ComboFix log:
ComboFix 08-12-20.01 - Edgar 2008-12-20 12:29:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.493 [GMT -8:00]
Running from: c:\documents and settings\Edgar\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Edgar\Application Data\gadcom
c:\documents and settings\Edgar\Application Data\GetModule
c:\documents and settings\Edgar\Application Data\GetModule\dicik.gz
c:\documents and settings\Edgar\Application Data\GetModule\kwdik.gz
c:\documents and settings\Edgar\Application Data\GetModule\ofadik.gz
c:\documents and settings\Edgar\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Common\helper.dll
c:\program files\Common\helper.sig
c:\program files\GetModule
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\program files\Mjcore
c:\program files\Video Add-on
c:\windows\IE4 Error Log.txt
c:\windows\system32\khfFYOHY.dll
c:\windows\system32\psYccccf.ini
c:\windows\system32\psYccccf.ini2
c:\windows\system32\ssqRJyYr.dll
c:\windows\system32\vaaccnjq.dll
c:\windows\system32\wpv381227390376.cpx
c:\windows\system32\wpv891226787518.cpx
c:\windows\system32\xxyaxUmK.dll
c:\windows\wiaserviv.log
.
((((((((((((((((((((((((( Files Created from 2008-11-20 to 2008-12-20 )))))))))))))))))))))))))))))))
.
2008-12-13 14:48 . 2008-12-18 13:42 1,589,605 ---hs---- c:\windows\system32\ifowuvuv.ini
2008-12-10 21:00 . 2008-12-11 22:31 1,644,376 ---hs---- c:\windows\system32\opumotif.ini
2008-12-07 10:01 . 2008-12-09 12:40 1,564,089 ---hs---- c:\windows\system32\ajibarev.ini
2008-12-06 12:38 . 2008-12-06 12:38 1,428,212 ---hs---- c:\windows\system32\olanerik.ini
2008-12-06 00:18 . 2008-12-06 00:18 1,428,212 ---hs---- c:\windows\system32\ahudajun.ini
2008-12-02 08:49 . 2008-12-02 08:49 674,816 --a------ c:\windows\system32\nsrC.dll
2008-11-25 20:13 . 2008-11-25 20:13 78,636 --a------ c:\windows\system32\xlglqqvgseqqrwclc.exe
2008-11-25 20:13 . 2008-12-03 19:56 53,942 --a------ c:\windows\system32\cont_adsoftinc-remove.exe
2008-11-23 13:44 . 2008-11-23 13:44 <DIR> d-------- c:\program files\Webtools
2008-11-22 21:12 . 2008-11-22 21:12 25,600 --a------ c:\windows\system32\mlJApPHx.dll
2008-11-21 22:19 . 2008-11-21 22:19 <DIR> d-------- c:\program files\Trend Micro
2008-11-21 17:44 . 2008-11-21 17:44 230 --a------ c:\windows\system32\spupdsvc.inf
2008-11-21 17:36 . 2008-12-20 12:16 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-21 17:36 . 2008-11-21 17:37 1,641,321 ---hs---- c:\windows\system32\qjnccaav.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-20 20:31 --------- d-----w c:\program files\Common
2008-11-26 04:19 --------- d-----w c:\program files\Azureus
2008-11-16 20:39 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-11-16 20:38 --------- d-----w c:\program files\AVG
2008-11-16 20:38 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-14 06:33 --------- d-----w c:\documents and settings\Edgar\Application Data\Move Networks
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-12-02 16:49 642,048 ----a-w c:\program files\mozilla firefox\components\nsadsoftinc.dll
2008-09-09 20:39 65,217 --sha-w c:\windows\system32\gibuyata.dll
2008-09-09 20:38 89,088 --sha-w c:\windows\system32\jahamure.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{142af284-f74e-a116-901f-984514500e2a}]
2008-12-02 08:49 674816 --a------ c:\windows\system32\nsrC.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 147456]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 36975]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"EPSON Stylus CX4800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-01 98304]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"6cc20251"="c:\windows\system32\vuvuwofi.dll" [2008-12-13 85694]
c:\documents and settings\Edgar\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ ecli
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRESX.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.2\\Apps\\apdproxy.exe"=
"c:\\Program Files\\a-squared Free\\a2service.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-16 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-16 231704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-10 24652]
S3 atinysxx;ATI USB 2.0 TV Audio Crossbar;c:\windows\system32\DRIVERS\atinysxx.sys [2005-07-03 93696]
S3 atinyvxx;ATI TV WONDER USB2.0 Video & Audio;c:\windows\system32\DRIVERS\atinyvxx.sys [2005-07-03 185344]
S3 ATITUNEP2;ATI TV WONDER USB2.0 TV Tuner;c:\windows\system32\DRIVERS\atinyuxx.sys [2005-07-03 75776]
S3 ATIUTD;ATI TV WONDER USB2.0 Device Driver;c:\windows\system32\Drivers\ATIUTD.sys [2005-07-03 38912]
S3 gkmixern;gkmixern;\??\c:\docume~1\Edgar\LOCALS~1\Temp\gkmixern.sys []
S3 TTDec;ATI TV WONDER USB2.0 Teletext Decoder;c:\windows\system32\DRIVERS\atinyttx.sys [2005-07-03 13824]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f8ac631-fdb6-11dc-a2bd-000e9b01a74b}]
\Shell\AutoRun\command - F:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ea295a7-e17c-11dc-a2b8-000e9b01a74b}]
\Shell\AutoRun\command - f:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2008-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
.
- - - - ORPHANS REMOVED - - - -
BHO-{1bb33913-a2c5-4385-95e5-cef4c52a6a65} - c:\windows\system32\pijahudu.dll
BHO-{592871eb-c52b-4d71-81e8-e4b0fbda8ab2} - c:\windows\system32\xzykci.dll
BHO-{8DDED7E9-5A17-45A9-A615-A554E630F252} - c:\windows\system32\fccccYsp.dll
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-GetModule27 - c:\program files\GetModule\GetModule27.exe
HKLM-Run-kotejovazi - c:\windows\system32\litovelu.dll
HKLM-Run-CPM6ff131cd - c:\windows\system32\gejaneme.dll
HKLM-Run-ATIModeChange - Ati2mdxx.exe
Notify-ssqNHaYQ - ssqNHaYQ.dll
Notify-WgaLogon - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\Edgar\Application Data\Mozilla\Firefox\Profiles\djdwwvl2.Default User\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\nsadsoftinc.dll
FF - plugin: c:\documents and settings\Edgar\Application Data\Mozilla\Firefox\Profiles\djdwwvl2.Default User\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07075003.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 12:43:45
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Java\jre1.5.0_02\bin\jucheck.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2008-12-20 12:56:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-20 20:55:38
Pre-Run: 2,958,811,136 bytes free
Post-Run: 3,321,610,240 bytes free
206 --- E O F --- 2008-11-14 03:05:37