"System integrity scan wizard" invaded my computer. HELP!

Printable View

Show 40 post(s) from this thread on one page

January 7th, 2009, 04:39 AM
crunchie
Still infected.

==

Please download ComboFix by sUBs from HERE or HERE
- You must download it to and run it from your Desktop
- Physically disconnect from the internet.
- Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
- Double click combofix.exe & follow the prompts.
- When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
- Re-enable all the programs that were disabled during the running of ComboFix..
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!
January 7th, 2009, 06:33 PM
photoguy1

Need help before running Combofix

Combofix showed Antivir Personal Edition running. I disabled it. Combofix still showed it running, so I completely uninstalled it. It still shows as running. I looked in Security and it shows I have Anitivirus running. I have no clue as to what antivirus is running, since I uninstalled Antivir. How do I check which program is still running? I've checked everywhere and can't find a trace of Antivir, but Combofix shows it running.

Marty
January 7th, 2009, 06:43 PM
crunchie

Just check in Task Manager under Processes and see if it's running (shouldn't be if it's uninstalled :)) and run combofix anyway.

Once only please or make sure you post the log from the first run.
January 7th, 2009, 07:33 PM
photoguy1

Combofix results

The entire log won't fit. It's in two parts:
ComboFix 09-01-07.01 - Marty Rosengarten 2009-01-07 18:23:05.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2974 [GMT -5:00]
Running from: c:\documents and settings\Marty Rosengarten\Desktop\ComboFix.exe
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning disabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning disabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning disabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning disabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
FW: *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2009-01-07 18:00 . 2009-01-07 18:00 <DIR> d-------- c:\documents and settings\Marty Rosengarten\Application Data\Grisoft
2009-01-07 18:00 . 2007-05-30 07:10 10,872 --a------ c:\windows\system32\drivers\AvgAsCln.sys
2009-01-06 14:14 . 2009-01-06 14:14 685,056 --a------ c:\windows\isRS-000.tmp
2009-01-06 14:14 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 02:54 . 2009-01-06 02:54 90,112 --a------ C:\zcxxfilse.exe
2009-01-06 02:54 . 2009-01-06 02:54 90,112 -r-hs---- c:\windows\windsvc.exe
2009-01-06 00:40 . 2009-01-06 00:46 108,516,963 --ah----- C:\Maxthon.html
2009-01-06 00:38 . 2009-01-07 00:26 831,421,626 --ah----- C:\Opera.html
2009-01-06 00:37 . 2009-01-06 00:34 344,064 -rahs---- c:\documents and settings\Marty Rosengarten\Application Data\mchost.exe
2009-01-06 00:37 . 2009-01-06 00:38 14,336 --a------ C:\qjfrlys.exe
2009-01-06 00:36 . 2009-01-07 00:26 800,535,260 --ah----- C:\Mozilla.html
2009-01-06 00:35 . 2009-01-06 00:34 344,064 -rahs---- c:\windows\mchost.exe
2009-01-06 00:34 . 2009-01-06 00:34 344,064 --ah----- C:\windll_v354.exe
2008-12-16 00:53 . 2008-12-16 00:53 <DIR> d-------- c:\program files\SmartFTP Client 3.0 Setup Files
2008-12-16 00:53 . 2008-12-16 00:53 <DIR> d-------- c:\program files\SmartFTP Client

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 23:16 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-07 23:04 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\Skype
2009-01-07 21:31 --------- d-----w c:\program files\Lavasoft
2009-01-07 21:25 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\skypePM
2009-01-07 21:01 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-06 19:15 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-06 06:36 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-05 23:20 --------- d-----w c:\program files\SpywareBlaster
2009-01-05 22:35 --------- d-----w c:\program files\fotoQuote
2009-01-04 23:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-03 08:02 --------- d-----w c:\program files\CCleaner
2009-01-03 07:58 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2008-12-22 04:32 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\Lasersoft Imaging
2008-12-17 12:58 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\FileZilla
2008-12-16 05:54 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\SmartFTP
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-11-26 06:09 --------- d-----w c:\program files\RegCure
2008-11-25 08:53 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\LumaPix
2008-11-13 04:12 --------- d-----w c:\program files\MSXML 4.0
2008-10-26 17:18 273,264 ----a-w c:\windows\FotoFusionV4 Uninstaller.exe
2008-10-26 03:24 5,423,104 ----a-w c:\windows\system32\tlpsplib10.dll
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-10-16 01:00 666,112 ------w c:\windows\system32\dllcache\wininet.dll
2008-10-16 01:00 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
2008-10-16 01:00 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2006-10-08 05:39 2,388 -c--a-w c:\program files\uninstalcwp2.log
2006-02-28 01:10 48,472 -c--a-w c:\documents and settings\Marty Rosengarten\Application Data\GDIPFONTCACHEV1.DAT
2005-09-10 00:55 7,155,864 -c--a-w c:\program files\NGhost10.msi
2005-09-10 00:55 37,766,164 -c--a-w c:\program files\Data1.cab
2005-09-10 00:55 35 -c--a-w c:\program files\SCSSDist.ini
2005-02-22 14:16 1,867 -c--a-w c:\documents and settings\Marty Rosengarten\CountCorners.vbs
2003-11-18 18:37 241,664 ----a-w c:\program files\npmusicn.dll
2002-07-26 21:02 153,088 ----a-w c:\program files\UNWISE.EXE
2008-09-18 21:39 56 --sh--r c:\windows\system32\01758A4BD5.sys
2007-01-03 10:12 88 --sha-r c:\windows\system32\83BE6B67B2.sys
2008-09-18 21:39 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2009-01-07_16.55.32.42 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-07 21:29:34 60,780 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-07 23:07:24 60,780 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-07 21:29:34 399,522 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-07 23:07:24 399,522 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-07 23:03:05 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_634.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
January 7th, 2009, 07:34 PM
photoguy1

Combofix (2nd part)

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"BitComet"="c:\program files\BitComet\BitComet.exe" [2008-07-17 2599224]
"settings"="c:\windows\mchost.exe" [2009-01-06 344064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2006-04-05 2177256]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-15 180269]
"PrettyMay"="c:\program files\PrettyMay\PrettyMay.exe" [2008-04-23 2715648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"settings"="c:\windows\mchost.exe" [2009-01-06 344064]

c:\documents and settings\Marty Rosengarten\Start Menu\Programs\Startup\
PANTONE(R) colorist.lnk - c:\program files\Pantone, Inc\PANTONE(R) colorist\PANTONE(R) colorist.exe [2003-10-28 98304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ColorVisionStartup.lnk - c:\program files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe [2004-12-21 385024]
MonacoGamma.lnk - c:\program files\Monaco Systems\MonacoEZcolor 2.6\MonacoGamma.exe [2005-10-28 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccyaBUM]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ssvchn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.MJPG"= Pvmjpg30.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\k:\0autocheck autochk *\0lsdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
backup=c:\windows\pss\Forget Me Not.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2006-11-09 15:07 49263 c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 19:38 64512 c:\windows\system32\P17.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" /startup
"dlmMgr"="c:\program files\Common Files\Adobe\ESD\AdobeDownloadManager.exe" restart=1
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"MediaFace Integration"=c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe
"Ink Monitor"=c:\program files\EPSON\Ink Monitor\InkMonitor.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"UpdReg"=c:\windows\UpdReg.EXE
"ehTray"=c:\windows\ehome\ehtray.exe
"P17Helper"=Rundll32 P17.dll,P17Helper
"IntelMeM"=c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"CTSysVol"=c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
"WD Button Manager"=WDBtnMgr.exe
"DLA"=c:\windows\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupXu.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Documents and Settings\\Marty Rosengarten\\My Documents\\Download Start-up files\\utorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Adobe\\Adobe Bridge CS3\\Bridge.exe"=
"c:\\Program Files\\Adobe\\Adobe Device Central CS3\\DeviceCentral.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ESD\\AdobeDownloadManager.exe"=
"c:\\Program Files\\Adobe\\Adobe Utilities\\ExtendScript Toolkit 2\\ExtendScript Toolkit 2.exe"=
"c:\\Program Files\\Adobe\\Adobe Help Center\\ahc.exe"=
"c:\\Program Files\\Adobe\\Adobe Photoshop CS2\\Photoshop.exe"=
"c:\\Program Files\\Adobe\\Adobe Photoshop CS3\\Photoshop.exe"=
"c:\\Program Files\\Adobe\\Adobe Stock Photos CS3\\Adobe Stock Photos CS3.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\fotoQuote\\My Product Name\\FotoQuote Pro\\FotoQuote Pro.EXE"=
"c:\\Program Files\\BitPim\\bitpimw.exe"=
"c:\\Program Files\\Quicken\\qw.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12283:TCP"= 12283:TCP:BitComet 12283 TCP
"12283:UDP"= 12283:UDP:BitComet 12283 UDP
"14461:TCP"= 14461:TCP:BitComet 14461 TCP
"14461:UDP"= 14461:UDP:BitComet 14461 UDP
"9881:TCP"= 9881:TCP:BitComet 9881 TCP
"9881:UDP"= 9881:UDP:BitComet 9881 UDP
"6346:TCP"= 6346:TCP:Shareaza
"8192:TCP"= 8192:TCP:BitComet 8192 TCP
"8192:UDP"= 8192:UDP:BitComet 8192 UDP
"13946:TCP"= 13946:TCP:BitComet 13946 TCP
"13946:UDP"= 13946:UDP:BitComet 13946 UDP

R4 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2007-01-24 14976]
S1 bf324a68;bf324a68;c:\windows\system32\drivers\bf324a68.sys --> c:\windows\system32\drivers\bf324a68.sys [?]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2006-06-24 39048]
S4 HPFECP06;HPFECP06;c:\windows\system32\drivers\HPFECP06.SYS --> c:\windows\system32\drivers\HPFECP06.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{NQQ5L861-82LC-FV28-BC5R-EK164PT2UCAG}]
"c:\windows\mchost.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []

2009-01-07 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-11-26 00:06]

2009-01-01 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-11-26 00:06]

2009-01-07 c:\windows\Tasks\xoowsmum.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{56525793-8408-4ED2-8F6C-F195B775570B} - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Marty Rosengarten\Application Data\Mozilla\Firefox\Profiles\ohrfy97m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\Marty Rosengarten\Application Data\Mozilla\Firefox\Profiles\ohrfy97m.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Marty Rosengarten\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 18:26:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2397076688-397100244-2678602410-1005\Software\Corel\WordPerfect\12\Power Bar\P*NULL*o*NULL*w*NULL*e*NULL*r*NULL* *NULL*B*NULL*a*NULL*r*NULL* *NULL*L*NULL*a*NULL*s*NULL*t*NULL* *NULL*S*NULL*e*NULL*l*NULL*e*NULL*c*NULL*t*NULL*e*NULL*d*NULL* *NULL*-*NULL* *NULL*(*NULL*t*NULL*a*NULL**NULL*(*NULL*t*NULL*a*NULL**NULL*¨*NULL**NULL*Ý*NULL*s*NULL*Ú*NULL**NULL* ]
"0Decorated035 BT"=hex(80000006):30
"1Staccato222 BT"=hex(80000006):30
"2BernhardMod BT"=hex(80000006):30

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,8c,b1,ce,8b,d4,\
95,3a,df,c8,28,51,af,b0,29,a3,98,47,3e,94,42,f9,05,0c,ac,e2,63,26,f1,3f,c8,\
ff,68,ee,66,39,4d,4c,37,09,68,2e,e8,e1,00,eb,16,2b,de,93,6f,a7,d8,f1,53,5c,\
30,cb,0b,50,36

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,88,07,2e,fb,5f,\
4a,41,65,71,3b,04,66,8b,46,0d,96,b3,a0,99,47,c5,bc,ad,c3,6a,9c,d6,61,af,45,\
84,18,f6,f0,c8,99,32,51,72,0c,46,47,15,b0,92,4b,c7,ef,6f,73,50,f1,63,17,5d,\
00,d1,db,81,e7

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,fc,5b,be,ac,47,\
f9,03,be,25,da,ec,7e,55,20,c9,26,35,1b,df,d4,52,a1,2a,66,ff,7c,85,e0,43,d4,\
0e,fe,75,fc,e8,1f,11,c0,5b,16,25,da,ec,7e,55,20,c9,26,f0,51,45,93,a3,34,fb,\
05,2e,3e,e6,7d

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,9e,27,bd,7b,80,\
5e,84,23,3e,1e,9e,e0,57,5a,93,61,f1,53,38,89,3e,b6,04,0d,86,8c,21,01,be,91,\
eb,e7,54,a9,dc,6d,7f,38,e7,46,86,8c,21,01,be,91,eb,e7,53,a3,1a,f1,85,f2,e1,\
05,0d,5e,aa,c6

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,66,28,36,8a,ba,\
0b,29,59,cd,44,cd,b9,a6,33,6c,cd,c0,bd,dd,83,ce,84,82,54,f5,1d,4d,73,a8,13,\
5c,05,4a,83,6f,ec,ab,30,93,b8,cd,44,cd,b9,a6,33,6c,cd,ec,68,e2,e3,77,d8,a2,\
fe,5a,c9,36,91

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,1b,33,bb,68,ea,\
97,13,b6,b0,18,ed,a7,3f,8d,37,a4,58,a6,19,ef,5f,8c,56,2b,df,20,58,62,78,6b,\
cf,c8,af,e1,e0,2d,4d,fb,f7,66,b0,18,ed,a7,3f,8d,37,a4,d2,a5,da,5f,28,32,b2,\
96,76,3d,da,69

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,6d,f3,4f,be,36,\
3b,dc,5b,31,77,e1,ba,b1,f8,68,02,b6,b0,20,d9,84,2c,22,a4,fb,a7,78,e6,12,2f,\
9a,ea,fc,71,2f,58,fd,2d,b2,24,fb,a7,78,e6,12,2f,9a,ea,62,9c,97,d7,bd,28,00,\
da,10,e7,f2,f7

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,07,8a,58,90,67,\
3a,47,32,83,6c,56,8b,a0,85,96,ab,e1,30,9c,50,1f,11,d7,1a,01,3a,48,fc,e8,04,\
4a,f1,5a,27,91,e6,4a,96,ca,c8,83,6c,56,8b,a0,85,96,ab,f2,f8,9a,48,0d,42,f4,\
9e,19,28,ba,ed

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,6e,c2,8e,cc,0d,\
08,65,a0,51,fa,6e,91,28,9e,14,cc,68,c4,0f,40,00,79,4c,a7,f6,0f,4e,58,98,5b,\
89,c9,29,7d,90,c0,46,5c,bd,ba,51,fa,6e,91,28,9e,14,cc,a5,83,9e,f5,f7,55,78,\
13,6c,45,d5,9a

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,52,3f,07,df,a9,\
e9,ad,1b,b1,cd,45,5a,a8,c4,f8,b9,b5,35,26,df,7c,ce,7f,eb,3d,ce,ea,26,2d,45,\
aa,78,56,62,fb,03,7d,46,0b,3c,b1,cd,45,5a,a8,c4,f8,b9,ed,83,f8,8a,86,75,9b,\
6b,c7,ac,5d,6f

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,74,ea,1b,16,e9,\
a1,bb,42,e3,0e,66,d5,eb,bc,2f,6b,a5,98,55,d9,5b,ef,59,8e,2a,b7,cc,b5,b9,7f,\
41,e7,79,ae,b9,75,b9,fb,aa,ff,e3,0e,66,d5,eb,bc,2f,6b,1f,99,58,0d,6e,61,fc,\
2a,ea,ce,f2,63

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,64,e0,c7,10,f3,\
89,34,52,fa,ea,66,7f,d4,3b,6b,70,82,e4,61,be,6b,d4,36,84,6c,43,2d,1e,aa,22,\
2f,9c,a5,e6,c7,29,5a,df,3f,bc,fa,ea,66,7f,d4,3b,6b,70,71,3b,da,e5,06,73,eb,\
05,1c,d8,30,0f
.
Completion time: 2009-01-07 18:29:49
ComboFix-quarantined-files.txt 2009-01-07 23:28:42
ComboFix2.txt 2009-01-07 21:56:57

Pre-Run: 100,688,531,456 bytes free
Post-Run: 100,670,496,768 bytes free

477 --- E O F --- 2008-12-22 02:36:50
January 7th, 2009, 07:35 PM
photoguy1

New HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:35:02 PM, on 1/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\astsrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Pantone, Inc\PANTONE(R) colorist\PANTONE(R) colorist.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Marty Rosengarten\My Documents\Download Start-up files\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\MARTY ROSENGARTEN\Application Data\Mozilla\Profiles\default\azfimivy.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {56525793-8408-4ED2-8F6C-F195B775570B} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PrettyMay] C:\Program Files\PrettyMay\PrettyMay.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [settings] C:\WINDOWS\mchost.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - HKCU\..\Policies\Explorer\Run: [settings] C:\WINDOWS\mchost.exe
O4 - Startup: PANTONE(R) colorist.lnk = C:\Program Files\Pantone, Inc\PANTONE(R) colorist\PANTONE(R) colorist.exe
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe
O4 - Global Startup: MonacoGamma.lnk = C:\Program Files\Monaco Systems\MonacoEZcolor 2.6\MonacoGamma.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/produc...ed/mvt/mvt.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: ssvchn.dll
O20 - Winlogon Notify: fccyaBUM - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\system32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 13022 bytes
January 7th, 2009, 08:47 PM
crunchie

You posted the log from the 3rd run. In my last post I requested you post the log from the first run. I need to see what was deleted.
January 7th, 2009, 09:08 PM
photoguy1

I thought a copy of the file is automatically saved in C:\combofix.txt, but I don't see it. When I ran it a 2nd time, it showed Antivir still running, so I stopped it to check it. Is there a copy of each log saved or did I have to manually save it? Sorry for the error!
January 7th, 2009, 09:19 PM
crunchie

You can find all of the logs (maximum of 5) in C:\qoobox
January 7th, 2009, 09:37 PM
photoguy1

Is this the 1st or 2nd? (part 1)

ComboFix 09-01-06.02 - Marty Rosengarten 2009-01-07 16:46:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3089 [GMT -5:00]
Running from: c:\documents and settings\Marty Rosengarten\Desktop\ComboFix.exe
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning disabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning disabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning disabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning disabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
FW: *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\MARTYR~1\LOCALS~1\Temp\service.exe
c:\docume~1\MARTYR~1\LOCALS~1\Temp\tmp1.tmp
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\winupdates
c:\windows\system32\befNUvut.ini
c:\windows\system32\befNUvut.ini2
c:\windows\system32\gydetfcd.dll
c:\windows\system32\HQttBJjl.ini
c:\windows\system32\HQttBJjl.ini2
c:\windows\system32\iPAcLRqr.ini
c:\windows\system32\iPAcLRqr.ini2
c:\windows\system32\LloWyyay.ini
c:\windows\system32\LloWyyay.ini2
c:\windows\system32\nfacvjjg.ini
c:\windows\system32\pbpuddor.ini
c:\windows\system32\rpomgykn.ini
c:\windows\system32\sn.txt
c:\windows\system32\tutuxyay.ini
c:\windows\system32\uymdlqkn.ini2
c:\windows\system32\uymdlqkn.tmp
c:\windows\system32\vysibwiv.ini

----- BITS: Possible infected sites -----

hxxp://dealsforfun.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NTBOOT
-------\Legacy_NTLOAD

((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2009-01-06 14:14 . 2009-01-06 14:14 685,056 --a------ c:\windows\isRS-000.tmp
2009-01-06 14:14 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 02:54 . 2009-01-06 02:54 90,112 --a------ C:\zcxxfilse.exe
2009-01-06 02:54 . 2009-01-06 02:54 90,112 -r-hs---- c:\windows\windsvc.exe
2009-01-06 00:40 . 2009-01-06 00:46 108,516,963 --ah----- C:\Maxthon.html
2009-01-06 00:38 . 2009-01-07 00:26 831,421,626 --ah----- C:\Opera.html
2009-01-06 00:37 . 2009-01-06 00:34 344,064 -rahs---- c:\documents and settings\Marty Rosengarten\Application Data\mchost.exe
2009-01-06 00:37 . 2009-01-06 00:38 14,336 --a------ C:\qjfrlys.exe
2009-01-06 00:36 . 2009-01-07 00:26 800,535,260 --ah----- C:\Mozilla.html
2009-01-06 00:35 . 2009-01-06 00:34 344,064 -rahs---- c:\windows\mchost.exe
2009-01-06 00:34 . 2009-01-06 00:34 344,064 --ah----- C:\windll_v354.exe
2009-01-05 18:41 . 2009-01-05 18:41 <DIR> d-------- c:\documents and settings\Marty Rosengarten\Application Data\Flock
2008-12-16 00:53 . 2008-12-16 00:53 <DIR> d-------- c:\program files\SmartFTP Client 3.0 Setup Files
2008-12-16 00:53 . 2008-12-16 00:53 <DIR> d-------- c:\program files\SmartFTP Client

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 21:42 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-07 21:31 --------- d-----w c:\program files\Lavasoft
2009-01-07 21:26 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\Skype
2009-01-07 21:25 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\skypePM
2009-01-07 21:01 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-06 19:15 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-06 06:36 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-05 23:20 --------- d-----w c:\program files\SpywareBlaster
2009-01-05 22:35 --------- d-----w c:\program files\fotoQuote
2009-01-04 23:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-03 08:02 --------- d-----w c:\program files\CCleaner
2009-01-03 07:58 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2008-12-22 04:32 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\Lasersoft Imaging
2008-12-17 12:58 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\FileZilla
2008-12-16 05:54 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\SmartFTP
2008-11-26 06:09 --------- d-----w c:\program files\RegCure
2008-11-25 08:53 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\LumaPix
2008-11-13 04:12 --------- d-----w c:\program files\MSXML 4.0
2008-10-26 17:18 273,264 ----a-w c:\windows\FotoFusionV4 Uninstaller.exe
2006-10-08 05:39 2,388 -c--a-w c:\program files\uninstalcwp2.log
2006-02-28 01:10 48,472 -c--a-w c:\documents and settings\Marty Rosengarten\Application Data\GDIPFONTCACHEV1.DAT
2005-09-10 00:55 7,155,864 -c--a-w c:\program files\NGhost10.msi
2005-09-10 00:55 37,766,164 -c--a-w c:\program files\Data1.cab
2005-09-10 00:55 35 -c--a-w c:\program files\SCSSDist.ini
2005-02-22 14:16 1,867 -c--a-w c:\documents and settings\Marty Rosengarten\CountCorners.vbs
2003-11-18 18:37 241,664 ----a-w c:\program files\npmusicn.dll
2002-07-26 21:02 153,088 ----a-w c:\program files\UNWISE.EXE
2008-09-18 21:39 56 --sh--r c:\windows\system32\01758A4BD5.sys
2007-01-03 10:12 88 --sha-r c:\windows\system32\83BE6B67B2.sys
2008-09-18 21:39 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
January 7th, 2009, 09:39 PM
photoguy1

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"BitComet"="c:\program files\BitComet\BitComet.exe" [2008-07-17 2599224]
"settings"="c:\windows\mchost.exe" [2009-01-06 344064]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2008-03-24 218496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2006-04-05 2177256]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-15 180269]
"PrettyMay"="c:\program files\PrettyMay\PrettyMay.exe" [2008-04-23 2715648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"settings"="c:\windows\mchost.exe" [2009-01-06 344064]

c:\documents and settings\Marty Rosengarten\Start Menu\Programs\Startup\
PANTONE(R) colorist.lnk - c:\program files\Pantone, Inc\PANTONE(R) colorist\PANTONE(R) colorist.exe [2003-10-28 98304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ColorVisionStartup.lnk - c:\program files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe [2004-12-21 385024]
MonacoGamma.lnk - c:\program files\Monaco Systems\MonacoEZcolor 2.6\MonacoGamma.exe [2005-10-28 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe \"c:\windows\mchost.exe\""
"Userinit"="c:\windows\system32\userinit.exe,\"c:\windows\mchost.exe\","

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ssvchn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.MJPG"= Pvmjpg30.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\k:\0autocheck autochk *\0lsdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
backup=c:\windows\pss\Forget Me Not.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hldrrr

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2006-11-09 15:07 49263 c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 19:38 64512 c:\windows\system32\P17.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" /startup
"dlmMgr"="c:\program files\Common Files\Adobe\ESD\AdobeDownloadManager.exe" restart=1
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"MediaFace Integration"=c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe
"Ink Monitor"=c:\program files\EPSON\Ink Monitor\InkMonitor.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"UpdReg"=c:\windows\UpdReg.EXE
"ehTray"=c:\windows\ehome\ehtray.exe
"P17Helper"=Rundll32 P17.dll,P17Helper
"IntelMeM"=c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"CTSysVol"=c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
"WD Button Manager"=WDBtnMgr.exe
"DLA"=c:\windows\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupXu.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Documents and Settings\\Marty Rosengarten\\My Documents\\Download Start-up files\\utorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Adobe\\Adobe Bridge CS3\\Bridge.exe"=
"c:\\Program Files\\Adobe\\Adobe Device Central CS3\\DeviceCentral.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ESD\\AdobeDownloadManager.exe"=
"c:\\Program Files\\Adobe\\Adobe Utilities\\ExtendScript Toolkit 2\\ExtendScript Toolkit 2.exe"=
"c:\\Program Files\\Adobe\\Adobe Help Center\\ahc.exe"=
"c:\\Program Files\\Adobe\\Adobe Photoshop CS2\\Photoshop.exe"=
"c:\\Program Files\\Adobe\\Adobe Photoshop CS3\\Photoshop.exe"=
"c:\\Program Files\\Adobe\\Adobe Stock Photos CS3\\Adobe Stock Photos CS3.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\fotoQuote\\My Product Name\\FotoQuote Pro\\FotoQuote Pro.EXE"=
"c:\\Program Files\\BitPim\\bitpimw.exe"=
"c:\\Program Files\\Quicken\\qw.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12283:TCP"= 12283:TCP:BitComet 12283 TCP
"12283:UDP"= 12283:UDP:BitComet 12283 UDP
"14461:TCP"= 14461:TCP:BitComet 14461 TCP
"14461:UDP"= 14461:UDP:BitComet 14461 UDP
"9881:TCP"= 9881:TCP:BitComet 9881 TCP
"9881:UDP"= 9881:UDP:BitComet 9881 UDP
"6346:TCP"= 6346:TCP:Shareaza
"8192:TCP"= 8192:TCP:BitComet 8192 TCP
"8192:UDP"= 8192:UDP:BitComet 8192 UDP
"13946:TCP"= 13946:TCP:BitComet 13946 TCP
"13946:UDP"= 13946:UDP:BitComet 13946 UDP

R4 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2007-01-24 14976]
S1 bf324a68;bf324a68;c:\windows\system32\drivers\bf324a68.sys --> c:\windows\system32\drivers\bf324a68.sys [?]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2006-06-24 39048]
S4 HPFECP06;HPFECP06;c:\windows\system32\drivers\HPFECP06.SYS --> c:\windows\system32\drivers\HPFECP06.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{NQQ5L861-82LC-FV28-BC5R-EK164PT2UCAG}]
"c:\windows\mchost.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []

2009-01-07 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-11-26 00:06]

2009-01-01 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-11-26 00:06]

2009-01-07 c:\windows\Tasks\xoowsmum.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{56525793-8408-4ED2-8F6C-F195B775570B} - (no file)
HKCU-Run-WebCamRT.exe - (no file)
Notify-fccyaBUM - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Marty Rosengarten\Application Data\Mozilla\Firefox\Profiles\ohrfy97m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\Marty Rosengarten\Application Data\Mozilla\Firefox\Profiles\ohrfy97m.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Marty Rosengarten\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Yahoo!\Common\npyaxmpb.dll

ATTENTION: FIREFOX POLICIES ARE IN FORCE
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 16:50:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0
January 7th, 2009, 09:40 PM
photoguy1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2397076688-397100244-2678602410-1005\Software\Corel\WordPerfect\12\Power Bar\P*NULL*o*NULL*w*NULL*e*NULL*r*NULL* *NULL*B*NULL*a*NULL*r*NULL* *NULL*L*NULL*a*NULL*s*NULL*t*NULL* *NULL*S*NULL*e*NULL*l*NULL*e*NULL*c*NULL*t*NULL*e*NULL*d*NULL* *NULL*-*NULL* *NULL*(*NULL*t*NULL*a*NULL**NULL*(*NULL*t*NULL*a*NULL**NULL*¨*NULL**NULL*Ý*NULL*s*NULL*Ú*NULL**NULL* ]
"0Decorated035 BT"=hex(80000006):30
"1Staccato222 BT"=hex(80000006):30
"2BernhardMod BT"=hex(80000006):30

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,8c,b1,ce,8b,d4,\
95,3a,df,c8,28,51,af,b0,29,a3,98,47,3e,94,42,f9,05,0c,ac,e2,63,26,f1,3f,c8,\
ff,68,ee,66,39,4d,4c,37,09,68,2e,e8,e1,00,eb,16,2b,de,93,6f,a7,d8,f1,53,5c,\
30,cb,0b,50,36

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,88,07,2e,fb,5f,\
4a,41,65,71,3b,04,66,8b,46,0d,96,b3,a0,99,47,c5,bc,ad,c3,6a,9c,d6,61,af,45,\
84,18,f6,f0,c8,99,32,51,72,0c,46,47,15,b0,92,4b,c7,ef,6f,73,50,f1,63,17,5d,\
00,d1,db,81,e7

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,fc,5b,be,ac,47,\
f9,03,be,25,da,ec,7e,55,20,c9,26,35,1b,df,d4,52,a1,2a,66,ff,7c,85,e0,43,d4,\
0e,fe,75,fc,e8,1f,11,c0,5b,16,25,da,ec,7e,55,20,c9,26,f0,51,45,93,a3,34,fb,\
05,2e,3e,e6,7d

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,9e,27,bd,7b,80,\
5e,84,23,3e,1e,9e,e0,57,5a,93,61,f1,53,38,89,3e,b6,04,0d,86,8c,21,01,be,91,\
eb,e7,54,a9,dc,6d,7f,38,e7,46,86,8c,21,01,be,91,eb,e7,53,a3,1a,f1,85,f2,e1,\
05,0d,5e,aa,c6

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,66,28,36,8a,ba,\
0b,29,59,cd,44,cd,b9,a6,33,6c,cd,c0,bd,dd,83,ce,84,82,54,f5,1d,4d,73,a8,13,\
5c,05,4a,83,6f,ec,ab,30,93,b8,cd,44,cd,b9,a6,33,6c,cd,ec,68,e2,e3,77,d8,a2,\
fe,5a,c9,36,91

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,1b,33,bb,68,ea,\
97,13,b6,b0,18,ed,a7,3f,8d,37,a4,58,a6,19,ef,5f,8c,56,2b,df,20,58,62,78,6b,\
cf,c8,af,e1,e0,2d,4d,fb,f7,66,b0,18,ed,a7,3f,8d,37,a4,d2,a5,da,5f,28,32,b2,\
96,76,3d,da,69

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,6d,f3,4f,be,36,\
3b,dc,5b,31,77,e1,ba,b1,f8,68,02,b6,b0,20,d9,84,2c,22,a4,fb,a7,78,e6,12,2f,\
9a,ea,fc,71,2f,58,fd,2d,b2,24,fb,a7,78,e6,12,2f,9a,ea,62,9c,97,d7,bd,28,00,\
da,10,e7,f2,f7

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,07,8a,58,90,67,\
3a,47,32,83,6c,56,8b,a0,85,96,ab,e1,30,9c,50,1f,11,d7,1a,01,3a,48,fc,e8,04,\
4a,f1,5a,27,91,e6,4a,96,ca,c8,83,6c,56,8b,a0,85,96,ab,f2,f8,9a,48,0d,42,f4,\
9e,19,28,ba,ed

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,6e,c2,8e,cc,0d,\
08,65,a0,51,fa,6e,91,28,9e,14,cc,68,c4,0f,40,00,79,4c,a7,f6,0f,4e,58,98,5b,\
89,c9,29,7d,90,c0,46,5c,bd,ba,51,fa,6e,91,28,9e,14,cc,a5,83,9e,f5,f7,55,78,\
13,6c,45,d5,9a

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,52,3f,07,df,a9,\
e9,ad,1b,b1,cd,45,5a,a8,c4,f8,b9,b5,35,26,df,7c,ce,7f,eb,3d,ce,ea,26,2d,45,\
aa,78,56,62,fb,03,7d,46,0b,3c,b1,cd,45,5a,a8,c4,f8,b9,ed,83,f8,8a,86,75,9b,\
6b,c7,ac,5d,6f

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,74,ea,1b,16,e9,\
a1,bb,42,e3,0e,66,d5,eb,bc,2f,6b,a5,98,55,d9,5b,ef,59,8e,2a,b7,cc,b5,b9,7f,\
41,e7,79,ae,b9,75,b9,fb,aa,ff,e3,0e,66,d5,eb,bc,2f,6b,1f,99,58,0d,6e,61,fc,\
2a,ea,ce,f2,63

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,64,e0,c7,10,f3,\
89,34,52,fa,ea,66,7f,d4,3b,6b,70,82,e4,61,be,6b,d4,36,84,6c,43,2d,1e,aa,22,\
2f,9c,a5,e6,c7,29,5a,df,3f,bc,fa,ea,66,7f,d4,3b,6b,70,71,3b,da,e5,06,73,eb,\
05,1c,d8,30,0f
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\ASTSRV.EXE
c:\program files\Memeo\AutoBackup\MemeoService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Logitech\Video\FxSvr2.exe
.
**************************************************************************
.
Completion time: 2009-01-07 16:56:56 - machine was rebooted [Marty Rosengarten]
ComboFix-quarantined-files.txt 2009-01-07 21:56:46

Pre-Run: 100,852,592,640 bytes free
Post-Run: 100,784,451,584 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

510 --- E O F --- 2008-12-22 02:36:50
January 7th, 2009, 09:40 PM
crunchie

Thats the one I am looking for.
January 7th, 2009, 09:44 PM
crunchie

Please locate this file;

ssvchn.dll

Could be in the system32 folder. Let me know the full path to it.

Go to Jotti's or virustotal and have the following files scanned, as well as the one above;

c:\windows\isRS-000.tmp
C:\zcxxfilse.exe
c:\windows\windsvc.exe
c:\documents and settings\Marty Rosengarten\Application Data\mchost.exe
C:\qjfrlys.exe
c:\windows\mchost.exe
C:\windll_v354.exe
c:\windows\system32\01758A4BD5.sys
c:\windows\system32\83BE6B67B2.sys
c:\windows\system32\KGyGaAvL.sys

Let me know the results.
January 7th, 2009, 10:38 PM
photoguy1

Is there a way to search the file ssvchn.dll? I looked in system32. Do I have to simply search every file on my computer?

Show 40 post(s) from this thread on one page