Ran ComboFix, and every time it restarted Windows, Avira also restarted and Avira's resident shield detected ComboFix as a worm. I allowed ComboFix to finish and here is the log. Below this log is the new HijackThis log. Thanks. (I downloaded SDFix and tried to run it once. This was before I received your email. I don't think it finished.)
ComboFix 09-01-21.04 - RSK 2009-01-27 22:55:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2494 [GMT -5:00]
Running from: c:\documents and settings\RSK\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
.
ADS - svchost.exe: deleted 32256 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Microsoft Common
c:\windows\Install.txt
c:\windows\system32\303359.exe
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekayagedfua.sys
c:\windows\system32\log.exe
c:\windows\system32\senekacxwbmeey.dat
c:\windows\system32\senekadqhqohvv.dat
c:\windows\system32\senekaikvxuywx.dll
c:\windows\system32\senekaxokmyxsj.dll
c:\windows\system32\swctl.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AFINDING
-------\Legacy_ICF
-------\Legacy_MACIDWE
-------\Legacy_NOBICYT
-------\Legacy_PERFS
-------\Legacy_ROUTING
-------\Legacy_SOBICYT
-------\Legacy_TDXDOWKC
-------\Legacy_WSERVING
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
.
2009-01-26 22:06 . 2009-01-26 22:06 <DIR> d-------- c:\windows\ERUNT
2009-01-26 22:02 . 2009-01-26 22:24 <DIR> d-------- C:\SDFix
2009-01-24 17:06 . 2009-01-24 17:06 137,216 --a------ c:\windows\aziqipuz.dll
2009-01-24 15:39 . 2009-01-24 15:39 <DIR> d-------- c:\program files\Trend Micro
2009-01-24 14:56 . 2009-01-24 14:56 360,192 --a------ c:\windows\system32\TuneUpDefragService.exe
2009-01-24 14:43 . 2009-01-24 14:43 603,904 --a------ c:\windows\system32\TUProgSt.exe
2009-01-24 14:41 . 2009-01-24 14:43 <DIR> d-------- c:\program files\TuneUp Utilities 2009
2009-01-24 14:41 . 2009-01-24 14:41 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-01-22 12:26 . 2009-01-22 12:26 <DIR> d-------- c:\windows\3E5562ED69AB4CEC91E264E18EC5ACC6.TMP
2009-01-22 00:51 . 2009-01-22 00:51 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-22 00:51 . 2009-01-22 00:51 <DIR> d-------- c:\documents and settings\RSK\Application Data\SUPERAntiSpyware.com
2009-01-22 00:51 . 2009-01-22 00:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-21 23:39 . 2009-01-24 14:58 <DIR> d-------- c:\program files\a-squared Free
2009-01-21 23:35 . 2009-01-21 23:35 192 --a------ c:\windows\system32\ikhcore.cfg
2009-01-21 22:56 . 2009-01-21 22:56 <DIR> d-------- c:\program files\Avira
2009-01-21 22:56 . 2009-01-21 22:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-21 22:02 . 2009-01-21 22:02 132,096 --a------ c:\windows\eyojabow.dll
2009-01-21 20:43 . 2009-01-21 20:43 43,008 --a------ c:\windows\Bwuwutapimoxihuv.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 04:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-27 02:34 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-24 19:53 --------- d-----w c:\documents and settings\RSK\Application Data\uTorrent
2009-01-24 19:45 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-23 00:45 --------- d-----w c:\program files\Spyware Process Detector
2009-01-22 05:45 14,336 ----a-w c:\windows\system32\svchost.exe
2009-01-22 05:33 --------- d-----w c:\program files\NeoDownloader
2009-01-22 04:16 --------- d-----w c:\program files\Spyware Doctor
2009-01-22 03:05 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-19 05:06 --------- d-----w c:\program files\SpywareBlaster
2009-01-12 03:45 --------- d-----w c:\program files\Mgutil
2009-01-11 03:51 --------- d-----w c:\documents and settings\RSK\Application Data\Schoolhouse Technologies
2009-01-11 03:50 --------- d-----w c:\program files\Schoolhouse Technologies
2009-01-03 17:49 --------- d-----w c:\documents and settings\RSK\Application Data\Skype
2008-12-31 02:30 --------- d-----w c:\program files\Total Video Converter
2008-12-30 01:13 --------- d-----w c:\documents and settings\RSK\Application Data\ZoomBrowser EX
2008-12-30 01:13 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-12-23 22:57 --------- d-----w c:\program files\Viewpoint
2008-12-23 22:57 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-23 22:56 --------- d-----w c:\documents and settings\RSK\Application Data\Viewpoint
2008-12-15 03:17 --------- d-----w c:\program files\Common Files\System Shared
2008-12-15 03:17 --------- d-----w c:\documents and settings\All Users\Application Data\System
2008-12-07 03:36 --------- d-----w c:\program files\Folder Lock
2007-11-16 04:12 22,328 ----a-w c:\documents and settings\RSK\Application Data\PnkBstrK.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ResChangerXP"="c:\program files\ResChanger XP\ResChangerXP.exe" [2002-02-14 600576]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-17 81920]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-17 8478720]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2007-11-13 1052672]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Ctixute"="c:\windows\Bwuwutapimoxihuv.dll" [2009-01-21 43008]
"Pfogoxuxa"="c:\windows\aziqipuz.dll" [2009-01-24 137216]
"SDFix"="c:\sdfix\RunThis.bat" [2008-11-06 964661]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-08-17 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 c:\windows\system32\narrator.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Dialer (OnStartup).lnk.disabled [2009-01-21 2463]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.ac3filter"= ac3filter.acm
"msacm.divxa32"= divxa32.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati1pvxx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Domino"=c:\windows\Domino.EXE
"VMSnap5"=c:\windows\VMSnap5.EXE
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"Ctixute"=rundll32.exe "c:\windows\Bwuwutapimoxihuv.dll",e
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\RSK\\Local Settings\\Apps\\2.0\\5R8MCH7E.EHA\\88MXNN29.BVL\\radw...app_f5571d98f50637a6_0001.0000_d8e505453d7bca4e\\Commissure.Render.exe"=
"c:\\Documents and Settings\\RSK\\Local Settings\\Apps\\2.0\\5R8MCH7E.EHA\\88MXNN29.BVL\\radw...app_f5571d98f50637a6_0001.0000_dfbf2f0297459d82\\Commissure.Render.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Sonic Shared\\RoxioUPnPRenderer9.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"111:TCP"= 111:TCP:Integrad
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R3 OmniTV;Cx2388x AvStream Video Capture;c:\windows\system32\drivers\OmniTV.sys [2007-10-21 243584]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
R4 CVPNDRV;Cisco Systems Inc. IPSec Driver;c:\windows\system32\drivers\CVPNDrv.sys [2002-10-04 263749]
R4 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [2007-12-13 18944]
R4 PortProxyService;PortProxyService;c:\portproxyservice\PortProxyService.exe [2006-07-24 28672]
R4 spydetector;spydetector;c:\program files\Spyware Process Detector\spydetector.sys [2008-07-20 9216]
R4 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-01-24 603904]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-23 24652]
S0 ati1pvxx;ati1pvxx;c:\windows\system32\Drivers\ati1pvxx.sys --> c:\windows\system32\Drivers\ati1pvxx.sys [?]
S3 SaiH040C;SaiH040C;c:\windows\system32\drivers\SaiH040C.sys [2007-05-01 132232]
S3 SaiU040C;SaiU040C;c:\windows\system32\drivers\SaiU040C.sys [2007-05-01 28416]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-10-27 356920]
S3 ZSMC0305;Vimicro USB PC Camera (VC0305);c:\windows\system32\drivers\usbVM305.sys [2008-06-19 391737]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1afea8f1-36f1-11dc-ad94-00032f367d88}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-01-28 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 15:36]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-rs32net - c:\windows\System32\rs32net.exe
SafeBoot-ati2cixx.sys
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: ameritrade.com\wwws
Trusted Zone: com.tw\www.msi
DPF: MIW Deployment - hxxps://kintegrad.bayhealth.org/downloads/MIWDeploy.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/L ... nstall.cab
FF - ProfilePath - c:\documents and settings\RSK\Application Data\Mozilla\Firefox\Profiles\u45xa40i.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?rs=1
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 600000
FF - user.js: nglayout.initialpaint.delay - 600
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 22:59:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-329068152-920026266-839522115-1003\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
"Policy"=dword:00000000
[HKEY_USERS\S-1-5-21-329068152-920026266-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5d,54,c6,61,75,39,67,94,32,e3,2f,87,ad,20,09,15,83,3b,f3,45,cd,eb,48,
51,1e,30,6a,d6,ce,99,07,ea,59,01,9e,53,af,59,7e,ca,49,4f,22,9d,d5,0d,ae,ad,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,14,3d,00,cc,58,
7c,c9,b2,c8,28,51,af,b0,29,a3,98,9a,ed,59,44,5c,d5,56,1b,e2,63,26,f1,3f,c8,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,fc,11,1a,81,52,
c7,82,ee,71,3b,04,66,8b,46,0d,96,95,73,1c,b9,99,ec,73,b0,6a,9c,d6,61,af,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,e4,b7,ee,35,9a,
6d,dd,05,25,da,ec,7e,55,20,c9,26,e7,94,c8,ad,34,89,06,b2,ff,7c,85,e0,43,d4,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,0d,d0,b1,41,07,
a2,e6,3d,3e,1e,9e,e0,57,5a,93,61,37,c9,75,0d,6d,d1,b4,7e,86,8c,21,01,be,91,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,ec,4f,7e,54,dc,
13,0b,6c,cd,44,cd,b9,a6,33,6c,cd,8c,ba,50,50,6b,23,1d,ae,f5,1d,4d,73,a8,13,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,03,56,e5,29,04,
c9,71,6b,b0,18,ed,a7,3f,8d,37,a4,1d,4a,3d,b3,bb,ce,4f,c8,df,20,58,62,78,6b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,7f,c4,63,ed,55,
a5,d3,44,31,77,e1,ba,b1,f8,68,02,48,eb,ac,b4,5b,7f,b2,11,fb,a7,78,e6,12,2f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,f8,28,61,30,ca,
81,f0,a7,83,6c,56,8b,a0,85,96,ab,8b,8b,14,25,35,4a,6c,61,01,3a,48,fc,e8,04,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,45,00,a6,bb,80,
3d,d4,b4,51,fa,6e,91,28,9e,14,cc,94,7c,90,b1,f5,7e,1e,3a,f6,0f,4e,58,98,5b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,b2,d6,06,e8,40,
02,12,14,b1,cd,45,5a,a8,c4,f8,b9,b8,4f,70,32,fb,b1,47,35,3d,ce,ea,26,2d,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,fc,22,2e,cc,65,
cc,3d,02,e3,0e,66,d5,eb,bc,2f,6b,5e,25,a7,ae,7a,c7,64,4f,2a,b7,cc,b5,b9,7f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,f1,29,32,7c,bb,
ab,67,3c,fa,ea,66,7f,d4,3b,6b,70,8e,20,aa,50,08,92,b9,1f,6c,43,2d,1e,aa,22,\
[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG08.00.00.01WORKSTATION"="[value removed]"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1876)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\oodag.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-01-27 23:01:50 - machine was rebooted [RSK]
ComboFix-quarantined-files.txt 2009-01-28 04:01:48
Pre-Run: 86,186,299,392 bytes free
Post-Run: 86,100,033,536 bytes free
290
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:25 PM, on 1/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\PortProxyService\PortProxyService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ResChanger XP\ResChangerXP.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ResChangerXP] C:\Program Files\ResChanger XP\ResChangerXP.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Ctixute] rundll32.exe "C:\WINDOWS\Bwuwutapimoxihuv.dll",e
O4 - HKLM\..\Run: [Pfogoxuxa] rundll32.exe "C:\WINDOWS\aziqipuz.dll",e
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: VPN Dialer (OnStartup).lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: MIW Deployment - https://kintegrad.bayhealth.org/downloads/MIWDeploy.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/L ... nstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bayhealth.org
O17 - HKLM\Software\..\Telephony: DomainName = bayhealth.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bayhealth.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bayhealth.org
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PortProxyService - Unknown owner - C:\PortProxyService\PortProxyService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 8326 bytes
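The two O4 entries that ComboFix left behind (Ctixute and Pfogoxuxa) share a pattern worth checking mechanically: rundll32.exe loading a DLL that sits directly in the Windows directory rather than in system32 or Program Files, with a one-letter export. The script below is an added example, not part of the original post and not HijackThis or ComboFix code; it parses HijackThis O4 lines and flags entries by those two heuristics plus a third (a script such as a .bat in a Run key). The sample input is copied from the HijackThis log above. The heuristics and the threshold of "one-character export" are assumptions chosen for illustration, so a hit is a prompt for a human look, not a verdict: SDFix is flagged here only because it is a batch file in the Run key, and the poster already said it is the cleanup tool they tried.

```python
"""Triage HijackThis 'O4' autorun lines with simple heuristics.

Added example for this thread; not part of HijackThis or ComboFix.
The rules below are assumptions picked to illustrate the pattern in the
posted log, not a signature set.
"""
import ntpath
import re

# Constructed sample: O4 lines copied from the HijackThis log in the post.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Ctixute] rundll32.exe "C:\WINDOWS\Bwuwutapimoxihuv.dll",e
O4 - HKLM\..\Run: [Pfogoxuxa] rundll32.exe "C:\WINDOWS\aziqipuz.dll",e
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
"""

# "O4 - <hive>\..\<key>: [<name>] <command>" with an optional "(User '...')" suffix.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
# rundll32[.exe] "<dll>",<export> [args]
RUNDLL_RE = re.compile(r'(?i)^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S*)')
# First token of the command: a quoted path or a bare one.
EXE_RE = re.compile(r'^"([^"]+)"|^(\S+)')

WINDIR = r"c:\windows"  # assumption: the log's system root, lower-cased
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js")


def parse_o4(line):
    """Return a dict for one O4 line, or None if the line is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    rd = RUNDLL_RE.match(entry["cmd"])
    entry["dll"] = rd.group("dll") if rd else None
    entry["export"] = rd.group("export") if rd else None
    q = EXE_RE.match(entry["cmd"])
    entry["exe"] = (q.group(1) or q.group(2)) if q else entry["cmd"]
    return entry


def assess(entry):
    """List the heuristic reasons an entry deserves a look (empty if none)."""
    reasons = []
    if entry["dll"]:
        dll_dir = ntpath.dirname(entry["dll"]).lower().rstrip("\\")
        if dll_dir == WINDIR:
            reasons.append("rundll32 loads a DLL from the %WINDIR% root, "
                           "not system32 or Program Files")
        if len(entry["export"] or "") <= 1:
            reasons.append("rundll32 export name is a single character")
    ext = ntpath.splitext(entry["exe"])[1].lower()
    if ext in SCRIPT_EXTS:
        reasons.append("Run key launches a script (%s)" % ext)
    return reasons


def triage(report_text):
    """Map entry name -> reasons for every flagged O4 line in a HijackThis log."""
    flagged = {}
    for line in report_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_O4).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Running it on the sample flags Ctixute and Pfogoxuxa on both DLL heuristics and SDFix on the script rule, while the NVIDIA rundll32 entry (system32 path, descriptive export NvStartup) and the plain .exe entries pass. Whatever the rules say, the real check is still to look at the file itself: where it came from, whether it is signed, and whether its creation time lines up with the other oddities in the ComboFix "Files Created" section, which here places both DLLs within the same few days as the seneka driver set that ComboFix deleted.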