Thank you very much. Here is the DaonolFix log:
DaonolFix (18.03.09) by jpshortstuff
Log created at 16:16 on 11/04/2009 by Owner
Running from C:\Documents and Settings\Owner\Desktop\DaonolFix.exe
=====Find Daonol=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="ctwdm32.dll"
"aux2"="C:\DOCUME~1\Owner\LOCALS~1\Temp\..\vxfddfg.oxj"
"midi"="wdmaud.drv"
"midi1"="wdmaud.drv"
"midimapper"="midimap.dll"
"mixer"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"mixer2"="wdmaud.drv"
"msacm.ac3acm"="ac3acm.acm"
"msacm.ctmp3"="C:\WINDOWS\System32\ctmp3.acm"
"msacm.divxa32"="divxa32.acm"
"msacm.iac2"="C:\WINDOWS\system32\iac25_32.ax"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.l3acm"="C:\WINDOWS\system32\l3codeca.acm"
"msacm.lameacm"="lameACM.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msaudio1"="msaud32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msg723"="msg723.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.siren"="sirenacm.dll"
"msacm.sl_anet"="sl_anet.acm"
"msacm.trspch"="tssoft32.acm"
"msacm.vorbis"="vorbis.acm"
"msacm.voxacm160"="vct3216.acm"
"MSVideo"="vfwwdm32.dll"
"MSVideo8"="VfWWDM32.dll"
"SENTINEL"="snti386.dll"
"vidc.3ivx"="3ivxVfWCodec.dll"
"vidc.cvid"="iccvid.dll"
"VIDC.DIVX"="divx.dll"
"VIDC.FFDS"="ff_vfw.dll"
"VIDC.I420"="lvcodec2.dll"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"vidc.iv50"="ir50_32.dll"
"VIDC.IYUV"="iyuv_32.dll"
"vidc.LEAD"="LCODCCMP.DLL"
"vidc.M261"="msh261.drv"
"vidc.M263"="msh263.drv"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"VIDC.UYVY"="msyuv.dll"
"vidc.VP60"="C:\WINDOWS\system32\vp6vfw.dll"
"vidc.VP61"="C:\WINDOWS\system32\vp6vfw.dll"
"VIDC.wmv3"="wmv9vcm.dll"
"VIDC.X264"="x264vfw.dll"
"vidc.XVID"="xvidvfw.dll"
"VIDC.YUY2"="msyuv.dll"
"VIDC.YVU9"="tsbyuv.dll"
"VIDC.YVYU"="msyuv.dll"
"wave"="wdmaud.drv"
"wave1"="wdmaud.drv"
"wave2"="wdmaud.drv"
"wavemapper"="msacm32.drv"
-=Daonol Files=-
(none found)
-=End Of File=-
And here is the ComboFix log:
ComboFix 09-04-04.01 - Owner 2009-04-11 16:39:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.231 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: Avanquest SystemSuite *On-access scanning disabled* (Updated)
.
The following files were disabled during the run:c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Owner\Favorites\Online Security Test.url
c:\program files\INSTALL.LOG
c:\program files\popcorn Terms.html
c:\windows\Downloaded Program Files\temp
c:\windows\system32\drivers\UACxttoawkv.sys
c:\windows\system32\ssms.exe
c:\windows\system32\UACdrnlgcqe.dll
c:\windows\system32\UACemnsyrdl.dll
c:\windows\system32\UACfgyguwqr.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UAConhimaru.dll
c:\windows\system32\UACtupqtaiy.log
c:\windows\system32\UACujegwrby.dat
c:\windows\system32\UACventbddg.dll
c:\windows\system32\UACvkyavbks.dll
c:\windows\system32\UACymnklxxo.log
c:\windows\system32\uninstall.exe
D:\Autorun.inf
----- BITS: Possible infected sites -----
hxxp://winpcdown99.com
hxxp://tubeloyaln.com.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
-------\Legacy_COMCSVC
-------\Legacy_NETDDEC
-------\Service_COMCSVC
-------\Service_COMSS
-------\Service_NETDDEC
((((((((((((((((((((((((( Files Created from 2009-03-11 to 2009-04-11 )))))))))))))))))))))))))))))))
.
2022-05-06 10:51 . 2022-05-06 10:52 <DIR> d-------- C:\AfterEffects_6_5_Tryout
2009-04-10 07:51 . 2009-04-11 12:05 <DIR> d-------- c:\documents and settings\Joseph\Application Data\Avant Browser
2009-04-09 20:21 . 2009-04-10 10:48 <DIR> d-------- c:\documents and settings\Joseph\Application Data\Avanquest
2009-04-09 19:49 . 2002-10-28 12:21 <DIR> d-------- c:\documents and settings\Joseph\WINDOWS
2009-04-09 19:49 . 2002-10-28 11:57 <DIR> d-------- c:\documents and settings\Joseph\Application Data\VERITAS
2009-04-09 19:49 . 2002-10-28 11:50 <DIR> d-------- c:\documents and settings\Joseph\Application Data\Share-to-Web Upload Folder
2009-04-09 19:49 . 2002-10-28 12:30 <DIR> d-------- c:\documents and settings\Joseph\Application Data\SampleView
2009-04-09 19:49 . 2002-10-28 12:13 <DIR> d-------- c:\documents and settings\Joseph\Application Data\InterTrust
2009-04-09 19:49 . 2009-04-09 19:49 <DIR> d-------- c:\documents and settings\Joseph
2009-04-04 17:37 . 2009-04-04 19:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-04 04:56 . 2009-04-04 04:56 50,176 --a------ c:\windows\system32\drivers\UACgruefynadwonsoa.sys
2009-04-01 18:27 . 2009-04-01 18:27 20,832 --a------ c:\windows\system32\AAWService_2009_04_01_18_27_53.dmp
2009-04-01 18:23 . 2009-04-01 18:23 20,133 --a------ c:\windows\system32\AAWService_2009_04_01_18_23_41.dmp
2009-04-01 18:04 . 2009-04-01 18:04 22,381 --a------ c:\windows\system32\AAWService_2009_04_01_18_04_37.dmp
2009-04-01 15:20 . 2009-04-01 15:20 20,345 --a------ c:\windows\system32\AAWService_2009_04_01_15_20_36.dmp
2009-04-01 13:33 . 2009-04-01 13:33 <DIR> d-------- c:\windows\system32\Events
2009-04-01 13:33 . 2009-04-01 13:33 20,633 --a------ c:\windows\system32\AAWService_2009_04_01_13_33_26.dmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-09 12:13 --------- d-----w c:\documents and settings\Owner\Application Data\Avant Browser
2009-04-06 01:24 --------- d-----w c:\program files\Shareaza
2009-04-06 01:24 --------- d-----w c:\documents and settings\Owner\Application Data\Shareaza
2009-04-05 00:58 --------- d-----w c:\program files\FlashGet
2009-04-04 01:23 --------- d-----w c:\program files\Adblock Pro
2009-04-02 01:29 --------- d-----w c:\program files\Lavasoft
2009-03-08 10:10 --------- d-----w c:\program files\LRB MYB Gadgets
2009-02-28 21:49 --------- d-----w c:\program files\Common Files\Ahead
2009-02-28 21:49 --------- d-----w c:\program files\Ahead
2009-02-14 22:03 --------- d-----w c:\documents and settings\Owner\Application Data\Adblock Pro
2009-02-07 09:13 6,444 -c--a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-02-07 08:52 118,608 -c--a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-11 22:55 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051120080512\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"RCScheduleCheck"="c:\program files\VCOM\Recovery Commander\RCSCHED.EXE" [2003-10-21 151552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-22 155648]
"QUICKCARE"="c:\program files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-09 198800]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-12-09 225280]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-12-20 278528]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-22 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"EPSON Stylus CX4600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE" [2004-03-03 98304]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2007-03-07 753664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"nwiz"="nwiz.exe" [2004-10-29 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2004-10-29 c:\windows\system32\nvmctray.dll]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2002-12-03 c:\windows\mididef.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"PlayCenter2"="c:\program files\Creative\SBLive\PlayCenter2\MDEntry.EXE" [2001-07-20 131072]
"SetDefaultMidi"="MIDIDEF.EXE" [2002-12-03 c:\windows\mididef.exe]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-09-07 110592]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 01000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"vidc.3ivx"= 3ivxVfWCodec.dll
"SENTINEL"= snti386.dll
"VIDC.X264"= x264vfw.dll
"msacm.divxa32"= divxa32.acm
"aux2"= c:\docume~1\Owner\LOCALS~1\Temp\..\vxfddfg.oxj
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Avant Browser\\avant.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\Microsoft\\Internet Explorer\\Quick Launch\\slsk.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3124:UDP"= 3124:UDP:Shareaza
"3124:TCP"= 3124:TCP:Shareaza
"1206:TCP"= 1206:TCP:WindowsAutoupdate
"1853:TCP"= 1853:TCP:WindowsAutoupdate
"21:TCP"= 21:TCP:Ftp
"53:TCP"= 53:TCP:Dns
R0 MrFilter;EasyWrite Driver;c:\windows\system32\drivers\MRFilter.sys [2006-09-12 12384]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-11-07 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2008-12-21 202928]
R2 SBAMSvc;SystemSuite;c:\program files\Common Files\AntiVirus\SBAMSvc.exe [2008-10-28 886056]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2008-11-07 68912]
R3 Amps2prt;Compatible PS/2 Port Mouse Driver;c:\windows\system32\drivers\Amps2prt.sys [2001-12-16 9216]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 mrtRate;mrtRate; [x]
S3 Fdcservera;Fdcservera; [x]
S3 Lvm9141as;Lvm9141as; [x]
S3 MailScan;MailScan;\??\c:\progra~1\AVANQU~1\SYSTEM~1\MailScan.sys --> c:\progra~1\AVANQU~1\SYSTEM~1\MailScan.sys [?]
S3 MR97310_VGA_DUAL_CAMERA;Dual-Mode Digital Camera;c:\windows\system32\drivers\MR97310v.sys [2006-02-19 116126]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 QCEmerald;Logitech QuickCam Web(PID_0850);c:\windows\system32\drivers\lvce.sys [2002-06-10 44544]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]
S3 Scbohvceapf;Scbohvceapf; [x]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-04-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
2009-03-17 c:\windows\Tasks\At25.job
- c:\windows\system32\477xmESh.exe []
2009-03-17 c:\windows\Tasks\At26.job
- c:\windows\system32\477xmESh.exe []
2009-03-17 c:\windows\Tasks\At27.job
- c:\windows\system32\477xmESh.exe []
2009-04-09 c:\windows\Tasks\At28.job
- c:\windows\system32\477xmESh.exe []
2009-04-10 c:\windows\Tasks\At29.job
- c:\windows\system32\477xmESh.exe []
2009-04-10 c:\windows\Tasks\At30.job
- c:\windows\system32\477xmESh.exe []
2009-04-10 c:\windows\Tasks\At31.job
- c:\windows\system32\477xmESh.exe []
2009-04-10 c:\windows\Tasks\At32.job
- c:\windows\system32\477xmESh.exe []
2009-04-11 c:\windows\Tasks\At33.job
- c:\windows\system32\477xmESh.exe []
2009-04-10 c:\windows\Tasks\At34.job
- c:\windows\system32\477xmESh.exe []
2009-04-10 c:\windows\Tasks\At35.job
- c:\windows\system32\477xmESh.exe []
2009-04-10 c:\windows\Tasks\At36.job
- c:\windows\system32\477xmESh.exe []
2009-04-11 c:\windows\Tasks\At37.job
- c:\windows\system32\477xmESh.exe []
2009-04-07 c:\windows\Tasks\At38.job
- c:\windows\system32\477xmESh.exe []
2009-04-07 c:\windows\Tasks\At39.job
- c:\windows\system32\477xmESh.exe []
2009-04-01 c:\windows\Tasks\At40.job
- c:\windows\system32\477xmESh.exe []
2009-04-06 c:\windows\Tasks\At41.job
- c:\windows\system32\477xmESh.exe []
2009-04-07 c:\windows\Tasks\At42.job
- c:\windows\system32\477xmESh.exe []
2009-04-10 c:\windows\Tasks\At43.job
- c:\windows\system32\477xmESh.exe []
2009-04-10 c:\windows\Tasks\At44.job
- c:\windows\system32\477xmESh.exe []
2009-04-10 c:\windows\Tasks\At45.job
- c:\windows\system32\477xmESh.exe []
2009-04-09 c:\windows\Tasks\At46.job
- c:\windows\system32\477xmESh.exe []
2009-04-07 c:\windows\Tasks\At47.job
- c:\windows\system32\477xmESh.exe []
2009-03-29 c:\windows\Tasks\At48.job
- c:\windows\system32\477xmESh.exe []
2009-01-27 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16 []
2009-04-07 c:\windows\Tasks\Scheduled Checkpoint.job
- c:\program files\VCOM\Recovery Commander\RCSCHED.EXE [2003-10-21 10:20]
2009-04-11 c:\windows\Tasks\{B30109AD-93C3-47FD-8A19-D8A54D8C1DFD}_GOOD_Owner.job
- c:\windows\system32\mobsync.exe [2008-04-13 17:12]
2009-03-29 c:\windows\Tasks\{D34F18B0-576E-11D0-B28C-00C04FD7CD22}_GOOD_Owner.job
- c:\windows\system32\mobsync.exe [2008-04-13 17:12]
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{E6AE90A4-1B01-47F0-AA78-E6B122E145E9} - (no file)
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-Fix-It AV - c:\progra~1\VCOM\SYSTEM~1\MemCheck.exe
HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
HKLM-Run-WheelMouse - Amoumain.exe
ShellExecuteHooks-{a5780613-492e-4a2a-a7fd-549610edf6cc} - (no file)
.
------- Supplementary Scan -------
.
uStart Page =
hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
IE: {{17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: DirectAnimation Java Classes -
file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java -
file://c:\windows\Java\classes\xmldso.cab
DPF: RaptisoftGameLoader -
hxxp://www.miniclip.com/hamsterball/rap ... loader.cab
DPF: {02466323-75ED-11CF-A267-0020AF2546EA} -
hxxp://www.cutecandy.com/members/video/vvweb.cab
DPF: {556DDE36-E951-11D1-A708-000000521958} -
hxxp://www.xblock.com/members/files/xcl ... _setup.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
hxxp://utu.popcap.com/games/popcaploader_v5.cab
DPF: {EE85A9FD-6E52-4227-BB82-D46A660690EA} -
hxxp://www.buzme.com/ActiveX/RCAXSetup.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\on3nrohw.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\Avanquest\SystemSuite\Firefox\components\SearchShield.dll
FF - component: c:\program files\Avanquest\SystemSuite\Firefox3DV\components\VaultComponent.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\on3nrohw.default\extensions\OberonGameHost@OberonGames.com\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
---- FIREFOX POLICIES ----
// More DOM/JavaScript options
// Make sure all pop-up windows are resizable:
FF - user.js: dom.disable_window_open_feature.resizable - true
// Make sure all pop-up windows are minimizable:
FF - user.js: dom.disable_window_open_feature.minimizable - true
// Always display the menu in pop-up windows:
FF - user.js: dom.disable_window_open_feature.menubar - true
// Always display the Navigation Toolbar in pop-up windows:
FF - user.js: dom.disable_window_open_feature.location - true
// Prevent sites from disabling scrollbars:
FF - user.js: dom.disable_window_open_feature.scrollbars - true.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-04-11 16:49:52
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\progra~1\AVANQU~1\SYSTEM~1\MXTask.exe
c:\windows\system32\MsPMSPSv.exe
c:\progra~1\AVANQU~1\SYSTEM~1\MXTask.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-04-11 16:59:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-11 23:59:08
Pre-Run: 21,727,711,232 bytes free
Post-Run: 21,987,344,384 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
336
And here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:56 PM, on 4/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\mxtask.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\Avanquest\SystemSuite\LinkScannerIE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Data Vault - {8373ADC0-6330-11DD-9D77-22C856D89593} - C:\Program Files\Avanquest\SystemSuite\IE_ContextMenu_Vault.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKUS\S-1-5-18\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy (file missing)
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: RaptisoftGameLoader -
http://www.miniclip.com/hamsterball/rap ... loader.cab
O16 - DPF: Yahoo! MahJong Solitaire -
http://download.games.yahoo.com/games/c ... jst4_x.cab
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) -
http://www.cutecandy.com/members/video/vvweb.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} -
http://www.xblock.com/members/files/xcl ... _setup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.microsoft.com/microsoftup ... 8679063296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.microsoft.com/microsoftup ... 8679006562
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) -
http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
http://utu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {EE85A9FD-6E52-4227-BB82-D46A660690EA} (RCSetup Class) -
http://www.buzme.com/ActiveX/RCAXSetup.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lvm9141as - Unknown owner - (no file)
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SystemSuite (SBAMSvc) - Sunbelt Software - C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SystemSuite Task Manager - Avanquest North America, Inc. - C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
--
End of file - 10499 bytes