ComboFix 08-01-03.4 - Tim 2008-01-04 12:50:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1641 [GMT -10:00]
Running from: E:\Hijack This\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\RCX45.tmp
C:\WINDOWS\system32\RCX55.tmp
.
((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.
2008-01-02 00:14 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-31 23:05 . 2008-01-01 19:44 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-31 19:35 . 2007-12-31 19:35 104,448 --a------ C:\WINDOWS\system32\drvgeg.dll
2007-12-31 19:35 . 2007-12-31 19:35 0 --a--c--- C:\Install
2007-12-08 22:12 . 2007-12-26 00:03 <DIR> d-------- C:\Documents and Settings\Tim\Application Data\skypePM
2007-12-08 22:12 . 2007-12-08 22:12 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-08 22:10 . 2007-12-08 22:10 <DIR> d-------- C:\Program Files\Skype
2007-12-08 22:10 . 2007-12-08 22:10 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-12-08 22:10 . 2007-12-26 00:58 <DIR> d-------- C:\Documents and Settings\Tim\Application Data\Skype
2007-12-08 22:10 . 2007-12-08 22:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 11:15 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-02 11:15 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-01-02 10:24 --------- d-----w C:\Program Files\S4F
2008-01-02 10:17 --------- d-----w C:\Program Files\QuickTime
2008-01-02 10:17 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-02 10:17 --------- d-----w C:\Program Files\Function Key Controller
2008-01-02 10:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-01 10:54 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
2007-12-31 01:02 --------- d-----w C:\Program Files\Steam
2007-12-27 00:47 --------- d-----w C:\Program Files\Trillian
2007-12-27 00:38 --------- d-----w C:\Documents and Settings\Tim\Application Data\IGN_DLM
2007-12-09 07:16 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-12-01 01:28 22,328 ----a-w C:\Documents and Settings\Tim\Application Data\PnkBstrK.sys
2007-12-01 00:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-01 00:16 --------- d-----w C:\Program Files\id Software
2007-11-30 22:25 --------- d-----w C:\Documents and Settings\Tim\Application Data\Xfire
2007-11-29 03:41 --------- d-----w C:\Documents and Settings\Tim\Application Data\Leadertech
2007-11-28 08:28 --------- d-----w C:\Documents and Settings\Tim\Application Data\Free Download Manager
2007-11-22 13:50 --------- d-----w C:\Program Files\TinCam
2007-11-22 02:01 --------- d-----w C:\Program Files\Crysis Screensaver
2007-11-21 11:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-21 10:00 --------- d-----w C:\Program Files\AIM6
2007-11-21 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-21 09:59 --------- d-----w C:\Program Files\Viewpoint
2007-11-21 09:59 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-21 09:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-21 09:58 --------- d-----w C:\Program Files\AIM
2007-11-21 09:58 --------- d-----w C:\Documents and Settings\Tim\Application Data\Aim
2007-11-21 09:55 --------- d-----w C:\Program Files\AOD
2007-11-21 09:04 --------- d-----w C:\Program Files\Symantec
2007-11-20 12:07 --------- d-----w C:\Program Files\Xfire
2007-11-20 11:55 --------- d-----w C:\Program Files\Norton 360
2007-11-19 10:54 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-19 10:54 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-11-19 10:54 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-19 10:54 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-19 06:30 --------- d-----w C:\Documents and Settings\Tim\Application Data\My Games
2007-11-19 06:03 --------- d-----w C:\Program Files\EA Sports
2007-11-18 08:36 --------- d-----w C:\Program Files\City of Heroes
2007-11-16 09:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\SimCity Societies
2007-11-16 08:45 --------- d-----w C:\Program Files\Electronic Arts
2007-11-16 08:30 --------- d-----w C:\Program Files\Ventrilo
2007-11-16 08:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-16 07:50 --------- d-----w C:\Program Files\GameSpy Arcade
2007-11-16 05:47 --------- d-----w C:\Program Files\Red Storm Entertainment
2007-11-16 05:25 --------- d-----w C:\Program Files\Ubisoft
2007-11-15 14:58 --------- d-----w C:\Program Files\Ares
2007-11-14 22:21 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2007-11-13 19:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-11-12 09:28 --------- d-----w C:\Program Files\AskPBar
2007-11-11 02:53 --------- d-----w C:\Documents and Settings\Tim\Application Data\Ventrilo
2007-11-11 01:42 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Xfire
2007-11-09 08:06 98,304 -c--a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-11-09 06:34 --------- d-----w C:\Program Files\Activision
2007-11-09 06:12 --------- d-----w C:\Program Files\Yahoo!
2007-11-09 06:12 --------- d-----w C:\Program Files\Common Files\Scanner
2007-11-09 05:38 --------- d-----w C:\Documents and Settings\Tim\Application Data\Yahoo!
2007-11-09 05:27 127,034 ------r C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-11-09 05:27 --------- d-----w C:\Program Files\Logitech
2007-11-09 05:27 --------- d-----w C:\Program Files\Common Files\LogiShared
2007-11-09 05:27 --------- d-----w C:\Documents and Settings\Tim\Application Data\Logitech
2007-11-09 05:25 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-11-09 05:25 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2007-11-09 05:25 --------- d-----w C:\Program Files\Common Files\Logitech
2007-11-09 05:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-11-09 05:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-11-05 21:56 --------- d-----w C:\Program Files\GameShadow
2007-11-05 21:35 --------- d-----w C:\Program Files\SystemRequirementsLab
2007-11-05 08:28 --------- d-----w C:\Documents and Settings\Tim\Application Data\InstallShield Installation Information
2007-11-05 08:27 --------- d-----w C:\Program Files\Unreal Tournament 3 Demo
2007-11-05 08:26 --------- d-----w C:\Program Files\AGEIA Technologies
2007-11-05 04:47 203,264 ----a-w C:\WINDOWS\system32\COD4MW Screensaver.scr
2007-10-25 06:32 356,352 -c--a-w C:\WINDOWS\system32\nvudisp.exe
2007-10-04 21:10 1,424,461 ----a-w C:\WINDOWS\system32\Crysis Screensaver.scr
.
Code:
----a-w 139,264 2008-01-02 10:14:12 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w 115,816 2008-01-02 10:14:11 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 56,928 2008-01-02 10:14:07 C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
----a-w 49,152 2008-01-02 10:14:03 C:\Program Files\Function Key Controller\FKC .exe
----a-w 1,103,480 2008-01-02 10:14:14 C:\Program Files\IGN\Download Manager\dlm .exe
----a-w 970,752 2008-01-02 10:14:09 C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
----a-w 819,200 2008-01-02 10:14:08 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc .exe
----a-w 81,920 2008-01-02 10:14:13 C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd .exe
----a-w 286,720 2008-01-01 10:45:58 C:\Program Files\QuickTime\qttask .exe
----a-w 409,600 2008-01-02 10:14:11 C:\Program Files\S4F\Filter7 .exe
----a-w 794,714 2008-01-02 10:14:03 C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w 158,208 2008-01-01 10:54:37 C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w 15,360 2008-01-02 05:44:17 C:\WINDOWS\system32\ctfmon .exe
((((((((((((((((((((((((((((( snapshot@2008-01-02_ 0.21.07.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-04 22:49:27 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7c8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [ ]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\dlm.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"FunctionKeyCtrl"="C:\Program Files\Function Key Controller\FKC.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-03-07 04:41 7700480]
"NvMediaCenter"="NvMCTray.dll" [2007-03-07 04:41 86016 C:\WINDOWS\system32\nvmctray.dll]
"SkyTel"="SkyTel.EXE" [2006-05-16 15:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 15:54 16116224 C:\WINDOWS\RTHDCPL.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [ ]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [ ]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [ ]
"BisonTrayIcon"="C:\WINDOWS\BisonCam\BisonTrayIcon .exe" [ ]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 10:32 89541 C:\WINDOWS\AGRSMMSG.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 10:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"nwiz"="nwiz.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"S4F"="C:\Program Files\S4F\Filter7.exe" [2003-10-16 11:24 409600]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-11-08 19:25:04]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 2001-12-20 20:34 24576 C:\Program Files\AlienGUIse\fastload.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-07-31 04:44 271672 --a------ C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-05 19:55 54832 --a--c--- C:\Program Files\CyberLink\PowerDVD\Language\Language.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\jkkjh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 12:40 155648 --a--c--- C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S4F]
2003-10-16 11:24 409600 --a------ C:\Program Files\S4F\Filter7.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe -silent
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe silentrun
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zboard]
C:\Program Files\Ideazon\ZEngine\Zboard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=2 (0x2)
"NBService"=3 (0x3)
"Start BT in service"=3 (0x3)
"AresChatServer"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"Symantec Core LC"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"wuauserv"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"btwdins"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"AgereModemAudio"=2 (0x2)
R3 n558;N558 Bluetooth USB Filter Driver;C:\WINDOWS\system32\Drivers\n558.sys [2007-08-15 02:27]
S3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-08-11 20:11]
S3 uisp;Freescale USB JW32 driver;C:\WINDOWS\system32\Drivers\usbicp.sys [2001-01-03 20:12]
S3 USTOR;U-Storage Controller;C:\WINDOWS\system32\DRIVERS\UStork.sys [2003-07-08 00:30]
S3 vncdrv;vncdrv;C:\WINDOWS\system32\DRIVERS\vncdrv.sys [2002-11-20 16:45]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;C:\WINDOWS\system32\DRIVERS\xusb20.sys [2006-10-13 12:48]
S4 Start BT in service;Start BT in service;C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-04-21 00:54]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - Z:\.\Start.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8c4c8c3-fdcb-11db-8c5e-99b4e460d61e}]
\Shell\AutoRun\command - E:\pstart.exe
*Newly Created Service* - COMHOST
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-01-04 12:52:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system\wins4f.dll
.
Completion time: 2008-01-04 12:52:20
ComboFix-quarantined-files.txt 2008-01-04 22:52:19
ComboFix2.txt 2008-01-02 10:21:20
.
2007-11-21 10:56:13 --- E O F ---