"System integrity scan wizard" invaded my computer. HELP!

Printable View

Show 40 post(s) from this thread on one page

January 8th, 2009, 11:57 PM
photoguy1

Combofix Log

I hope I didn't do something wrong, but this is what did. After re-installing, the program still froze for hours, so instead of dragging the entire folder: cfscript.txt, I went into that folder and dragged the text file with all the info you sent into combofix and it worked...I think?! Here's the log file in two parts:

ComboFix 09-01-08.01 - Marty Rosengarten 2009-01-08 21:45:13.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2975 [GMT -5:00]
Running from: c:\documents and settings\Marty Rosengarten\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marty Rosengarten\Desktop\CFscript.txt\CFscript.txt
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning disabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
FW: *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

2009-01-07 18:00 . 2009-01-07 18:00 <DIR> d-------- c:\documents and settings\Marty Rosengarten\Application Data\Grisoft
2009-01-07 18:00 . 2007-05-30 07:10 10,872 --a------ c:\windows\system32\drivers\AvgAsCln.sys
2009-01-06 14:14 . 2009-01-06 14:14 685,056 --a------ c:\windows\isRS-000.tmp
2009-01-06 14:14 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 02:54 . 2009-01-06 02:54 90,112 --a------ C:\zcxxfilse.exe
2009-01-06 02:54 . 2009-01-06 02:54 90,112 -r-hs---- c:\windows\windsvc.exe
2009-01-06 00:40 . 2009-01-06 00:46 108,516,963 --ah----- C:\Maxthon.html
2009-01-06 00:38 . 2009-01-07 00:26 831,421,626 --ah----- C:\Opera.html
2009-01-06 00:37 . 2009-01-06 00:34 344,064 -rahs---- c:\documents and settings\Marty Rosengarten\Application Data\mchost.exe
2009-01-06 00:37 . 2009-01-06 00:38 14,336 --a------ C:\qjfrlys.exe
2009-01-06 00:36 . 2009-01-07 00:26 800,535,260 --ah----- C:\Mozilla.html
2009-01-06 00:35 . 2009-01-06 00:34 344,064 -rahs---- c:\windows\mchost.exe
2009-01-06 00:34 . 2009-01-06 00:34 344,064 --ah----- C:\windll_v354.exe
2008-12-16 00:53 . 2008-12-16 00:53 <DIR> d-------- c:\program files\SmartFTP Client 3.0 Setup Files
2008-12-16 00:53 . 2008-12-16 00:53 <DIR> d-------- c:\program files\SmartFTP Client

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 02:45 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\skypePM
2009-01-09 02:45 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\Skype
2009-01-09 00:42 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-08 21:29 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-07 21:31 --------- d-----w c:\program files\Lavasoft
2009-01-06 19:15 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-06 06:36 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-05 23:20 --------- d-----w c:\program files\SpywareBlaster
2009-01-05 22:35 --------- d-----w c:\program files\fotoQuote
2009-01-04 23:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-03 08:02 --------- d-----w c:\program files\CCleaner
2009-01-03 07:58 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2008-12-22 04:32 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\Lasersoft Imaging
2008-12-17 12:58 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\FileZilla
2008-12-16 05:54 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\SmartFTP
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-11-26 06:09 --------- d-----w c:\program files\RegCure
2008-11-25 08:53 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\LumaPix
2008-11-13 04:12 --------- d-----w c:\program files\MSXML 4.0
2008-10-26 17:18 273,264 ----a-w c:\windows\FotoFusionV4 Uninstaller.exe
2008-10-26 03:24 5,423,104 ----a-w c:\windows\system32\tlpsplib10.dll
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-10-16 01:00 666,112 ------w c:\windows\system32\dllcache\wininet.dll
2008-10-16 01:00 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
2008-10-16 01:00 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2006-10-08 05:39 2,388 -c--a-w c:\program files\uninstalcwp2.log
2006-02-28 01:10 48,472 -c--a-w c:\documents and settings\Marty Rosengarten\Application Data\GDIPFONTCACHEV1.DAT
2005-09-10 00:55 7,155,864 -c--a-w c:\program files\NGhost10.msi
2005-09-10 00:55 37,766,164 -c--a-w c:\program files\Data1.cab
2005-09-10 00:55 35 -c--a-w c:\program files\SCSSDist.ini
2005-02-22 14:16 1,867 -c--a-w c:\documents and settings\Marty Rosengarten\CountCorners.vbs
2003-11-18 18:37 241,664 ----a-w c:\program files\npmusicn.dll
2002-07-26 21:02 153,088 ----a-w c:\program files\UNWISE.EXE
2008-09-18 21:39 56 --sh--r c:\windows\system32\01758A4BD5.sys
2007-01-03 10:12 88 --sha-r c:\windows\system32\83BE6B67B2.sys
2008-09-18 21:39 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- c:\documents and settings\Marty Rosengarten\Application Data\mchost.exe ----
Company:
File Description:
File Version: 1.00
Product Name:
Copyright:
Original file name: Application.exe
MD5: e93527b115490081dfd3c43ee722bfc7

C:\qjfrlys.exe -- Unable to find Resource table header.
MD5: 21405dd01269a7700ae6380a9f10fd33

---- C:\windll_v354.exe ----
Company:
File Description:
File Version: 1.00
Product Name:
Copyright:
Original file name: Application.exe
MD5: e93527b115490081dfd3c43ee722bfc7

---- c:\windows\mchost.exe ----
Company:
File Description:
File Version: 1.00
Product Name:
Copyright:
Original file name: Application.exe
MD5: e93527b115490081dfd3c43ee722bfc7

---- c:\windows\windsvc.exe ----
Company:
File Description:
File Version: 1.00
Product Name:
Copyright:
Original file name: Application.exe
MD5: e26a9804057a4cafc7053bc1b1328200

---- C:\zcxxfilse.exe ----
Company:
File Description:
File Version: 1.00
Product Name:
Copyright:
Original file name: Application.exe
MD5: e26a9804057a4cafc7053bc1b1328200

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"BitComet"="c:\program files\BitComet\BitComet.exe" [2008-07-17 2599224]
"settings"="c:\windows\mchost.exe" [2009-01-06 344064]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2008-03-24 218496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2006-04-05 2177256]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-15 180269]
"PrettyMay"="c:\program files\PrettyMay\PrettyMay.exe" [2008-04-23 2715648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"settings"="c:\windows\mchost.exe" [2009-01-06 344064]

c:\documents and settings\Marty Rosengarten\Start Menu\Programs\Startup\
PANTONE(R) colorist.lnk - c:\program files\Pantone, Inc\PANTONE(R) colorist\PANTONE(R) colorist.exe [2003-10-28 98304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ColorVisionStartup.lnk - c:\program files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe [2004-12-21 385024]
MonacoGamma.lnk - c:\program files\Monaco Systems\MonacoEZcolor 2.6\MonacoGamma.exe [2005-10-28 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ssvchn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.MJPG"= Pvmjpg30.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\k:\0autocheck autochk *\0lsdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
backup=c:\windows\pss\Forget Me Not.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2006-11-09 15:07 49263 c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 19:38 64512 c:\windows\system32\P17.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" /startup
"dlmMgr"="c:\program files\Common Files\Adobe\ESD\AdobeDownloadManager.exe" restart=1
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"MediaFace Integration"=c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe
"Ink Monitor"=c:\program files\EPSON\Ink Monitor\InkMonitor.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"UpdReg"=c:\windows\UpdReg.EXE
"ehTray"=c:\windows\ehome\ehtray.exe
"P17Helper"=Rundll32 P17.dll,P17Helper
"IntelMeM"=c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"CTSysVol"=c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
"WD Button Manager"=WDBtnMgr.exe
"DLA"=c:\windows\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupXu.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Documents and Settings\\Marty Rosengarten\\My Documents\\Download Start-up files\\utorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Adobe\\Adobe Bridge CS3\\Bridge.exe"=
"c:\\Program Files\\Adobe\\Adobe Device Central CS3\\DeviceCentral.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ESD\\AdobeDownloadManager.exe"=
"c:\\Program Files\\Adobe\\Adobe Utilities\\ExtendScript Toolkit 2\\ExtendScript Toolkit 2.exe"=
"c:\\Program Files\\Adobe\\Adobe Help Center\\ahc.exe"=
"c:\\Program Files\\Adobe\\Adobe Photoshop CS2\\Photoshop.exe"=
"c:\\Program Files\\Adobe\\Adobe Photoshop CS3\\Photoshop.exe"=
"c:\\Program Files\\Adobe\\Adobe Stock Photos CS3\\Adobe Stock Photos CS3.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\fotoQuote\\My Product Name\\FotoQuote Pro\\FotoQuote Pro.EXE"=
"c:\\Program Files\\BitPim\\bitpimw.exe"=
"c:\\Program Files\\Quicken\\qw.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12283:TCP"= 12283:TCP:BitComet 12283 TCP
"12283:UDP"= 12283:UDP:BitComet 12283 UDP
"14461:TCP"= 14461:TCP:BitComet 14461 TCP
"14461:UDP"= 14461:UDP:BitComet 14461 UDP
"9881:TCP"= 9881:TCP:BitComet 9881 TCP
"9881:UDP"= 9881:UDP:BitComet 9881 UDP
"6346:TCP"= 6346:TCP:Shareaza
"8192:TCP"= 8192:TCP:BitComet 8192 TCP
"8192:UDP"= 8192:UDP:BitComet 8192 UDP
"13946:TCP"= 13946:TCP:BitComet 13946 TCP
"13946:UDP"= 13946:UDP:BitComet 13946 UDP

R4 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2007-01-24 14976]
S1 bf324a68;bf324a68;c:\windows\system32\drivers\bf324a68.sys --> c:\windows\system32\drivers\bf324a68.sys [?]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2006-06-24 39048]
S4 HPFECP06;HPFECP06;c:\windows\system32\drivers\HPFECP06.SYS --> c:\windows\system32\drivers\HPFECP06.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{NQQ5L861-82LC-FV28-BC5R-EK164PT2UCAG}]
"c:\windows\mchost.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []

2009-01-08 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-11-26 00:06]

2009-01-01 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-11-26 00:06]

2009-01-08 c:\windows\Tasks\xoowsmum.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{56525793-8408-4ED2-8F6C-F195B775570B} - (no file)
Notify-fccyaBUM - (no file)
January 9th, 2009, 02:38 AM
photoguy1

Combofix Log (2nd part)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Marty Rosengarten\Application Data\Mozilla\Firefox\Profiles\ohrfy97m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\Marty Rosengarten\Application Data\Mozilla\Firefox\Profiles\ohrfy97m.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Marty Rosengarten\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 21:46:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2397076688-397100244-2678602410-1005\Software\Corel\WordPerfect\12\Power Bar\P*NULL*o*NULL*w*NULL*e*NULL*r*NULL* *NULL*B*NULL*a*NULL*r*NULL* *NULL*L*NULL*a*NULL*s*NULL*t*NULL* *NULL*S*NULL*e*NULL*l*NULL*e*NULL*c*NULL*t*NULL*e*NULL*d*NULL* *NULL*-*NULL* *NULL*(*NULL*t*NULL*a*NULL**NULL*(*NULL*t*NULL*a*NULL**NULL*¨*NULL**NULL*Ý*NULL*s*NULL*Ú*NULL**NULL* ]
"0Decorated035 BT"=hex(80000006):30
"1Staccato222 BT"=hex(80000006):30
"2BernhardMod BT"=hex(80000006):30

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,8c,b1,ce,8b,d4,\
95,3a,df,c8,28,51,af,b0,29,a3,98,47,3e,94,42,f9,05,0c,ac,e2,63,26,f1,3f,c8,\
ff,68,ee,66,39,4d,4c,37,09,68,2e,e8,e1,00,eb,16,2b,de,93,6f,a7,d8,f1,53,5c,\
30,cb,0b,50,36

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,88,07,2e,fb,5f,\
4a,41,65,71,3b,04,66,8b,46,0d,96,b3,a0,99,47,c5,bc,ad,c3,6a,9c,d6,61,af,45,\
84,18,f6,f0,c8,99,32,51,72,0c,46,47,15,b0,92,4b,c7,ef,6f,73,50,f1,63,17,5d,\
00,d1,db,81,e7

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,fc,5b,be,ac,47,\
f9,03,be,25,da,ec,7e,55,20,c9,26,35,1b,df,d4,52,a1,2a,66,ff,7c,85,e0,43,d4,\
0e,fe,75,fc,e8,1f,11,c0,5b,16,25,da,ec,7e,55,20,c9,26,f0,51,45,93,a3,34,fb,\
05,2e,3e,e6,7d

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,9e,27,bd,7b,80,\
5e,84,23,3e,1e,9e,e0,57,5a,93,61,f1,53,38,89,3e,b6,04,0d,86,8c,21,01,be,91,\
eb,e7,54,a9,dc,6d,7f,38,e7,46,86,8c,21,01,be,91,eb,e7,53,a3,1a,f1,85,f2,e1,\
05,0d,5e,aa,c6

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,66,28,36,8a,ba,\
0b,29,59,cd,44,cd,b9,a6,33,6c,cd,c0,bd,dd,83,ce,84,82,54,f5,1d,4d,73,a8,13,\
5c,05,4a,83,6f,ec,ab,30,93,b8,cd,44,cd,b9,a6,33,6c,cd,ec,68,e2,e3,77,d8,a2,\
fe,5a,c9,36,91

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,1b,33,bb,68,ea,\
97,13,b6,b0,18,ed,a7,3f,8d,37,a4,58,a6,19,ef,5f,8c,56,2b,df,20,58,62,78,6b,\
cf,c8,af,e1,e0,2d,4d,fb,f7,66,b0,18,ed,a7,3f,8d,37,a4,d2,a5,da,5f,28,32,b2,\
96,76,3d,da,69

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,6d,f3,4f,be,36,\
3b,dc,5b,31,77,e1,ba,b1,f8,68,02,b6,b0,20,d9,84,2c,22,a4,fb,a7,78,e6,12,2f,\
9a,ea,fc,71,2f,58,fd,2d,b2,24,fb,a7,78,e6,12,2f,9a,ea,62,9c,97,d7,bd,28,00,\
da,10,e7,f2,f7

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,07,8a,58,90,67,\
3a,47,32,83,6c,56,8b,a0,85,96,ab,e1,30,9c,50,1f,11,d7,1a,01,3a,48,fc,e8,04,\
4a,f1,5a,27,91,e6,4a,96,ca,c8,83,6c,56,8b,a0,85,96,ab,f2,f8,9a,48,0d,42,f4,\
9e,19,28,ba,ed

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,6e,c2,8e,cc,0d,\
08,65,a0,51,fa,6e,91,28,9e,14,cc,68,c4,0f,40,00,79,4c,a7,f6,0f,4e,58,98,5b,\
89,c9,29,7d,90,c0,46,5c,bd,ba,51,fa,6e,91,28,9e,14,cc,a5,83,9e,f5,f7,55,78,\
13,6c,45,d5,9a

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,52,3f,07,df,a9,\
e9,ad,1b,b1,cd,45,5a,a8,c4,f8,b9,b5,35,26,df,7c,ce,7f,eb,3d,ce,ea,26,2d,45,\
aa,78,56,62,fb,03,7d,46,0b,3c,b1,cd,45,5a,a8,c4,f8,b9,ed,83,f8,8a,86,75,9b,\
6b,c7,ac,5d,6f

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,74,ea,1b,16,e9,\
a1,bb,42,e3,0e,66,d5,eb,bc,2f,6b,a5,98,55,d9,5b,ef,59,8e,2a,b7,cc,b5,b9,7f,\
41,e7,79,ae,b9,75,b9,fb,aa,ff,e3,0e,66,d5,eb,bc,2f,6b,1f,99,58,0d,6e,61,fc,\
2a,ea,ce,f2,63

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,64,e0,c7,10,f3,\
89,34,52,fa,ea,66,7f,d4,3b,6b,70,82,e4,61,be,6b,d4,36,84,6c,43,2d,1e,aa,22,\
2f,9c,a5,e6,c7,29,5a,df,3f,bc,fa,ea,66,7f,d4,3b,6b,70,71,3b,da,e5,06,73,eb,\
05,1c,d8,30,0f
.
Completion time: 2009-01-08 21:49:48
ComboFix-quarantined-files.txt 2009-01-09 02:48:34

Pre-Run: 96,814,821,376 bytes free
Post-Run: 96,800,747,520 bytes free

425 --- E O F --- 2008-12-22 02:36:50
January 9th, 2009, 02:39 AM
photoguy1

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:32 AM, on 1/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\astsrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Pantone, Inc\PANTONE(R) colorist\PANTONE(R) colorist.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\BitComet\BitComet.exe
C:\Documents and Settings\Marty Rosengarten\My Documents\Download Start-up files\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\WINDOWS\mchost.exe",
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\MARTY ROSENGARTEN\Application Data\Mozilla\Profiles\default\azfimivy.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PrettyMay] C:\Program Files\PrettyMay\PrettyMay.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [settings] C:\WINDOWS\mchost.exe
O4 - HKCU\..\Policies\Explorer\Run: [settings] C:\WINDOWS\mchost.exe
O4 - Startup: PANTONE(R) colorist.lnk = C:\Program Files\Pantone, Inc\PANTONE(R) colorist\PANTONE(R) colorist.exe
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe
O4 - Global Startup: MonacoGamma.lnk = C:\Program Files\Monaco Systems\MonacoEZcolor 2.6\MonacoGamma.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/produc...ed/mvt/mvt.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: ssvchn.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\system32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 13030 bytes
January 9th, 2009, 03:04 AM
photoguy1

c:\windows\isRS-000.tmp

File isRS-000.tmp received on 01.08.2009 04:52:02 (CET)
Current status: finished
Result: 1/38 (2.63%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.08 -
AhnLab-V3 2009.1.8.0 2009.01.08 -
AntiVir 7.9.0.45 2009.01.07 -
Authentium 5.1.0.4 2009.01.07 -
Avast 4.8.1281.0 2009.01.07 -
AVG 8.0.0.199 2009.01.07 -
BitDefender 7.2 2009.01.08 -
CAT-QuickHeal 10.00 2009.01.06 -
ClamAV 0.94.1 2009.01.07 -
Comodo 891 2009.01.07 -
DrWeb 4.44.0.09170 2009.01.08 -
eSafe 7.0.17.0 2009.01.06 -
eTrust-Vet 31.6.6296 2009.01.07 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.07 -
F-Secure 8.0.14470.0 2009.01.08 -
Fortinet 3.117.0.0 2009.01.08 -
GData 19 2009.01.08 -
Ikarus T3.1.1.45.0 2009.01.08 -
K7AntiVirus 7.10.581 2009.01.07 -
Kaspersky 7.0.0.125 2009.01.08 -
McAfee 5488 2009.01.07 -
McAfee+Artemis 5488 2009.01.07 -
Microsoft 1.4205 2009.01.07 -
NOD32 3749 2009.01.07 -
Norman 5.99.02 2009.01.07 -
Panda 9.0.0.4 2009.01.08 Suspicious file
PCTools 4.4.2.0 2009.01.07 -
Rising 21.11.30.00 2009.01.08 -
SecureWeb-Gateway 6.7.6 2009.01.07 -
Sophos 4.37.0 2009.01.08 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2009.01.08 -
TheHacker 6.3.1.4.212 2009.01.08 -
TrendMicro 8.700.0.1004 2009.01.08 -
VBA32 3.12.8.10 2009.01.07 -
ViRobot 2009.1.7.1548 2009.01.07 -
VirusBuster 4.5.11.0 2009.01.07 -
Additional information
File size: 685056 bytes
MD5...: faa7a3c2f20d54b0a0d6f3437fc11d50
SHA1..: d04c079e558a4493c7ee460ef38a8fa4c043d6fc
SHA256: acb7971737aa8cdec071733700243079620fc72b8779d6a9433304b6725f5424
SHA512: cc70b5354a341d4e4c948af6416ac62a8a8a669529db2a831b318959701520b3
4ed6c95d87ebc9d21d5a870188a2233336677db9f307ac17b77362779e68b591
ssdeep: 12288:v/vksLWtSNrPi37NzHDA6Y1gbl5d7Ifoz4mrNNpRpzqjxy:HvksLWtkrPi
37NzHDA6Yg5dsfoTzsxy
PEiD..: -
TrID..: File type identification
Windows OCX File (86.8%)
Win32 Executable Delphi generic (10.3%)
Generic Win/DOS Executable (1.4%)
DOS Executable Generic (1.4%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x490b04
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x8fd34 0x8fe00 6.59 14845ac96af400d883c79c670404b4d2
DATA 0x91000 0xf70 0x1000 4.30 5b5b5131230aa2d505134437519c9eed
BSS 0x92000 0x13ac 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x94000 0x25a4 0x2600 4.93 e31473a4f3c3c5e310b54a1695d2dc0a
.tls 0x97000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x98000 0x18 0x200 0.20 2576789ccaafa41177b70528c836b8df
.reloc 0x99000 0x850c 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0xa2000 0x13a00 0x13a00 4.92 9aff204abe7ef34a0c023eb372259982

( 17 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
> user32.dll: MessageBoxA
> oleaut32.dll: SafeArrayPutElement, SafeArrayCreate, VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
> advapi32.dll: RegSetValueExA, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegEnumValueA, RegEnumKeyExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegCloseKey, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueA, GetUserNameA, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid
> kernel32.dll: lstrcmpA, WriteProfileStringA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, VirtualFree, VirtualAlloc, UnmapViewOfFile, TransactNamedPipe, TerminateThread, TerminateProcess, Sleep, SizeofResource, SetNamedPipeHandleState, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesA, SetErrorMode, SetEndOfFile, SetCurrentDirectoryA, RemoveDirectoryA, ReleaseMutex, ReadFile, QueryPerformanceCounter, OpenProcess, OpenMutexA, MultiByteToWideChar, MulDiv, MoveFileExA, MoveFileA, MapViewOfFile, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryExA, LoadLibraryA, IsDBCSLeadByte, IsBadWritePtr, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetWindowsDirectoryA, GetVersionExA, GetVersion, GetUserDefaultLangID, GetTickCount, GetSystemTimeAsFileTime, GetSystemInfo, GetSystemDirectoryA, GetSystemDefaultLCID, GetShortPathNameA, GetProfileStringA, GetProcAddress, GetPrivateProfileStringA, GetOverlappedResult, GetModuleHandleA, GetModuleFileNameA, GetLogicalDrives, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetDriveTypeA, GetDiskFreeSpaceA, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryA, GetComputerNameA, GetCommandLineA, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FlushFileBuffers, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, DeviceIoControl, DeleteFileA, CreateThread, CreateProcessA, CreateNamedPipeA, CreateMutexA, CreateFileMappingA, CreateFileA, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringA, CompareFileTime, CloseHandle
> mpr.dll: WNetOpenEnumA, WNetGetUniversalNameA, WNetGetConnectionA, WNetEnumResourceA, WNetCloseEnum
> version.dll: VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
> gdi32.dll: UnrealizeObject, TextOutA, StretchDIBits, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, RemoveFontResourceA, Rectangle, RectVisible, RealizePalette, Polyline, Pie, PatBlt, MoveToEx, LineTo, LineDDA, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetCurrentPositionEx, GetClipBox, GetBitmapBits, ExtFloodFill, ExcludeClipRect, EnumFontsA, Ellipse, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateFontIndirectA, CreateDIBitmap, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, Chord, BitBlt, Arc, AddFontResourceA
> user32.dll: WindowFromPoint, WinHelpA, WaitMessage, WaitForInputIdle, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowOwnedPopups, ShowCursor, SetWindowRgn, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetCapture, SetActiveWindow, SendNotifyMessageA, SendMessageTimeoutA, SendMessageW, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, ReplyMessage, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClassA, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharBuffA, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRgn, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollPos, GetPropA, GetParent, GetWindow, GetMessagePos, GetMessageA, GetMenuStringA, GetMenuState, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassInfoW, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, ExitWindowsEx, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableMenuItem, DrawTextW, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcW, CallWindowProcA, CallNextHookEx, BringWindowToTop, BeginPaint, AppendMenuA, CharPrevA, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemBuffA, AdjustWindowRectEx
> comctl32.dll: ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Create, InitCommonControls
> ole32.dll: CoTaskMemFree, CLSIDFromProgID, CoCreateInstance, CoFreeUnusedLibraries, CoUninitialize, CoInitialize, IsEqualGUID
> oleaut32.dll: GetActiveObject, RegisterTypeLib, LoadTypeLib, SysFreeString
> shell32.dll: ShellExecuteExA, ShellExecuteA, SHGetFileInfoA, ExtractIconA
> shell32.dll: SHChangeNotify, SHBrowseForFolder, SHGetPathFromIDList, SHGetMalloc
> comdlg32.dll: GetSaveFileNameA, GetOpenFileNameA
> ole32.dll: CoDisconnectObject
> advapi32.dll: AdjustTokenPrivileges

( 0 exports )
CWSandbox info: http://research.sunbelt-software.com...d6f3437fc11d50
January 9th, 2009, 03:08 AM
photoguy1

C:\zcxxfilse.exe

File zcxxfilse.exe received on 01.08.2009 05:24:06 (CET)
Current status: finished
Result: 1/39 (2.56%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.08 -
AhnLab-V3 2009.1.8.0 2009.01.08 -
AntiVir 7.9.0.45 2009.01.07 -
Authentium 5.1.0.4 2009.01.07 -
Avast 4.8.1281.0 2009.01.07 -
AVG 8.0.0.199 2009.01.07 -
BitDefender 7.2 2009.01.08 -
CAT-QuickHeal 10.00 2009.01.06 -
ClamAV 0.94.1 2009.01.07 -
Comodo 891 2009.01.07 -
DrWeb 4.44.0.09170 2009.01.08 -
eSafe 7.0.17.0 2009.01.06 -
eTrust-Vet 31.6.6296 2009.01.07 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.07 -
F-Secure 8.0.14470.0 2009.01.08 -
Fortinet 3.117.0.0 2009.01.08 -
GData 19 2009.01.08 -
Ikarus T3.1.1.45.0 2009.01.08 -
K7AntiVirus 7.10.581 2009.01.07 -
Kaspersky 7.0.0.125 2009.01.08 -
McAfee 5488 2009.01.07 -
McAfee+Artemis 5488 2009.01.07 -
Microsoft 1.4205 2009.01.07 -
NOD32 3749 2009.01.07 -
Norman 5.99.02 2009.01.07 -
Panda 9.0.0.4 2009.01.08 -
PCTools 4.4.2.0 2009.01.07 -
Prevx1 V2 2009.01.08 Cloaked Malware
Rising 21.11.30.00 2009.01.08 -
SecureWeb-Gateway 6.7.6 2009.01.07 -
Sophos 4.37.0 2009.01.08 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2009.01.08 -
TheHacker 6.3.1.4.212 2009.01.08 -
TrendMicro 8.700.0.1004 2009.01.08 -
VBA32 3.12.8.10 2009.01.07 -
ViRobot 2009.1.7.1548 2009.01.07 -
VirusBuster 4.5.11.0 2009.01.07 -
Additional information
File size: 90112 bytes
MD5...: e26a9804057a4cafc7053bc1b1328200
SHA1..: a7de3c0108a2c29d83b920ab2d54b61fb0a9e61b
SHA256: 20adabd42efdbca5848a2a4f2ec9aadee0cf5c114d6b3723f6b36f33804319cd
SHA512: 5ccd650773e2e20618e64dfd56b5431e074fba684a1a82b20874081b6a37393b
c850358b074a8d94726e838902a404719442147a20e015d990b08c342427f083
ssdeep: 1536:LDOZS+39NG7BBg5ilda8XlNoC9GWWfS4jYtus5RWO+0pacAXa/S+k:LDsS+
39NG7BBg5ilda8XzoFWWfS4jYkP
PEiD..: -
TrID..: File type identification
Win32 Executable Microsoft Visual Basic 6 (90.9%)
Win32 Executable Generic (6.1%)
Generic Win/DOS Executable (1.4%)
DOS Executable Generic (1.4%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4019a8
timedatestamp.....: 0x49372c8c (Thu Dec 04 01:04:12 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xb640 0xc000 5.58 28f45b2b54b3e69e928d8226e8b8b95b
.data 0xd000 0xd20 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0xe000 0x39c 0x8000 6.98 856cc545c9654fc917a5f47da56b719c

( 1 imports )
> MSVBVM60.DLL: __vbaVarTstGt, __vbaVarSub, _CIcos, _adj_fptan, __vbaVarMove, __vbaStrI4, __vbaVarVargNofree, __vbaAryMove, __vbaFreeVar, __vbaLenBstr, __vbaStrVarMove, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, -, __vbaRecAnsiToUni, __vbaStrCat, __vbaLsetFixstr, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenVar, _adj_fdiv_m32, __vbaVarTstLe, -, __vbaAryDestruct, __vbaExitProc, -, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, -, __vbaVarIndexLoad, __vbaStrFixstr, __vbaVarTstLt, _CIsin, -, __vbaErase, -, __vbaVargVarMove, __vbaVarZero, __vbaChkstk, -, __vbaFileClose, EVENT_SINK_AddRef, -, __vbaGenerateBoundsError, -, __vbaGet3, __vbaStrCmp, __vbaPutOwner3, __vbaAryConstruct2, __vbaObjVar, -, __vbaI2I4, DllFunctionCall, __vbaRedimPreserve, _adj_fpatan, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaVarMul, __vbaStrUI1, __vbaUI1I4, __vbaExceptHandler, -, __vbaStrToUnicode, -, -, -, _adj_fprem, _adj_fdivr_m64, __vbaVarDiv, __vbaI2Str, -, -, __vbaFPException, __vbaInStrVar, -, __vbaUbound, __vbaStrVarVal, __vbaVarCat, -, __vbaI2Var, -, -, -, _CIlog, __vbaErrorOverflow, __vbaFileOpen, -, __vbaInStr, __vbaNew2, __vbaVar2Vec, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, -, __vbaI4Str, __vbaFreeStrList, __vbaDerefAry1, _adj_fdivr_m32, _adj_fdiv_r, -, __vbaI4Var, __vbaVarCmpEq, -, __vbaVarAdd, __vbaAryLock, __vbaStrToAnsi, __vbaVarDup, __vbaVarCopy, -, __vbaFpI4, __vbaLateMemCallLd, -, _CIatan, -, __vbaStrMove, __vbaUI1Str, -, __vbaStrVarCopy, _allmul, _CItan, __vbaAryUnlock, -, _CIexp, __vbaI4ErrVar, __vbaFreeObj, -, __vbaFreeStr, -

( 0 exports )
CWSandbox info: http://research.sunbelt-software.com...053bc1b1328200
Prevx info: http://info.prevx.com/aboutprogramte...8B8300C56829C1
January 9th, 2009, 03:12 AM
photoguy1

c:\windows\windsvc.exe

I don't see this file anymore.
January 9th, 2009, 03:15 AM
crunchie

None of those file scans look correct. It should either read "Nothing Found" after each scanner, or give the malware results.
Did the site give you a link to use after completion?
Those files that I had combofix look at look even more suspicious now. None have a company name or other expected info. I believe them to be bad, but would really like to see a proper online scan result first.
January 9th, 2009, 03:37 AM
photoguy1

When I scanned with Jotti's, it showed: "Nothing Found" with every file. With VirusTotal, the File zcxxfilse.exe showed nothing except in Prevx1 V2 2009.01.08 Cloaked Malware

Also, when looking for this file:
c:\documents and settings\Marty Rosengarten\Application Data\mchost.exe
the entire "Application Data" folder is missing!
January 9th, 2009, 03:38 AM
photoguy1

File: zcxxfilse.exe
Status:
OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: e26a9804057a4cafc7053bc1b1328200
Packers detected:
-
Scanner results
Scan taken on 09 Jan 2009 07:31:34 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
January 9th, 2009, 03:43 AM
photoguy1

File: qjfrlys.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 21405dd01269a7700ae6380a9f10fd33
Packers detected:
PE_PATCH
Scanner results
Scan taken on 09 Jan 2009 07:39:38 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found Mal/EncPk-FE
VirusBuster
Found nothing
VBA32
Found nothing
January 9th, 2009, 03:45 AM
photoguy1

C:\windll_v354.exe

I don't see this file anymore.
January 9th, 2009, 03:48 AM
photoguy1

Just a note:
When I turned on all my scanning programs, a Spybot warning popped up asking me if I wanted to allow a registry change to:
c:\windows\mchost.exe. I said no, feeling it was a bad file. Is that why I don't see the folder "Application Data", which also had the file: \mchost.exe?
January 9th, 2009, 04:03 AM
photoguy1

Application Data

Sorry, I didn't have "show hidden files". It's stil there, but the extension: \mchost.exe is missing.
January 9th, 2009, 04:44 AM
crunchie
If spybot pops up asking permission for a registry change when we are fixing something, you need to answer 'allow.' In this case you did right.
I am pretty confident that those filoes need to go. I have done more researching on them and have found nothing good, so I think they should go.

1. Please open Notepad
- Click Start , then Run
- Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:

KillAll:: File:: C:\zcxxfilse.exe c:\windows\windsvc.exe c:\documents and settings\Marty Rosengarten\Application Data\mchost.exe C:\qjfrlys.exe c:\windows\mchost.exe C:\windll_v354.exe Registry:: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "settings"=- [HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run] "settings"=- [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=""

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

https://discussions.virtualdr.com/im.../2010/07/1.gif

7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter you re-enable all the programs that were disabled during the running of ComboFix:
- Combofix.txt
- A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
January 9th, 2009, 05:41 AM
photoguy1

Combofix Log (1st part)

ComboFix 09-01-08.03 - Marty Rosengarten 2009-01-09 4:20:50.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3005 [GMT -5:00]
Running from: c:\documents and settings\Marty Rosengarten\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marty Rosengarten\Desktop\CFScript.txt
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning disabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: *disabled*
* Created a new restore point

FILE ::
c:\documents and settings\Marty Rosengarten\Application Data\mchost.exe
C:\qjfrlys.exe
C:\windll_v354.exe
c:\windows\mchost.exe
c:\windows\windsvc.exe
C:\zcxxfilse.exe
.
ADS - WINDOWS: deleted 0 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Marty Rosengarten\Application Data\mchost.exe
C:\qjfrlys.exe
C:\windll_v354.exe
c:\windows\mchost.exe
c:\windows\windsvc.exe
C:\zcxxfilse.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

2009-01-09 03:51 . 2009-01-09 03:51 <DIR> d-------- c:\program files\Avira
2009-01-09 03:51 . 2009-01-09 03:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-07 18:00 . 2009-01-07 18:00 <DIR> d-------- c:\documents and settings\Marty Rosengarten\Application Data\Grisoft
2009-01-07 18:00 . 2007-05-30 07:10 10,872 --a------ c:\windows\system32\drivers\AvgAsCln.sys
2009-01-06 14:14 . 2009-01-06 14:14 685,056 --a------ c:\windows\isRS-000.tmp
2009-01-06 14:14 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 00:40 . 2009-01-06 00:46 108,516,963 --ah----- C:\Maxthon.html
2009-01-06 00:38 . 2009-01-07 00:26 831,421,626 --ah----- C:\Opera.html
2009-01-06 00:36 . 2009-01-07 00:26 800,535,260 --ah----- C:\Mozilla.html
2008-12-16 00:53 . 2008-12-16 00:53 <DIR> d-------- c:\program files\SmartFTP Client 3.0 Setup Files
2008-12-16 00:53 . 2008-12-16 00:53 <DIR> d-------- c:\program files\SmartFTP Client

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 09:29 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\Skype
2009-01-09 09:28 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-09 09:25 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-09 07:24 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-09 07:21 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\skypePM
2009-01-08 21:29 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-07 21:31 --------- d-----w c:\program files\Lavasoft
2009-01-06 19:15 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-05 23:20 --------- d-----w c:\program files\SpywareBlaster
2009-01-05 22:35 --------- d-----w c:\program files\fotoQuote
2009-01-04 23:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-03 08:02 --------- d-----w c:\program files\CCleaner
2009-01-03 07:58 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2008-12-22 04:32 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\Lasersoft Imaging
2008-12-17 12:58 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\FileZilla
2008-12-16 05:54 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\SmartFTP
2008-11-26 06:09 --------- d-----w c:\program files\RegCure
2008-11-25 08:53 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\LumaPix
2008-11-13 04:12 --------- d-----w c:\program files\MSXML 4.0
2008-10-26 17:18 273,264 ----a-w c:\windows\FotoFusionV4 Uninstaller.exe
2006-10-08 05:39 2,388 -c--a-w c:\program files\uninstalcwp2.log
2006-02-28 01:10 48,472 -c--a-w c:\documents and settings\Marty Rosengarten\Application Data\GDIPFONTCACHEV1.DAT
2005-09-10 00:55 7,155,864 -c--a-w c:\program files\NGhost10.msi
2005-09-10 00:55 37,766,164 -c--a-w c:\program files\Data1.cab
2005-09-10 00:55 35 -c--a-w c:\program files\SCSSDist.ini
2005-02-22 14:16 1,867 -c--a-w c:\documents and settings\Marty Rosengarten\CountCorners.vbs
2003-11-18 18:37 241,664 ----a-w c:\program files\npmusicn.dll
2002-07-26 21:02 153,088 ----a-w c:\program files\UNWISE.EXE
2008-09-18 21:39 56 --sh--r c:\windows\system32\01758A4BD5.sys
2007-01-03 10:12 88 --sha-r c:\windows\system32\83BE6B67B2.sys
2008-09-18 21:39 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2009-01-08_21.47.15.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-09 17:15:51 45,376 ----a-w c:\windows\system32\drivers\avgntdd.sys
+ 2008-01-21 22:11:28 22,336 ----a-w c:\windows\system32\drivers\avgntmgr.sys
+ 2008-10-30 15:21:03 75,072 ----a-w c:\windows\system32\drivers\avipbb.sys
+ 2007-03-01 14:34:22 28,352 ----a-w c:\windows\system32\drivers\ssmdrv.sys
- 2009-01-08 22:48:05 60,780 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-09 07:24:26 60,780 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-08 22:48:05 399,522 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-09 07:24:26 399,522 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-09 09:26:54 16,384 ----atw c:\windows\temp\Perflib_Perfdata_214.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"BitComet"="c:\program files\BitComet\BitComet.exe" [2008-07-17 2599224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2006-04-05 2177256]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-15 180269]
"PrettyMay"="c:\program files\PrettyMay\PrettyMay.exe" [2008-04-23 2715648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

c:\documents and settings\Marty Rosengarten\Start Menu\Programs\Startup\
PANTONE(R) colorist.lnk - c:\program files\Pantone, Inc\PANTONE(R) colorist\PANTONE(R) colorist.exe [2003-10-28 98304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ColorVisionStartup.lnk - c:\program files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe [2004-12-21 385024]
MonacoGamma.lnk - c:\program files\Monaco Systems\MonacoEZcolor 2.6\MonacoGamma.exe [2005-10-28 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.MJPG"= Pvmjpg30.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\k:\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
backup=c:\windows\pss\Forget Me Not.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2006-11-09 15:07 49263 c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 19:38 64512 c:\windows\system32\P17.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" /startup
"dlmMgr"="c:\program files\Common Files\Adobe\ESD\AdobeDownloadManager.exe" restart=1
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"MediaFace Integration"=c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe
"Ink Monitor"=c:\program files\EPSON\Ink Monitor\InkMonitor.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"UpdReg"=c:\windows\UpdReg.EXE
"ehTray"=c:\windows\ehome\ehtray.exe
"P17Helper"=Rundll32 P17.dll,P17Helper
"IntelMeM"=c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"CTSysVol"=c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
"WD Button Manager"=WDBtnMgr.exe
"DLA"=c:\windows\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupXu.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Documents and Settings\\Marty Rosengarten\\My Documents\\Download Start-up files\\utorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Adobe\\Adobe Bridge CS3\\Bridge.exe"=
"c:\\Program Files\\Adobe\\Adobe Device Central CS3\\DeviceCentral.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ESD\\AdobeDownloadManager.exe"=
"c:\\Program Files\\Adobe\\Adobe Utilities\\ExtendScript Toolkit 2\\ExtendScript Toolkit 2.exe"=
"c:\\Program Files\\Adobe\\Adobe Help Center\\ahc.exe"=
"c:\\Program Files\\Adobe\\Adobe Photoshop CS2\\Photoshop.exe"=
"c:\\Program Files\\Adobe\\Adobe Photoshop CS3\\Photoshop.exe"=
"c:\\Program Files\\Adobe\\Adobe Stock Photos CS3\\Adobe Stock Photos CS3.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\fotoQuote\\My Product Name\\FotoQuote Pro\\FotoQuote Pro.EXE"=
"c:\\Program Files\\BitPim\\bitpimw.exe"=
"c:\\Program Files\\Quicken\\qw.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12283:TCP"= 12283:TCP:BitComet 12283 TCP
"12283:UDP"= 12283:UDP:BitComet 12283 UDP
"14461:TCP"= 14461:TCP:BitComet 14461 TCP
"14461:UDP"= 14461:UDP:BitComet 14461 UDP
"9881:TCP"= 9881:TCP:BitComet 9881 TCP
"9881:UDP"= 9881:UDP:BitComet 9881 UDP
"6346:TCP"= 6346:TCP:Shareaza
"8192:TCP"= 8192:TCP:BitComet 8192 TCP
"8192:UDP"= 8192:UDP:BitComet 8192 UDP
"13946:TCP"= 13946:TCP:BitComet 13946 TCP
"13946:UDP"= 13946:UDP:BitComet 13946 UDP

R4 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2007-01-24 14976]
S1 bf324a68;bf324a68;c:\windows\system32\drivers\bf324a68.sys --> c:\windows\system32\drivers\bf324a68.sys [?]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2006-06-24 39048]
S4 HPFECP06;HPFECP06;c:\windows\system32\drivers\HPFECP06.SYS --> c:\windows\system32\drivers\HPFECP06.SYS [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SSMDRV

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cc29b3e-87f7-11dd-8746-00123f75a5ce}]
\Shell\AutoRun\command - "K:\Install FreeAgent Tools.exe" /run

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{NQQ5L861-82LC-FV28-BC5R-EK164PT2UCAG}]
"c:\windows\mchost.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []

2009-01-09 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-11-26 00:06]

2009-01-01 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-11-26 00:06]

2009-01-09 c:\windows\Tasks\xoowsmum.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Marty Rosengarten\Application Data\Mozilla\Firefox\Profiles\ohrfy97m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\Marty Rosengarten\Application Data\Mozilla\Firefox\Profiles\ohrfy97m.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Marty Rosengarten\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 04:27:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0
January 9th, 2009, 05:42 AM
photoguy1

Combofix Log (2nd part)

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,8c,b1,ce,8b,d4,\
95,3a,df,c8,28,51,af,b0,29,a3,98,47,3e,94,42,f9,05,0c,ac,e2,63,26,f1,3f,c8,\
ff,68,ee,66,39,4d,4c,37,09,68,2e,e8,e1,00,eb,16,2b,de,93,6f,a7,d8,f1,53,5c,\
30,cb,0b,50,36

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,88,07,2e,fb,5f,\
4a,41,65,71,3b,04,66,8b,46,0d,96,b3,a0,99,47,c5,bc,ad,c3,6a,9c,d6,61,af,45,\
84,18,f6,f0,c8,99,32,51,72,0c,46,47,15,b0,92,4b,c7,ef,6f,73,50,f1,63,17,5d,\
00,d1,db,81,e7

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,fc,5b,be,ac,47,\
f9,03,be,25,da,ec,7e,55,20,c9,26,35,1b,df,d4,52,a1,2a,66,ff,7c,85,e0,43,d4,\
0e,fe,75,fc,e8,1f,11,c0,5b,16,25,da,ec,7e,55,20,c9,26,f0,51,45,93,a3,34,fb,\
05,2e,3e,e6,7d

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,9e,27,bd,7b,80,\
5e,84,23,3e,1e,9e,e0,57,5a,93,61,f1,53,38,89,3e,b6,04,0d,86,8c,21,01,be,91,\
eb,e7,54,a9,dc,6d,7f,38,e7,46,86,8c,21,01,be,91,eb,e7,53,a3,1a,f1,85,f2,e1,\
05,0d,5e,aa,c6

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,66,28,36,8a,ba,\
0b,29,59,cd,44,cd,b9,a6,33,6c,cd,c0,bd,dd,83,ce,84,82,54,f5,1d,4d,73,a8,13,\
5c,05,4a,83,6f,ec,ab,30,93,b8,cd,44,cd,b9,a6,33,6c,cd,ec,68,e2,e3,77,d8,a2,\
fe,5a,c9,36,91

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,1b,33,bb,68,ea,\
97,13,b6,b0,18,ed,a7,3f,8d,37,a4,58,a6,19,ef,5f,8c,56,2b,df,20,58,62,78,6b,\
cf,c8,af,e1,e0,2d,4d,fb,f7,66,b0,18,ed,a7,3f,8d,37,a4,d2,a5,da,5f,28,32,b2,\
96,76,3d,da,69

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,6d,f3,4f,be,36,\
3b,dc,5b,31,77,e1,ba,b1,f8,68,02,b6,b0,20,d9,84,2c,22,a4,fb,a7,78,e6,12,2f,\
9a,ea,fc,71,2f,58,fd,2d,b2,24,fb,a7,78,e6,12,2f,9a,ea,62,9c,97,d7,bd,28,00,\
da,10,e7,f2,f7

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,07,8a,58,90,67,\
3a,47,32,83,6c,56,8b,a0,85,96,ab,e1,30,9c,50,1f,11,d7,1a,01,3a,48,fc,e8,04,\
4a,f1,5a,27,91,e6,4a,96,ca,c8,83,6c,56,8b,a0,85,96,ab,f2,f8,9a,48,0d,42,f4,\
9e,19,28,ba,ed

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,6e,c2,8e,cc,0d,\
08,65,a0,51,fa,6e,91,28,9e,14,cc,68,c4,0f,40,00,79,4c,a7,f6,0f,4e,58,98,5b,\
89,c9,29,7d,90,c0,46,5c,bd,ba,51,fa,6e,91,28,9e,14,cc,a5,83,9e,f5,f7,55,78,\
13,6c,45,d5,9a

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,52,3f,07,df,a9,\
e9,ad,1b,b1,cd,45,5a,a8,c4,f8,b9,b5,35,26,df,7c,ce,7f,eb,3d,ce,ea,26,2d,45,\
aa,78,56,62,fb,03,7d,46,0b,3c,b1,cd,45,5a,a8,c4,f8,b9,ed,83,f8,8a,86,75,9b,\
6b,c7,ac,5d,6f

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,74,ea,1b,16,e9,\
a1,bb,42,e3,0e,66,d5,eb,bc,2f,6b,a5,98,55,d9,5b,ef,59,8e,2a,b7,cc,b5,b9,7f,\
41,e7,79,ae,b9,75,b9,fb,aa,ff,e3,0e,66,d5,eb,bc,2f,6b,1f,99,58,0d,6e,61,fc,\
2a,ea,ce,f2,63

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*NULL*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,64,e0,c7,10,f3,\
89,34,52,fa,ea,66,7f,d4,3b,6b,70,82,e4,61,be,6b,d4,36,84,6c,43,2d,1e,aa,22,\
2f,9c,a5,e6,c7,29,5a,df,3f,bc,fa,ea,66,7f,d4,3b,6b,70,71,3b,da,e5,06,73,eb,\
05,1c,d8,30,0f
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\ASTSRV.EXE
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Memeo\AutoBackup\MemeoService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\dllhost.exe
c:\program files\Logitech\Video\FxSvr2.exe
.
**************************************************************************
.
Completion time: 2009-01-09 4:34:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-09 09:34:33
ComboFix2.txt 2009-01-09 02:49:49

Pre-Run: 97,919,279,104 bytes free
Post-Run: 97,904,234,496 bytes free

400 --- E O F --- 2008-12-22 02:36:50
January 9th, 2009, 05:43 AM
photoguy1

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:42:47 AM, on 1/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\astsrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PrettyMay\PrettyMay.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Pantone, Inc\PANTONE(R) colorist\PANTONE(R) colorist.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\Marty Rosengarten\My Documents\Download Start-up files\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\MARTY ROSENGARTEN\Application Data\Mozilla\Profiles\default\azfimivy.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PrettyMay] C:\Program Files\PrettyMay\PrettyMay.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - Startup: PANTONE(R) colorist.lnk = C:\Program Files\Pantone, Inc\PANTONE(R) colorist\PANTONE(R) colorist.exe
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe
O4 - Global Startup: MonacoGamma.lnk = C:\Program Files\Monaco Systems\MonacoEZcolor 2.6\MonacoGamma.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/produc...ed/mvt/mvt.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\system32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 13251 bytes
January 9th, 2009, 06:05 AM
crunchie
- Go to Start > Control Panel double-click on the Software icon > add/remove programs.
- Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
- Select it and click Remove.
- Then Download and install the newest version from here:
- http://www.java.com/en/download/manual.jsp
====

Can you please do the following.

===============

You will have to disable Spybot's Teatimer before we begin, as it will interfere with the fix. To do this can you start Spybot and go to the Mode button and select Advanced. Go to Tools > Resident and uncheck the box next to Tea-Timer. Make sure that the icon in the system tray is no longer there. If it is, just right click on it and select "Exit".
Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
Do not forget to re-enable teatimer when we are done :).
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

===============

Scan with HijackThis and then place a check next to all the following, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)

Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

After rebooting, please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
- Once the files are downloaded click on Next
- Click on Scan Settings and configure as follows:
  - Scan using the following Anti-Virus database:
    Extended
  - Scan Options:
    Scan Archives
    Scan Mail Bases
- Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
https://discussions.virtualdr.com/im.../2010/04/1.gif
https://discussions.virtualdr.com/im.../2010/04/2.gif
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
January 10th, 2009, 02:14 AM
photoguy1

I don't understand something about the resetTeaTimer.bat. It brings up a page of code and I don't know where to double click to remove the entries.
January 10th, 2009, 02:55 AM
Train

It is wanting to open up instead of starting to download.
Took 3 tries for me to get it.
I Zipped it and attached it.
January 10th, 2009, 03:12 AM
photoguy1

THANKS! I''m now moving to the next phase.
January 10th, 2009, 04:31 AM
photoguy1

Turning off Antivirus for Kaspersky scan to work

I'm confused. I went into Antivir and deactivated Antivir Guard, yet my computer still shows antivirus being active. I'm afraid that the Kaspersky scan won't work right with other antivirus running. How can I completely turn off all antivirus on my computer? As far as I know, I only have Antivir installed. I've looked everywhere and can't find any other antivirus installed or running. Should I run the Kaspersky scan anyway?
January 10th, 2009, 04:52 AM
crunchie

The antivir service is probably still running. Kaspersky should run fine.
January 12th, 2009, 01:27 AM
photoguy1

Kaspersky found nothing

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, January 11, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, January 11, 2009 07:31:07
Records in database: 1601444
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 179523
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 03:08:48

No malware has been detected. The scan area is clean.

The selected area was scanned.
January 12th, 2009, 01:49 AM
crunchie

Seems good. How is the peecee going?
January 12th, 2009, 02:02 AM
photoguy1

It seems fine! No popups and it's running a little faster. I can't thank you enough for all the help you've given me. THANK YOU!
January 12th, 2009, 04:16 AM
crunchie
You are welcome :).

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Download CCleaner and install, then run it. It will clear out your temp folders.
1. Uncheck "Cookies" under "Internet Explorer".
2. Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
3. Close when finished.
====

An alternative to Ccleaner is ATF Cleaner.
Download ATF (Atribune Temp File) Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

====

Use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera, which in my opinion, is better still.

====

Use a firewall. It is an essential part of your computers security. There is a link to a good, free firewall in my signature.

====

Install and keep updated,
Spybot S&D.
Run it on a regular basis, following the maker's recommendations.

====

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

====

Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

=====

For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start | Run and type msconfig and press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

===============

Please mark this thread as solved if all is well.

If you have any more problems, post back.

-

Happy surfing,

crunchie.

====

This thread is now closed. If you need it reopened, please send a PM to one of our Mods.

Include the link to the thread and detail why you need it reopened.

If this is not your thread please start a New Topic.

Show 40 post(s) from this thread on one page