(I can hardly go online with any browser. It took me a while and several tries to reply to you.)
Some pages are opening and working perfectly and some are blocked, depending on which browser I use. Firefox is blocking my Facebook but Chrome isn't. On the other hand, Chrome can't open my www.notitarde.com but Firefox does. I still think there is something there bugging my browsers. I still have to check them when downloading; I don't know yet if they're still crashing. I'm getting ready to reload XP but I'll wait until you've run out of options.
Sorry for not responding sooner. I'm not sure what's causing the browser issues, but I'm still trying to find some more info. I'll reply soon and let you know if I have some more instructions.
I still can't sign in to my Facebook using Firefox, but if I go to Chrome it works OK. YouTube is working a lot better but something is still blocking the small windows where all the other videos are, if you know what I mean. The www.notitarde.com won't open in Chrome but it does in Firefox. It's a big mess. The way the browsers are working now is more efficient, but there is still something bugging my browsers. I won't reload XP until you tell me to do so.
I did disable the Norton antivirus program this time before running the ComboFix program.
ComboFix 08-12-18.01 - Owner 2009-01-13 18:31:57.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.127 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:30 PM, on 1/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Well, it seems like after disabling the Norton Antivirus and running ComboFix as you explained, this entry is still there. I'm going to run ComboFix again and see if it gets cleaned; if it doesn't, I'll just sit tight and wait for your next reply.
I was a bit busy and couldn't reply sooner. This is the last ComboFix report as requested.
ComboFix 09-01-17.04 - Owner 2009-01-18 15:36:30.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.110 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
FW: Norton AntiVirus *enabled*
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.
Trogan, that malware probably came from a Spartan. Thank you and this forum for all the help. I guess we can win some times but we can't win all of the time. I have a dream that one day we'll live browsing on the net free of viruses, spyware and all the malware that lives in cyberspace; that day guys like you will spend more time creating better-wares instead of practicing cyberlaundry. It can happen! Watch out. Good luck and keep the good spirit. We'll meet again some time before the war is over. Thanks again.
My dear, all you have to do is go to System Tools and then Restore Point, restore it to an earlier date and you're all fixed. Why are you wasting your time fixing things you don't know? I'm upset because of these hackers and how I can destroy them, but no one tells me; though I could see their IP addresses, I don't know what to do. Well, try this; if it's OK then keep helping people.
Good luck.
Comments
We need to do similar steps as last time...
1. Run Flash_Disinfector
2. Open Notepad and copy/paste the text in the Quote Box below into it:
Save this as CFScript.txt to your Desktop
Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will start ComboFix again. After reboot, (in case it asks to reboot), save the contents of Combofix.txt as I'll need to see them in your next reply.
3. Make sure you can view hidden files and folders:
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Show hidden files and folders.
- Click OK.
4. Go into all your drives (C:, D:, E:, F:, etc) again and delete resycled, if found. Let me know if and where you find them.
5. Find and delete the following folder...
C:\Documents and Settings\<your username>\Local Settings\Temp <-- this folder
6. Please do the following...
- ComboFix log
- New HijackThis log
My Firefox keeps crashing when I'm downloading anything; it will work once or twice and then all the browser windows will close with a detailed crash notice from Firefox that can't be copied. (It seems like the Firefox program doesn't allow this details notice to be copied for some very stupid reason, daaaaaaa!!!!) Whatever!!! Maybe these crashes can be tracked by some of the logs I'm providing?? It can happen!! Firefox is still the most stable browser but I'm still reloading pages by the kilos. Since this morning, Firefox's Big Bang crash where the browser would not work at all: I'd type a link and hit enter, and the browser would stop immediately showing a page error; no matter what link or button I pushed, it wasn't even trying to go get the page at all. I had to reset my PC. Now I get this notice as the browser starts, which reads like this:
Could not initialize the application's security component. The most likely cause is problems with files in your application's profile directory. Please check that this directory has no read/write restrictions and your hard disk is not full or close to full. It is recommended that you exit the application and fix the problem. If you continue to use this session, you might see incorrect application behaviour when accessing security features.
The other Firefox Downloading Crash Notice could not be copied but I will have to use my pencil and copy it for you if you need it.
I didn't find any files in C:\Documents and Settings\Administrator.Ezio_PC\Local Settings\Temp, but I went to C:\Documents and Settings\Owner\Local Settings\Temp and found 2 files there that I could not erase since they are being used by a program. The names of these files are "etilqs_nh1OWm2surD21PczTOId" and "~DFE1FD.tmp". I left them there for now.
I didn't find any "resycled" folder or files on any of my HDDs.
ComboFix 08-12-18.01 - Owner 2009-01-05 19:00:21.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.121 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.
2009-01-02 20:31 . 2009-01-03 09:51 2,339 --a--c--- c:\windows\system32\SHORTCUT.INI
2009-01-02 19:15 . 2009-01-04 21:16 128 --a--c--- c:\windows\system32\REMOTEDEVICE.INI
2009-01-02 19:13 . 2009-01-05 18:05 4,756 --a--c--- c:\windows\system32\LOCALSERVICE.INI
2009-01-02 19:12 . 2009-01-05 18:05 99 --a--c--- c:\windows\system32\LOCALDEVICE.INI
2009-01-02 19:05 . 2009-01-02 19:05 0 --a--c--- c:\windows\system32\BSPRINT.INI
2009-01-01 11:26 . 2008-04-14 05:42 151,552 --a--c--- c:\windows\system32\irftp.exe
2009-01-01 11:26 . 2008-04-14 05:42 151,552 --a--c--- c:\windows\system32\dllcache\irftp.exe
2009-01-01 11:26 . 2008-04-14 05:41 28,160 --a--c--- c:\windows\system32\irmon.dll
2009-01-01 11:26 . 2008-04-14 05:41 28,160 --a--c--- c:\windows\system32\dllcache\irmon.dll
2009-01-01 11:26 . 2008-04-14 05:42 8,192 --a--c--- c:\windows\system32\wshirda.dll
2009-01-01 11:26 . 2008-04-14 05:42 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2009-01-01 10:50 . 2009-01-01 15:19 423 --a--c--- c:\windows\BsMobileModel.ini
2009-01-01 10:49 . 2009-01-01 10:49 <DIR> d----c--- c:\windows\system32\ivtMobCache
2008-12-30 18:41 . 2009-01-01 12:02 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Bluetooth
2008-12-30 18:25 . 2008-12-30 18:25 <DIR> d----c--- c:\program files\IVT Corporation
2008-12-30 18:24 . 2009-01-02 19:05 32 --a--c--- c:\windows\0
2008-12-30 18:24 . 2008-12-30 18:24 0 --a--c--- c:\windows\system32\0
2008-12-28 02:59 . 2008-12-28 02:59 <DIR> d----c--- c:\documents and settings\Owner\Application Data\Yahoo!
2008-12-28 02:57 . 2008-12-28 21:11 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-26 00:09 . 2008-12-26 00:38 <DIR> d----c--- c:\documents and settings\All Users\Application Data\DriverScanner
2008-12-18 03:04 . 2008-12-18 03:04 <DIR> d----c--- c:\windows\ie8updates
2008-12-13 02:00 . 2008-12-13 02:03 <DIR> d----c--- C:\rsit
2008-12-07 21:08 . 2008-12-07 21:08 <DIR> d----c--- c:\program files\Malwarebytes' Anti-Malware
2008-12-07 21:08 . 2008-12-03 19:59 38,496 --a--c--- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-07 21:08 . 2008-12-03 19:59 15,504 --a--c--- c:\windows\system32\drivers\mbam.sys
2008-12-07 12:44 . 2008-12-07 12:44 30,088 --a--c--- c:\windows\system32\drivers\btnetBus.sys
2008-12-05 00:49 . 2008-12-05 00:49 <DIR> d----c--- c:\program files\xp-AntiSpy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-05 06:56 dc----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-05 01:00 dc----w c:\program files\Java
2008-12-31 21:42 dc----w c:\documents and settings\Owner\Application Data\Skype
2008-12-31 13:15 dc----w c:\program files\Common Files\Symantec Shared
2008-12-30 04:59 dc----w c:\program files\RapidTyping
2008-12-29 02:51 dc----w c:\program files\KaraFun
2008-12-29 01:12 dc----w c:\program files\Yahoo!
2008-12-26 04:38 dc----w c:\documents and settings\Owner\Application Data\Uniblue
2008-12-24 22:23 dc----w c:\program files\Spybot - Search & Destroy
2008-12-24 00:30 dc----w c:\program files\XoftSpySE
2008-12-05 01:50 dc----w c:\program files\Trend Micro
2008-12-02 22:26 dc----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-30 14:21 dc----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-28 07:09 dc----w c:\program files\Norton AntiVirus
2008-11-28 06:36 805 -c--a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-11-28 06:36 123,952 -c--a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-28 06:36 10,671 -c--a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-28 06:36 dc----w c:\program files\Symantec
2008-11-26 22:57 dc----w c:\program files\Windows Sidebar
2008-11-26 05:34 51,168 -c--a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-11-18 05:06 dc----w c:\program files\SUPERAntiSpyware
2008-11-18 05:06 dc----w c:\program files\Common Files\Wise Installation Wizard
2008-11-18 05:06 dc----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2008-11-17 22:34 dc----w c:\documents and settings\Administrator.EZIO_PC\Application Data\Malwarebytes
2008-11-17 22:33 dc----w c:\program files\Jewel Quest 2
2008-11-17 22:32 dc----w c:\program files\Eusing Free Registry Cleaner
2008-11-17 22:29 dc----w c:\documents and settings\Administrator.EZIO_PC\Application Data\Hypercosm
2008-11-11 22:48 dc----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-11 22:46 dc----w c:\program files\Lavasoft
2008-11-11 22:15 dc----w c:\documents and settings\All Users\Application Data\SecTaskMan
2008-11-11 17:37 dc--a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-11 15:28 dc----w c:\program files\iPrep 101
2008-11-11 15:12 dc----w c:\program files\Winamp Remote
2008-11-09 05:56 dc----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-07 17:10 dc----w c:\program files\Common Files\Adobe
2008-11-05 01:08 dc----w c:\program files\Syncrosoft
2008-05-06 01:25 774,144 -c--a-w c:\program files\RngInterstitial.dll
2007-12-26 21:38 2,293,848 -c--a-w c:\program files\FLV PlayerFCSetup.exe
2007-12-26 21:19 2,893,824 -c--a-w c:\program files\FLV PlayerRCATSetup.exe
2007-12-26 21:11 411,248 -c--a-w c:\program files\FLV PlayerRCSetup.exe
2007-02-26 00:28 5,252 -c--a-w c:\documents and settings\Owner\Application Data\ViewerApp.dat
2008-09-21 16:00 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092120080922\index.dat
.
((((((((((((((((((((((((((((( snapshot_2008-12-18_23.15.57.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-05 00:16:46 1,887,080 -c--a-w c:\windows\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
+ 2009-01-02 23:05:13 3,638 -c--a-r c:\windows\Installer\{6A06C623-D85C-41B3-AC6A-A9FA4AF61729}\ARPPRODUCTICON.exe
+ 2008-06-04 22:28:50 520,307 -c--a-w c:\windows\system32\BlueSoleilCSps.dll
+ 2008-06-04 22:27:44 98,403 -c--a-w c:\windows\system32\Bs2Res.dll
+ 2008-06-04 22:29:34 540,758 -c--a-w c:\windows\system32\Bscdlg.dll
+ 2008-06-04 22:28:58 143,450 -c--a-w c:\windows\system32\BsCommon.dll
+ 2008-06-04 22:28:52 94,314 -c--a-w c:\windows\system32\BsHelpCSps.dll
+ 2008-03-07 17:54:22 17,907,824 -c--a-w c:\windows\system32\BsLangInDepRes.dll
+ 2008-06-04 22:27:02 28,672 -c--a-w c:\windows\system32\BsMobileCSps.dll
+ 2008-06-04 22:27:10 118,880 -c--a-w c:\windows\system32\BsMobileSDK.dll
+ 2008-06-04 22:30:52 18,432 -c--a-w c:\windows\system32\BsMonSvr.dll
+ 2008-06-04 22:30:56 9,728 -c--a-w c:\windows\system32\BsMonUI.dll
+ 2008-06-04 22:29:24 114,788 -c--a-w c:\windows\system32\BsProfileFunc.dll
+ 2008-06-10 19:00:30 225,364 -c--a-w c:\windows\system32\BsSDK.dll
+ 2008-06-04 22:29:48 622,693 -c--a-w c:\windows\system32\BSShell.dll
+ 2008-06-04 22:26:52 28,760 -c--a-w c:\windows\system32\BsTrace.dll
+ 2008-06-04 22:30:44 405,589 -c--a-w c:\windows\system32\BsUI.dll
+ 2007-03-19 14:59:18 65,536 -c--a-w c:\windows\system32\BsVistaCommon.dll
+ 2008-06-04 22:30:30 57,430 -c--a-w c:\windows\system32\btfunc.dll
+ 2008-03-06 21:04:08 15,368 -c--a-w c:\windows\system32\btinstall.dll
+ 2008-04-14 04:15:16 60,160 -c--a-w c:\windows\system32\dllcache\drmk.sys
+ 2008-04-14 04:46:38 141,056 -c--a-w c:\windows\system32\dllcache\ks.sys
+ 2008-04-14 04:46:38 141,056 -c--a-w c:\windows\system32\dllcache\ks.sys.tmp
+ 2008-04-14 04:49:42 146,048 -c--a-w c:\windows\system32\dllcache\portcls.sys
+ 2008-04-14 04:49:42 146,048 -c--a-w c:\windows\system32\dllcache\portcls.sys.tmp
+ 2008-04-14 04:15:16 49,408 -c--a-w c:\windows\system32\dllcache\stream.sys
+ 2007-03-19 14:59:16 148,830 -c--a-w c:\windows\system32\drivers\bcbthub.sys
+ 2008-03-06 21:05:04 33,800 -c--a-w c:\windows\system32\drivers\blueletaudio.sys
+ 2008-03-06 21:05:08 27,528 -c--a-w c:\windows\system32\drivers\BlueletSCOAudio.sys
+ 2008-03-06 21:04:04 38,920 -c--a-w c:\windows\system32\drivers\btcusb.sys
+ 2008-01-21 23:28:04 21,512 -c--a-w c:\windows\system32\drivers\BtHidBus.sys
+ 2008-01-21 23:28:12 14,600 -c--a-w c:\windows\system32\drivers\btnetdrv.sys
+ 2006-11-22 17:41:18 22,416 -c--a-w c:\windows\system32\drivers\BTNetFilter.sys
+ 2007-03-19 14:59:18 116,021 -c--a-w c:\windows\system32\drivers\fw203x.sys
+ 2008-01-21 23:28:08 26,248 -c--a-w c:\windows\system32\drivers\IvtBtBus.sys
+ 2008-01-21 23:27:50 14,856 -c--a-w c:\windows\system32\drivers\VComm.sys
+ 2008-01-21 23:27:56 29,960 -c--a-w c:\windows\system32\drivers\VcommMgr.sys
+ 2008-01-21 23:28:00 17,416 -c--a-w c:\windows\system32\drivers\VHIDMini.sys
+ 2008-06-04 22:30:04 53,248 -c--a-w c:\windows\system32\HtmPrintHelper.dll
- 2008-12-15 17:59:39 84,661 -c--a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-01-05 00:54:02 84,661 -c--a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2008-06-04 22:30:22 278,647 -c--a-w c:\windows\system32\outlookAddin.dll
- 2008-09-21 16:06:05 71,512 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-01 15:42:53 71,512 ----a-w c:\windows\system32\perfc009.dat
- 2008-09-21 16:06:05 441,954 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-01 15:42:53 441,954 ----a-w c:\windows\system32\perfh009.dat
+ 2008-06-04 22:27:48 28,766 -c--a-w c:\windows\system32\PlayerCtrl.dll
+ 2008-12-15 17:29:14 39,304 -c--a-w c:\windows\system32\ReinstallBackups\0010\DriverFiles\btcusb.sys
+ 2007-08-27 17:37:02 1,717,848 -c--a-w c:\windows\system32\skype4com.dll
+ 2007-09-03 19:49:12 41,049 -c--a-w c:\windows\system32\skypeagent.dll
+ 2008-06-04 22:29:58 114,774 -c--a-w c:\windows\system32\versit.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2005-08-31 1658592]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ares"="c:\program files\Ares\Ares.exe" [2008-02-20 963072]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-04 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-02 185896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"PP5300usb"="c:\paprport\FBDirect.exe" [1999-03-26 228864]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2007-08-24 714608]
"Jet Detection"="c:\program files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 28672]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"BtTray"="c:\program files\IVT Corporation\BlueSoleil\BtTray.exe" [2008-06-18 227840]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-12-24 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI2"= vpnt.dll
"midi3"= usbmn1x1.dll
"midi1"= usbmn1x1.dll
"midi4"= usbmn1x1.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"nwiz"=nwiz.exe /install
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"lsass"=nwiz.exe /install
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"GWMDMpi"=c:\windows\GWMDMpi.exe
"GWMDMMSG"=GWMDMMSG.exe
"CTHelper"=CTHELPER.EXE
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"avast!"=c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
"Creative WebCam Tray"=c:\program files\Creative\Shared Files\CAMTRAY.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\Program Files\\Jane's Combat Simulations\\USAF\\USAF.icd"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Gateway\\HPA\\GWMenu.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Temp FTP\\FLASH FXP full\\FlashFXP.exe"=
"c:\\Program Files\\FLASH FXP\\FlashFXP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\VoipRaider.com\\VoipRaider\\VoipRaider.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\rundll32.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\Drivers\BtHidBus.sys [2008-07-31 21512]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2007-08-24 149352]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-10-05 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-17 99376]
R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\Drivers\IvtBtBus.sys [2008-07-02 26248]
R3 USBMM1X1;USB Midi 1x1 Driver;c:\windows\system32\drivers\usbmm1x1.sys [2008-07-05 32476]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\Drivers\btnetBus.sys [2008-12-07 30088]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\Drivers\CEUSBAUD.sys [2008-07-27 17920]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2007-06-22 23888]
S3 P1130VID;Creative WebCam NX Pro;c:\windows\system32\DRIVERS\P1130Vid.sys [2008-11-22 90229]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5074846-b8d2-11dd-8f98-0007e9bf763b}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com f:
\Shell\Open\command - resycled\boot.com f:
.
Contents of the 'Scheduled Tasks' folder
2009-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1757981266-1801674531-1003.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-04 13:38]
2009-01-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-10-05 22:11]
2008-12-31 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job
- c:\program files\Norton AntiVirus\Navw32.exe [2007-08-26 13:19]
2009-01-02 c:\windows\Tasks\Norton Security Scan for Owner.job
- c:\program files\Norton Security Scan\Nss.exe []
2009-01-01 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
2007-11-18 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
2009-01-05 c:\windows\Tasks\User_Feed_Synchronization-{BE360C57-0C39-4598-9CC0-EAC1B09649C9}.job
- c:\windows\system32\msfeedssync.exe [2008-08-22 03:05]
.
.
Supplementary Scan
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.eluniversal.com/index.shtml/
mStart Page = hxxp://www.eluniversal.com/index.shtml
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
c:\windows\Downloaded Program Files\InstallerControl.dll - O16 -: CabBuilder
hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
c:\windows\Downloaded Program Files\OSDED4D.OSD
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
c:\windows\system32\wininet.dll - c:\windows\system32\sensapi.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\COMDLG32.OCX
c:\windows\system32\msstkprp.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\asycfilt.dll
c:\windows\system32\stdole2.tlb
c:\windows\system32\comcat.dll
c:\windows\Downloaded Program Files\DoMoreRunExe.ocx
O16 -: {0F04992B-E661-4DB9-B223-903AB628225D}
file:///C:/Program%20Files/Gateway/Do%20More/DoMoreRunExe.CAB
c:\windows\Downloaded Program Files\DoMoreRunExe.INF
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\w4vvv16z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.eluniversal.com/index.shtml
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\w4vvv16z.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.version", 3);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.3.shown", false);
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 19:03:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2009-01-05 19:07:36
ComboFix-quarantined-files.txt 2009-01-05 23:06:16
ComboFix2.txt 2008-12-28 21:41:23
ComboFix3.txt 2008-12-19 03:17:14
ComboFix4.txt 2008-11-22 18:07:14
Pre-Run: 118,553,853,952 bytes free
Post-Run: 118,630,019,072 bytes free
326 --- E O F --- 2009-01-05 07:01:34
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:31 PM, on 1/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PAPRPORT\FBDirect.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ares\Ares.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\NMSSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\JGsoft\EditPadLite\EditPad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eluniversal.com/index.shtml/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eluniversal.com/index.shtml
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PP5300usb] C:\PAPRPORT\FBDirect.exe
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file:///C:/Program%20Files/Gateway/Do%20More/DoMoreRunExe.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://giovanna742.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159940043390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159942914140
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://kikinowak.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\skype4com.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - (no file)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 12216 bytes
When you run ComboFix, did you close/disable your anti-virus and anti-spyware programs?
I did disable the Norton antivirus program this time before running the ComboFix program.
ComboFix 08-12-18.01 - Owner 2009-01-13 18:31:57.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.127 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.
2009-01-06 18:27 . 2009-01-06 18:27 <DIR> d----c--- c:\documents and settings\Owner\Application Data\LaCie
2009-01-06 18:26 . 2009-01-06 18:26 <DIR> d----c--- c:\documents and settings\All Users\Application Data\InstallShield
2009-01-02 20:31 . 2009-01-03 09:51 2,339 --a--c--- c:\windows\system32\SHORTCUT.INI
2009-01-02 19:15 . 2009-01-10 22:39 128 --a--c--- c:\windows\system32\REMOTEDEVICE.INI
2009-01-02 19:13 . 2009-01-10 22:07 4,756 --a--c--- c:\windows\system32\LOCALSERVICE.INI
2009-01-02 19:12 . 2009-01-10 22:07 99 --a--c--- c:\windows\system32\LOCALDEVICE.INI
2009-01-02 19:05 . 2009-01-02 19:05 0 --a--c--- c:\windows\system32\BSPRINT.INI
2009-01-01 11:26 . 2008-04-14 05:42 151,552 --a--c--- c:\windows\system32\irftp.exe
2009-01-01 11:26 . 2008-04-14 05:42 151,552 --a--c--- c:\windows\system32\dllcache\irftp.exe
2009-01-01 11:26 . 2008-04-14 05:41 28,160 --a--c--- c:\windows\system32\irmon.dll
2009-01-01 11:26 . 2008-04-14 05:41 28,160 --a--c--- c:\windows\system32\dllcache\irmon.dll
2009-01-01 11:26 . 2008-04-14 05:42 8,192 --a--c--- c:\windows\system32\wshirda.dll
2009-01-01 11:26 . 2008-04-14 05:42 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2009-01-01 10:50 . 2009-01-01 15:19 423 --a--c--- c:\windows\BsMobileModel.ini
2009-01-01 10:49 . 2009-01-01 10:49 <DIR> d----c--- c:\windows\system32\ivtMobCache
2008-12-30 18:41 . 2009-01-01 12:02 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Bluetooth
2008-12-30 18:25 . 2008-12-30 18:25 <DIR> d----c--- c:\program files\IVT Corporation
2008-12-30 18:24 . 2009-01-02 19:05 32 --a--c--- c:\windows\0
2008-12-30 18:24 . 2008-12-30 18:24 0 --a--c--- c:\windows\system32\0
2008-12-28 02:59 . 2008-12-28 02:59 <DIR> d----c--- c:\documents and settings\Owner\Application Data\Yahoo!
2008-12-28 02:57 . 2008-12-28 21:11 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-26 00:09 . 2008-12-26 00:38 <DIR> d----c--- c:\documents and settings\All Users\Application Data\DriverScanner
2008-12-18 03:04 . 2008-12-18 03:04 <DIR> d----c--- c:\windows\ie8updates
2008-12-13 02:00 . 2008-12-13 02:03 <DIR> d----c--- C:\rsit
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 22:37 dc----w c:\documents and settings\Owner\Application Data\Skype
2009-01-13 14:58 dc----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-11 06:14 dc----w c:\program files\FLASH FXP
2009-01-11 03:10 dc----w c:\program files\Common Files\Symantec Shared
2009-01-09 03:52 806 -c--a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-09 03:52 124,464 -c--a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-09 03:52 10,635 -c--a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-09 03:52 dc----w c:\program files\Symantec
2009-01-06 22:26 dc----w c:\program files\Common Files\InstallShield
2009-01-05 01:00 dc----w c:\program files\Java
2008-12-30 04:59 dc----w c:\program files\RapidTyping
2008-12-29 02:51 dc----w c:\program files\KaraFun
2008-12-29 01:12 dc----w c:\program files\Yahoo!
2008-12-26 04:38 dc----w c:\documents and settings\Owner\Application Data\Uniblue
2008-12-24 22:23 dc----w c:\program files\Spybot - Search & Destroy
2008-12-24 00:30 dc----w c:\program files\XoftSpySE
2008-12-08 01:08 dc----w c:\program files\Malwarebytes' Anti-Malware
2008-12-07 16:44 30,088 -c--a-w c:\windows\system32\drivers\btnetBus.sys
2008-12-05 04:49 dc----w c:\program files\xp-AntiSpy
2008-12-05 01:50 dc----w c:\program files\Trend Micro
2008-12-03 23:59 38,496 -c--a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 23:59 15,504 -c--a-w c:\windows\system32\drivers\mbam.sys
2008-12-02 22:26 dc----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-30 14:21 dc----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-28 07:09 dc----w c:\program files\Norton AntiVirus
2008-11-26 22:57 dc----w c:\program files\Windows Sidebar
2008-11-26 05:34 51,168 -c--a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-11-18 05:06 dc----w c:\program files\SUPERAntiSpyware
2008-11-18 05:06 dc----w c:\program files\Common Files\Wise Installation Wizard
2008-11-18 05:06 dc----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2008-11-17 22:34 dc----w c:\documents and settings\Administrator.EZIO_PC\Application Data\Malwarebytes
2008-11-17 22:33 dc----w c:\program files\Jewel Quest 2
2008-11-17 22:32 dc----w c:\program files\Eusing Free Registry Cleaner
2008-11-17 22:29 dc----w c:\documents and settings\Administrator.EZIO_PC\Application Data\Hypercosm
2008-05-06 01:25 774,144 -c--a-w c:\program files\RngInterstitial.dll
2007-12-26 21:38 2,293,848 -c--a-w c:\program files\FLV PlayerFCSetup.exe
2007-12-26 21:19 2,893,824 -c--a-w c:\program files\FLV PlayerRCATSetup.exe
2007-12-26 21:11 411,248 -c--a-w c:\program files\FLV PlayerRCSetup.exe
2007-02-26 00:28 5,252 -c--a-w c:\documents and settings\Owner\Application Data\ViewerApp.dat
2008-09-21 16:00 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092120080922\index.dat
.
((((((((((((((((((((((((((((( snapshot_2009-01-05_19.04.56.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-07-25 22:13:18 24,576 -c--a-w c:\windows\Downloaded Program Files\dwusplay.dll
+ 2002-07-25 22:13:12 196,608 -c--a-w c:\windows\Downloaded Program Files\dwusplay.exe
+ 2004-06-14 21:17:16 323,584 -c--a-w c:\windows\Downloaded Program Files\isusweb.dll
- 2008-11-28 06:36:35 60,800 -c--a-w c:\windows\system32\S32EVNT1.DLL
+ 2009-01-09 03:52:51 60,808 -c--a-w c:\windows\system32\S32EVNT1.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2005-08-31 1658592]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ares"="c:\program files\Ares\Ares.exe" [2008-02-20 963072]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-04 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-02 185896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"PP5300usb"="c:\paprport\FBDirect.exe" [1999-03-26 228864]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2007-08-24 714608]
"Jet Detection"="c:\program files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 28672]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"BtTray"="c:\program files\IVT Corporation\BlueSoleil\BtTray.exe" [2008-06-18 227840]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-14 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-14 81920]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-12-24 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI2"= vpnt.dll
"midi3"= usbmn1x1.dll
"midi1"= usbmn1x1.dll
"midi4"= usbmn1x1.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"nwiz"=nwiz.exe /install
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"lsass"=nwiz.exe /install
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"GWMDMpi"=c:\windows\GWMDMpi.exe
"GWMDMMSG"=GWMDMMSG.exe
"CTHelper"=CTHELPER.EXE
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"avast!"=c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
"Creative WebCam Tray"=c:\program files\Creative\Shared Files\CAMTRAY.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\Program Files\\Jane's Combat Simulations\\USAF\\USAF.icd"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Gateway\\HPA\\GWMenu.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Temp FTP\\FLASH FXP full\\FlashFXP.exe"=
"c:\\Program Files\\FLASH FXP\\FlashFXP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\VoipRaider.com\\VoipRaider\\VoipRaider.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\rundll32.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\Drivers\BtHidBus.sys [2008-07-31 21512]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2007-08-24 149352]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-10-05 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-17 99376]
R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\Drivers\IvtBtBus.sys [2008-07-02 26248]
R3 USBMM1X1;USB Midi 1x1 Driver;c:\windows\system32\drivers\usbmm1x1.sys [2008-07-05 32476]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\Drivers\btnetBus.sys [2008-12-07 30088]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\Drivers\CEUSBAUD.sys [2008-07-27 17920]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2007-06-22 23888]
S3 P1130VID;Creative WebCam NX Pro;c:\windows\system32\DRIVERS\P1130Vid.sys [2008-11-22 90229]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5074846-b8d2-11dd-8f98-0007e9bf763b}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com f:
\Shell\Open\command - resycled\boot.com f:
*Newly Created Service* - NMSCFG
.
Contents of the 'Scheduled Tasks' folder
2009-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1757981266-1801674531-1003.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-04 13:38]
2009-01-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-10-05 22:11]
2009-01-07 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job
- c:\program files\Norton AntiVirus\Navw32.exe [2007-08-26 13:19]
2009-01-09 c:\windows\Tasks\Norton Security Scan for Owner.job
- c:\program files\Norton Security Scan\Nss.exe []
2009-01-11 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
2007-11-18 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
2009-01-13 c:\windows\Tasks\User_Feed_Synchronization-{BE360C57-0C39-4598-9CC0-EAC1B09649C9}.job
- c:\windows\system32\msfeedssync.exe [2008-08-22 03:05]
.
.
Supplementary Scan
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.eluniversal.com/index.shtml/
mStart Page = hxxp://www.eluniversal.com/index.shtml
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
c:\windows\Downloaded Program Files\InstallerControl.dll - O16 -: CabBuilder
hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
c:\windows\Downloaded Program Files\OSDED4D.OSD
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
c:\windows\system32\wininet.dll - c:\windows\system32\sensapi.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\COMDLG32.OCX
c:\windows\system32\msstkprp.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\asycfilt.dll
c:\windows\system32\stdole2.tlb
c:\windows\system32\comcat.dll
c:\windows\Downloaded Program Files\DoMoreRunExe.ocx
O16 -: {0F04992B-E661-4DB9-B223-903AB628225D}
file:///C:/Program%20Files/Gateway/Do%20More/DoMoreRunExe.CAB
c:\windows\Downloaded Program Files\DoMoreRunExe.INF
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\w4vvv16z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.eluniversal.com/index.shtml
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\w4vvv16z.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.version", 3);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.3.shown", false);
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 18:37:28
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-01-13 18:40:11
ComboFix-quarantined-files.txt 2009-01-13 22:39:24
ComboFix2.txt 2009-01-06 03:31:39
ComboFix3.txt 2009-01-05 23:07:39
ComboFix4.txt 2008-12-28 21:41:23
ComboFix5.txt 2009-01-13 22:30:07
Pre-Run: 117,999,034,368 bytes free
Post-Run: 118,034,124,800 bytes free
278 --- E O F --- 2009-01-13 10:11:27
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:30 PM, on 1/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Ares\Ares.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\JGsoft\EditPadLite\EditPad.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\divxsm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eluniversal.com/index.shtml/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eluniversal.com/index.shtml
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PP5300usb] C:\PAPRPORT\FBDirect.exe
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file:///C:/Program%20Files/Gateway/Do%20More/DoMoreRunExe.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://giovanna742.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159940043390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159942914140
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://kikinowak.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\skype4com.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - (no file)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 12567 bytes
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints 2\{a5074846-b8d2-11dd-8f98-0007e9bf763b}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com f:
\Shell\Open\command - resycled\boot.com f:
Well, it seems like after disabling the Norton Antivirus and running Combofix as you explained, this entry is still there. I'm going to run Combofix again and see if it gets cleaned; if it doesn't, I'll just sit tight and wait for your next reply.
Delete your version of ComboFix; then download and run the new version of ComboFix.
Post the log back here.
ComboFix 09-01-17.04 - Owner 2009-01-18 15:36:30.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.110 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
FW: Norton AntiVirus *enabled*
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.
2009-01-06 18:27 . 2009-01-06 18:27 <DIR> d----c--- c:\documents and settings\Owner\Application Data\LaCie
2009-01-06 18:26 . 2009-01-06 18:26 <DIR> d----c--- c:\documents and settings\All Users\Application Data\InstallShield
2009-01-02 20:31 . 2009-01-03 09:51 2,339 --a--c--- c:\windows\system32\SHORTCUT.INI
2009-01-02 19:15 . 2009-01-10 22:39 128 --a--c--- c:\windows\system32\REMOTEDEVICE.INI
2009-01-02 19:13 . 2009-01-17 13:28 4,756 --a--c--- c:\windows\system32\LOCALSERVICE.INI
2009-01-02 19:12 . 2009-01-17 13:28 99 --a--c--- c:\windows\system32\LOCALDEVICE.INI
2009-01-02 19:05 . 2009-01-02 19:05 0 --a--c--- c:\windows\system32\BSPRINT.INI
2009-01-01 11:26 . 2008-04-14 05:42 151,552 --a--c--- c:\windows\system32\irftp.exe
2009-01-01 11:26 . 2008-04-14 05:42 151,552 --a--c--- c:\windows\system32\dllcache\irftp.exe
2009-01-01 11:26 . 2008-04-14 05:41 28,160 --a--c--- c:\windows\system32\irmon.dll
2009-01-01 11:26 . 2008-04-14 05:41 28,160 --a--c--- c:\windows\system32\dllcache\irmon.dll
2009-01-01 11:26 . 2008-04-14 05:42 8,192 --a--c--- c:\windows\system32\wshirda.dll
2009-01-01 11:26 . 2008-04-14 05:42 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2009-01-01 10:50 . 2009-01-01 15:19 423 --a--c--- c:\windows\BsMobileModel.ini
2009-01-01 10:49 . 2009-01-01 10:49 <DIR> d----c--- c:\windows\system32\ivtMobCache
2008-12-30 18:41 . 2009-01-01 12:02 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Bluetooth
2008-12-30 18:25 . 2008-12-30 18:25 <DIR> d----c--- c:\program files\IVT Corporation
2008-12-30 18:24 . 2009-01-02 19:05 32 --a--c--- c:\windows\0
2008-12-30 18:24 . 2008-12-30 18:24 0 --a--c--- c:\windows\system32\0
2008-12-28 02:59 . 2008-12-28 02:59 <DIR> d----c--- c:\documents and settings\Owner\Application Data\Yahoo!
2008-12-28 02:57 . 2008-12-28 21:11 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-26 00:09 . 2008-12-26 00:38 <DIR> d----c--- c:\documents and settings\All Users\Application Data\DriverScanner
2008-12-18 03:04 . 2008-12-18 03:04 <DIR> d----c--- c:\windows\ie8updates
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 19:27 dc----w c:\documents and settings\Owner\Application Data\Skype
2009-01-17 19:44 dc----w c:\program files\RapidTyping
2009-01-17 18:59 dc----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-15 15:47 dc----w c:\program files\Common Files\Symantec Shared
2009-01-15 02:47 dc----w c:\program files\DivX
2009-01-11 06:14 dc----w c:\program files\FLASH FXP
2009-01-09 03:52 806 -c--a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-09 03:52 60,808 -c--a-w c:\windows\system32\S32EVNT1.DLL
2009-01-09 03:52 124,464 -c--a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-09 03:52 10,635 -c--a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-09 03:52 dc----w c:\program files\Symantec
2009-01-06 22:26 dc----w c:\program files\Common Files\InstallShield
2009-01-05 01:00 dc----w c:\program files\Java
2008-12-29 02:51 dc----w c:\program files\KaraFun
2008-12-29 01:12 dc----w c:\program files\Yahoo!
2008-12-26 04:38 dc----w c:\documents and settings\Owner\Application Data\Uniblue
2008-12-24 22:23 dc----w c:\program files\Spybot - Search & Destroy
2008-12-24 00:30 dc----w c:\program files\XoftSpySE
2008-12-11 10:57 333,952 -c--a-w c:\windows\system32\drivers\srv.sys
2008-12-11 00:33 86,016 -c--a-w c:\windows\system32\dpl100.dll
2008-12-11 00:33 200,704 -c--a-w c:\windows\system32\dtu100.dll
2008-12-09 02:28 593,920 -c--a-w c:\windows\system32\dpuGUI11.dll
2008-12-09 02:28 57,344 -c--a-w c:\windows\system32\dpv11.dll
2008-12-09 02:28 344,064 -c--a-w c:\windows\system32\dpus11.dll
2008-12-09 02:28 294,912 -c--a-w c:\windows\system32\dpu11.dll
2008-12-08 01:08 dc----w c:\program files\Malwarebytes' Anti-Malware
2008-12-07 16:44 30,088 -c--a-w c:\windows\system32\drivers\btnetBus.sys
2008-12-05 04:49 dc----w c:\program files\xp-AntiSpy
2008-12-05 01:50 dc----w c:\program files\Trend Micro
2008-12-03 23:59 38,496 -c--a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 23:59 15,504 -c--a-w c:\windows\system32\drivers\mbam.sys
2008-12-02 22:26 dc----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-30 14:21 dc----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-28 07:09 dc----w c:\program files\Norton AntiVirus
2008-11-26 22:57 dc----w c:\program files\Windows Sidebar
2008-11-26 05:34 51,168 -c--a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-11-18 05:06 dc----w c:\program files\SUPERAntiSpyware
2008-11-18 05:06 dc----w c:\program files\Common Files\Wise Installation Wizard
2008-11-18 05:06 dc----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2008-11-10 09:43 410,984 -c--a-w c:\windows\system32\deploytk.dll
2008-11-06 16:37 524,288 -c--a-w c:\windows\system32\DivXsm.exe
2008-11-06 16:37 3,596,288 -c--a-w c:\windows\system32\qt-dx331.dll
2008-11-06 16:35 200,704 -c--a-w c:\windows\system32\ssldivx.dll
2008-11-06 16:35 1,044,480 -c--a-w c:\windows\system32\libdivx.dll
2008-11-06 16:33 823,296 -c--a-w c:\windows\system32\divx_xx0c.dll
2008-11-06 16:33 823,296 -c--a-w c:\windows\system32\divx_xx07.dll
2008-11-06 16:33 815,104 -c--a-w c:\windows\system32\divx_xx0a.dll
2008-11-06 16:33 802,816 -c--a-w c:\windows\system32\divx_xx11.dll
2008-11-06 16:33 684,032 -c--a-w c:\windows\system32\DivX.dll
2008-11-06 16:33 12,288 -c--a-w c:\windows\system32\DivXWMPExtType.dll
2008-10-23 12:36 286,720 -c--a-w c:\windows\system32\gdi32.dll
2008-05-06 01:25 774,144 -c--a-w c:\program files\RngInterstitial.dll
2007-12-26 21:38 2,293,848 -c--a-w c:\program files\FLV PlayerFCSetup.exe
2007-12-26 21:19 2,893,824 -c--a-w c:\program files\FLV PlayerRCATSetup.exe
2007-12-26 21:11 411,248 -c--a-w c:\program files\FLV PlayerRCSetup.exe
2007-02-26 00:28 5,252 -c--a-w c:\documents and settings\Owner\Application Data\ViewerApp.dat
2008-09-21 16:00 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092120080922\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2005-08-31 1658592]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ares"="c:\program files\Ares\Ares.exe" [2008-02-20 963072]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-04 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-02 185896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"PP5300usb"="c:\paprport\FBDirect.exe" [1999-03-26 228864]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2007-08-24 714608]
"Jet Detection"="c:\program files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 28672]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"BtTray"="c:\program files\IVT Corporation\BlueSoleil\BtTray.exe" [2008-06-18 227840]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-14 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-14 81920]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-12-24 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI2"= vpnt.dll
"midi3"= usbmn1x1.dll
"midi1"= usbmn1x1.dll
"midi4"= usbmn1x1.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"nwiz"=nwiz.exe /install
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"lsass"=nwiz.exe /install
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"GWMDMpi"=c:\windows\GWMDMpi.exe
"GWMDMMSG"=GWMDMMSG.exe
"CTHelper"=CTHELPER.EXE
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"avast!"=c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
"Creative WebCam Tray"=c:\program files\Creative\Shared Files\CAMTRAY.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\Program Files\\Jane's Combat Simulations\\USAF\\USAF.icd"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Gateway\\HPA\\GWMenu.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Temp FTP\\FLASH FXP full\\FlashFXP.exe"=
"c:\\Program Files\\FLASH FXP\\FlashFXP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\VoipRaider.com\\VoipRaider\\VoipRaider.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2008-07-31 21512]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-17 99376]
R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-07-02 26248]
R3 USBMM1X1;USB Midi 1x1 Driver;c:\windows\system32\drivers\usbmm1x1.sys [2008-07-05 32476]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2007-08-24 149352]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-10-05 13592]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2008-12-07 30088]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\drivers\ceusbaud.sys [2008-07-27 17920]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-06-22 23888]
S3 P1130VID;Creative WebCam NX Pro;c:\windows\system32\drivers\P1130Vid.sys [2008-11-22 90229]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys --> c:\windows\system32\drivers\SynasUSB.sys [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - NMSCFG
*Deregistered* - ppsio2
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5074846-b8d2-11dd-8f98-0007e9bf763b}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com f:
\Shell\Open\command - resycled\boot.com f:
.
Contents of the 'Scheduled Tasks' folder
2009-01-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1757981266-1801674531-1003.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-04 13:38]
2009-01-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-10-05 22:11]
2009-01-14 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job
- c:\program files\Norton AntiVirus\Navw32.exe [2007-08-26 13:19]
2009-01-16 c:\windows\Tasks\Norton Security Scan for Owner.job
- c:\program files\Norton Security Scan\Nss.exe []
2009-01-11 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
2007-11-18 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
2009-01-18 c:\windows\Tasks\User_Feed_Synchronization-{BE360C57-0C39-4598-9CC0-EAC1B09649C9}.job
- c:\windows\system32\msfeedssync.exe [2008-08-22 03:05]
.
.
Supplementary Scan
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.eluniversal.com/index.shtml/
mStart Page = hxxp://www.eluniversal.com/index.shtml
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
c:\windows\Downloaded Program Files\InstallerControl.dll - O16 -: CabBuilder
hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
c:\windows\Downloaded Program Files\OSDED4D.OSD
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
c:\windows\system32\wininet.dll - c:\windows\system32\sensapi.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\COMDLG32.OCX
c:\windows\system32\msstkprp.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\asycfilt.dll
c:\windows\system32\stdole2.tlb
c:\windows\system32\comcat.dll
c:\windows\Downloaded Program Files\DoMoreRunExe.ocx
O16 -: {0F04992B-E661-4DB9-B223-903AB628225D}
file:///C:/Program%20Files/Gateway/Do%20More/DoMoreRunExe.CAB
c:\windows\Downloaded Program Files\DoMoreRunExe.INF
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\w4vvv16z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.eluniversal.com/index.shtml
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\w4vvv16z.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 15:42:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
.
Completion time: 2009-01-18 15:48:40
ComboFix-quarantined-files.txt 2009-01-18 19:47:55
ComboFix2.txt 2009-01-18 18:16:24
ComboFix3.txt 2009-01-14 01:23:57
ComboFix4.txt 2009-01-13 22:40:12
ComboFix5.txt 2009-01-18 19:35:05
Pre-Run: 117,624,070,144 bytes free
Post-Run: 117,618,536,448 bytes free
346 --- E O F --- 2009-01-18 07:02:20
I haven't received a reply back and I'm not sure why those entries are not going. I'm not sure what else to try at this stage, unfortunately.
good luck
It's important that we remove ComboFix now that it is not needed.
Click Start > Run > type: combofix /u > Press OK. This will uninstall ComboFix.