in [Login ]
Go To Bottom

In memory of Karl Davis, founder of this board, who made his final journey 12th June 2007

Printable Version | Subscribe | Add to Favourites   Post new thread Poll:
Author: Subject: XPshields_malicious_codes
blue11
New User
*


Avatar


Posts: 35
Registered: 20-7-2008
Location: Phila
Theme: Ice Blue
Member Is Offline

Mood: No MOod

[*] Post 342895 posted on 21-7-2008 at 00:07 Reply With Quote
XPshields_malicious_codes



Hi, I would like to have a post for help with computers w/ related probelms-- it seems invisible or crypted files are being hidden from lavasoft ad-aware, and spyhunter, and personal
anti-spy scan operations. I have saved a notepad doc.
reporting problems that hijackthis detected.
HOPE you can help
---L
---HJT--->
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:54:04 PM, on 7/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\SPA\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\SPA\snac.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Symantec\SPA\SmcGui.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070824
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=66008
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66008
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66008
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66008
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66008
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070824
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [e052f4a8] rundll32.exe "C:\WINDOWS\system32\eokligmf.dll",b
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2D951DA-6CA3-4F54-9131-ADECA2422C35}: NameServer = 71.242.0.12,71.250.0.12
O18 - Protocol: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx (file missing)
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx (file missing)
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Protection Agent 5.1 (SmcService) - Symantec Corporation - C:\Program Files\Symantec\SPA\smc.exe
O23 - Service: Symantec NAC Service (SNAC) - Symantec Corporation - C:\Program Files\Symantec\SPA\snac.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - file:///C:/dell/E-Center/images/dell_logo.gif
O24 - Desktop Component 1: (no name) - file:///C:/dell/E-Center/images/header_bg.gif
O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/LEEPAY~1/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.jpg

--
End of file - 9867 bytes
View User's Profile View All Posts By User
Pancake
Custom User Title
*******


Avatar


Posts: 537
Registered: 17-4-2006
Location: Victoria Australia
Theme: KF Blue (Default)
Member Is Offline

Mood: No Mood

[*] Post 342897 posted on 21-7-2008 at 00:18 Reply With Quote


Ok.Lets download ComboFix.exe. This will give me a better view to the files running and also hidden on your computer and also those in the registry..Please visit this webpage for downloading and instructions for running the tool:

Go here ======> http://www.bleepingcomputer.com/combofix/how-to-use-combofix A guide and tutorial on using ComboFix <====== Go here

Please ensure you read this guide carefully and install the Recovery Console first.This applies to XP Pro and XP Home users only.If you have SP3 installed you will need to use SP2

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Mal use can cause serious computer problems

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
View User's Profile View All Posts By User
blue11
New User
*


Avatar


Posts: 35
Registered: 20-7-2008
Location: Phila
Theme: Ice Blue
Member Is Offline

Mood: No MOod

[*] Post 342898 posted on 21-7-2008 at 00:41 Reply With Quote


ComboFix 08-07-20.5 - Lee Payton 2008-07-20 20:28:28.1 - NTFSx86
Running from: C:\Documents and Settings\Lee Payton\Desktop\ComboFix.exe
* Created a new restore point

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMe361c734.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\awtsQJYO.dll
C:\WINDOWS\system32\efcDSJCU.dll
C:\WINDOWS\system32\ejbwoi.dll
C:\WINDOWS\system32\ejqukdst.dll
C:\WINDOWS\system32\fccYRhGy.dll
C:\WINDOWS\system32\fmgilkoe.ini
C:\WINDOWS\system32\gfeoueio.ini
C:\WINDOWS\system32\iifeeDsr.dll
C:\WINDOWS\system32\jtvbxpqi.dll
C:\WINDOWS\system32\ljJDVoMg.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mwusfwxl.dll
C:\WINDOWS\system32\opnkjJay.dll
C:\WINDOWS\system32\OYJQstwa.ini
C:\WINDOWS\system32\OYJQstwa.ini2
C:\WINDOWS\system32\qsdqry.dll
C:\WINDOWS\system32\tuvWnMdd.dll
C:\WINDOWS\system32\urqOhEwx.dll
C:\WINDOWS\system32\wrmawvpq.ini
C:\WINDOWS\system32\xxywULEu.dll
C:\WINDOWS\system32\yFNoqtwa.ini
C:\WINDOWS\system32\yFNoqtwa.ini2
C:\WINDOWS\system32\yxoislqp.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.

2008-07-14 04:48 . 2008-07-14 07:27 877,719,320 --a------ C:\Program Files\after_effectsCS3.exe
2008-07-14 03:31 . 2008-07-14 03:31 <DIR> d-------- C:\Documents and Settings\Lee Payton\Application Data\Thinstall
2008-07-08 14:49 . 2008-07-08 14:49 <DIR> d-------- C:\Documents and Settings\Lee Payton\Application Data\Media Player Classic
2008-07-08 14:47 . 2008-07-08 14:47 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-07-08 14:47 . 2008-03-21 16:30 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-07-08 14:25 . 2008-07-08 14:35 <DIR> d-------- C:\Program Files\JockerSoft
2008-07-08 14:23 . 2008-07-08 14:24 456,044 --a------ C:\Documents and Settings\Lee Payton\Application Data\setup_CodecInstaller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 00:33 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-21 00:32 --------- d-----w C:\Program Files\Dl_cats
2008-07-14 17:13 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\Download Manager
2008-07-10 09:10 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\Vso
2008-07-07 04:56 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-19 21:24 28,544 ----a-w C:\WINDOWS\system32\drivers\pavboot.sys
2008-06-16 21:36 --------- d-----w C:\Program Files\VSO
2008-06-16 21:06 --------- d-----w C:\Program Files\Google
2008-06-16 18:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-06-16 18:20 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-06-16 17:57 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\CyberLink
2008-06-16 17:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-06-05 19:17 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\ppstream
2008-06-05 19:12 1,290,685 ----a-w C:\Documents and Settings\Lee Payton\pipilib.zip
2008-06-05 17:35 --------- d-----w C:\Program Files\KuGou
2008-06-05 17:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Storm
2008-06-05 17:30 --------- d-----w C:\Program Files\Common Files\Real
2008-06-05 17:30 --------- d-----w C:\Documents and Settings\Lee Payton\Application Data\Application Data
2008-06-04 00:06 --------- d-----w C:\Program Files\uTorrent
2008-06-03 17:41 --------- d-----w C:\Program Files\Zune
2008-06-03 17:32 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-06-03 17:32 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-29 23:56 61,856 ----a-w C:\WINDOWS\system32\ZuneBusEnum.exe
2008-04-29 23:56 245,664 ----a-w C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2008-04-29 23:39 70,144 ----a-w C:\WINDOWS\system32\ZuneIpTransport.dll
2008-04-29 23:39 62,464 ----a-w C:\WINDOWS\system32\ZuneUsbTransport.dll
2008-04-29 23:39 35,328 ----a-w C:\WINDOWS\system32\ZuneUsbCOnnection.dll
2008-04-29 23:39 145,408 ----a-w C:\WINDOWS\system32\ZuneMTPZ.dll
2008-04-24 02:16 3,864,576 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2006-07-20 05:42 19,153,264 ----a-w C:\Documents and Settings\Lee Payton\Application Data\aaw2008.exe
.

------- Sigcheck -------

2006-01-09 14:02 662016 dde9597a3311748c1519444e2bc147bd C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\wininet.dll
2007-02-20 05:52 665600 b258c922d22deec880b60720531d7627 C:\WINDOWS\$hf_mig$\KB931768\SP2QFE\wininet.dll
2007-06-26 10:35 665600 e1a3dd68b5380b360a7310a64d9bb188 C:\WINDOWS\$hf_mig$\KB937143\SP2QFE\wininet.dll
2007-08-22 08:55 665600 a1bc17eb3758d73c3938b2318820f5b4 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\wininet.dll
2007-10-11 01:57 666112 80d660a49e0d118144423099b2a9f5da C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\wininet.dll
2007-10-10 19:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-06 22:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 09:03 827392 6316c2f0c61271c8abdff7429174879e C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2008-04-22 23:35 827392 41546b396a526918da7995a02ea04e51 C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
2007-02-20 05:48 658944 30d1c47e40efbb792ff8d3c3b51ce507 C:\WINDOWS\$NtUninstallKB937143$\wininet.dll
2007-06-26 10:09 658944 184e47c8f7b331025e6dc92740db188f C:\WINDOWS\$NtUninstallKB939653$\wininet.dll
2007-08-22 09:12 658944 1901ad51da8be9f8b38d5d526e5d1788 C:\WINDOWS\$NtUninstallKB942615$\wininet.dll
2007-10-10 19:56 824832 30c1e0f34ad2972c72a01db5c74ab065 C:\WINDOWS\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\wininet.dll
2007-10-10 19:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:\WINDOWS\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\wininet.dll
md5deep: C:\WINDOWS\SoftwareDistribution\Download\f4bbe93413da6448b38093eb5244141e\SP2GDR\wininet.dll: No such file or directory
md5deep: C:\WINDOWS\SoftwareDistribution\Download\f4bbe93413da6448b38093eb5244141e\SP2QFE\wininet.dll: No such file or directory
2008-04-23 00:16 817152 f82dc979e1f334df0c893b3bfdeb404e C:\WINDOWS\system32\wininet.dll
2008-04-23 00:16 817152 f82dc979e1f334df0c893b3bfdeb404e C:\WINDOWS\system32\dllcache\wininet.dll

2007-06-13 06:23 975360 9784e0719124e4a23989aef9e7ca02d6 C:\WINDOWS\explorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 06:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 06:23 975360 9784e0719124e4a23989aef9e7ca02d6 C:\WINDOWS\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC628875-53FE-4DE3-9CA8-E61652820398}]
2006-07-20 00:19 299008 --a------ C:\Documents and Settings\Lee Payton\Application Data\WinRAR\nifodos.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLCXCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 01:31 106496]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 19:15 600896]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-03-06 14:56 61440]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-06-19 16:48 851968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nifodos]
2006-07-20 00:19 299008 C:\Documents and Settings\Lee Payton\Application Data\WinRAR\nifodos.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 22:46 624248 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2006-03-24 18:14 53408 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
--------- 2003-06-18 02:00 45056 C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcxmon.exe]
--a------ 2007-01-12 12:57 292336 C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
--a------ 2006-11-03 18:09 312200 C:\Program Files\Dell PC Fax\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2007-03-21 14:00 174872 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 10:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 10:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryCardManager]
--a------ 2006-11-03 18:04 304008 C:\Program Files\Dell Photo AIO Printer 926\memcard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-03-21 11:12 7204864 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2006-10-20 18:23 118784 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-08-17 10:00 1116920 C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-09-01 23:02 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 C:\WINDOWS\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
--------- 2005-10-14 12:01 122880 C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2006-06-15 02:40 124656 C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2008-04-29 19:56 158624 c:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2005-11-08 06:30 16384 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-03-01 22:00 18944 C:\WINDOWS\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneWlanCfgSvc"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"ZuneBusEnum"=2 (0x2)
"gusvc"=3 (0x3)
"wuauserv"=2 (0x2)
"WmdmPmSN"=3 (0x3)
"LiveUpdate"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\WINDOWS\\system32\\dlcxcoms.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"46675:TCP"= 46675:TCP:utorrent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 11:35]
R2 ASFIPmon;Broadcom ASF IP Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-03-17 18:25]
R2 dlcx_device;dlcx_device;C:\WINDOWS\system32\dlcxcoms.exe [2006-11-03 18:07]
R2 WGX;Extend WG Protocol Driver;C:\WINDOWS\system32\Drivers\WGX.sys [2007-08-06 15:29]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 19:39]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-02-15 00:40]
S4 SysGuard;SysGuard;C:\WINDOWS\system32\Drivers\Sysguard.sys
S4 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 19:56]
S4 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 19:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0538cd9a-9cad-11dc-8d99-001aa03438fe}]
\Shell\AutoRun\command - F:\setupSNK.exe

*Newly Created Service* - PAVBOOT
.
- - - - ORPHANS REMOVED - - - -

BHO-{DB055111-4F4F-4730-ADC5-C40EBBFF6E67} - C:\WINDOWS\system32\iefltr.dll
HKLM-Run-AudioDrvEmulator - C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
HKLM-Run-e052f4a8 - C:\WINDOWS\system32\eokligmf.dll
MSConfigStartUp-Corel Photo Downloader - C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
MSConfigStartUp-Google Desktop Search - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-jfproc - C:\Program Files\pipi\jfCacheMgr.exe
MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = google.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{B2D951DA-6CA3-4F54-9131-ADECA2422C35}: NameServer = 71.242.0.12,71.250.0.12
O18 -: Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -
O18 -: Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 20:32:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Documents and Settings\Lee Payton\Application Data\WinRAR\nifodos.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec\SPA\Smc.exe
C:\Program Files\Symantec\SPA\SNAC.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Symantec\SPA\SmcGui.exe
.
**************************************************************************
.
Completion time: 2008-07-20 20:37:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-21 00:37:13

Pre-Run: 211,673,710,592 bytes free
Post-Run: 212,296,888,320 bytes free

309 --- E O F --- 2008-06-12 07:02:00
View User's Profile View All Posts By User
Post new thread Poll:

Guest Notice
You are a guest, as a guest you can only see a maximum of 3 posts per thread.

If you want to see the rest, please click here to register.