Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:52:01 PM, on 1/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\zimbra\zdesktop\zdesktop.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\WINDOWS\MXOaldr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\No-IP\DUC20.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\explorer.exe
C:\highjackthis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: CheckIt 86 Extension Class - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 3.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3661854406
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://www.youbet.net/wr_5_8/controls/ybrequest.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp ... atools.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Google Update Service (gupdate1c9202de24f0e3e) (gupdate1c9202de24f0e3e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Yahoo! Zimbra Desktop Service - Unknown owner - C:\zimbra\zdesktop\zdesktop.exe
--
End of file - 8767 bytes
ComboFix 09-01-08.04 - Tom 2009-01-10 14:54:22.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.829 [GMT -6:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
* Created a new restore point
FILE ::
c:\documents and settings\Tom\LOCAL SETTINGS\Temp\RLOOCCUE.exe
c:\windows\system32\5.tmp
c:\windows\system32\drivers\pkwwjrdy.sys
c:\windows\system32\kfrls.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\pkwwjrdy.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_PKWWJRDY
-------\Service_pkwwjrdy
((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
.
2009-01-07 21:13 . 2009-01-07 21:16 <DIR> d-------- C:\regsearch
2009-01-07 12:35 . 2009-01-07 12:35 <DIR> d-------- c:\program files\ERUNT
2009-01-07 12:32 . 2009-01-07 18:24 <DIR> d-------- C:\Reg Finder
2009-01-05 17:25 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-01-05 17:24 . 2009-01-05 17:24 <DIR> d-------- c:\program files\Panda Security
2009-01-01 16:37 . 2009-01-01 16:37 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-01 12:27 . 2009-01-01 12:27 <DIR> d-------- c:\documents and settings\Georgia\Application Data\Malwarebytes
2008-12-31 21:22 . 2008-12-31 21:22 <DIR> d-------- c:\program files\Opera
2008-12-31 21:17 . 2008-12-31 21:17 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-26 19:33 . 2009-01-07 21:08 <DIR> d-------- C:\1avgtemp1
2008-12-24 15:09 . 2009-01-09 00:06 250 --a------ c:\windows\gmer.ini
2008-12-24 12:59 . 2009-01-09 06:25 <DIR> d-------- C:\1avgtemp
2008-12-24 12:44 . 2008-12-24 12:47 11,164,087 --------- c:\windows\system32\TAQAUEZOZJR
2008-12-23 03:24 . 2008-12-23 03:24 665,088 --------- c:\windows\system32\spsplib1.dll
2008-12-17 17:16 . 2008-12-17 17:32 <DIR> d-------- c:\windows\NV36961336.TMP
2008-12-17 17:16 . 2008-09-17 23:55 453,152 --------- c:\windows\system32\nvuninst.exe
2008-12-17 17:16 . 2008-09-17 23:55 201,050 --------- c:\windows\system32\nvapps.nvb
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 20:49 --------- d-----w c:\documents and settings\Tom\Application Data\Spamihilator
2009-01-10 19:40 --------- d-----w c:\documents and settings\Tom\Application Data\AVG7
2009-01-10 00:38 --------- d-----w c:\program files\QuoteTracker
2009-01-07 18:34 --------- d-----w c:\documents and settings\Tom\Application Data\uTorrent
2009-01-07 18:33 --------- d-----w c:\program files\Java
2009-01-07 18:31 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-05 00:38 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-05 00:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-01 18:47 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-01 18:46 --------- d-----w c:\program files\SpywareBlaster
2009-01-01 18:13 --------- d-----w c:\program files\Spamihilator
2009-01-01 03:46 --------- d-----w c:\program files\YPOPs
2008-12-27 01:04 --------- d-----w c:\documents and settings\Tom\Application Data\Move Networks
2008-12-18 23:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-06 21:29 --------- d-----w c:\documents and settings\Tom\Application Data\Thinstall
2008-12-06 21:23 --------- d-----w c:\documents and settings\All Users\Application Data\LogMeIn
2008-12-06 16:58 --------- d-----w c:\documents and settings\Tom\Application Data\DivX
2008-12-06 16:56 --------- d-----w c:\program files\DivX
2008-12-05 03:06 --------- d-----w c:\program files\Windows Live Safety Center
2008-11-25 21:11 0 ---h--w c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-11-25 21:08 --------- d-----w c:\program files\Motorola Phone Tools
2008-11-25 21:04 --------- d-----w c:\program files\Common Files\Motorola Shared
2008-11-25 21:02 92,064 ------w c:\documents and settings\Tom\mqdmmdm.sys
2008-11-25 21:02 9,232 ------w c:\documents and settings\Tom\mqdmmdfl.sys
2008-11-25 21:02 79,328 ------w c:\documents and settings\Tom\mqdmserd.sys
2008-11-25 21:02 66,656 ------w c:\documents and settings\Tom\mqdmbus.sys
2008-11-25 21:02 6,208 ------w c:\documents and settings\Tom\mqdmcmnt.sys
2008-11-25 21:02 5,936 ------w c:\documents and settings\Tom\mqdmwhnt.sys
2008-11-25 21:02 4,048 ------w c:\documents and settings\Tom\mqdmcr.sys
2008-11-25 21:02 25,600 ------w c:\documents and settings\Tom\usbsermptxp.sys
2008-11-25 21:02 22,768 ------w c:\documents and settings\Tom\usbsermpt.sys
2004-02-12 00:25 560 ------w c:\documents and settings\Tom\PCDOC.BAT
2004-02-07 02:00 26,296 ------w c:\documents and settings\Tom\Application Data\GDIPFONTCACHEV1.DAT
2008-05-07 02:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050620080507\index.dat
.
((((((((((((((((((((((((((((( snapshot@2009-01-08_23.57.09.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-10 21:00:33 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6c8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"Spamihilator"="c:\program files\Spamihilator\spamihilator.exe" [2008-12-23 1321984]
"MXO Auto Loader"="c:\windows\MXOaldr.exe" [2002-08-09 118784]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-31 136600]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-03-02 219136]
c:\documents and settings\Tom\Start Menu\Programs\Startup\
No-IP DUC.lnk - c:\program files\No-IP\DUC20.exe [2006-11-16 1172992]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp officejet g series) - 3.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2008-03-02 16:20 9216 c:\windows\system32\avgwlntf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\
0lsdelete\
0pgdfgsvc C 1
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet g series) - 1.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet g series) - 1.lnk
backup=c:\windows\pss\HPAiODevice(hp officejet g series) - 1.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet g series) - 2.lnk]
backup=c:\windows\pss\HPAiODevice(hp officejet g series) - 2.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk.disabled]
backup=c:\windows\pss\Microsoft Office.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk.disabled]
backup=c:\windows\pss\WinZip Quick Pick.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Tom^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2002-08-29 06:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 23:31 208952 c:\windows\ime\imjp8_1\imjpmig.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---h----- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2002-08-29 06:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--------- 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--------- 2008-09-17 23:55 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDRealtime]
--------- 2003-03-15 22:46 168448 c:\windows\realtime.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2002-08-29 06:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2002-08-29 06:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2003-09-20 19:12 77824 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-09-16 11:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--------- 2008-10-30 08:40 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--------- 2008-09-17 23:55 1657376 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"winvnc"=2 (0x2)
"TapiSrv"=2 (0x2)
"SCardSvr"=3 (0x3)
"RDSessMgr"=2 (0x2)
"RasMan"=3 (0x3)
"mnmsrvc"=3 (0x3)
"ERSvc"=2 (0x2)
"Browser"=3 (0x3)
"TermService"=2 (0x2)
"Backup Server"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SoundMan"=SOUNDMAN.EXE
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"TPP Auto Loader"=c:\windows\tppaldr.exe
"ATIPTA"=c:\mea\WINDOWS\SYSTEM32\atiptaxx.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Spamihilator\\cdcc.exe"=
"c:\\Program Files\\Spamihilator\\dccproc.exe"=
"c:\\Program Files\\Spamihilator\\spamihilator.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-05 28544]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-12-06 47640]
R4 Yahoo! Zimbra Desktop Service;Yahoo! Zimbra Desktop Service;c:\zimbra\zdesktop\zdesktop.exe [2008-12-05 139264]
S3 ATICDSDr;ATICDSDr; [x]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys --> c:\windows\system32\DRIVERS\radpms.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X; [x]
S3 TPP300;USB Storage Adapter V3 (TPP);c:\windows\system32\drivers\TPP300.SYS [2003-09-29 33669]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\windows\system32\drivers\RTL8150.SYS [2005-10-07 24447]
S4 Backup Server;Backup Server;c:\progra~1\NOVANE~1\BACKUP~2.EXE [2004-01-05 576512]
S4 gupdate1c9202de24f0e3e;Google Update Service (gupdate1c9202de24f0e3e);c:\program files\Google\Update\GoogleUpdate.exe [2008-09-26 133104]
S4 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 RLOOCCUE;RLOOCCUE;c:\docume~1\Tom\LOCALS~1\Temp\RLOOCCUE.exe --> c:\docume~1\Tom\LOCALS~1\Temp\RLOOCCUE.exe [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - PKWWJRDY
.
Contents of the 'Scheduled Tasks' folder
2009-01-10 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2008-04-13 18:12]
2009-01-10 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-26 17:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/advanced_search?hl=en
uLocal Page = c:\windows\PCHealth\HelpCtr\System\panels\blank.htm
mLocal Page = c:\windows\PCHealth\HelpCtr\System\panels\blank.htm
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add To CheckIt &86 Trust List - c:\progra~1\CheckIt\86\AddToTrustList.js
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: www.msi.com.tw
O16 -: DirectAnimation Java Classes - file://c:\i386\DAJAVA.CAB
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\i386\XMLDSO.CAB
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
O16 -: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://tw.msi.com.tw/autobios/LOnline/install.cab
c:\windows\Downloaded Program Files\MSIWDev.inf
FF - ProfilePath - c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\default.vt9\
FF - prefs.js: browser.startup.homepage - hxxp://www.okhistory.org
FF - plugin: c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\default.vt9\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000004.dll
FF - plugin: c:\program files\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-10 15:00:58
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\5.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(508)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\avgwlntf.dll
c:\windows\system32\LMIinit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\program files\Grisoft\AVG7\avgamsvr.exe
c:\program files\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\windows\system32\hpoipm07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
.
**************************************************************************
.
Completion time: 2009-01-10 15:06:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-10 21:06:17
ComboFix2.txt 2009-01-09 13:11:29
ComboFix3.txt 2009-01-09 05:58:50
Pre-Run: 50,314,506,240 bytes free
Post-Run: 50,310,930,432 bytes free
275 --- E O F --- 2008-12-12 09:03:41
HAXFIX logfile - by Marckie
version 5.054
Sat 01/10/2009 15:08:08.65
running from C:\HaxFix
--- Checking for Haxdoor ---
checking for a3d files
a3d files not found
checking for matching notify keys
matching notify keys found
AtiE
checking for matching services
no matching services found
checking for matching safeboot services
no matching safeboot services found
--- Checking for Goldun - Spybanker ---
checking for SSODL keys
no ssodl keys found
checking for notify keys
no notify keys found
checking for services
no services found
checking for random used files and services
these files are not necessarily malicious
C:\blakleyCdrive\CABS\WIN95-98\AUDIO\SB1373\AUDIO\ENGLISH\WIN9XDRV\SBPCIR16.DLL
C:\blakleyCdrive\Program Files\Canon Creative\ImageStrip\Graphics\CmraBtn.bmp
C:\blakleyCdrive\Program Files\INSIGHT98\ER6\EN\rpt\1\Toolbox\Master Sheets\stevia.pdf
C:\blakleyCdrive\Program Files\Microsoft Works\workscor\j0187771.wmf
C:\blakleyCdrive\Program Files\MySoftware\MyAdvanced LabelDesigner\Clipart\MENS_RM.PCX
C:\Documents and Settings\Tom\My Documents\My Pictures\amy&josh\thumbs\253t[1].jpg
C:\mea\Program Files\Intuit\QuickBooks Pro\Components\Services\logo3.html
C:\mea\Program Files\Intuit\QuickBooks Pro\Components\Services\insurance1.html
C:\mea\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00191_.WMF
C:\mea\Program Files\Microsoft Office\CLIPART\PUB60COR\J0285822.WMF
C:\mea\Program Files\Microsoft Office\CLIPART\PUB60COR\J0285820.WMF
C:\mea\WINDOWS\INF\netdf650.PNF
C:\mea\WINDOWS\INF\MTXVIDEO.PNF
C:\mea\WINDOWS\$xpsp1hfm$\Q328310\update\q328310.cat
C:\Program Files\Common Files\Research In Motion\Shared\Loader Files\8310-v4.2.2.170_P2.5.0.30\Java\net_rim_crypto_keystore_browser_certificate.cod
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00191_.WMF
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0285822.WMF
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0285820.WMF
C:\WINDOWS\inf\netdf650.PNF
C:\WINDOWS\inf\mtxvideo.PNF
C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.inf
C:\WINDOWS\avxoscan\Plugins\lha.xmd
C:\WINDOWS\avxoscan\Plugins\swf.xmd
C:\zimbra\zdesktop\jetty\webapps\zimbra\WEB-INF\classes\messages\ZMsg_sv.properties
C:\zimbra\zdesktop\jetty\webapps\zimbra\yui\2.5.1\calendar\assets\skins\sam\calendar.css
no matching services found
checking for browser helper objects
no known browser helper objects found
checking for appinit files
no files found
checking for possible infected files
please submit these file here:
http://www.bleepingcomputer.com/submit- ... channel=11
no files found
checking for Active Setup Installed Components
no known Active Setup Installed Components found
checking iexplore.exe
iexplore.exe is not infected
--- Checking for other Goldun, Spybanker and Haxdoor files ---
no other Haxdoor or Goldun files found
--- Catchme logfile - thank you Gmer ---
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-10 15:17:40
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
--- Analysing Catchme logfile ---
no matching regkeys found
Finished!