ComboFix 08-10-03.01 - Neymore 2008-10-04 12:47:36.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.246 [GMT -4:00]
Running from: C:\Documents and Settings\Neymore\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Neymore\Application Data\inst.exe
C:\WINDOWS\system32\systeminfo.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MCHINJDRV
((((((((((((((((((((((((( Files Created from 2008-09-04 to 2008-10-04 )))))))))))))))))))))))))))))))
.
2008-10-03 02:22 . 2008-10-03 02:22 <DIR> d----c--- C:\rsit
2008-10-03 02:22 . 2008-10-03 02:22 <DIR> d----c--- C:\Program Files\trend micro
2008-10-03 02:12 . 2008-10-03 02:12 <DIR> d----c--- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-03 02:12 . 2008-10-03 02:12 <DIR> d----c--- C:\Documents and Settings\Neymore\Application Data\Malwarebytes
2008-10-03 02:12 . 2008-10-03 02:12 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-10-03 02:12 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-03 02:12 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-03 01:53 . 2008-10-03 01:53 <DIR> d----c--- C:\Sandbox
2008-10-03 01:52 . 2008-10-03 01:52 <DIR> d----c--- C:\Program Files\Sandboxie
2008-10-03 01:52 . 2008-10-04 12:06 1,664 --a------ C:\WINDOWS\Sandboxie.ini
2008-10-02 21:41 . 2008-10-02 21:41 <DIR> d--hsc--- C:\Documents and Settings\Neymore\PrivacIE
2008-10-02 21:27 . 2007-08-13 18:45 78,336 --a------ C:\WINDOWS\system32\ieencode.dll
2008-10-02 21:27 . 2007-08-13 18:45 78,336 --a------ C:\WINDOWS\system32\dllcache\ieencode.dll
2008-10-02 19:46 . 2008-10-02 19:46 <DIR> d----c--- C:\Program Files\MySpace
2008-10-02 19:46 . 2008-10-02 19:46 <DIR> d----c--- C:\Documents and Settings\Neymore\Application Data\MySpace
2008-09-29 02:12 . 2008-09-29 02:12 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-09-26 00:04 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2008-09-25 23:53 . 2008-09-26 00:03 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-09-25 23:53 . 2008-09-25 23:53 <DIR> d-------- C:\WINDOWS\Logs
2008-09-25 23:47 . 2008-09-25 23:47 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-23 17:38 . 2006-11-30 16:24 86,016 --a------ C:\WINDOWS\system32\custmon32.dll
2008-09-04 17:24 . 2008-09-06 13:29 <DIR> d----c--- C:\Documents and Settings\Neymore\Application Data\Yahoo!
2008-09-04 17:22 . 2008-09-29 19:58 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo!
2008-09-04 17:21 . 2008-10-02 01:24 <DIR> d----c--- C:\Program Files\Yahoo!
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-10-04 03:15 --------- dc----w C:\Documents and Settings\Neymore\Application Data\uTorrent
2008-10-04 02:56 --------- d-----w C:\Program Files\Google
2008-10-02 16:32 --------- dc----w C:\Documents and Settings\Neymore\Application Data\LimeWire
2008-09-28 06:35 --------- dc----w C:\Documents and Settings\Neymore\Application Data\Paltalk
2008-09-28 06:34 --------- dc----w C:\Program Files\Elaborate Bytes
2008-09-23 22:15 --------- dc--a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-09-23 21:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-08 04:38 --------- dc----w C:\Program Files\Stardock
2008-09-03 07:49 --------- dc----w C:\Program Files\Common Files\Stardock
2008-09-03 07:31 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
2008-08-31 20:57 --------- dc----w C:\Program Files\LimeWire
2008-08-29 02:40 --------- dc----w C:\Program Files\Conduit
2008-08-29 02:36 --------- dc----w C:\Documents and Settings\Neymore\Application Data\Corel
2008-08-29 01:59 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Corel
2008-08-29 01:43 --------- dc----w C:\Documents and Settings\Neymore\Application Data\InstallShield
2008-08-29 01:33 --------- dc----w C:\Program Files\Common Files\Adobe
2008-08-22 21:16 --------- dc----w C:\Program Files\Java
2008-08-21 19:46 --------- dc----w C:\Documents and Settings\Neymore\Application Data\Apple Computer
2008-08-21 16:59 --------- dc----w C:\Documents and Settings\Neymore\Application Data\Vso
2008-08-20 10:45 --------- dc----w C:\Documents and Settings\Neymore\Application Data\CoreCodec
2008-08-17 22:25 --------- dc----w C:\Program Files\DivX
2008-08-04 06:36 --------- dc----w C:\Documents and Settings\Neymore\Application Data\Azureus
2008-08-01 05:45 47,360 -c--a-w C:\Documents and Settings\Neymore\Application Data\pcouffin.sys
2008-07-13 05:57 286,720 ----a-w C:\WINDOWS\iun507.exe
.
------- Sigcheck -------
2005-03-01 20:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2004-08-04 08:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 20:34 2056832 81013f36b21c7f72cf784cc6731e0002 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 04:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr\ntkrnlpa.exe
2007-02-28 05:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2qfe\ntkrnlpa.exe
2005-03-01 20:34 2068608 700e4ad3775420daa937ee3935c0d74f C:\WINDOWS\system32\ntkrnlpa.exe
2005-03-01 20:34 2056832 81013f36b21c7f72cf784cc6731e0002 C:\WINDOWS\system32\VITrans\ntkrnlpa.exe
2005-03-01 21:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2004-08-04 08:00 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 20:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 05:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr\ntoskrnl.exe
2007-02-28 05:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2qfe\ntoskrnl.exe
2005-03-01 20:59 2191104 fd4a858c7ccb63fcd8907294b4de1511 C:\WINDOWS\system32\ntoskrnl.exe
2005-03-01 20:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\system32\VITrans\ntoskrnl.exe
2004-08-04 08:00 1422336 cd7ee0e0b4c778c3df22f8dbb9f855b4 C:\WINDOWS\explorer.exe
2007-06-13 06:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2qfe\explorer.exe
2004-08-04 08:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\system32\dllcache\explorer.exe
2004-08-04 08:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\system32\VITrans\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-19 68856]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"SandboxieControl"="C:\Program Files\Sandboxie\SbieCtrl.exe" [2008-09-02 716800]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-19 185896]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-18 266497]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"LogonStudio"="C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
"RTHDCPL"="RTHDCPL.EXE" [2008-06-13 C:\WINDOWS\RTHDCPL.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-07-22 16:42 210168 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^PalTalk.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\PalTalk.lnk
backup=C:\WINDOWS\pss\PalTalk.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-06-19 15:44 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a--c--- 2008-09-19 17:34 4347120 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"=
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-04-19 194048]
R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2008-09-02 100352]
S2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [ ]
S3 avfwim;AvFw Packet Filter Miniport;C:\WINDOWS\system32\DRIVERS\avfwim.sys [ ]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-Aim6 - C:\Program Files\AIM6\aim6.exe
MSConfigStartUp-CursorFX - C:\Program Files\Stardock\CursorFX\CursorFX.exe
MSConfigStartUp-LClock - C:\Program Files\LClock\lclock.exe
MSConfigStartUp-SMrhcjvqj0e3aj - C:\Program Files\rhcjvqj0e3aj\rhcjvqj0e3aj.exe
MSConfigStartUp-SpybotSnD - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
MSConfigStartUp-Veoh - C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
MSConfigStartUp-ViOrb - C:\Program Files\ViOrb\ViOrb.exe
MSConfigStartUp-ViStart - C:\Program Files\ViStart\ViStart.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.fxeyes.com/
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O9 -: {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Neymore\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 -: {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Neymore\Start Menu\Programs\IMVU\Run IMVU.lnk -
O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
C:\WINDOWS\Downloaded Program Files\DownloadManagerV2.inf
C:\WINDOWS\Downloaded Program Files\Manager.exe
C:\WINDOWS\Downloaded Program Files\DownloadManagerV2.ocx
.
************************************************** ************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-04 12:53:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\DOCUME~1\Neymore\LOCALS~1\temp\RtkBtMnt.exe
.
************************************************** ************************
.
Completion time: 2008-10-04 12:55:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-04 16:55:41
Pre-Run: 69,862,735,872 bytes free
Post-Run: 69,951,643,648 bytes free
193 --- E O F --- 2008-06-24 07:07:49
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.246 [GMT -4:00]
Running from: C:\Documents and Settings\Neymore\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Neymore\Application Data\inst.exe
C:\WINDOWS\system32\systeminfo.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MCHINJDRV
((((((((((((((((((((((((( Files Created from 2008-09-04 to 2008-10-04 )))))))))))))))))))))))))))))))
.
2008-10-03 02:22 . 2008-10-03 02:22 <DIR> d----c--- C:\rsit
2008-10-03 02:22 . 2008-10-03 02:22 <DIR> d----c--- C:\Program Files\trend micro
2008-10-03 02:12 . 2008-10-03 02:12 <DIR> d----c--- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-03 02:12 . 2008-10-03 02:12 <DIR> d----c--- C:\Documents and Settings\Neymore\Application Data\Malwarebytes
2008-10-03 02:12 . 2008-10-03 02:12 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-10-03 02:12 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-03 02:12 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-03 01:53 . 2008-10-03 01:53 <DIR> d----c--- C:\Sandbox
2008-10-03 01:52 . 2008-10-03 01:52 <DIR> d----c--- C:\Program Files\Sandboxie
2008-10-03 01:52 . 2008-10-04 12:06 1,664 --a------ C:\WINDOWS\Sandboxie.ini
2008-10-02 21:41 . 2008-10-02 21:41 <DIR> d--hsc--- C:\Documents and Settings\Neymore\PrivacIE
2008-10-02 21:27 . 2007-08-13 18:45 78,336 --a------ C:\WINDOWS\system32\ieencode.dll
2008-10-02 21:27 . 2007-08-13 18:45 78,336 --a------ C:\WINDOWS\system32\dllcache\ieencode.dll
2008-10-02 19:46 . 2008-10-02 19:46 <DIR> d----c--- C:\Program Files\MySpace
2008-10-02 19:46 . 2008-10-02 19:46 <DIR> d----c--- C:\Documents and Settings\Neymore\Application Data\MySpace
2008-09-29 02:12 . 2008-09-29 02:12 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-09-26 00:04 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2008-09-25 23:53 . 2008-09-26 00:03 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-09-25 23:53 . 2008-09-25 23:53 <DIR> d-------- C:\WINDOWS\Logs
2008-09-25 23:47 . 2008-09-25 23:47 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-23 17:38 . 2006-11-30 16:24 86,016 --a------ C:\WINDOWS\system32\custmon32.dll
2008-09-04 17:24 . 2008-09-06 13:29 <DIR> d----c--- C:\Documents and Settings\Neymore\Application Data\Yahoo!
2008-09-04 17:22 . 2008-09-29 19:58 <DIR> d----c--- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo!
2008-09-04 17:21 . 2008-10-02 01:24 <DIR> d----c--- C:\Program Files\Yahoo!
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-10-04 03:15 --------- dc----w C:\Documents and Settings\Neymore\Application Data\uTorrent
2008-10-04 02:56 --------- d-----w C:\Program Files\Google
2008-10-02 16:32 --------- dc----w C:\Documents and Settings\Neymore\Application Data\LimeWire
2008-09-28 06:35 --------- dc----w C:\Documents and Settings\Neymore\Application Data\Paltalk
2008-09-28 06:34 --------- dc----w C:\Program Files\Elaborate Bytes
2008-09-23 22:15 --------- dc--a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-09-23 21:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-08 04:38 --------- dc----w C:\Program Files\Stardock
2008-09-03 07:49 --------- dc----w C:\Program Files\Common Files\Stardock
2008-09-03 07:31 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
2008-08-31 20:57 --------- dc----w C:\Program Files\LimeWire
2008-08-29 02:40 --------- dc----w C:\Program Files\Conduit
2008-08-29 02:36 --------- dc----w C:\Documents and Settings\Neymore\Application Data\Corel
2008-08-29 01:59 --------- dc----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Corel
2008-08-29 01:43 --------- dc----w C:\Documents and Settings\Neymore\Application Data\InstallShield
2008-08-29 01:33 --------- dc----w C:\Program Files\Common Files\Adobe
2008-08-22 21:16 --------- dc----w C:\Program Files\Java
2008-08-21 19:46 --------- dc----w C:\Documents and Settings\Neymore\Application Data\Apple Computer
2008-08-21 16:59 --------- dc----w C:\Documents and Settings\Neymore\Application Data\Vso
2008-08-20 10:45 --------- dc----w C:\Documents and Settings\Neymore\Application Data\CoreCodec
2008-08-17 22:25 --------- dc----w C:\Program Files\DivX
2008-08-04 06:36 --------- dc----w C:\Documents and Settings\Neymore\Application Data\Azureus
2008-08-01 05:45 47,360 -c--a-w C:\Documents and Settings\Neymore\Application Data\pcouffin.sys
2008-07-13 05:57 286,720 ----a-w C:\WINDOWS\iun507.exe
.
------- Sigcheck -------
2005-03-01 20:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2004-08-04 08:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 20:34 2056832 81013f36b21c7f72cf784cc6731e0002 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 04:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr\ntkrnlpa.exe
2007-02-28 05:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2qfe\ntkrnlpa.exe
2005-03-01 20:34 2068608 700e4ad3775420daa937ee3935c0d74f C:\WINDOWS\system32\ntkrnlpa.exe
2005-03-01 20:34 2056832 81013f36b21c7f72cf784cc6731e0002 C:\WINDOWS\system32\VITrans\ntkrnlpa.exe
2005-03-01 21:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2004-08-04 08:00 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 20:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 05:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr\ntoskrnl.exe
2007-02-28 05:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2qfe\ntoskrnl.exe
2005-03-01 20:59 2191104 fd4a858c7ccb63fcd8907294b4de1511 C:\WINDOWS\system32\ntoskrnl.exe
2005-03-01 20:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\system32\VITrans\ntoskrnl.exe
2004-08-04 08:00 1422336 cd7ee0e0b4c778c3df22f8dbb9f855b4 C:\WINDOWS\explorer.exe
2007-06-13 06:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2qfe\explorer.exe
2004-08-04 08:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\system32\dllcache\explorer.exe
2004-08-04 08:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\system32\VITrans\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-19 68856]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"SandboxieControl"="C:\Program Files\Sandboxie\SbieCtrl.exe" [2008-09-02 716800]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-19 185896]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-18 266497]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"LogonStudio"="C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
"RTHDCPL"="RTHDCPL.EXE" [2008-06-13 C:\WINDOWS\RTHDCPL.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-07-22 16:42 210168 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^PalTalk.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\PalTalk.lnk
backup=C:\WINDOWS\pss\PalTalk.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-06-19 15:44 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a--c--- 2008-09-19 17:34 4347120 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"=
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-04-19 194048]
R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2008-09-02 100352]
S2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [ ]
S3 avfwim;AvFw Packet Filter Miniport;C:\WINDOWS\system32\DRIVERS\avfwim.sys [ ]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-Aim6 - C:\Program Files\AIM6\aim6.exe
MSConfigStartUp-CursorFX - C:\Program Files\Stardock\CursorFX\CursorFX.exe
MSConfigStartUp-LClock - C:\Program Files\LClock\lclock.exe
MSConfigStartUp-SMrhcjvqj0e3aj - C:\Program Files\rhcjvqj0e3aj\rhcjvqj0e3aj.exe
MSConfigStartUp-SpybotSnD - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
MSConfigStartUp-Veoh - C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
MSConfigStartUp-ViOrb - C:\Program Files\ViOrb\ViOrb.exe
MSConfigStartUp-ViStart - C:\Program Files\ViStart\ViStart.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.fxeyes.com/
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O9 -: {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Neymore\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 -: {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Neymore\Start Menu\Programs\IMVU\Run IMVU.lnk -
O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
C:\WINDOWS\Downloaded Program Files\DownloadManagerV2.inf
C:\WINDOWS\Downloaded Program Files\Manager.exe
C:\WINDOWS\Downloaded Program Files\DownloadManagerV2.ocx
.
************************************************** ************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-04 12:53:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\DOCUME~1\Neymore\LOCALS~1\temp\RtkBtMnt.exe
.
************************************************** ************************
.
Completion time: 2008-10-04 12:55:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-04 16:55:41
Pre-Run: 69,862,735,872 bytes free
Post-Run: 69,951,643,648 bytes free
193 --- E O F --- 2008-06-24 07:07:49
































