========== PROCESSES ==========
========== FILES ==========
C:\Program Files\Java\jre1.5.0_06\lib\zi\Pacific moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\zi\Indian moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\zi\Europe moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\zi\Etc moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\zi\Australia moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\zi\Atlantic moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\zi\Asia moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\zi\Antarctica moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\zi\America\North_Dakota moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\zi\America\Kentucky moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\zi\America\Indiana moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\zi\America\Argentina moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\zi\America moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\zi\Africa moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\zi moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\security moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\management moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\javaws moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\images\cursors moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\images moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\im moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\i386 moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\fonts moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\ext moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\cmm moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\audio moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib\applet moved successfully.
C:\Program Files\Java\jre1.5.0_06\lib moved successfully.
C:\Program Files\Java\jre1.5.0_06\bin\client moved successfully.
C:\Program Files\Java\jre1.5.0_06\bin moved successfully.
C:\Program Files\Java\jre1.5.0_06 moved successfully.
OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01112009_223324
Should I run Cleanup on OTMoveIt3 again or just delete the executable?
The only other thing I would like to know is can you characterize the type of problem I had here? Nothing super detailed, just a basic description. Trojan, worm, rootkit or perhaps another term.
All seems to be working very well. Thank you again so much. It is a wonderful thing you do here!!!
You can run the cleanup again, it removes the backups.
Trojan, worm, rootkit or perhaps another term.
Technically you had all three, with a bit of advertising dross thrown in.
The problem is that malware these days can fall into more than one category.
Trojan:-
Generally means a file that you are quite happy to download because you think it does something you want when in actual fact it is an infection. (Trojan Horse)
Worm:-
A type of infection that can self-propagate, i.e. it can jump from computer to computer by itself without you downloading it.
Rootkit:-
Not actually dangerous by itself, all it does is hide files.
What it hides is usually the nasty part.
A few years ago it was only very nasty infections that used rootkit technology; unfortunately, these days even simple adware dross can use it.
That's my fault I'm afraid, I didn't spot it in your last couple of logs.
Download and Run ComboFix
Please delete the copy of ComboFix that you have and download an updated copy from one of the links below:
ComboFix.exe 1
ComboFix.exe 2
ComboFix.exe 3
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Save this as CFScript.txt and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall. Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
1) I ran Malwarebytes Anti-M, and it found Ysomaciwiquloya & omiriheh.dll.
2) then I posted to you on this forum
3) Malwarebytes Anti-M requested a restart, I did so. Those two things were in the quarantine tab. Then I deleted all the things in the Malwarebytes Anti-M quarantine tab.
4) Then I searched for C:\WINDOWS\omiriheh.dll and I didn't find it.
5) Then I ran a new Malwarebytes Anti-M scan and it came up negative.
I will run it...I just wondered if it would cause a problem if the things were not present any longer.
It is strange that this showed up, because I had 2 clean Malwarebytes Anti-M scans before getting this notification. Could it be that it was a brand new definition or something?
Also, when you gave me instructions on how to stay clean, I tried some of the online scanners. I think ActiveScan said that a .scr file I had was suspicious, so I deleted it. I just looked in the registry and saw this entry when I searched for "Ysomaciwiquloya"
I will run it...I just wondered if it would cause a problem if the things were not present any longer.
Could it be that it was a brand new definition or something?
It won't cause any problems, please download the new combofix and run the script.
It is a brand new definition, MBAM gets updated 2-3 times a day.
- Double click RegQuery.exe to run the program
- Paste the text you have copied, using CTRL and V, into the textbox
- Click the Query button
- A Notepad file will open. Please paste the contents in your next reply
- You may now close the RegQuery program
Here is the ComboFix Log and the REGQuery Log after it. Upon inspecting that REGQuery Log I censored one item that is an e-mail address that I use. I replaced the name with (xxx@gmail.com) so that this email address would not be found in this thread. I changed nothing else.
ComboFix 09-01-06.02 - Nebulagirl 2009-01-13 18:03:05.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1359 [GMT -5:00]
Running from: c:\documents and settings\Nebulagirl\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nebulagirl\Desktop\CFScript.txt
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated)
FW: PC-cillin Internet Security - Firewall *disabled*
* Created a new restore point
FILE ::
c:\windows\omiriheh.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 18:43 d-----w c:\program files\TextAloud
2009-01-13 15:13 d-----w c:\program files\psp
2009-01-13 04:15 d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-12 19:45 d-----w c:\documents and settings\Nebulagirl\Application Data\CoreFTP
2009-01-12 19:18 d-----w c:\program files\PageBreeze
2009-01-12 04:39 d-----w c:\program files\MySpace
2009-01-12 04:35 d-----w c:\program files\NCH Swift Sound
2009-01-12 04:35 d-----w c:\program files\NCH Software
2009-01-12 04:35 d-----w c:\documents and settings\Nebulagirl\Application Data\NCH Swift Sound
2009-01-12 03:33 d-----w c:\program files\Java
2009-01-12 02:03 d-----w c:\program files\VideoLAN
2009-01-11 17:19 d-----w c:\program files\Winamp
2009-01-11 17:09 7,168 --sha-w c:\program files\Thumbs.db
2009-01-11 17:09 d-----w c:\program files\The Wonderful End of the World Trial
2009-01-11 16:23 d-----w c:\program files\7 Angels
2009-01-11 02:18 d-----w c:\documents and settings\Nebulagirl\Application Data\Skype
2009-01-10 23:19 d--h--r c:\documents and settings\Nebulagirl\Application Data\yahoo!
2009-01-10 23:18 d-----w c:\documents and settings\All Users\Application Data\yahoo!
2009-01-10 23:10 d-----w c:\program files\Lavasoft
2009-01-10 23:10 d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-10 22:49 d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-10 22:48 d-----w c:\program files\Apple Software Update
2009-01-10 22:45 d-----w c:\documents and settings\Nebulagirl\Application Data\skypePM
2009-01-10 22:35 d-----w c:\program files\Common Files\Adobe
2009-01-10 19:07 d-----w c:\documents and settings\Nebulagirl\Application Data\BitTorrent
2009-01-08 05:46 d-----w c:\program files\Google
2009-01-08 05:26 d--h--w c:\program files\InstallShield Installation Information
2009-01-08 02:08 d-----w c:\documents and settings\Nebulagirl\Application Data\DNA
2009-01-08 01:58 d-----w c:\program files\DNA
2009-01-05 05:21 d-----w c:\program files\AskTBar
2009-01-05 04:45 d-----w c:\program files\Trend Micro
2009-01-03 02:36 d-----w c:\program files\Windows Media Connect 2
2009-01-03 02:36 d-----w c:\program files\Visual Sample Plan
2009-01-03 02:36 d-----w c:\program files\viewsonic
2009-01-03 02:36 d-----w c:\program files\Steam
2009-01-03 02:36 d-----w c:\program files\SpongeBob SquarePants Diner Dash
2009-01-03 02:36 d-----w c:\program files\Photomatix
2009-01-02 20:34 d-----w c:\program files\MyNetStorage FTP
2009-01-02 20:34 d-----w c:\program files\Modem Helper
2009-01-02 20:34 d-----w c:\program files\DivX
2009-01-02 20:34 d-----w c:\program files\CamManager
2009-01-02 20:34 d-----w c:\program files\bfgclient
2009-01-02 20:34 d-----w c:\program files\BFG
2009-01-02 20:34 d-----w c:\program files\Avimator
2009-01-02 20:34 d-----w c:\program files\Amazon
2009-01-02 20:34 d-----w c:\program files\ADSTech DVD Xpress DX2
2008-12-23 01:45 d-----w c:\program files\BitTorrent
2008-12-10 04:13 d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-07 00:44 d-----w c:\program files\SecondLifeReleaseCandidate
2008-12-04 03:24 d-----w c:\documents and settings\Nebulagirl\Application Data\SPORE
2008-12-04 01:36 d-----w c:\program files\Electronic Arts
2008-11-27 19:58 d-----w c:\documents and settings\Nebulagirl\Application Data\SPORE Creature Creator
2008-11-27 04:30 d-----w c:\documents and settings\All
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1572 [GMT -5:00]
Running from: c:\documents and settings\Nebulagirl\desktop\combofix.exe
Command switches used :: /killall
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated)
FW: PC-cillin Internet Security - Firewall *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\msrdo20.dll
c:\windows\system32\rdocurs.dll
.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.
2009-01-11 21:04 . 2009-01-11 21:04 <DIR> d-------- c:\documents and settings\Nebulagirl\Application Data\vlc
2009-01-11 15:52 . 2009-01-11 15:52 <DIR> d-------- c:\windows\system32\scripting
2009-01-11 15:52 . 2009-01-11 15:52 <DIR> d-------- c:\windows\system32\en
2009-01-11 15:52 . 2009-01-11 15:52 <DIR> d-------- c:\windows\system32\bits
2009-01-11 15:52 . 2009-01-11 15:52 <DIR> d-------- c:\windows\l2schemas
2009-01-11 15:48 . 2009-01-11 15:52 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-11 12:17 . 2009-01-11 12:17 <DIR> d-------- c:\program files\Winamp Remote
2009-01-11 12:17 . 2009-01-11 12:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\OrbNetworks
2009-01-11 12:12 . 2009-01-11 12:19 <DIR> d-------- c:\documents and settings\Nebulagirl\Application Data\Winamp
2009-01-11 02:00 . 2009-01-11 02:00 <DIR> d-------- c:\documents and settings\Nebulagirl\Application Data\Caere
2009-01-10 23:56 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-01-10 23:55 . 2009-01-10 23:55 <DIR> d-------- c:\program files\Panda Security
2009-01-10 20:24 . 2009-01-10 20:24 <DIR> d-------- c:\program files\CCleaner
2009-01-10 18:19 . 2009-01-10 18:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-01-10 18:01 . 2009-01-10 18:01 <DIR> d-------- c:\program files\Common Files\Skype
2009-01-10 18:01 . 2009-01-10 18:01 56 --ah----- c:\windows\system32\ezsidmv.dat
2009-01-10 17:49 . 2009-01-10 17:50 <DIR> d-------- c:\program files\QuickTime
2009-01-10 17:49 . 2009-01-10 17:49 <DIR> d-------- c:\program files\Common Files\Apple
2009-01-10 17:47 . 2009-01-10 17:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-01-10 17:18 . 2009-01-10 17:18 <DIR> d-------- c:\program files\BillP Studios
2009-01-10 17:18 . 2009-01-10 17:18 <DIR> d-------- c:\documents and settings\Nebulagirl\Application Data\WinPatrol
2009-01-08 00:38 . 2009-01-08 00:38 0 --a------ c:\windows\Dvm.INI
2009-01-08 00:26 . 2009-01-08 00:26 <DIR> d-------- c:\program files\Thomson
2009-01-07 21:24 . 2009-01-07 21:24 134,656 --a------ c:\windows\omiriheh.dll
2009-01-07 20:46 . 2008-04-13 19:12 1,737,856 --------- c:\windows\system32\mtxparhd.dll
2009-01-07 20:44 . 2009-01-07 20:43 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-07 20:44 . 2009-01-07 20:43 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-07 20:41 . 2004-07-17 22:55 129,045 --------- c:\windows\system32\drivers\cxthsfs2.cty
2009-01-07 20:41 . 2004-07-17 11:35 67,866 --------- c:\windows\system32\drivers\netwlan5.img
2009-01-07 20:41 . 2004-07-17 11:36 64,352 --------- c:\windows\system32\drivers\ativmc20.cod
2009-01-06 20:25 . 2009-01-06 20:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 20:25 . 2009-01-06 20:25 <DIR> d-------- c:\documents and settings\Nebulagirl\Application Data\Malwarebytes
2009-01-06 20:25 . 2009-01-06 20:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-06 20:25 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 20:25 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-06 20:17 . 2009-01-06 21:58 12,288 --ahs---- c:\windows\system32\Thumbs.db
2009-01-04 23:16 . 2009-01-04 23:18 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-04 23:16 . 2009-01-05 00:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-04 20:32 . 2009-01-04 20:32 <DIR> d-------- c:\program files\CheckIt
2009-01-04 20:28 . 2009-01-04 20:28 <DIR> d-------- c:\documents and settings\Nebulagirl\Application Data\iolo
2009-01-04 20:28 . 2009-01-04 20:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\iolo
2009-01-03 21:18 . 2009-01-05 06:26 102,400 --a------ c:\windows\DUMP9809.tmp
2008-12-28 16:52 . 2008-04-13 13:45 60,032 --a------ c:\windows\system32\drivers\usbaudio.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 02:03 d-----w c:\program files\VideoLAN
2009-01-12 00:37 d-----w c:\program files\TextAloud
2009-01-11 17:19 d-----w c:\program files\Winamp
2009-01-11 17:09 7,168 --sha-w c:\program files\Thumbs.db
2009-01-11 17:09 d-----w c:\program files\The Wonderful End of the World Trial
2009-01-11 16:23 d-----w c:\program files\7 Angels
2009-01-11 07:07 d-----w c:\program files\psp
2009-01-11 02:18 d-----w c:\documents and settings\Nebulagirl\Application Data\Skype
2009-01-10 23:19 d--h--r c:\documents and settings\Nebulagirl\Application Data\yahoo!
2009-01-10 23:18 d-----w c:\documents and settings\All Users\Application Data\yahoo!
2009-01-10 23:10 d-----w c:\program files\Lavasoft
2009-01-10 23:10 d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-10 22:49 d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-10 22:48 d-----w c:\program files\Apple Software Update
2009-01-10 22:45 d-----w c:\documents and settings\Nebulagirl\Application Data\skypePM
2009-01-10 22:35 d-----w c:\program files\Common Files\Adobe
2009-01-10 19:07 d-----w c:\documents and settings\Nebulagirl\Application Data\BitTorrent
2009-01-08 05:46 d-----w c:\program files\Google
2009-01-08 05:26 d--h--w c:\program files\InstallShield Installation Information
2009-01-08 02:08 d-----w c:\documents and settings\Nebulagirl\Application Data\DNA
2009-01-08 01:58 d-----w c:\program files\DNA
2009-01-08 01:43 d-----w c:\program files\Java
2009-01-05 05:21 d-----w c:\program files\AskTBar
2009-01-05 04:45 d-----w c:\program files\Trend Micro
2009-01-03 02:36 d-----w c:\program files\Windows Media Connect 2
2009-01-03 02:36 d-----w c:\program files\Visual Sample Plan
2009-01-03 02:36 d-----w c:\program files\viewsonic
2009-01-03 02:36 d-----w c:\program files\Steam
2009-01-03 02:36 d-----w c:\program files\SpongeBob SquarePants Diner Dash
2009-01-03 02:36 d-----w c:\program files\Photomatix
2009-01-02 20:34 d-----w c:\program files\MyNetStorage FTP
2009-01-02 20:34 d-----w c:\program files\Modem Helper
2009-01-02 20:34 d-----w c:\program files\DivX
2009-01-02 20:34 d-----w c:\program files\CamManager
2009-01-02 20:34 d-----w c:\program files\bfgclient
2009-01-02 20:34 d-----w c:\program files\BFG
2009-01-02 20:34 d-----w c:\program files\Avimator
2009-01-02 20:34 d-----w c:\program files\Amazon
2009-01-02 20:34 d-----w c:\program files\AhaView v4.01
2009-01-02 20:34 d-----w c:\program files\ADSTech DVD Xpress DX2
2008-12-23 01:45 d-----w c:\program files\BitTorrent
2008-12-10 04:13 d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-07 17:01 d-----w c:\documents and settings\Nebulagirl\Application Data\CoreFTP
2008-12-07 00:44 d-----w c:\program files\SecondLifeReleaseCandidate
2008-12-04 03:24 d-----w c:\documents and settings\Nebulagirl\Application Data\SPORE
2008-12-04 01:36 d-----w c:\program files\Electronic Arts
2008-11-27 19:58 d-----w c:\documents and settings\Nebulagirl\Application Data\SPORE Creature Creator
2008-11-27 04:30 d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-20 04:41 d-----w c:\program files\Photo Viewer
2008-11-12 02:02 d-----w c:\program files\DVDVideoSoft
2008-11-12 02:02 d-----w c:\program files\Common Files\DVDVideoSoft
2008-11-12 01:47 d-----w c:\program files\PQDVD
2008-01-09 00:13 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-11-21 18:41 47,360 ----a-w c:\documents and settings\Nebulagirl\Application Data\pcouffin.sys
2002-09-11 14:26 63,730 ----a-w c:\program files\viewsonicinstruct_xp.pdf
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 147456]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-16 1164912]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-28 185896]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"ImgTask"="c:\windows\Imgtask.exe" [2006-12-12 20480]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-16 1941784]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 87584]
"Ysomaciwiquloya"="c:\windows\omiriheh.dll" [2009-01-07 134656]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"WD Button Manager"="WDBtnMgr.exe" [2007-04-02 c:\windows\system32\WDBtnMgr.exe]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]
"MBMon"="CTMBHA.DLL" [2006-06-29 c:\windows\system32\CTMBHA.DLL]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-08-12 c:\windows\KHALMNPR.Exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-08-13 5562368]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-01-25 528384]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2005-09-06 02:44 53248 c:\program files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= vvlcodec.dll
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP50"= SP5X_32.DLL
"VIDC.SP51"= SP5X_32.DLL
"VIDC.SP52"= SP5X_32.DLL
"VIDC.SP53"= SP5X_32.DLL
"msvideo3"= STVqx3tg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1170380176\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\e frontier\\Poser 7\\Poser.exe"=
"c:\\Program Files\\MyNetStorage FTP\\MyNetStorageFtp.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\CoreFTP\\coreftp.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\SecondLifeReleaseCandidate\\SLVoice.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2919:UDP"= 2919:UDP:Windows Media Format SDK (iexplore.exe)
"2918:UDP"= 2918:UDP:Windows Media Format SDK (iexplore.exe)
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-10 28544]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2008-01-20 30728]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-09-25 280392]
R4 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2009-01-04 3744]
R4 Cepstral License Server;Cepstral License Server;c:\program files\Cepstral\bin\CepstralLicSrv.exe [2007-03-15 57344]
R4 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2009-01-04 3904]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-09-25 36368]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [2007-06-12 14848]
S3 SPC610NC;SPC 610NC Laptop Camera;c:\windows\system32\drivers\SPC610NC.sys [2005-09-07 151040]
S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.SYS [2007-02-23 131776]
S3 USBCamera;Mega Camera Still Image Capture, Version 1.00;c:\windows\system32\drivers\Bulk504.sys [2007-02-08 10986]
S4 Ca504av;Mega Camera, WDM Video Capture;c:\windows\system32\drivers\CA504AV.SYS [2007-02-08 516149]
S4 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2006-09-25 345696]
S4 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2006-09-25 923216]
S4 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2006-09-25 566872]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.com/
IE: {{0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - c:\program files\NaturalReaders\Natural Voice Text To Speech Software Standard\read.html
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\Nebulagirl\Application Data\Mozilla\Firefox\Profiles\6kut8ja0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://www.secret-cinema.net/index.php
FF - prefs.js: keyword.URL - hxxp://aolsearch.aol.com/aol/search?invocationType=client_searchbox&query=
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 22:14:03
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-2973496205-3688401339-2174111540-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:54,94,af,b6,64,a1,5f,ea,52,92,b6,b0,7e,e6,50,12,db,18,a7,51,a5,48,b5,
2d,a1,a8,db,2f,c6,6a,40,99,9d,e3,d8,8f,ef,84,80,1b,39,fa,88,d1,c3,76,7b,6d,\
"??"=hex:f6,5d,71,86,c6,3a,33,75,98,25,8c,5e,45,26,b6,9f
[HKEY_USERS\S-1-5-21-2973496205-3688401339-2174111540-1006\Software\SecuROM\License information*]
"datasecu"=hex:99,8f,93,d1,99,7c,0a,7a,2d,f6,81,c1,a0,2d,cb,1e,c3,1a,58,da,7e,
2b,7d,64,80,ce,d3,af,c7,03,af,3e,0f,bf,bf,17,fd,c7,8f,86,76,74,df,0d,5d,02,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(1540)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
- - - - - - - > 'lsass.exe'(1596)
c:\windows\system32\relog_ap.dll
.
Other Running Processes
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\PAStiSvc.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\docume~1\NEBULA~1\LOCALS~1\temp\clclean.0001
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2009-01-11 22:22:53 - machine was rebooted [Nebulagirl]
ComboFix-quarantined-files.txt 2009-01-12 03:21:35
Pre-Run: 43,182,333,952 bytes free
Post-Run: 43,286,503,424 bytes free
Current=2 Default=2 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
309 --- E O F --- 2009-01-11 21:20:46
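As an added example (not part of the thread, ComboFix or MBAM), a small triage script that reads the Reg Loading Points section of a ComboFix log the way a helper does: it resolves each Run value to its on-disk path and scores the weak signals that make the Ysomaciwiquloya entry stand out (a .dll as a Run target, a file sitting directly in c:\windows, a creation date days before the scan). The sample lines are copied from the log above; the weights, the threshold and the 14-day window are my assumptions, and the point is that no single signal is conclusive (CTMBHA.DLL is also a DLL in Run, but is old and in system32).

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample: lines in the REGEDIT4-style layout ComboFix prints under
# "Reg Loading Points", copied from the log in this thread and trimmed to a few.
SAMPLE_REG_SECTION = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"Ysomaciwiquloya"="c:\windows\omiriheh.dll" [2009-01-07 134656]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"MBMon"="CTMBHA.DLL" [2006-06-29 c:\windows\system32\CTMBHA.DLL]
"""

# Scan date taken from the ComboFix header above; "recent" is measured against it.
# The 14-day window and the weights below are assumptions for this example.
SCAN_DATE = date(2009, 1, 13)
RECENT_WINDOW = timedelta(days=14)

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"\s+\[(?P<meta>[^\]]+)\]$')


@dataclass
class RunEntry:
    key: str
    name: str
    path: str                 # resolved on-disk path, lower-cased
    file_date: Optional[date]


def parse_run_entries(text: str) -> list[RunEntry]:
    """Parse '"name"="data" [meta]' lines under each [hive\\...\\Run] key."""
    entries: list[RunEntry] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current_key = m.group(1)
            continue
        if not (m := VALUE_RE.match(line)):
            continue
        data = m.group("data")
        meta = m.group("meta").split(maxsplit=1)
        # ComboFix writes "[date size]" when the data already holds a full path,
        # and "[date full-path]" when the data is only a bare file name.
        path = data if "\\" in data else (meta[1] if len(meta) > 1 else data)
        try:
            file_date: Optional[date] = date.fromisoformat(meta[0])
        except ValueError:
            file_date = None
        entries.append(RunEntry(current_key, m.group("name"), path.lower(), file_date))
    return entries


def score_entry(e: RunEntry) -> tuple[int, list[str]]:
    """Additive triage score; each reason is weak on its own, which is the point."""
    score, reasons = 0, []
    if e.path.endswith(".dll"):
        # Run normally launches executables; a DLL here needs a host to load it.
        score += 2
        reasons.append("dll target")
    parent = e.path.rsplit("\\", 1)[0] if "\\" in e.path else ""
    if parent == "c:\\windows":
        # Installed software usually lives under Program Files or system32.
        score += 1
        reasons.append("windows root")
    if e.file_date is not None and SCAN_DATE - e.file_date <= RECENT_WINDOW:
        score += 2
        reasons.append("created within %d days of scan" % RECENT_WINDOW.days)
    return score, reasons


def triage(text: str, threshold: int = 3) -> dict[str, tuple[int, list[str]]]:
    """Return {value name: (score, reasons)} for entries at or above threshold."""
    flagged: dict[str, tuple[int, list[str]]] = {}
    for e in parse_run_entries(text):
        score, reasons = score_entry(e)
        if score >= threshold:
            flagged[e.name] = (score, reasons)
    return flagged


if __name__ == "__main__":
    for name, (score, reasons) in triage(SAMPLE_REG_SECTION).items():
        print(f"{name}: score {score} ({', '.join(reasons)})")
```

On the sample only the Ysomaciwiquloya entry crosses the threshold, matching what MBAM later reported as Trojan.Agent; the two lower-scoring DLL and c:\windows hits show why a helper still reads the whole section rather than trusting one indicator.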
Yes.
Are there any problems left?
The only other thing I would like to know is: can you characterize the type of problem I had here? Nothing super detailed, just a basic description. Trojan, worm, rootkit or perhaps another term.
All seems to be working very well. Thank you again so much. It is a wonderful thing you do here!!!
Technically you had all three, with a bit of advertising dross thrown in.
The problem is that malware these days can fall into more than one category.
Trojan:-
Generally means a file that you are quite happy to download because you think it does something you want, when in actual fact it is an infection. (Trojan Horse)
Worm:-
A type of infection that can self-propagate, i.e. it can jump from computer to computer by itself without you downloading it.
Rootkit:-
Not actually dangerous by itself; all it does is hide files.
What it hides is usually the nasty part.
A few years ago it was only very nasty infections that used Rootkit technology; unfortunately these days even simple adware dross can use it.
Malwarebytes' Anti-Malware 1.32
Database version: 1647
Windows 5.1.2600 Service Pack 3
2009-01-12 9:19:22 PM
mbam-log-2009-01-12 (21-19-22).txt
Scan type: Full Scan (C:\|)
Objects scanned: 234079
Time elapsed: 1 hour(s), 56 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ysomaciwiquloya (Trojan.Agent) -> Delete on reboot.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\omiriheh.dll (Trojan.Agent) -> Delete on reboot.
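For anyone reading this thread later: the log above has the shape every MBAM 1.x log takes, per-section counts in the header followed by the itemized sections, and the two findings here (a value under HKLM\...\CurrentVersion\Run and a DLL in the Windows directory, both tagged Trojan.Agent) are the usual shape of logon persistence. The Python below is an added example, not code from this thread or from Malwarebytes: it parses that layout, checks the header counts against the itemized lines, and pulls out the entries that sit under an autostart key or are still waiting on a reboot. The sample log is copied from the post above; the Detection class, the function names and the list of autostart key fragments are this example's own.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and pull out the detections.

Added example, not code from the thread or from Malwarebytes. SAMPLE_LOG is the log
posted in the thread; the Detection class and helper names are this example's own.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.32
Database version: 1647
Windows 5.1.2600 Service Pack 3
2009-01-12 9:19:22 PM
mbam-log-2009-01-12 (21-19-22).txt
Scan type: Full Scan (C:\\|)
Objects scanned: 234079
Time elapsed: 1 hour(s), 56 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ysomaciwiquloya (Trojan.Agent) -> Delete on reboot.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\\WINDOWS\\omiriheh.dll (Trojan.Agent) -> Delete on reboot.
"""


@dataclass(frozen=True)
class Detection:
    section: str   # log section, e.g. "Registry Values Infected"
    item: str      # registry location or file path as MBAM printed it
    name: str      # MBAM detection name, e.g. "Trojan.Agent"
    action: str    # what MBAM did or scheduled, e.g. "Delete on reboot"


# Header lines carry per-section counts; the same section names reappear, without
# a count, as headers of the itemized lists that follow.
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Itemized line layout in MBAM 1.x logs: <item> (<detection name>) -> <action>.
ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

# Registry locations whose values run something at logon; a hit here is persistence
# (this list is the example's own, not MBAM's).
AUTORUN_FRAGMENTS = ("\\currentversion\\run", "\\currentversion\\runonce", "\\winlogon\\")


def parse_mbam_log(text):
    """Return (summary counts by section, list of Detection) for one MBAM 1.x log."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["section"]
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            detections.append(Detection(section, m["item"], m["name"], m["action"]))
    return summary, detections


def counts_match(summary, detections):
    """True when every per-section header count equals the number of itemized lines."""
    seen = {}
    for d in detections:
        seen[d.section] = seen.get(d.section, 0) + 1
    return all(summary.get(s, 0) == seen.get(s, 0) for s in set(summary) | set(seen))


def autorun_persistence(detections):
    """Registry detections under a logon autostart location (Run, RunOnce, Winlogon)."""
    return [d for d in detections
            if d.section.startswith("Registry")
            and any(f in d.item.lower() for f in AUTORUN_FRAGMENTS)]


def pending_on_reboot(detections):
    """Items MBAM could not remove live and scheduled for deletion at the next restart."""
    return [d for d in detections if d.action.lower().startswith("delete on reboot")]


if __name__ == "__main__":
    summary, found = parse_mbam_log(SAMPLE_LOG)
    print("counts consistent:", counts_match(summary, found))
    for d in autorun_persistence(found):
        print("persistence:", d.item, "->", d.name)
    for d in pending_on_reboot(found):
        print("needs reboot:", d.item)
```

The reboot check is the part that matters for the question asked later in this thread: an item marked "Delete on reboot" is not gone until the machine has restarted, so a scan run before that restart and a scan run after it can legitimately disagree.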
Download and Run ComboFix
Please delete the copy of ComboFix that you have and download an updated copy from one of the links below
ComboFix.exe 1
ComboFix.exe 2
ComboFix.exe 3
Custom CFScript
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
1) I ran Malwarebytes Anti-M, and it found Ysomaciwiquloya & omiriheh.dll.
2) Then I posted to you on this forum.
3) Malwarebytes Anti-M requested a restart, and I did so. Those two things were in the quarantine tab; then I deleted all the things in the Malwarebytes Anti-M quarantine tab.
4) Then I searched for C:\WINDOWS\omiriheh.dll and I didn't find it.
5) Then I ran a new Malwarebytes Anti-M scan and it came up negative.
I will run it. I just wondered if it would cause a problem if the things were not present any longer.
It is strange that this showed up, because I had 2 clean Malwarebytes Anti-M scans before getting this notification. Could it be that it was a brand new definition or something?
Thank you
[SCREENCAPTURE of REGISTRY SEARCH]
http://i73.photobucket.com/albums/i240/nebulagirl/blog/reg.jpg
It is a brand new definition; MBAM gets updated 2-3 times a day.
Please do the following also:
Please download RegQuery by Noviciate to your desktop
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant]
1) Double click RegQuery.exe to run the program
2) Paste the text you have copied, using CTRL and V, into the textbox
3) Click the Query button
4) A Notepad file will open. Please paste the contents in your next reply
5) You may now close the RegQuery program
I censored one item that is an e-mail address that I use. I replaced the name with (xxx@gmail.com) so that this email address would not be found in this thread. I changed nothing else.
ComboFix 09-01-06.02 - Nebulagirl 2009-01-13 18:03:05.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1359 [GMT -5:00]
Running from: c:\documents and settings\Nebulagirl\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nebulagirl\Desktop\CFScript.txt
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated)
FW: PC-cillin Internet Security - Firewall *disabled*
* Created a new restore point
FILE ::
c:\windows\omiriheh.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Start Menu\Internet Explorer.lnk
.
((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.
2009-01-12 22:12 . 2009-01-12 22:13 <DIR> d-------- c:\program files\SpywareBlaster
2009-01-11 21:04 . 2009-01-11 21:04 <DIR> d-------- c:\documents and settings\Nebulagirl\Application Data\vlc
2009-01-11 15:52 . 2009-01-11 15:52 <DIR> d-------- c:\windows\system32\scripting
2009-01-11 15:52 . 2009-01-11 15:52 <DIR> d-------- c:\windows\system32\en
2009-01-11 15:52 . 2009-01-11 15:52 <DIR> d-------- c:\windows\system32\bits
2009-01-11 15:52 . 2009-01-11 15:52 <DIR> d-------- c:\windows\l2schemas
2009-01-11 15:48 . 2009-01-11 15:52 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-11 12:17 . 2009-01-11 12:17 <DIR> d-------- c:\program files\Winamp Remote
2009-01-11 12:17 . 2009-01-11 12:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\OrbNetworks
2009-01-11 12:12 . 2009-01-11 12:19 <DIR> d-------- c:\documents and settings\Nebulagirl\Application Data\Winamp
2009-01-11 02:00 . 2009-01-11 02:00 <DIR> d-------- c:\documents and settings\Nebulagirl\Application Data\Caere
2009-01-10 23:56 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-01-10 23:55 . 2009-01-10 23:55 <DIR> d-------- c:\program files\Panda Security
2009-01-10 20:24 . 2009-01-10 20:24 <DIR> d-------- c:\program files\CCleaner
2009-01-10 18:19 . 2009-01-10 18:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-01-10 18:01 . 2009-01-10 18:01 <DIR> d-------- c:\program files\Common Files\Skype
2009-01-10 18:01 . 2009-01-10 18:01 56 --ah----- c:\windows\system32\ezsidmv.dat
2009-01-10 17:49 . 2009-01-10 17:50 <DIR> d-------- c:\program files\QuickTime
2009-01-10 17:49 . 2009-01-10 17:49 <DIR> d-------- c:\program files\Common Files\Apple
2009-01-10 17:47 . 2009-01-10 17:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-01-10 17:18 . 2009-01-10 17:18 <DIR> d-------- c:\program files\BillP Studios
2009-01-10 17:18 . 2009-01-10 17:18 <DIR> d-------- c:\documents and settings\Nebulagirl\Application Data\WinPatrol
2009-01-08 00:38 . 2009-01-08 00:38 0 --a------ c:\windows\Dvm.INI
2009-01-08 00:26 . 2009-01-08 00:26 <DIR> d-------- c:\program files\Thomson
2009-01-07 20:46 . 2008-04-13 19:12 1,737,856 --------- c:\windows\system32\mtxparhd.dll
2009-01-07 20:44 . 2009-01-07 20:43 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-07 20:44 . 2009-01-07 20:43 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-07 20:41 . 2004-07-17 22:55 129,045 --------- c:\windows\system32\drivers\cxthsfs2.cty
2009-01-07 20:41 . 2004-07-17 11:35 67,866 --------- c:\windows\system32\drivers\netwlan5.img
2009-01-07 20:41 . 2004-07-17 11:36 64,352 --------- c:\windows\system32\drivers\ativmc20.cod
2009-01-06 20:25 . 2009-01-06 20:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 20:25 . 2009-01-06 20:25 <DIR> d-------- c:\documents and settings\Nebulagirl\Application Data\Malwarebytes
2009-01-06 20:25 . 2009-01-06 20:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-06 20:25 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 20:25 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-06 20:17 . 2009-01-06 21:58 12,288 --ahs---- c:\windows\system32\Thumbs.db
2009-01-04 23:16 . 2009-01-04 23:18 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-04 23:16 . 2009-01-05 00:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-04 20:32 . 2009-01-04 20:32 <DIR> d-------- c:\program files\CheckIt
2009-01-04 20:28 . 2009-01-04 20:28 <DIR> d-------- c:\documents and settings\Nebulagirl\Application Data\iolo
2009-01-04 20:28 . 2009-01-04 20:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\iolo
2009-01-03 21:18 . 2009-01-05 06:26 102,400 --a------ c:\windows\DUMP9809.tmp
2008-12-28 16:52 . 2008-04-13 13:45 60,032 --a------ c:\windows\system32\drivers\usbaudio.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 18:43 --------- d-----w c:\program files\TextAloud
2009-01-13 15:13 --------- d-----w c:\program files\psp
2009-01-13 04:15 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-12 19:45 --------- d-----w c:\documents and settings\Nebulagirl\Application Data\CoreFTP
2009-01-12 19:18 --------- d-----w c:\program files\PageBreeze
2009-01-12 04:39 --------- d-----w c:\program files\MySpace
2009-01-12 04:35 --------- d-----w c:\program files\NCH Swift Sound
2009-01-12 04:35 --------- d-----w c:\program files\NCH Software
2009-01-12 04:35 --------- d-----w c:\documents and settings\Nebulagirl\Application Data\NCH Swift Sound
2009-01-12 03:33 --------- d-----w c:\program files\Java
2009-01-12 02:03 --------- d-----w c:\program files\VideoLAN
2009-01-11 17:19 --------- d-----w c:\program files\Winamp
2009-01-11 17:09 7,168 --sha-w c:\program files\Thumbs.db
2009-01-11 17:09 --------- d-----w c:\program files\The Wonderful End of the World Trial
2009-01-11 16:23 --------- d-----w c:\program files\7 Angels
2009-01-11 02:18 --------- d-----w c:\documents and settings\Nebulagirl\Application Data\Skype
2009-01-10 23:19 --------- d--h--r c:\documents and settings\Nebulagirl\Application Data\yahoo!
2009-01-10 23:18 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2009-01-10 23:10 --------- d-----w c:\program files\Lavasoft
2009-01-10 23:10 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-10 22:49 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-10 22:48 --------- d-----w c:\program files\Apple Software Update
2009-01-10 22:45 --------- d-----w c:\documents and settings\Nebulagirl\Application Data\skypePM
2009-01-10 22:35 --------- d-----w c:\program files\Common Files\Adobe
2009-01-10 19:07 --------- d-----w c:\documents and settings\Nebulagirl\Application Data\BitTorrent
2009-01-08 05:46 --------- d-----w c:\program files\Google
2009-01-08 05:26 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-08 02:08 --------- d-----w c:\documents and settings\Nebulagirl\Application Data\DNA
2009-01-08 01:58 --------- d-----w c:\program files\DNA
2009-01-05 05:21 --------- d-----w c:\program files\AskTBar
2009-01-05 04:45 --------- d-----w c:\program files\Trend Micro
2009-01-03 02:36 --------- d-----w c:\program files\Windows Media Connect 2
2009-01-03 02:36 --------- d-----w c:\program files\Visual Sample Plan
2009-01-03 02:36 --------- d-----w c:\program files\viewsonic
2009-01-03 02:36 --------- d-----w c:\program files\Steam
2009-01-03 02:36 --------- d-----w c:\program files\SpongeBob SquarePants Diner Dash
2009-01-03 02:36 --------- d-----w c:\program files\Photomatix
2009-01-02 20:34 --------- d-----w c:\program files\MyNetStorage FTP
2009-01-02 20:34 --------- d-----w c:\program files\Modem Helper
2009-01-02 20:34 --------- d-----w c:\program files\DivX
2009-01-02 20:34 --------- d-----w c:\program files\CamManager
2009-01-02 20:34 --------- d-----w c:\program files\bfgclient
2009-01-02 20:34 --------- d-----w c:\program files\BFG
2009-01-02 20:34 --------- d-----w c:\program files\Avimator
2009-01-02 20:34 --------- d-----w c:\program files\Amazon
2009-01-02 20:34 --------- d-----w c:\program files\ADSTech DVD Xpress DX2
2008-12-23 01:45 --------- d-----w c:\program files\BitTorrent
2008-12-10 04:13 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-07 00:44 --------- d-----w c:\program files\SecondLifeReleaseCandidate
2008-12-04 03:24 --------- d-----w c:\documents and settings\Nebulagirl\Application Data\SPORE
2008-12-04 01:36 --------- d-----w c:\program files\Electronic Arts
2008-11-27 19:58 --------- d-----w c:\documents and settings\Nebulagirl\Application Data\SPORE Creature Creator
2008-11-27 04:30 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-26 22:42 36,368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2008-11-26 22:42 205,328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2008-11-26 22:39 1,195,384 ----a-w c:\windows\system32\drivers\vsapint.sys
2008-11-20 04:41 --------- d-----w c:\program files\Photo Viewer
2008-01-09 00:13 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-11-21 18:41 47,360 ----a-w c:\documents and settings\Nebulagirl\Application Data\pcouffin.sys
2002-09-11 14:26 63,730 ----a-w c:\program files\viewsonicinstruct_xp.pdf
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 147456]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-16 1164912]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-28 185896]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-16 1941784]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 87584]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-01-04 399504]
"WD Button Manager"="WDBtnMgr.exe" [2007-04-02 c:\windows\system32\WDBtnMgr.exe]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]
"MBMon"="CTMBHA.DLL" [2006-06-29 c:\windows\system32\CTMBHA.DLL]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-08-12 c:\windows\KHALMNPR.Exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-01-25 528384]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2005-09-06 02:44 53248 c:\program files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= vvlcodec.dll
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP50"= SP5X_32.DLL
"VIDC.SP51"= SP5X_32.DLL
"VIDC.SP52"= SP5X_32.DLL
"VIDC.SP53"= SP5X_32.DLL
"msvideo3"= STVqx3tg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1170380176\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\e frontier\\Poser 7\\Poser.exe"=
"c:\\Program Files\\MyNetStorage FTP\\MyNetStorageFtp.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\CoreFTP\\coreftp.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\SecondLifeReleaseCandidate\\SLVoice.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2919:UDP"= 2919:UDP:Windows Media Format SDK (iexplore.exe)
"2918:UDP"= 2918:UDP:Windows Media Format SDK (iexplore.exe)
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-10 28544]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2008-01-20 30728]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-01-06 15504]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-09-25 280392]
R4 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2009-01-04 3744]
R4 Cepstral License Server;Cepstral License Server;c:\program files\Cepstral\bin\CepstralLicSrv.exe [2007-03-15 57344]
R4 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2009-01-04 3904]
R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-01-06 170640]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-09-25 36368]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [2007-06-12 14848]
S3 SPC610NC;SPC 610NC Laptop Camera;c:\windows\system32\drivers\SPC610NC.sys [2005-09-07 151040]
S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.SYS [2007-02-23 131776]
S3 USBCamera;Mega Camera Still Image Capture, Version 1.00;c:\windows\system32\drivers\Bulk504.sys [2007-02-08 10986]
S4 Ca504av;Mega Camera, WDM Video Capture;c:\windows\system32\drivers\CA504AV.SYS [2007-02-08 516149]
S4 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2006-09-25 345696]
S4 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2006-09-25 923216]
S4 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2006-09-25 566872]
.
Contents of the 'Scheduled Tasks' folder
2009-01-13 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Nebulagirl.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-01-04 18:38]
2009-01-13 c:\windows\Tasks\Malwarebytes' Scheduled Update for Nebulagirl.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-01-04 18:38]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.com/
IE: {{0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - c:\program files\NaturalReaders\Natural Voice Text To Speech Software Standard\read.html
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\Nebulagirl\Application Data\Mozilla\Firefox\Profiles\6kut8ja0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://www.secret-cinema.net/index.php
FF - prefs.js: keyword.URL - hxxp://aolsearch.aol.com/aol/search?invocationType=client_searchbox&query=
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 18:21:04
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-2973496205-3688401339-2174111540-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*NULL*]
"??"=hex:54,94,af,b6,64,a1,5f,ea,52,92,b6,b0,7e,e6,50,12,db,18,a7,51,a5,48,b5,\
2d,a1,a8,db,2f,c6,6a,40,99,9d,e3,d8,8f,ef,84,80,1b,39,fa,88,d1,c3,76,7b,6d,\
c5,af,fa,6b,53,22,42,2d,5a,d5,64,06,2a,43,2d,4c,e2,b0,dc,49,71,fa,5a,3a,cc,\
6e,02,f5,e2,13,da,6f,a3,42,6b,31,20,c1,cf,7a,7f,c4,75,d3,99,09,03,91,14,9e,\
cb,ad,f1,e9,67,9d,e9,dc,a2,ae,f1,7a,50,84,b3,dc,48,e0,57,9d,85,42,39,b5,03,\
ef,af,96,0c,23,fe,ae,d6,31,8b,40,c1,06,76,08,d7,bd,6c,2c,f0,e3,17,c4,ea,a8,\
f5,48,02,1c,0d,aa,9e,9c,93,e1,19,b1,b3,a0,6e,e7,22,bd,f0,f7,6d,b4,5d,d3,3a,\
c2,4e,62,a4,3c,ca,82,ff,dd,1b,d7,72,c2,ed,7d,b7,f4,d1,26,4e,fa,24,97,cc,96,\
0c,b5,67,38,60,66,50,51,84,64,9a,bb,38,2c,db,9c,63,81,a8,4a,72,05,32,ee,0b,\
ba,e6,2c,91,b3,74,47,46,f4,d3,9a,b4,d5,87,36,fc,65,a7,44,92,c9,de,ef,d9,8a,\
6a,22,26,00,a6,04,f0,36,5a,89,13,35,92,1f,60,26,bf,89,c3,02,50,45,e3,a0,74,\
5e,8a,e5,d3,92,f9,37,d1,a5,80,5e,cc,9d,09,b9,00,1f,48,12,19,02,d3,89,f2,fb,\
25,d3,07,ba,cf,79,d3,ab,99,f1,fd,31,df,8e,62,3e,78,84,51,7b,7c,0f,70,8c,67,\
ab,eb,07,f3,3e,a6,0e,a6,3c,58,f6,96,7f,03,36,22,e0,9b,c1,22,df,83,57,8a,15,\
70,a3,99,1a,55,17,cc,47,39,0d,70,05,da,be,f9,77,d0,66,0a,2c,ef,92,46,5b,cd,\
6d,5d,89,49,bd,eb,e2,0c,53,ad,13,fb,30,01,3f,13,d0,5c,a0,2a,06,08,49,25,b5,\
6b,05,c6,89,97,cb,cf,87,b7,dd,fe,12,cb,12,f7,68,1d,7b,dd,61,77,a3,fe,2f,9a,\
ca,30,39,cf,79,0f,72,db,98,52,58,55,2a,72,28,2d,5a,72,28,35,5a
"??"=hex:f6,5d,71,86,c6,3a,33,75,98,25,8c,5e,45,26,b6,9f
[HKEY_USERS\S-1-5-21-2973496205-3688401339-2174111540-1006\Software\SecuROM\License information*NULL*]
"datasecu"=hex:99,8f,93,d1,99,7c,0a,7a,2d,f6,81,c1,a0,2d,cb,1e,c3,1a,58,da,7e,\
2b,7d,64,80,ce,d3,af,c7,03,af,3e,0f,bf,bf,17,fd,c7,8f,86,76,74,df,0d,5d,02,\
a9,87,79,3f,83,c8,a9,94,ce,65,a5,88,d0,4c,75,e6,85,94,2b,30,fc,4b,6d,b0,da,\
66,de,20,60,57,b5,bd,15,46,4d,31,65,ee,bc,01,75,7c,4e,c7,1b,0c,c2,7a,27,d5,\
6a,e5,45,7b,1d,92,2c,f5,c6,c0,c3,90,25,2d,41,a0,75,3b,61,ba,05,85,d2,69,36,\
62,0f,71,44,b4,3b,ed,3e,47,8f,a6,fb,15,b2,e3,5d,21,91,c4,25,70,a9,3a,57,a1,\
a7,17,fa,81,dd,11,80,b7,be,f1,1a,c3,b6,d6,56,6b,5e,5e,d8,b0,12,4c,d0,23,2b,\
a7,9b,b9,03,aa,dc,7f,4e,c4,72,cb,56,a5,6b,74,3d,5c,1d,2d,ef,fc,22,59,2e,a7,\
0d,15,fa,71,3e,ed,d8,42,85,13,ed,5e,6b,38,d8,35,51,a8,88,cf,fb,3f,9e,26,69,\
a9,1d,7c,39,3e,73,51,61,97,c6,ed,9e,9c,fb,df,17,03,94,99,d6,b4,a9,dc,d5,65,\
2a,06,54,76,ff,02,81,91,92,cc,35,57,1b,31,30,ff,e3,e3,90,57,7a,91,8c,5d,4c,\
ca,3c,62,21,b1,05,85,c3,90,ba,77,3e,48,a3,18,3d,85,de,ce,5f,0a,cd,d6,cf,eb,\
66,6c,c0,fb,3b,15,1d,a1,5e,7e,cc,5e,05,f9,72,c8,3f,ff,f3,ef,ea,c4,7f,dd,2f,\
76,c9,3d,e7,0f,b0,00,a9,63,23,77,95,29,f4,a2,d6,c6,8d,fd,ed,17,c1,7f,cd,99,\
99,2c,43,fd,58,3e,fc,a6,2c,1c,ed,a8,3b,27,71,ad,21,bd,c1,8d,2b,c5,d8,d6,61,\
24,07,60,c2,90,1e,67,83,8c,ae,15,b7,a1,70,ea,97,70,12,7a,51,b2,43,87,db,ec,\
84,9e,9c,64,8d,54,56,ff,9e,0e,01,61,57,1d,19,d9,a3,83,df,1c,f3,a0,65,92,88,\
3d,49,ad,73,7d,87,49,98,81,b4,71,d9,a2,7b,8e,76,c6,2b,7c,b9,4d,5d,b3,bf,60,\
52,53,db,a9,16,e8,62,30,14,20,44,ca,83,1b,57,ba,ef,15,4d,0b,9f,1d,5a,24,fc,\
ba,f9,2d,63,c0,b9,3f,8a,5b,db,0a,fb,d6,69,33,58,9a,d2,6e,ee,c8,90,ce,0b,b7,\
06,a4,71,6a,f7,01,95,77,0f,72,d5,68,71,21,97,fc,e9,5e,c9,dc,75,12,48,64,df,\
a3,4d,94,7d,cb,6f,e7,31,0e,c4,d8,43,ec,43,05,1e,63,e6,01,cb,16,c7,3e,8c,d5,\
f2,b8,4b,70,f0,d1,b8,21,58,ab,23,21,9d,53,a4,f0,57,12,ea,60,1e,09,6f,a9,7d,\
c8,65,a6,30,2a,00,5f,fa,72,31,4f,bd,b6,a6,bd,6e,8b,c7,c5,96,4b,11,e2,dd,e3,\
20,14,09,02,32,70,7b,55,66,2e,1c,d1,19,e9,b6,5b,67,b4,f2,d9,7d,b9,ab,d3,56,\
ab,b5,59,3f,3c,26,96,fc,77,0b,74,08,50,e2,16,7e,25,39,6d,ae,c2,ab,fb,1c,80,\
6c,b9,52,dd,21,e2,dc,82,a3,4e,ca,9c,0c,9f,c6,09,b1,5f,73,4f,fb,da,a1,fc,4e,\
b9,c6,1b,14,55,dc,05,65,4f,e1,79,4c,ad,23,0a,5d,1d,ca,90,ae,62,63,ec,87,17,\
e1,4e,56,c0,d6,7f,af,32,cf,18,7f,d5,2b,46,26,6d,76,f2,cb,3e,4c,a2,46,9c,6a,\
e5,30,c9,93,9a,60,ce,d7,87,03,19,44,51,b3,45,41,b3,0d,cd,78,52,d9,f9,27,6c,\
f7,2d,9c,31,0c,a5,48,55,59,53,4a,2f,c7,b9,7b,da,db,b0,01,97,56,29,26,b1,18,\
b0,79,08,ae,71,7f,f3,bf,b6,0d,ec,fe,50,5a,cc,19,8f,36,c1,28,49,be,90,07,cb,\
88,33,08,ba,f5,fd,2c,e7,21,dd,c3,44,7b,11,6c,f9,b7,c0,38,8d,43,c2,2c,ab,f7,\
9e,e5,36,af,ca,8b,be,a2,b1,79,c5,8a,9d,8f,92,3d,8c,1f,8f,e4,fb,4a,9d,39,1d,\
07,e9,87,db,b4,a3,8d,d3,05,73,9d,2f,66,8c,d1,6e,8d,25,34,bf,cc,d3,5f,46,f2,\
89,68,4d,35,c1,34,b3,05,6a,9f,8a,00,60,22,b6,6c,7a,66,cd,38,30,fe,e4,eb,30,\
d4,1a,ef,b5,c5,db,26,a2,2b,78,0b,55,f1,2a,e1,b1,48,c1,07,98,31,ea,e1,e9,d2,\
0e,c2,a0,2b,39,13,33,6e,55,26,67,20,30,54,07,42,33,c3,4c,ac,04,3f,09,4f,63,\
5b,e8,d1,4a,58,02,9b,95,85,2e,37,31,05,01,71,7e,56,45,b8,8c,18,7f,e3,e5,b2,\
3a,c3,5d,7d,1f,ff,b2,bc,7c,ab,80,3c,eb,53,df,c1,88,19,7c,22,2a,f9,60,d6,00,\
1e,a4,3a,0b,c7,19,dc,f0,7c,4a,e7,d0,0c,5f,70,ee,ab,ef,eb,96,ab,a5,04,fe,84,\
f5,a4,fe,8d,1b,4e,a0,29,ef,a1,9b,80,3d,b5,19,78,71,2c,98,27,c0,3a,10,2c,87,\
55,a2,46,50,b8,16,a8,53,87,62,31,c3,b5,46,bd,ce,eb,ca,17,50,4d,74,60,5d,68,\
67,9a,af,43,66,7f,14,cb,16,77,87,88,77,9d,21,16,26,ed,8b,ef,55,37,81,e0,8e,\
25,dd,3a,16,c3,62,83,5b,ae,29,15,21,9a,1c,1b,39,df,d8,6d,05,ad,07,18,f6,39,\
77,a2,ae,a7,d1,20,67,8e,d0,c0,1d,4e,d3,f0,5f,bb,96,dc,c7,40,93,ce,f5,39,34,\
e1,52,1e,d0,81,6b,f0,00,10,d2,05,35,d3,c0,4a,bd,48,62,56,e1,bb,94,57,c3,78,\
88,1c,21,d6,a6,e9,5a,c6,a0,6d,c9,56,d3,48,32,22,f9,2f,44,f6,2c,92,cd,ec,b1,\
dc,9d,60,fb,f6,58,08,a1,73,85,73,e9,0e,57,58,96,46,ae,c8,65,ee,c4,f2,c3,55,\
38,83,34,c8,5d,18,d8,3e,4e,dd,e4,c2,f0,20,c6,8b,ec,9d,15,7d,a7,62,b3,26,6d,\
84,2d,a3,97,7c,95,d2,e5,01,bd,84,f9,68,7d,c2,d8,69,1d,35,ec,11,7b,ee,98,4c,\
2e,70,14,81,7a,dc,6e,17,32,77,48,ff,fd,79,13,96,58,e1,14,5b,3e,d6,dd,4d,56,\
b7,4a,d1,0c,c7,35,a2,7a,d3,5b,60,d9,af,0b,bc,1c,e9,d2,f4,92,2e,d9,31,d0,92,\
90,e4,19,d8,cb,37,b4,e8,a8,1e,1d,3a,c8,5a,e1,24,17,f0,6d,1b,ed,69,fa,0a,45,\
0e,0c,fa,66,db,09,75,97,f5,f9,48,de,5c,36,4c,ff,05,29,5d,4b,8a,30,e4,cc,8a,\
7d,19,5c,25,cc,35,1c,02,48,a0,c5,2f,1f,47,a7,8a,52,16,8a,ec,10,4a,c7,8a,56,\
0c,fb,e8,30,92,4c,83,63,72,54,7c,18,25,c6,c9,1b,cc,e2,04,9d,41,ae,f1,6c,4d,\
e1,af,3a,2b,f1,09,34,60,1c,4e,d7,cb,55,f5,89,44,5c,da,d7,e3,2f,20,e0,1d,8c,\
f4,5f,f2,a9,f1,61,5b,bc,3b,a2,53,2c,27,e8,4f,68,07,c6,e6,60,ea,60,c6,51,80,\
50,a7,a7,4d,4a,9a,21,b9,b6,c9,8c,dd,8f,42,c2,73,93,ae,7d,ac,93,da,e4,9b,a9,\
8c,9e,2b,91,ae,af,59,68,eb,ac,3d,ff,a8,79,7f,0f,69,a9,b6,5a,c1,e9,7d,e0,65,\
42,65,c5,b0,84,d1,8b,8b,16,a0,1f,1b,67,db,f8,cd,09,6c,10,ea,92,33,73,c5,f5,\
20,b3,ae,e5,14,86,b1,40,ff,fc,b8,9f,d9,33,5b,6c,b9,1e,e5,50,2c,10,68,d8,12,\
ab,e9,c5,27,a2,5e,3e,1c,56,c6,00,39,d4,4d,b6,e1,c3,dc,f5,23,ac,08,4b,f7,d0,\
19,5d,e0,a1,8e,50,8b,f5,bd,c4,c8,45,14,9e,45,20,bd,fb,76,d7,d9,e6,d3,3f,c3,\
97,aa,25,3c,ae,ab,4c,c7,7e,52,ee,74,a3,34,cc,c2,d5,f8,93,bf,22,cd,75,b9,00,\
e5,36,3a,18,39,ac,e3,86,8c,2d,0f,c2,95,fe,a2,f6,59,28,73,fa,64,c9,b5,dd,de,\
c9,3d,96,ac,e7,26,df,89,5d,18,a3,52,95,6d,9d,21,e8,5e,fc,69,31,b2,a2,04,4c,\
cc,5b,40,37,59,82,87,5b,f0,03,dc,b1,00,71,10,b1,1d,d2,21,d7,57,f5,a7,ed,89,\
1f,6d,29,52,1c,6f,3d,2d,2c,de,44,69,b7,eb,0b,4b,b1,a2,ce,98,90,db,c3,55,4f,\
3a,84,3c,d3,a3,d0,fd,2d,e5,8e,e8,67,18,d8,06,a9,92,a4,e9,44,2a,9f,94,ba,68,\
2d,14,d9,cf,b7,8b,b4,7b,f9,f2,52,ea,4b,a0,83,a6,0d,e4,fd,cc,c0,f1,f4,af,b6,\
3b,f0,bd,f1,e4,4c,ea,77,ea,b3,d7,a9,85,81,13,5c,94,9a,bb,08,50,a6,b5,8f,a2,\
b1,8f,2f,cd,2d,d1,70,1d,06,af,36,2d,90,2c,de,84,3d,66,22,12,6c,09,33,ad,6f,\
27,6e,85,fd,cb,47,36,3e,23,cf,22,ce,a9,8c,73,89,6a,75,69,2e,c5,4b,00,76,8c,\
4f,4d,a6,b5,99,80,76,6f,f5,72,6f,03,fe,5a,5c,6b,11,cb,0c,3c,56,6e,fb,33,2c,\
5b,2a,bc,85,af,96,60,7b,1d,de,c1,ef,75,b5,fc,4c,a6,55,7f,2d,4f,e2,a0,a8,71,\
30,6c,03,8f,0d,8b,65,e9,86,be,73,95,39,35,af,e9,6e,0d,c6,37,39,9c,6f,71,c9,\
57,de,eb,62,4a,1f,bf,a3,ca,98,da,45,7e,e0,83,37,4c,e6,f9,54,11,77,a3,5b,ae,\
4b,e6,96,5d,46,d7,2b,b3,00,f0,c2,47,64,4d,ba,8a,dd,99,a2,91,0d,7e,15,53,37,\
39,0c,5d,28,51,ff,4a,b0,cf,7a,7b,b6,d7,5f,03,74,26,26,25,6f,63,a5,4e,e6,db,\
7b,9c,73,ba,26,d5,49,d5,c4,a3,99,f5,c2,35,b4,07,85,25,eb,05,4b,ee,3e,81,df,\
e0,e8,61,3f,24,f5,47,ae,eb,37,e2,5f,77,52,20,d7,3c,e5,4e,5e,a0,52,b5,79,74,\
05,be,b4,2d,5b,0b,3c,f5,52,52,8f,de,2c,88,97,50,34,02,f9,8a,79,f0,82,fb,c1,\
d2,c0,4b,30,f0,9d,bb,8b,d9,0b,74,fa,56,e7,75,6c,12,1b,a4,63,0e,74,fe,88,86,\
0a,24,4e,26,a8,bb,df,0c,62,33,34,29,94,29,9a,03,1d,44,bd,04,60,79,a0,8b,d5,\
7b,f6,b6,58,92,65,3f,11,33,fc,ca,fe,50,d5,c4,8e,ff,66,30,93,27,4b,39,99,ef,\
53,91,3e,20,13,4f,9b,66,41,bf,b7,1c,f4,9e,3a,d9,84,4c,44,7e,0c,05,f1,45,d2,\
e3,8e,7e,da,45,6b,7c,ca,8b,1b,91,56,7a,5d,9e,3e,ef,72,2a,df,43,94,23,86,32,\
01,73,dd,6f,af,7f,2d,df,de,c3,78,d1,94,35,91,67,a6,dc,69,7a,d0,fc,20,38,7e,\
f3,90,d6,ea,2f,8b,c0,eb,79,38,94,26,07,3b,28,10,0c,e7,ff,be,74,b5,9f,24,7e,\
5e,b9,cc,e9,07,37,24,ef,c7,9e,1b,af,e2,b2,27,f2,13,85,df,1d,b8,6d,90,ba,c3,\
65,30,8d,e2,9b,e1,4b,92,35,8d,73,ac,aa,bb,a0,8f,24,b2,47,15,77,79,49,10,5f,\
b7,1f,a2,31,da,36,96,d9,d1,89,80,e6,6e,03,46,08,84,5a,c0,6d,a2,e9,a0,6f,2a,\
0a,84,46,dd,31,42,bc,73,1c,b1,50,7b,8d,ea,b9,d5,97,0f,d5,41,16,90,48,25,31,\
e3,e0,1e,90,17,d0,7c,4e,f7,8f,cf,05,65,35,a6,0e,31,9f,d7,10,cf,bb,99,64,32,\
88,6d,63,ad,64,df,04,76,7b,d9,f0,aa,94,6e,9c,b2,14,9e,83,50,16,58,2f,b7,1e
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*NULL*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(1516)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
- - - - - - - > 'lsass.exe'(1572)
c:\windows\system32\relog_ap.dll
.
Other Running Processes
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\PAStiSvc.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\rundll32.exe
c:\docume~1\NEBULA~1\LOCALS~1\temp\clclean.0001
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-13 18:28:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-13 23:27:06
Pre-Run: 43,239,940,096 bytes free
Post-Run: 43,242,762,240 bytes free
429 --- E O F --- 2009-01-11 21:20:46
============================================================
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant]
"InstallDir"="C:\\WINDOWS\\srchasst\\"
"Actor"="c:\\windows\\srchasst\\chars\\rover.acs"
"UsageCount"=dword:000000ff
"DefaultSearchURL"="http://home.microsoft.com/access/autosearch.asp?p="
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru]
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="Ctfmon.dll"
"001"="msrdo20.dll.vir"
"002"="omiriheh.dll"
"003"="ysomaciwiquloya"
"004"="hypnotoad.scr"
"005"="*.xls"
"006"="*TD*.xls"
"007"="bluva"
"008"="bluvafisequpal"
"009"="msosfpids32.sys"
"010"="mslaugh"
"011"="teekids"
"012"="blaster"
"013"="luvsan"
"014"="msblast"
"015"="*config*.exe"
"016"="*.sys"
"017"="*.log"
"018"="*boot*.exe"
"019"="*.exe"
"020"="casp"
"021"="bad"
"022"="forbid"
"023"="*.mp3"
"024"="event"
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5604]
"000"="msrdo20.dll"
"001"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\"
"002"="SOFTWARE"
"003"="*sys*.log"
"004"="snapshot_"
"005"="snapshot"
"006"="Aylesbury"
"007"="robin"
"008"="sleep"
"009"="flier"
"010"="*.NVC"
"011"="xxx@gmail.com"
"012"="gumb"
"013"="mouth"
"014"="jersey"
"015"="zuki"
"016"="tonemap"
"017"="*movie*.exe"
"018"="cic"
"019"="throat"
"020"="serve"
"021"="meg"
"022"="glassland"
"023"="glass"
"024"="si"
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\Tips]
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\Tips\SrchAssCtl]
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa0]
"TimesResisted"=dword:00000000
"TimesDisplayed"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa1]
"TimesResisted"=dword:00000000
"TimesDisplayed"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa2]
"TimesResisted"=dword:00000000
"TimesDisplayed"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa4]
"TimesResisted"=dword:00000000
"TimesDisplayed"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa5]
"TimesResisted"=dword:00000000
"TimesDisplayed"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa6]
"TimesResisted"=dword:00000000
"TimesDisplayed"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa8]
"TimesResisted"=dword:00000000
"TimesDisplayed"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa9]
"TimesResisted"=dword:00000000
"TimesDisplayed"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\faa]
"TimesResisted"=dword:00000000
"TimesDisplayed"=dword:00000000
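The export above is the Search Assistant ACMru history (HKCU\Software\Microsoft\Search Assistant\ACMru). Each numbered subkey is an MRU list with value "000" as the most recent search; the usual forensic reading of the ids is that 5603 holds the "All or part of the file name" searches and 5604 the "A word or phrase in the file" searches, which is why a list of file names such as msblast, teekids or *.sys appears under 5603. The Python below is an added example written for this page, not something posted in the thread or part of ComboFix: it parses a "Windows Registry Editor Version 5.00" export (quoted strings, dword and hex values, including hex data that regedit wraps with a trailing backslash) and prints each ACMru list in MRU order, marking wildcard patterns so literal names stand out. SAMPLE_REG is a constructed excerpt in the same layout, and the 5603/5604 labels are an assumption taken from that forensic interpretation, not from the page.

```python
import re
from typing import Dict, Iterator, List, Union

RegValue = Union[str, int, bytes]
RegKeys = Dict[str, Dict[str, RegValue]]

# Constructed excerpt (example data, not the thread's full export) in the layout of a
# regedit Version 5.00 export; "Blob" is wrapped the way regedit wraps long hex data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant]
"InstallDir"="C:\\WINDOWS\\srchasst\\"
"UsageCount"=dword:000000ff
"Blob"=hex:3e,80,\
  9e,c4

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="Ctfmon.dll"
"001"="msrdo20.dll.vir"
"002"="*.exe"
"010"="blaster"

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5604]
"000"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\"
"001"="xxx@gmail.com"
'''

# Assumed meaning of the ACMru list ids (usual forensic interpretation, not from the page).
ACMRU_LISTS = {"5603": "All or part of the file name", "5604": "A word or phrase in the file"}

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data
HEX_RE = re.compile(r'^hex(?:\(\d+\))?:(.*)$')          # hex: or hex(N): byte list


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash; drop the escape.
    return re.sub(r'\\(.)', r'\1', s)


def _logical_lines(text: str) -> Iterator[str]:
    # Rejoin value lines that regedit continued with a trailing backslash.
    buf = ''
    for line in text.splitlines():
        line = line.strip()
        if line.endswith('\\'):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ''
    if buf:
        yield buf


def _decode(data: str) -> RegValue:
    # Decode the right-hand side of a value line into str, int or bytes.
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.startswith('dword:'):
        return int(data[6:], 16)
    m = HEX_RE.match(data)
    if m:
        return bytes.fromhex(m.group(1).replace(',', ''))
    return data  # anything else (e.g. "-" for a deletion) is kept as raw text


def parse_reg_export(text: str) -> RegKeys:
    """Parse a Version 5.00 .reg export into {key path: {value name: value}}."""
    keys: RegKeys = {}
    current = None
    for line in _logical_lines(text):
        if not line or line.startswith('Windows Registry Editor') or line.startswith(';'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _decode(m.group(2))
    return keys


def acmru_history(keys: RegKeys) -> Dict[str, List[str]]:
    """Return each ACMru list as its search terms in MRU order (value 000 first)."""
    history: Dict[str, List[str]] = {}
    for path, values in keys.items():
        if '\\Search Assistant\\ACMru\\' not in path:
            continue
        list_id = path.rsplit('\\', 1)[1]
        indexed = sorted((int(n), str(v)) for n, v in values.items() if n.isdigit())
        history[list_id] = [term for _, term in indexed]
    return history


def report(keys: RegKeys) -> str:
    """Summary with wildcard searches marked as patterns and exact names as literals."""
    out = []
    for list_id, terms in sorted(acmru_history(keys).items()):
        out.append(f"ACMru\\{list_id} ({ACMRU_LISTS.get(list_id, 'unknown list')}):")
        for i, term in enumerate(terms):
            kind = 'pattern' if any(c in term for c in '*?') else 'literal'
            out.append(f"  {i:03d} [{kind}] {term}")
    return '\n'.join(out)


if __name__ == '__main__':
    print(report(parse_reg_export(SAMPLE_REG)))
```

To run it against the thread's export, save that export as a file and call parse_reg_export on its contents; the ordering matters more than the raw values, since index 000 of each list is the last thing the user searched for before the export was taken.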
You are safe to leave that as it is.
Uninstall Combofix
You are good to go now
This was an awesome experience!
Take care