I seem to have been the lucky recipient of I-worm/Bagle.AKA
I tried the usual and it kept popping back. Here is my ComboFix log:
ComboFix 08-07-23.5 - HP 2008-08-04 0:28:09.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1301 [GMT 3:00]
Running from: C:\Users\HP\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\system32\drivers\downld
.
((((((((((((((((((((((((( Files Created from 2008-07-03 to 2008-08-03 )))))))))))))))))))))))))))))))
.
2008-08-04 00:14 . 2008-08-04 00:14 <DIR> d-------- C:\RootkitNO
2008-08-04 00:14 . 2008-08-04 00:14 123 --a------ C:\WINDOWS\rootkitno.ini
2008-08-03 23:08 . 2008-08-03 23:08 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-03 20:30 . 2008-08-04 00:22 <DIR> d-------- C:\Program Files\UnHackMe
2008-08-03 20:30 . 2008-08-03 20:30 (2) -rahs-ot- C:\WINDOWS\winstart.bat
2008-08-01 23:47 . 2008-08-01 23:47 <DIR> d-------- C:\Program Files\iTunes
2008-08-01 23:47 . 2008-08-01 23:47 <DIR> d-------- C:\Program Files\iPod
2008-07-25 11:26 . 2008-07-25 11:26 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-07-24 03:01 . 2008-05-27 07:59 106,605 --a------ C:\WINDOWS\System32\StructuredQuerySchema.bin
2008-07-24 03:01 . 2008-05-27 08:17 34,816 --a------ C:\WINDOWS\System32\msscb.dll
2008-07-24 03:01 . 2008-05-27 07:59 18,904 --a------ C:\WINDOWS\System32\StructuredQuerySchemaTrivial.bin
2008-07-24 03:01 . 2008-05-27 08:17 11,776 --a------ C:\WINDOWS\System32\msshooks.dll
2008-07-22 23:13 . 2008-07-22 23:13 <DIR> d-------- C:\Users\HP\AppData\Roaming\dvdcss
2008-07-15 00:06 . 2008-07-15 00:06 <DIR> d-------- C:\Users\HP\AppData\Roaming\Nokia Multimedia Player
2008-07-13 19:19 . 2008-07-13 19:20 <DIR> d-------- C:\Program Files\Microsoft Expression
2008-07-13 19:17 . 2008-07-17 23:58 39 --a------ C:\WINDOWS\vbaddin.ini
2008-07-13 19:16 . 2008-07-13 19:16 162 --a------ C:\WINDOWS\ODBC.INI
2008-07-12 22:22 . 2008-07-12 22:22 <DIR> d-------- C:\Program Files\Bonjour
2008-07-11 19:27 . 2008-06-26 04:45 12,240,896 --a------ C:\WINDOWS\System32\NlsLexicons0007.dll
2008-07-11 19:27 . 2008-06-26 04:45 2,644,480 --a------ C:\WINDOWS\System32\NlsLexicons0009.dll
2008-07-11 19:27 . 2008-06-26 06:29 801,280 --a------ C:\WINDOWS\System32\NaturalLanguage6.dll
2008-07-09 17:45 . 2008-07-09 17:45 <DIR> d-------- C:\swsetup
2008-07-09 17:14 . 2008-04-26 11:25 3,600,952 --a------ C:\WINDOWS\System32\ntkrnlpa.exe
2008-07-09 17:14 . 2008-04-26 11:25 3,549,240 --a------ C:\WINDOWS\System32\ntoskrnl.exe
2008-07-09 17:14 . 2008-04-26 11:26 891,448 --a------ C:\WINDOWS\System32\drivers\tcpip.sys
2008-07-09 17:14 . 2008-04-12 06:32 784,896 --a------ C:\WINDOWS\System32\rpcrt4.dll
2008-07-09 17:14 . 2008-05-10 06:35 564,736 --a------ C:\WINDOWS\System32\emdmgmt.dll
2008-07-09 17:14 . 2008-04-05 04:21 72,192 --a------ C:\WINDOWS\System32\drivers\pacer.sys
2008-07-09 17:14 . 2008-04-05 06:34 15,360 --a------ C:\WINDOWS\System32\pacerprf.dll
2008-07-09 17:11 . 2008-05-09 00:59 430,080 --a------ C:\WINDOWS\System32\vbscript.dll
2008-07-09 17:11 . 2008-05-09 00:59 180,224 --a------ C:\WINDOWS\System32\scrobj.dll
2008-07-09 17:11 . 2008-05-09 00:59 172,032 --a------ C:\WINDOWS\System32\scrrun.dll
2008-07-09 17:11 . 2008-05-09 00:59 155,648 --a------ C:\WINDOWS\System32\wscript.exe
2008-07-09 17:11 . 2008-05-09 00:58 135,168 --a------ C:\WINDOWS\System32\wshom.ocx
2008-07-09 17:11 . 2008-05-09 00:58 135,168 --a------ C:\WINDOWS\System32\cscript.exe
2008-07-09 17:11 . 2008-05-09 00:59 90,112 --a------ C:\WINDOWS\System32\wshext.dll
2008-07-07 23:37 . 2008-07-08 20:32 <DIR> d-------- C:\BNL BACKUP
2008-07-06 22:46 . 2008-07-06 22:46 <DIR> d-------- C:\Users\HP\AppData\Roaming\Research In Motion
2008-07-06 22:44 . 2006-10-20 10:28 26,368 --a------ C:\WINDOWS\System32\drivers\RimSerial.sys
2008-07-06 22:43 . 2008-07-06 22:43 <DIR> d-------- C:\Users\HP\AppData\Roaming\Blackberry Desktop
2008-07-06 22:42 . 2008-07-06 22:42 <DIR> d-------- C:\Program Files\Research In Motion
2008-07-06 22:42 . 2008-07-06 22:43 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2008-07-06 22:20 . 2008-07-06 22:20 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-07-05 22:08 . 2008-07-05 22:08 <DIR> d-------- C:\Users\All Users\LzG24
2008-07-05 22:08 . 2008-07-05 22:08 <DIR> d-------- C:\ProgramData\LzG24
2008-07-05 22:06 . 2008-07-05 22:06 <DIR> d-------- C:\WINDOWS\TestBank Level I - September 2008
2008-07-05 22:06 . 2008-07-05 22:06 <DIR> d-------- C:\Program Files\UpperMark, LLC
2008-07-05 21:47 . 2008-07-05 21:48 <DIR> d-------- C:\Users\All Users\WebEx
2008-07-05 21:47 . 2008-07-05 21:48 <DIR> d-------- C:\ProgramData\WebEx
2008-07-03 23:57 . 2008-07-03 23:57 <DIR> d-------- C:\Program Files\Vodei
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 19:24 --------- d-----w C:\Users\HP\AppData\Roaming\ChessBase
2008-08-03 13:55 --------- d-----w C:\ProgramData\Google Updater
2008-08-03 13:55 --------- d-----w C:\Program Files\Google
2008-08-02 16:45 --------- d-----w C:\Users\HP\AppData\Roaming\ContentGuard
2008-08-02 06:03 --------- d-----w C:\Users\HP\AppData\Roaming\uTorrent
2008-07-27 19:04 --------- d-----w C:\Users\HP\AppData\Roaming\Skype
2008-07-27 17:58 --------- d-----w C:\Users\HP\AppData\Roaming\skypePM
2008-07-27 14:13 --------- d-----w C:\ProgramData\Microsoft Help
2008-07-25 18:00 --------- d-----w C:\ProgramData\Roxio
2008-07-25 08:26 --------- d-----w C:\Program Files\Common Files\Real
2008-07-19 07:49 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-14 14:54 --------- d-----w C:\Program Files\Java
2008-07-10 00:08 --------- d-----w C:\Program Files\Windows Mail
2008-07-09 14:46 --------- d-----w C:\Program Files\HP
2008-07-05 18:14 --------- d-----w C:\Program Files\Safari
2008-06-22 20:42 --------- d-----w C:\ProgramData\Nokia
2008-06-22 20:41 --------- d-----w C:\Program Files\Nokia
2008-06-22 20:40 --------- d-----w C:\ProgramData\Installations
2008-06-22 20:40 --------- d-----w C:\Program Files\Common Files\Nokia
2008-06-22 20:26 --------- d-----w C:\Users\HP\AppData\Roaming\Nokia
2008-06-22 20:17 0 ---ha-w C:\Windows\system32\drivers\Msft_User_PCCSWpdDriver_01_05_00.Wdf
2008-06-22 15:13 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-06-22 11:37 --------- d-----w C:\Program Files\DivX
2008-06-21 11:45 --------- d-----w C:\Program Files\uTorrent
2008-06-21 07:48 --------- d-----w C:\Program Files\QuickTime
2008-06-20 07:38 174 --sha-w C:\Program Files\desktop.ini
2008-06-20 07:30 --------- d-----w C:\Program Files\Windows Sidebar
2008-06-20 07:30 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-06-20 07:30 --------- d-----w C:\Program Files\Windows Defender
2008-06-20 07:30 --------- d-----w C:\Program Files\Windows Collaboration
2008-06-20 07:30 --------- d-----w C:\Program Files\Windows Calendar
2008-06-20 06:53 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-06-20 06:53 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-06-14 21:11 --------- d-----w C:\Users\HP\AppData\Roaming\Palo Alto Software
2008-06-14 21:09 --------- d-----w C:\ProgramData\Palo Alto Software
2008-06-14 21:09 --------- d-----w C:\Program Files\Palo Alto Software
2008-06-14 21:09 --------- d-----w C:\Program Files\Common Files\Palo Alto Software
2008-06-14 09:59 --------- d-----w C:\Users\HP\AppData\Roaming\bppenu11
2008-06-14 09:56 --------- d-----w C:\Program Files\Business Plan Pro
2008-06-14 09:30 --------- d-----w C:\ProgramData\IsolatedStorage
2008-06-13 20:10 --------- d-----w C:\Program Files\Common Files\Intuit
2008-06-13 20:04 --------- d-----w C:\ProgramData\PAS
2008-06-13 16:56 --------- d-----w C:\Program Files\QMwin32
2008-06-13 16:54 --------- d-----w C:\Users\HP\AppData\Roaming\SUPERAntiSpyware.com
2008-06-13 16:54 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-06-13 16:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-11 21:11 --------- d-----w C:\Users\HP\AppData\Roaming\ESET
2008-06-11 21:10 --------- d-----w C:\ProgramData\ESET
2008-06-11 17:38 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-06-11 16:27 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-06-11 16:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-11 16:18 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-06-11 04:16 --------- d-----w C:\ProgramData\Lavasoft
2008-06-11 04:12 --------- d-----w C:\Program Files\Lavasoft
2008-06-10 20:04 96,520 ----a-w C:\Windows\system32\drivers\avgldx86.sys
2008-06-10 20:04 10,520 ----a-w C:\Windows\System32\avgrsstx.dll
2008-06-10 20:04 --------- d-----w C:\ProgramData\avg8
2008-06-10 20:04 --------- d-----w C:\Program Files\AVG
2008-06-05 11:57 --------- d-----w C:\ProgramData\Mindjet
2008-06-05 06:52 --------- d-----w C:\Users\HP\AppData\Roaming\Cogniview
2008-06-05 06:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-05 06:45 --------- d-----w C:\Program Files\Cogniview
2008-05-30 23:22 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2008-05-30 23:22 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2008-05-30 23:22 815,104 ----a-w C:\Windows\System32\divx_xx0a.dll
2008-05-30 23:22 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2008-05-30 23:22 683,520 ----a-w C:\Windows\System32\DivX.dll
2008-05-30 23:22 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2008-05-30 23:22 57,344 ----a-w C:\Windows\System32\dpv11.dll
2008-05-30 23:22 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2008-05-30 23:22 344,064 ----a-w C:\Windows\System32\dpus11.dll
2008-05-30 23:22 294,912 ----a-w C:\Windows\System32\dpu11.dll
2008-05-30 23:22 294,912 ----a-w C:\Windows\System32\dpu10.dll
2008-05-27 05:21 1,582,592 ----a-w C:\Windows\System32\tquery.dll
2008-05-27 05:21 1,418,240 ----a-w C:\Windows\System32\mssrch.dll
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\SearchFilterHost.exe
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\mssitlb.dll
2008-05-27 05:17 754,176 ----a-w C:\Windows\System32\propsys.dll
2008-05-27 05:17 60,416 ----a-w C:\Windows\System32\msscntrs.dll
2008-05-27 05:17 6,103,040 ----a-w C:\Windows\System32\chtbrkr.dll
2008-05-27 05:17 32,768 ----a-w C:\Windows\System32\mssprxy.dll
2008-05-27 05:17 313,344 ----a-w C:\Windows\System32\thawbrkr.dll
2008-05-27 05:17 301,568 ----a-w C:\Windows\System32\srchadmin.dll
2008-05-27 05:17 194,560 ----a-w C:\Windows\System32\offfilt.dll
2008-05-27 05:17 143,872 ----a-w C:\Windows\System32\korwbrkr.dll
2008-05-27 05:17 1,671,680 ----a-w C:\Windows\System32\chsbrkr.dll
2008-05-22 22:22 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-05-22 22:22 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-05-22 22:20 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-05-22 22:19 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-05-22 22:19 196,608 ----a-w C:\Windows\System32\dtu100.dll
2008-05-22 22:19 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2008-05-16 08:58 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2008-05-10 03:35 885,248 ----a-w C:\Windows\System32\RacEngn.dll
2008-01-08 17:32 32 ----a-w C:\Users\All Users\ezsid.dat
2008-01-08 17:32 32 ----a-w C:\ProgramData\ezsid.dat
.
((((((((((((((((((((((((((((( snapshot_2008-08-04_ 0.10.26.77 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-03 21:16:03 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-08-03 21:16:03 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-08-03 21:05:06 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-08-03 21:18:29 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-08-03 21:18:29 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-08-03 21:05:05 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-08-03 21:18:24 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-08-03 21:18:24 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-08-03 20:12:06 112,482 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-08-03 21:20:32 112,482 ----a-w C:\Windows\System32\perfc009.dat
- 2008-08-03 20:12:06 633,748 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-08-03 21:20:32 633,748 ----a-w C:\Windows\System32\perfh009.dat
- 2008-08-03 20:07:17 12,212 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-129870416-3998998155-2461932588-1001_UserData.bin
+ 2008-08-03 21:17:52 12,414 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-129870416-3998998155-2461932588-1001_UserData.bin
- 2008-08-03 20:07:17 71,250 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-08-03 21:17:52 71,330 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-08-03 20:07:16 38,558 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-08-03 21:17:51 38,886 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 10:33 125952]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 10:33 202240]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-03-28 11:20 1079296]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 18:41 1232896]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-01-26 09:03 708616]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"KBD"="C:\HP\KBD\KbdStub.EXE" [2006-12-08 19:16 65536]
"OsdMaestro"="C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 13:59 118784]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-04-20 04:11 151552]
"PivotSoftware"="C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 12:17 694008]
"DT HPW"="C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe" [2007-04-25 12:36 280064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"bgsmsnd.exe"="C:\Windows\system32\bgsmsnd.exe" [2007-11-19 10:36 160136]
"MMReminderService"="C:\Program Files\Mindjet\MindManager 7\MMReminderService.exe" [2007-05-18 00:05 37392]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-10 23:04 1177368]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-08-28 01:59 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-08-28 01:59 8473120]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-08-28 01:59 81920]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 11:26 4874240 C:\WINDOWS\RtHDVCpl.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 02:17 55824 C:\WINDOWS\KHALMNPR.Exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 18:41 1232896]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Palo Alto Software Update Manager 8.0.lnk - C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_UD.exe [2007-02-13 12:03:24 128544]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo"= CSvidcap.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TalkAndWrite]
--a------ 2008-01-08 20:35 3042816 C:\ProgramData\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-129870416-3998998155-2461932588-1001]
"EnableNotificationsRef"=dword:00000007
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{1A3EA7E0-A4D1-4C19-8BD7-2FBD264B5800}"= UDP:C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{7C735085-2FAD-4ADD-A184-E575311E89A0}"= TCP:C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{9A38C7EF-1246-4FD5-8843-70D2FC847E05}"= UDP:C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel(R) Viiv(TM) Media Server
"{81950DC3-AD62-4E1F-95B4-8AC89341A0C2}"= TCP:C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel(R) Viiv(TM) Media Server
"{165AFFE7-FE9D-49F4-B47F-1B05900509D2}"= UDP:C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel(R) Remoting Service
"{C0D7782C-5D7E-4B08-A3B4-425EDAAF89D7}"= TCP:C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel(R) Remoting Service
"{C2B7AB0D-1548-45EC-88B5-33987CF45DFD}"= TCP:9442:127.0.0.1:Intel(R) Viiv(TM) Media Server Discovery
"{01ED933C-0271-40A0-8C39-D5ACEE0BED29}"= TCP:1900:LocalSubnet:LocalSubnet:Intel(R) Viiv(TM) Media Server UPnP Discovery
"{A4694F55-3626-4D97-8288-295CD7EA0996}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{10BC16D9-DCFE-4191-A65D-B6745EFA19BA}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{787E827F-22CD-4453-B0FB-B4ECAA26F83D}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule
"TCP Query User{EE7CA935-49AC-4206-8CF8-6E73A3F30601}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{2690BC7D-4D6B-4A33-97D4-245F895F3708}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{68B81E44-17D9-456F-8947-F6B937B310EF}C:\\program files\\real\\realplayer\\realplay.exe"= UDP:C:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{F6A8C056-496D-4CEC-AA2B-B1518BE8AE52}C:\\program files\\real\\realplayer\\realplay.exe"= TCP:C:\program files\real\realplayer\realplay.exe:RealPlayer
"TCP Query User{80B60DBF-0BCD-4898-998E-EF19580E00BB}C:\\program files\\internet chess club\\blitzin 2.6\\blitzin26.exe"= UDP:C:\program files\internet chess club\blitzin 2.6\blitzin26.exe:BlitzIn 2.5 ICC Client
"UDP Query User{A94388A6-96D8-4841-A37B-CA108FD5A3AA}C:\\program files\\internet chess club\\blitzin 2.6\\blitzin26.exe"= TCP:C:\program files\internet chess club\blitzin 2.6\blitzin26.exe:BlitzIn 2.5 ICC Client
"TCP Query User{7BD034ED-36D4-471C-B4EF-79DFE83AE717}C:\\program files\\skype\\phone\\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{9F6D97C0-BFE5-44B9-86C5-33B6BC06AC69}C:\\program files\\skype\\phone\\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"{39AF88C6-EAC6-46EB-8629-3D6E5B7DD68D}"= UDP:C:\WINDOWS\System32\spool\drivers\w32x86\3\HP2014MC.EXE:SMLMProxy Module - HP2014MC.EXE
"{918F7C24-97BA-43BB-898C-7477E0C44187}"= TCP:C:\WINDOWS\System32\spool\drivers\w32x86\3\HP2014MC.EXE:SMLMProxy Module - HP2014MC.EXE
"{7077CF36-3130-4CBB-8C1C-809E6B96F867}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{018D8C02-EF30-4495-963B-06C85F4FC1A4}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{4CEC7DC3-758E-4FD3-8220-3E2962F4BF6B}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{0CF80992-1672-47B0-9081-AF3C09EE50BF}"= UDP:C:\Program Files\Internet Chess Club\BlitzIn 2.7\BlitzIn27.exe:BlitzIn 2.7
"{61A61DFC-240C-491E-8CDF-D8CA7339B740}"= TCP:C:\Program Files\Internet Chess Club\BlitzIn 2.7\BlitzIn27.exe:BlitzIn 2.7
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-06-10 23:04]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-10 23:04]
R2 DQLWinService;DQLWinService;C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-09-03 20:32]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2007-08-31 16:46]
S2 IntelDHSvcConf;Intel DH Service;C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [2006-05-10 19:13]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{066bb7ba-42d0-11dd-8c1f-001bfce08336}]
\shell\AutoRun\command - M:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a509a1b-5567-11dd-afb0-001bfce08336}]
\shell\AutoRun\command - N:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d5af417-50f8-11dd-b8c6-001bfce08336}]
\shell\AutoRun\command - M:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a65643eb-0b02-11dd-8803-001bfce08336}]
\shell\AutoRun\command - L:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a656440c-0b02-11dd-8803-001bfce08336}]
\shell\AutoRun\command - L:\8ng8w.com
\shell\explore\Command - L:\8ng8w.com
\shell\open\Command - L:\8ng8w.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa1e5ca0-b147-11dc-8e41-001bfce08336}]
\shell\AutoRun\command - L:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb1e38cf-c995-11dc-b7cd-001bfce08336}]
\shell\AutoRun\command - L:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d841311f-d0c7-11dc-a10d-001bfce08336}]
\shell\AutoRun\command - L:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = https://mail.asiacapitalre.com/exchweb/ ... /&reason=0
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 00:30:18
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\Portrait Displays\Pivot Software\winphook.dll
.
Completion time: 2008-08-04 0:31:55
ComboFix-quarantined-files.txt 2008-08-03 21:31:24
ComboFix2.txt 2008-08-03 21:11:40
ComboFix3.txt 2008-06-11 18:05:31
Pre-Run: 105,064,845,312 bytes free
Post-Run: 105,029,906,432 bytes free
318 --- E O F --- 2008-07-24 00:02:15
____________
What can I do, as my security setting still won't work?