Hi Shaba....logs as requested.
ComboFix 08-08-12.01 - Mike & Sharon 2008-08-13 16:40:14.7 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.809 [GMT -3:00]
Running from: C:\Documents and Settings\Mike & Sharon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mike & Sharon\Desktop\WinXP_EN_HOM_BF.EXE
.
Error: Cfiles.dat
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\LocalService\Application Data\wsnpoem
C:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll
C:\Documents and Settings\Mike & Sharon\Application Data\macromedia\Flash Player\#SharedObjects\C6RWT3BH\interclick.com
C:\Documents and Settings\Mike & Sharon\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\NetworkService\Application Data\wsnpoem
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.exe
C:\Program Files\Inet Delivery
C:\Program Files\Inet Delivery\inetdl.exe
C:\Program Files\Inet Delivery\intdel.exe
C:\WINDOWS\mslagent
C:\WINDOWS\mslagent\2_mslagent.dll
C:\WINDOWS\mslagent\mslagent.exe
C:\WINDOWS\mslagent\uninstall.exe
C:\WINDOWS\system32\blphc1b8j0erf1.scr
C:\WINDOWS\system32\C.tmp
C:\WINDOWS\system32\cmprop.dll
C:\WINDOWS\system32\cmsetac.dll
C:\WINDOWS\system32\lphc1b8j0erf1.exe
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\phc1b8j0erf1.bmp
C:\WINDOWS\system32\pphc1b8j0erf1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
.
((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.
2008-08-13 15:37 . 2008-08-13 15:37 577,024 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\user32.dll
2008-08-13 15:33 . 2008-08-13 15:33 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-13 11:47 . 2008-08-13 16:29 <DIR> d-------- C:\SDFix
2008-08-13 09:48 . 2008-08-13 09:48 <DIR> d-------- C:\Program Files\Avira
2008-08-13 09:48 . 2008-08-13 09:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-08-12 12:46 . 2008-08-12 12:46 <DIR> d-------- C:\Program Files\ednppsf
2008-08-12 12:46 . 2008-08-12 12:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\dgdutafs
2008-08-12 12:45 . 2008-08-12 12:45 45,056 --a------ C:\WINDOWS\services.exe
2008-08-10 16:29 . 2008-08-10 16:29 <DIR> d-------- C:\Program Files\Flux
2008-08-02 21:06 . 2008-08-02 21:18 716 --a------ C:\scope
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 18:19 25,472 ----a-w C:\WINDOWS\system32\drivers\Chl83.sys
2008-08-07 00:09 --------- d-----w C:\Program Files\Plextor
2008-06-25 18:18 --------- d-----w C:\Program Files\EPSON Print CD
2008-06-17 15:40 --------- d-----w C:\Program Files\iZotope
2008-04-20 00:25 101,192 ----a-w C:\Documents and Settings\Mike & Sharon\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StrDb"="C:\WINDOWS\system32\rgnybank.exe" [2008-08-12 12:46 81920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 14:16 5058560]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-02 12:40 155648]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [2004-08-27 00:43 56320]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"EW Message Server"="msg32.exe" [2003-02-26 20:03 45056 C:\WINDOWS\SYSTEM32\Msg32.exe]
"DeltTray"="DeltTray.exe" [2004-08-27 00:43 56320 C:\WINDOWS\SYSTEM32\DeltTray.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-10-06 14:16 49152]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"GenActMsg"= {2EF26493-ECFD-4DD1-ABDF-03A50288E9C3} - C:\Program Files\ednppsf\GenActMsg.dll [2008-08-12 12:46 126976]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.NTN1"= NUVision.ax
"vidc.dvsd"= dvc.dll
"msacm.dvacm"= dvacm.acm
"VIDC.YMPG"= ympgcdc.dll
"msacm.ympgacm"= ympgacm.acm
"Midi1"= gmidi.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Mike & Sharon^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Mike & Sharon\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 15:45 278528 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2005-10-12 18:13 7086080 C:\Program Files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-07-02 12:40 155648 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"svchost"=2 (0x2)
"runbatch"=2 (0x2)
"ntsysvers"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CodeMeter\\Runtime\\bin\\CodeMeter.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R0 BTMgr;Bluelet Device Manager Service;C:\WINDOWS\system32\Drivers\BTMgr.sys [2002-06-12 14:43]
R2 JamLabInstallerService;JamLab Installer;C:\Program Files\M-Audio\JamLab\JamLabInst.exe [2006-01-09 17:39]
R3 EWAVE;EWAVE;C:\WINDOWS\system32\drivers\ew.sys [2003-02-26 20:04]
R3 FILESPY;FILESPY;C:\WINDOWS\system32\drivers\FILESPY.sys [2003-02-26 20:13]
R3 GBGSIF;FX-MAX virtual GSIF driver;C:\WINDOWS\system32\Drivers\GBGSIF.sys [2005-03-07 00:21]
R3 hypaudio;hypaudio;C:\WINDOWS\system32\DRIVERS\hypaudio.sys [2006-05-30 16:20]
R3 hypkern;hypkern;C:\WINDOWS\system32\drivers\hypkern.sys [2006-05-30 16:20]
R3 MAWGSIF;MOTU PCI GSIF Driver;C:\WINDOWS\system32\drivers\MAWGSIF.sys [2004-07-21 16:05]
R3 MotuAW;MotuAW;C:\WINDOWS\system32\drivers\MotuAW.sys [2004-07-21 16:03]
R3 NSTATION;NSTATION;C:\WINDOWS\system32\drivers\nstation.sys [2003-02-26 20:06]
R3 SynasUSB;SynasUSB;C:\WINDOWS\system32\drivers\SynasUSB.sys [2002-11-25 03:46]
S3 82827bba-7380-4b11-bfe5-ff053dc5ed6c;82827bba-7380-4b11-bfe5-ff053dc5ed6c;D:\CDS300\cds300.dll []
S3 Btusb;Bluetooth USB;C:\WINDOWS\system32\Drivers\Btusb.sys [2001-12-10 15:16]
S3 FILEMON;FILEMON;C:\Documents and Settings\Mike & Sharon\Desktop\sammon\FILEMON.SYS []
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 16:18]
S3 gsif324;GSIF Driver for MOTU 324;C:\WINDOWS\system32\drivers\gsif324.sys []
S3 MagixASIODrv;MAGIX_ASIO_BoostDriver;C:\MAGIX\Samplitude_V8_professional\mxasio.sys [2002-04-16 12:10]
S3 MAUSBJL;Service for M-Audio JamLab Driver (WDM);C:\WINDOWS\system32\DRIVERS\mausbjl.sys [2006-02-01 10:25]
S3 MAWWAVE;MOTU PCI Wave Driver;C:\WINDOWS\system32\drivers\MAWWAVE.sys []
S3 NUVision;NUVision Video Service;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-09-20 07:58]
S3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys []
S3 w324drvr;w324drvr;C:\WINDOWS\system32\drivers\w324drvr.sys []
S4 ntsysvers;FireDaemon Service: ntsysvers;c:\windows\system32\dllcache\FireDaemon.EXE []
S4 runbatch;FireDaemon Service: runbatch;c:\windows\system32\dllcache\FireDaemon.EXE []
*Newly Created Service* - AVGNTFLT
*Newly Created Service* - FILESPY
*Newly Created Service* - NSTATION
*Newly Created Service* - SSMDRV
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}]
rundll32 sxmg4.dll,InitModule
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.ca/
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
O16 -: DirectAnimation Java Classes -
file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java -
file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 16:45:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-08-13 16:53:17 - machine was rebooted [Mike & Sharon]
ComboFix-quarantined-files.txt 2008-08-13 19:53:12
Pre-Run: 7,144,902,656 bytes free
Post-Run: 7,505,133,568 bytes free
WinXP_EN_HOM_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:16 PM, on 13/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\M-Audio\JamLab\JamLabInst.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msg32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\rgnybank.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Fire-Trust SiteHound - {C86AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll (file missing)
O3 - Toolbar: SiteHound - {73F7F495-A325-4C52-BE48-5F97FA511E89} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [StrDb] C:\WINDOWS\system32\rgnybank.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O9 - Extra button: (no name) - {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: GenActMsg - {2EF26493-ECFD-4DD1-ABDF-03A50288E9C3} - C:\Program Files\ednppsf\GenActMsg.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JamLab Installer (JamLabInstallerService) - M-Audio - C:\Program Files\M-Audio\JamLab\JamLabInst.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 4787 bytes