TheTechGuide Forum
General Category => Tech Clinic => Topic started by: HTPConvert on November 22, 2008, 08:23:14 PM
-
Ok, this is an odd one and has been happening now for the past month.
I will be either: doing nothing yet have my HTPC on OR
watching a recorded video on my HTPC
When all of a sudden, music (or more recently what sounded like an ad) will start to play for about 5 seconds, then just go away. I can't stop it myself by pressing stop on my remote or closing Windows Media Centre, so it's coming from elsewhere.
The music didn't sound like anything I have in my library, and the ad, well, I didn't have that either.
So... any clues as to what it could be and what could be causing it (other than a ghost!!)?
Also, the Symantec virus scan has been going crazy saying I have a trojan; when I delete it, it looks like another takes its place... HELP!!
Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:38 PM, on 8/04/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\GIGABYTE\GEST\gest.exe
C:\Program Files\ASUS\EZVCR\Agent.exe
C:\Program Files\ASUS\EZVCR\ASUS_IRAppl.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Windows\ehome\ehShell.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\RunOnce: [GEST] "C:\Program Files\GIGABYTE\GEST\run.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [Windows Media Center] RunDLL32.exe C:\Windows\ehome\ehuihlp.dll,BootMediaCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O13 - Gopher Prefix:
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EZSERVICE - Unknown owner - C:\Program Files\ASUS\EZVCR\EZSERVICE.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 6178 bytes
-
Where is Norton finding the virus?
What location?
Let's see if this shows anything.
Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
- RIGHT click on RSIT.exe and "Run as Administrator"
- Click Continue at the disclaimer screen.
- Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
- Once it has finished, two logs will open: log.txt (this will be maximized) and info.txt (this will be minimized).
Post both those logs, please.
-
Logfile of random's system information tool 1.04 (written by random/random)
Run by Media Centre at 2008-11-23 12:40:28
Microsoft® Windows Vista™ Ultimate Service Pack 1
System drive C: has 8 GB (21%) free of 40 GB
Total RAM: 3582 MB (54% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:31 PM, on 23/11/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ASUS\EZVCR\Agent.exe
C:\Program Files\ASUS\EZVCR\ASUS_IRAppl.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\Program Files\Nero\Nero8\Nero Toolkit\DriveSpeed.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Program Files\No-IP\DUC20.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Windows\system32\dllhost.exe
C:\Windows\ehome\EHTray.exe
C:\Windows\ehome\ehshell.exe
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\Windows\ehome\ehExtHost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\ehome\ehExtHost.exe
C:\Windows\ehome\ehExtHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
D:\tmp\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Media Centre.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MagicTuneEngine] C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKCU\..\Run: [Windows Media Center] RunDLL32.exe C:\Windows\ehome\ehuihlp.dll,BootMediaCenter
O4 - HKCU\..\Run: [Nero DriveSpeed] "C:\PROGRA~1\Nero\Nero8\NEROTO~1\DRIVES~1.EXE"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O13 - Gopher Prefix:
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: afisicx Portable Media Serial Service (afisicx) - Unknown owner - C:\Windows\system32\afisicx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\Windows\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EZSERVICE - Unknown owner - C:\Program Files\ASUS\EZVCR\EZSERVICE.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\Windows\system32\mabidwe.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\Windows\system32\Nobicyt.exe (file missing)
O23 - Service: noxtcyr Settings storage service (noxtcyr) - Unknown owner - C:\Windows\system32\noxtcyr.exe
O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\Windows\system32\noytcyr.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: perfmons - Unknown owner - C:\Windows\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\Windows\system32\routing.exe
O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\Windows\system32\roytctm.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: solewxte Service (solewxte) - Unknown owner - C:\Windows\system32\solewxte.exe
O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\Windows\system32\soxpeca.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: tdydowkc Service (tdydowkc) - Unknown owner - C:\Windows\system32\tdydowkc.exe
O23 - Service: UltiDev Cassini Web Server for ASP.NET 2.0 - UltiDev LLC - C:\Program Files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe
O23 - Service: WebGuideTranscode - WebGuide LLC - D:\Program Files\WebGuide\WebGuide4\bin\WebGuideTranscodeService.exe
O23 - Service: Windows Media Center Guide Service Proxy (wmcGuideServiceProxy) - epgStream.net - C:\Program Files\epgStream.net\wmcGuideServiceProxy\wmcGuideServiceProxyHost.exe
O23 - Service: wsldoekd Co. Ltd. (wsldoekd) - Unknown owner - C:\Windows\system32\wsldoekd.exe
O23 - Service: XMLTV Download Schedule Service (xmltvDownload) - epgStream.net - C:\Program Files\epgStream.net\xmltvDownload\xmltvDownloadHost.exe
--
End of file - 10158 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-18 1008184]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-09-19 4702208]
"JMB36X IDE Setup"=C:\Windows\RaidTool\xInsIDE.exe [2007-03-20 36864]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2006-11-10 90112]
"RemoteControl"=C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe [2005-01-12 32768]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"MagicTuneEngine"=C:\Program Files\MagicTune Premium\MagicTuneEngine.exe [2007-06-14 69632]
"Windows Mobile Device Center"=C:\Windows\WindowsMobile\wmdc.exe [2007-05-31 648072]
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [2007-03-01 153136]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-09-03 111936]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-09-09 289576]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2008-02-01 115560]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2008-04-03 136080]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-18 1233920]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-18 125952]
"PowerArchiver Tray"=C:\Program Files\PowerArchiver\PASTARTER.EXE [2007-02-23 139816]
"Windows Media Center"=C:\Windows\ehome\ehuihlp.dll [2008-01-18 1499136]
"Nero DriveSpeed"=C:\PROGRA~1\Nero\Nero8\NEROTO~1\DRIVES~1.EXE [2007-09-20 1975592]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-18 202240]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
GammaTray.lnk - C:\Program Files\MagicTune Premium\GammaTray.exe
NETGEAR WG311v3 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Users\Media Centre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
No-IP DUC.lnk - C:\Program Files\No-IP\DUC20.exe
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ccEvtMgr]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ccSetMgr]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Symantec Antivirus]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0
"DisableTaskMgr"=0
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e61a0ef-f72b-11dc-8675-001b2f2ce128}]
shell\AutoRun\command - setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47fee477-fcae-11dc-a19d-001d7daf31dc}]
shell\AutoRun\command - G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64f9c3cd-022e-11dd-afd1-001d7daf31dc}]
shell\Auto\command - auto.exe
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
======File associations======
.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*
======List of files/folders created in the last 1 months======
2008-11-23 12:40:28 ----D---- C:\rsit
2008-11-23 12:01:17 ----D---- C:\Program Files\Panda Security
2008-11-23 11:19:13 ----D---- C:\ProgramData\MC Menu Mender BETA
2008-11-23 11:19:00 ----D---- C:\Program Files\MC Menu Mender
2008-11-23 11:16:50 ----D---- C:\Program Files\SamSoft
2008-11-16 20:17:22 ----D---- C:\Program Files\Xvid
2008-11-16 20:17:22 ----A---- C:\Windows\system32\xvidvfw.dll
2008-11-16 20:17:22 ----A---- C:\Windows\system32\xvidcore.dll
2008-11-16 19:28:43 ----D---- C:\Program Files\avi.NET
2008-11-16 17:58:41 ----D---- C:\ProgramData\VistaCodecs
2008-11-15 12:21:02 ----D---- C:\ProgramData\OpenMediaLibrary
2008-11-15 12:20:30 ----D---- C:\Program Files\OpenMediaLibrary
======List of files/folders modified in the last 1 months======
2008-11-23 12:40:29 ----D---- C:\Windows\temp
2008-11-23 12:03:38 ----D---- C:\Windows\system32\drivers
2008-11-23 12:01:17 ----D---- C:\Program Files
2008-11-23 11:54:17 ----SD---- C:\Windows\Downloaded Program Files
2008-11-23 11:38:25 ----D---- C:\Windows\Prefetch
2008-11-23 11:35:40 ----D---- C:\Windows
2008-11-23 11:26:57 ----D---- C:\Windows\ehome
2008-11-23 11:19:13 ----D---- C:\ProgramData
2008-11-23 11:19:02 ----SHD---- C:\Windows\Installer
2008-11-23 11:18:54 ----SHD---- C:\System Volume Information
2008-11-23 11:16:51 ----RSD---- C:\Windows\assembly
2008-11-23 11:15:27 ----D---- C:\Windows\System32
2008-11-23 11:15:27 ----D---- C:\Windows\inf
2008-11-23 11:15:27 ----A---- C:\Windows\system32\PerfStringBackup.INI
2008-11-23 11:09:08 ----D---- C:\Windows\registration
2008-11-23 11:08:27 ----A---- C:\Windows\ezvcr.ini
2008-11-22 17:46:50 ----D---- C:\Users\Media Centre\AppData\Roaming\uTorrent
2008-11-22 10:48:50 ----AD---- C:\ProgramData\TEMP
2008-11-22 10:46:38 ----D---- C:\Users\Media Centre\AppData\Roaming\VideoReDoPlus
2008-11-17 18:29:31 ----D---- C:\Program Files\AviSynth 2.5
2008-11-17 09:03:54 ----D---- C:\ProgramData\VideoBrowser
2008-11-16 20:15:13 ----D---- C:\Program Files\Mozilla Firefox
2008-11-16 20:15:08 ----D---- C:\Program Files\DivX
2008-11-16 20:13:43 ----D---- C:\Program Files\Winnydows
2008-11-16 18:32:53 ----D---- C:\Windows\system32\catroot2
2008-11-16 18:00:26 ----D---- C:\Program Files\Common Files\PX Storage Engine
2008-11-16 17:43:20 ----D---- C:\TEMP
2008-11-16 17:26:04 ----A---- C:\Windows\NeroDigital.ini
2008-11-15 13:27:36 ----SD---- C:\Users\Media Centre\AppData\Roaming\Microsoft
2008-11-13 04:02:55 ----D---- C:\Windows\system32\catroot
2008-11-13 04:02:54 ----D---- C:\Windows\winsxs
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 cdrbsdrv;cdrbsdrv; C:\Windows\system32\drivers\cdrbsdrv.sys [2008-05-11 33408]
R1 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2008-01-18 350720]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [2008-09-05 371248]
R1 MagicTune;MagicTune; C:\Windows\system32\drivers\MTiCtwl.sys [2007-06-11 12672]
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [2008-01-17 420400]
R1 SRTSP;SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [2008-02-04 279088]
R1 SRTSPX;SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [2008-02-04 43696]
R1 SYMTDI;SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [2007-01-09 191544]
R2 DefragFS;DefragFS; C:\Windows\system32\drivers\DefragFS.sys [2008-02-04 68624]
R2 Hardlock;Hardlock; C:\Windows\system32\drivers\hardlock.sys [2006-11-22 693760]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2007-10-31 3168768]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-05 99376]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-09-19 1959832]
R3 MRV6X32P;Vista 32-bits Native WiFi Driver; C:\Windows\system32\DRIVERS\MRVW13B.sys [2007-10-16 256512]
R3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-18 5504]
R3 NAVENG;NAVENG; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20081121.003\NAVENG.SYS [2008-11-22 89104]
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20081121.003\NAVEX15.SYS [2008-11-22 876112]
R3 pcouffin;VSO Software pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [2008-07-24 47360]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2007-09-18 98816]
R3 SymEvent;SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [2008-09-12 123952]
R3 SYMREDRV;SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [2007-01-09 27576]
R3 u3kmini;ASUS My Cinema-U3000 Mini; C:\Windows\System32\Drivers\u3kmini.sys [2006-10-16 350720]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-18 5632]
S3 ET5Drv;ET5Drv; \??\C:\Windows\system32\Drivers\ET5Drv.sys [2007-10-11 30008]
S3 gdrv;gdrv; \??\C:\Windows\gdrv.sys [2008-05-11 16608]
S3 gmer;gmer; C:\Windows\System32\DRIVERS\gmer.sys [2008-04-04 86097]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-18 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-18 5888]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-18 6016]
S3 SRTSPL;SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [2008-02-04 317616]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2008-09-05 36864]
S3 winusb;WinUsb Driver; C:\Windows\system32\DRIVERS\winusb.sys [2008-01-18 31616]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-18 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-18 83328]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 afisicx;afisicx Portable Media Serial Service; C:\Windows\system32\afisicx.exe [2006-11-02 37888]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-09-05 116040]
R2 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2007-10-31 622592]
R2 bgsvcgen;B's Recorder GOLD Library General Service; C:\Windows\system32\bgsvcgen.exe [2008-05-11 118784]
R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-18 21504]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-01 108392]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-01 108392]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2008-01-18 21504]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2008-04-03 31120]
R2 EZSERVICE;EZSERVICE; C:\Program Files\ASUS\EZVCR\EZSERVICE.exe [2007-03-27 61440]
R2 mabidwe;mabidwe Service; C:\Windows\system32\mabidwe.exe [2006-11-02 46080]
R2 noxtcyr;noxtcyr Settings storage service; C:\Windows\system32\noxtcyr.exe [2006-11-02 37888]
R2 noytcyr;noytcyr Service; C:\Windows\system32\noytcyr.exe [2006-11-02 45568]
R2 PD91Agent;PD91Agent; C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-02-28 668936]
R2 perfmons;perfmons; C:\Windows\system32\perfs.exe [2006-11-02 34304]
R2 RapiMgr;@%windir%\WindowsMobile\rapimgr.dll,-104; C:\Windows\system32\svchost.exe [2008-01-18 21504]
R2 Routing;Routing Service; C:\Windows\system32\routing.exe [2006-11-02 34816]
R2 roytctm;roytctm Service; C:\Windows\system32\roytctm.exe [2006-11-02 44544]
R2 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2008-04-03 121744]
R2 solewxte;solewxte Service; C:\Windows\system32\solewxte.exe [2006-11-02 45056]
R2 soxpeca;soxpeca Service; C:\Windows\system32\soxpeca.exe [2006-11-02 43520]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2008-04-03 1956240]
R2 tdydowkc;tdydowkc Service; C:\Windows\system32\tdydowkc.exe [2006-11-02 46080]
R2 UltiDev Cassini Web Server for ASP.NET 2.0;UltiDev Cassini Web Server for ASP.NET 2.0; C:\Program Files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe [2007-02-08 49152]
R2 WcesComm;@%windir%\WindowsMobile\wcescomm.dll,-40079; C:\Windows\system32\svchost.exe [2008-01-18 21504]
R2 WebGuideTranscode;WebGuideTranscode; D:\Program Files\WebGuide\WebGuide4\bin\WebGuideTranscodeService.exe [2007-08-08 40960]
R2 wmcGuideServiceProxy;Windows Media Center Guide Service Proxy; C:\Program Files\epgStream.net\wmcGuideServiceProxy\wmcGuideServiceProxyHost.exe [2008-09-28 22016]
R2 wsldoekd;wsldoekd Co. Ltd.; C:\Windows\system32\wsldoekd.exe [2006-11-02 38400]
R2 xmltvDownload;XMLTV Download Schedule Service; C:\Program Files\epgStream.net\xmltvDownload\xmltvDownloadHost.exe [2008-09-28 40960]
R3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2008-01-18 21504]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-09-09 536872]
S2 nobicyt;nobicyt Service; C:\Windows\system32\Nobicyt.exe []
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-03-31 68096]
S3 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
S3 Fax;@%systemroot%\system32\fxsresm.dll,-118; C:\Windows\system32\fxssvc.exe [2008-01-18 523776]
S3 GEST Service;GEST Service for program management.; C:\Program Files\GIGABYTE\GEST\GSvr.exe [2007-12-14 47624]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2007-08-11 3093872]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe [2007-10-15 382248]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 PD91Engine;PD91Engine; C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-02-29 894216]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2008-01-18 21504]
S3 wbengine;@%systemroot%\system32\wbengine.exe,-104; C:\Windows\system32\wbengine.exe [2008-01-18 917504]
-----------------EOF-----------------
info.txt logfile of random's system information tool 1.04 2008-11-23 12:40:33
======Uninstall list======
@BIOS -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B2DC3F08-2EB2-49A5-AA24-15DFC8B1CB83}\setup.exe" -l0x9 -removeonly
-->C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\Windows\UNNeroShowTime.exe /UNINSTALL
AC3Filter (remove only)-->C:\Program Files\AC3Filter\uninstall.exe
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Premiere Pro 1.5-->RunDll32 "C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll",LaunchSetup "C:\Program Files\InstallShield Installation Information\{A14F7508-B784-40B8-B11A-E0E2EEB7229F}\setup.exe" -l0x0009
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player-->C:\Windows\System32\Macromed\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~1\Install.log
Apple Mobile Device Support-->MsiExec.exe /I{C7C895CA-331B-4D7D-A0FB-D3BC637949F9}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ASUS EZVCR-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{01051276-3213-4A6A-8FEF-CFFF0BE26633}
ASUS My Cinema-U3000 Mini-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8D2A1A00-F630-49ED-8E6C-C199544DD3AB}\Setup.exe" -l0x9
ASUS TSSI-->MsiExec.exe /I{76A2DC7C-D385-498E-9C6B-CF9626F8BE1E}
ASUSDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
ATI AVIVO Codecs-->MsiExec.exe /I{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}
Auto Gordian Knot 2.45-->C:\Program Files\AutoGK\uninst.exe
avi.NET 2.5.8.0-->C:\Program Files\avi.NET\Uninstall.exe
Avidemux 2.4-->C:\Program Files\Avidemux 2.4\uninstall.exe
AviSynth 2.5-->"C:\Program Files\AviSynth 2.5\Uninstall.exe"
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DVD Shrink 3.2-->"C:\Program Files\DVD Shrink\unins000.exe"
DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.0.6.0-->"C:\Program Files\DVDFab 5\unins000.exe"
Dynamic Energy Saver B7.1214.3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5869CE1E-BC0B-4648-B1AE-6EF4A985590C}\setup.exe" -l0x9 -removeonly
Handbrake 0.9.2-->C:\Program Files\Handbrake\uninst.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
iTunes-->MsiExec.exe /I{EA418519-2160-43A0-AABD-6608DDD8D87F}
Japanese Fonts Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5760-0000-800000000003}
Java(tm) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
JMB36X Raid Configurer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\setup.exe" -l0x9 -removeonly
LiveUpdate 3.3 (Symantec Corporation)-->"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
MagicTunePremium-->C:\Program Files\InstallShield Installation Information\{59625CC8-69B3-4917-864B-3CE27B76DCF3}\setup.exe -runfromtemp -l0x0009 -removeonly
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MC Menu Mender-->MsiExec.exe /I{08579D83-B23F-418F-9F61-1D38F667B9C9}
Microsoft .NET Framework 3.5-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe
Microsoft .NET Framework 3.5-->MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}
Microsoft Office Word Viewer 2003-->MsiExec.exe /I{90850409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MKVtoolnix 2.2.0-->C:\Program Files\MKVtoolnix\uninst.exe
MobileMe Control Panel-->MsiExec.exe /I{6DA9102E-199F-43A0-A36B-6EF48081A658}
Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MusicIP Mixer 1.8.1-->"C:\Program Files\MusicIP\MusicIP Mixer\unins000.exe"
Nero 8 Essentials-->MsiExec.exe /X{523DF39E-DF7D-488F-8022-783946571033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NETGEAR WG311v3 PCI Adapter-->C:\Program Files\InstallShield Installation Information\{70014586-7BBA-4A92-A610-CDC896C48F8F}\setup.exe -runfromtemp -l0x0409
No-IP.com DUC (remove only)-->"C:\Program Files\No-IP\DUC20.exe" -uninstall
Open Media Library-->MsiExec.exe /X{282FFE47-5856-4F07-A5E1-617A24A9B4A5}
OpenAL-->"C:\Program Files\OpenAL\OalinstGridRelease.exe" /U
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PerfectDisk 2008 Professional-->MsiExec.exe /I{2B6EC03E-6FA0-4D7C-9CCE-1B03819AB613}
PowerArchiver 2007-->MsiExec.exe /I{4D1CF286-EBD1-4B08-9B71-A439712D1150}
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista-->C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\SETUP.EXE -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Sansa Media Converter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2A0F8F4-CE50-4857-A21C-3061682B2E87}\Setup.exe" -l0x9
Sony Vegas Pro 8.0-->MsiExec.exe /X{1246FF64-3035-4A92-8FE6-A968275495EB}
SpeedFan (remove only)-->"C:\Program Files\SpeedFan\uninstall.exe"
SpywareBlaster 4.1-->"C:\Program Files\SpywareBlaster\unins000.exe"
Symantec AntiVirus-->MsiExec.exe /I{B798631A-E543-492B-9063-1F4D8336D377}
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
TMPGEnc 4.0 XPress-->MsiExec.exe /I{34E89C10-3E14-4396-A58C-72047CD458AD}
TMPGEnc DVD Author 3 with DivX Authoring-->MsiExec.exe /I{8D4942F1-D5EB-40A7-9D7B-07F8ED1B71E9}
TMPGEnc MPEG Editor 2.0-->MsiExec.exe /I{06607A48-98DC-48F9-922F-40FD2D7FF6D1}
UltiDev Cassini Web Server Explorer-->MsiExec.exe /I{40247AAC-AB0D-449C-882F-90401C3351E8}
UltiDev Cassini Web Server for ASP.NET 2.0-->MsiExec.exe /I{F6C8DAED-8CC7-43FD-9DA4-1F629B873A17}
Unreal Tournament 3 Demo-->MsiExec.exe /X{3266FEA9-98E9-448B-B235-DAC63D4CE781}
VCRedistSetup-->MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Video Browser-->MsiExec.exe /X{C704736F-45F7-46FF-943E-7D24C2FB33C2}
Videora iPhone Converter 3.08-->C:\Program Files\Red Kawa\Video Converter 3\uninstaller.exe
Videora iPod Converter 4.00-->C:\Program Files\Red Kawa\Video Converter App\uninstaller.exe
VideoReDo/Plus Version 2.5.4.507-->"C:\Program Files\VideoReDoPlus\unins000.exe"
Vista Shortcut Manager-->MsiExec.exe /I{47609E69-4C5E-48B1-A889-24C6B82B5C04}
VobSub v2.23 (Remove Only)-->"C:\Program Files\Gabest\VobSub\uninstall.exe"
WebGuide4-->MsiExec.exe /I{C9C0C251-3ECD-4DBC-A30F-1D996BC78400}
Windows Mobile Device Center Driver Update-->MsiExec.exe /X{E7044E25-3038-4A76-9064-344AC038043E}
Windows Mobile Device Center-->MsiExec.exe /X{904CCF62-818D-4675-BC76-D37EB399F917}
WinSCP 4.1.6-->"C:\Program Files\WinSCP\unins000.exe"
XMLTV Guide Pack v1.0.17-->MsiExec.exe /I{0B05386C-A9A2-4903-80FE-F1192FD97AEA}
Xvid 1.1.3 final uninstall-->"C:\Program Files\Xvid\unins000.exe"
=====HijackThis Backups=====
O2 - BHO: {6a0d8b83-aa89-06ba-4964-e1835081729d} - {d9271805-381e-4694-ab60-98aa38b8d0a6} - C:\Windows\system32\sggdmjhs.dll (file missing)
O2 - BHO: (no name) - {98159628-D979-45A1-A568-C148B40ECAF8} - C:\Windows\system32\wvwvw.dll (file missing)
O20 - Winlogon Notify: cupluadx - cupluadx.dll (file missing)
O4 - HKLM\..\Run: [96dc0077] rundll32.exe "C:\Windows\system32\cofktlif.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O20 - Winlogon Notify: ysntnefw - ysntnefw.dll (file missing)
======Hosts File======
127.0.0.1 madderwort.com
======Security center information======
AV: Symantec AntiVirus
AS: Symantec AntiVirus
AS: Windows Defender
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 11, GenuineIntel
"PROCESSOR_REVISION"=0f0b
"NUMBER_OF_PROCESSORS"=4
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
-----------------EOF-----------------
Norton seems to say it finds it in its own folder, program files/symantec --> but Norton is locking up so I can't give you all the details
-
Norton working again - it says C:\Windows\System32\tmpxr_31905682307.bk
It calls the files a variety of things - trojan horse, trojan adclicker, securityrisk etc
-
Can you temporarily disable Norton and Windows Defender so they won't interfere with this next step?
Download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
By default it will save a copy to C:\Combofix.txt
I'll need to see this log later
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post that log from ComboFix along with a fresh hijackthis log
-
ComboFix 08-11-22.02 - Media Centre 2008-11-23 13:57:06.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1611 [GMT 11:00]
Running from: c:\users\Media Centre\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\update.exe
c:\users\Media Centre\AppData\Roaming\inst.exe
c:\windows\BM95ef33eb.txt
c:\windows\BM95ef33eb.xml
c:\windows\Install.txt
c:\windows\pskt.ini
c:\windows\system32\afisicx.exe
c:\windows\system32\atsxyzd.sys
c:\windows\system32\comsa32.sys
c:\windows\system32\filtkfoc.ini
c:\windows\system32\lwaemjij.ini
c:\windows\system32\mabidwe.exe
c:\windows\system32\noxtcyr.exe
c:\windows\system32\noytcyr.exe
c:\windows\system32\perfs.exe
c:\windows\system32\routing.exe
c:\windows\system32\roytctm.exe
c:\windows\system32\soxpeca.exe
c:\windows\system32\tdydowkc.exe
c:\windows\system32\tmp0_115047810747.bk
c:\windows\system32\tmp0_186804389726.bk
c:\windows\system32\tmp0_224977588242.bk
c:\windows\system32\tmp0_514739119399.bk
c:\windows\system32\tmp0_576990597331.bk
c:\windows\system32\tmp0_620659106581.bk
c:\windows\system32\tmp0_62837460417.bk
c:\windows\system32\tpszxyd.sys
c:\windows\system32\wsldoekd.exe
c:\windows\system32\wvwvw.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_afisicx
-------\Service_mabidwe
-------\Service_nobicyt
-------\Service_noxtcyr
-------\Service_noytcyr
-------\Service_perfmons
-------\Service_Routing
-------\Service_roytctm
-------\Service_soxpeca
-------\Service_tdydowkc
-------\Service_wsldoekd
((((((((((((((((((((((((( Files Created from 2008-10-23 to 2008-11-23 )))))))))))))))))))))))))))))))
.
2008-11-23 12:40 . 2008-11-23 12:40 <DIR> d-------- C:\rsit
2008-11-23 12:01 . 2008-11-23 12:01 <DIR> d-------- c:\program files\Panda Security
2008-11-23 12:01 . 2008-06-19 17:24 28,544 --a------ c:\windows\System32\drivers\pavboot.sys
2008-11-23 11:58 . 2008-11-23 12:00 <DIR> d-------- c:\users\Media Centre\.housecall6.6
2008-11-23 11:19 . 2008-11-23 11:19 <DIR> d-------- c:\users\All Users\MC Menu Mender BETA
2008-11-23 11:19 . 2008-11-23 11:19 <DIR> d-------- c:\programdata\MC Menu Mender BETA
2008-11-23 11:19 . 2008-11-23 11:19 <DIR> d-------- c:\program files\MC Menu Mender
2008-11-23 11:16 . 2008-11-23 11:16 <DIR> d-------- c:\program files\SamSoft
2008-11-16 20:17 . 2008-11-16 20:17 <DIR> d-------- c:\program files\Xvid
2008-11-16 20:17 . 2007-06-28 18:52 765,952 --a------ c:\windows\System32\xvidcore.dll
2008-11-16 20:17 . 2007-06-28 18:54 180,224 --a------ c:\windows\System32\xvidvfw.dll
2008-11-16 19:28 . 2008-11-16 19:28 <DIR> d-------- c:\program files\avi.NET
2008-11-16 17:58 . 2008-11-16 17:58 <DIR> d-------- c:\users\All Users\VistaCodecs
2008-11-16 17:58 . 2008-11-16 17:58 <DIR> d-------- c:\programdata\VistaCodecs
2008-11-15 12:21 . 2008-11-15 12:23 <DIR> d-------- c:\users\All Users\OpenMediaLibrary
2008-11-15 12:21 . 2008-11-15 12:23 <DIR> d-------- c:\programdata\OpenMediaLibrary
2008-11-15 12:20 . 2008-11-15 12:20 <DIR> d-------- c:\program files\OpenMediaLibrary
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-22 06:46 --------- d-----w c:\users\Media Centre\AppData\Roaming\uTorrent
2008-11-21 23:48 --------- d---a-w c:\programdata\TEMP
2008-11-21 23:46 --------- d-----w c:\users\Media Centre\AppData\Roaming\VideoReDoPlus
2008-11-17 07:29 --------- d-----w c:\program files\AviSynth 2.5
2008-11-16 22:03 --------- d-----w c:\programdata\VideoBrowser
2008-11-16 09:15 --------- d-----w c:\program files\DivX
2008-11-16 09:13 --------- d-----w c:\program files\Winnydows
2008-11-16 07:00 --------- d-----w c:\program files\Common Files\PX Storage Engine
2008-10-19 03:24 --------- d-----w c:\programdata\IsolatedStorage
2008-10-19 03:24 --------- d-----w c:\programdata\epgStream.net
2008-10-19 03:24 --------- d-----w c:\program files\epgStream.net
2008-10-07 04:11 --------- d-----w c:\program files\Red Kawa
2008-09-30 23:23 --------- d-----w c:\users\Media Centre\AppData\Roaming\MusicIP
2008-09-30 23:23 --------- d-----w c:\program files\MusicIP
2008-07-24 01:07 47,360 ----a-w c:\users\Media Centre\AppData\Roaming\pcouffin.sys
2008-03-21 09:33 174 --sha-w c:\program files\desktop.ini
2008-02-14 03:28 29 ----a-w c:\program files\version.ini
2008-02-14 03:23 231,944 ----a-w c:\program files\gwflash.exe
2007-09-21 08:42 19,008 ----a-w c:\program files\markfun.a64
2007-08-21 08:49 17,912 ----a-w c:\program files\markfun.w32
2007-08-21 08:49 125,504 ----a-w c:\program files\MarkFunDrv.dll
2007-04-04 07:35 207,680 ----a-w c:\program files\updateutility.exe
2007-03-29 17:36 301 ----a-w c:\program files\update.ini
2007-03-01 17:48 240,448 ----a-w c:\program files\gwf32.exe
2006-11-23 12:47 207,680 ----a-w c:\program files\BIOS_Run.exe
2006-11-23 12:40 60,224 ----a-w c:\program files\HUADRV.DLL
2006-11-03 07:09 528 ----a-w c:\program files\CONFIG.INI
2005-04-27 08:40 6,800 ----a-w c:\program files\W95_HUA.vxd
2008-05-07 08:37 16,496 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows NT\DiskQuota\NTDiskQuotaSidCache.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-18 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-18 125952]
"PowerArchiver Tray"="c:\program files\PowerArchiver\PASTARTER.EXE" [2007-02-23 139816]
"Windows Media Center"="c:\windows\ehome\ehuihlp.dll" [2008-01-18 1499136]
"Nero DriveSpeed"="c:\progra~1\Nero\Nero8\NEROTO~1\DRIVES~1.EXE" [2007-09-20 1975592]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"RemoteControl"="c:\program files\ASUSTek\ASUSDVD\PDVDServ.exe" [2005-01-12 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"MagicTuneEngine"="c:\program files\MagicTune Premium\MagicTuneEngine.exe" [2007-06-14 69632]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-09 289576]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-04-03 136080]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-19 c:\windows\RtHDVCpl.exe]
c:\users\Media Centre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
No-IP DUC.lnk - c:\program files\No-IP\DUC20.exe [5/10/2008 7:27:33 PM 1172992]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [4/22/2008 11:42:26 AM 36864]
NETGEAR WG311v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG311v3\WG311v3.exe [8/31/2005 11:46:50 AM 1691648]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.CDVC"= cdvccodc.dll
"msacm.divxa32"= divxa32.acm
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{AEAB85D1-5BDF-44BE-B1E5-0AFE137237E9}c:\\program files\\gigabyte\\gest\\run.exe"= UDP:c:\program files\gigabyte\gest\run.exe:update
"UDP Query User{88B75BFA-0E87-48C8-ACCC-64504BDBAA65}c:\\program files\\gigabyte\\gest\\run.exe"= TCP:c:\program files\gigabyte\gest\run.exe:update
"TCP Query User{651256BB-6D67-49C0-90DB-1174C4F5FEDF}c:\\program files\\gigabyte\\gest\\run.exe"= UDP:c:\program files\gigabyte\gest\run.exe:update
"UDP Query User{8F5BE7E9-D5F4-4D35-BE47-F8CAD9CA4644}c:\\program files\\gigabyte\\gest\\run.exe"= TCP:c:\program files\gigabyte\gest\run.exe:update
"TCP Query User{3176DAF5-F46E-43E0-B540-13A846A82E04}c:\\program files\\gigabyte\\@bios\\gwflash.exe"= UDP:c:\program files\gigabyte\@bios\gwflash.exe:gwflash
"UDP Query User{70F4429B-2439-419B-83FF-DA766D263D61}c:\\program files\\gigabyte\\@bios\\gwflash.exe"= TCP:c:\program files\gigabyte\@bios\gwflash.exe:gwflash
"TCP Query User{43FAAC04-9451-4360-9EAA-1F1B364B3CD1}c:\\program files\\gwflash.exe"= UDP:c:\program files\gwflash.exe:gwflash
"UDP Query User{FDB4E5B5-5285-415F-9806-B389D2B09A13}c:\\program files\\gwflash.exe"= TCP:c:\program files\gwflash.exe:gwflash
"TCP Query User{F204A39D-B297-49FF-B63B-C4D9F639D8EB}c:\\program files\\gigabyte\\@bios\\update.exe"= UDP:c:\program files\gigabyte\@bios\update.exe:update
"UDP Query User{BE296ADA-9CC5-46D0-87F5-A7E18186440F}c:\\program files\\gigabyte\\@bios\\update.exe"= TCP:c:\program files\gigabyte\@bios\update.exe:update
"TCP Query User{3367E75B-FFF5-4413-BF67-C7D933706696}d:\\program files\\tmnationsforever\\tmforever.exe"= UDP:d:\program files\tmnationsforever\tmforever.exe:TmForever
"UDP Query User{C2630B7A-93F5-4D51-9450-CD343A773C42}d:\\program files\\tmnationsforever\\tmforever.exe"= TCP:d:\program files\tmnationsforever\tmforever.exe:TmForever
"{8A86151E-16AA-4308-A077-9FE605C9F5C0}"= UDP:c:\program files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe:UltiDev Cassini Web Server for ASP.NET 2.0
"{DA808245-DD19-4E61-85A7-AC37F31800E9}"= TCP:c:\program files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe:UltiDev Cassini Web Server for ASP.NET 2.0
"TCP Query User{B61B2908-E781-4FD2-9214-29C99ED0E153}d:\\program files\\webguide\\webguide4\\bin\\webguide_configuration.exe"= UDP:d:\program files\webguide\webguide4\bin\webguide_configuration.exe:WebGuide_Configuration
"UDP Query User{8BAF1DF4-D050-4971-A25B-7C2AF68A5C09}d:\\program files\\webguide\\webguide4\\bin\\webguide_configuration.exe"= TCP:d:\program files\webguide\webguide4\bin\webguide_configuration.exe:WebGuide_Configuration
"{963CC70A-5B6D-4869-AA0A-89C5C268AB98}"= UDP:56484:WebGuide
"{AAA7EFBE-C8E3-4590-A219-47EBEDF338FF}"= UDP:56485:WebGuide
"TCP Query User{4F3FFA99-7D4E-4E2A-9D3A-6ADAD9A3EFC3}c:\\program files\\nero\\nero8\\nero showtime\\showtime.exe"= UDP:c:\program files\nero\nero8\nero showtime\showtime.exe:Nero ShowTime Essentials
"UDP Query User{A51263EA-0DD2-44DC-875A-B59D3AD8D540}c:\\program files\\nero\\nero8\\nero showtime\\showtime.exe"= TCP:c:\program files\nero\nero8\nero showtime\showtime.exe:Nero ShowTime Essentials
"{46A11C06-2E57-436B-BFAE-FF65419BF063}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{236B0E50-A09C-4E5D-91B1-4A1FBDB104F0}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{90C63744-6260-4009-ABFF-89AD6FD2957B}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{54A692D9-818D-481C-8529-E4F1241206A9}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{70C45649-7952-4C31-8A2A-4012C8E0FF9B}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{BCC11C71-76AF-45D3-BBB3-F5484424EA8C}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{BB4C64AA-3F0B-4B51-8ED8-37CC961C3510}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{738A84E1-918C-44C9-8E93-46DB1240ECC2}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{F3249610-7B2E-40F7-8041-3CCD410FE6A6}"= UDP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{B3FE81E3-AE8F-47B7-851D-AA106865D45C}"= TCP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{7B11553E-036F-4874-8B07-255A7C74072B}"= UDP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{E1E98ED7-CB38-4670-8360-65953A030A3D}"= TCP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/23/2008 12:01:42 PM 28544]
R2 EZSERVICE;EZSERVICE;c:\program files\ASUS\EZVCR\EZSERVICE.exe [3/27/2007 6:32:10 PM 61440]
R2 noytcyr;noytcyr Service;c:\windows\system32\noytcyr.exe [11/2/2006 8:46:03 PM 46080]
R2 PD91Agent;PD91Agent;"c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe" [2/28/2008 10:44:58 AM 668936]
R2 solewxte;solewxte Service;c:\windows\system32\solewxte.exe [11/2/2006 8:46:03 PM 45056]
R2 UltiDev Cassini Web Server for ASP.NET 2.0;UltiDev Cassini Web Server for ASP.NET 2.0;"c:\program files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe" [2/8/2007 1:06:10 AM 49152]
R2 WebGuideTranscode;WebGuideTranscode;"d:\program files\WebGuide\WebGuide4\bin\WebGuideTranscodeService.exe" [8/8/2007 8:28:42 PM 40960]
R2 wmcGuideServiceProxy;Windows Media Center Guide Service Proxy;"c:\program files\epgStream.net\wmcGuideServiceProxy\wmcGuideServiceProxyHost.exe" [9/28/2008 1:20:32 AM 22016]
R2 xmltvDownload;XMLTV Download Schedule Service;"c:\program files\epgStream.net\xmltvDownload\xmltvDownloadHost.exe" [9/28/2008 1:12:00 AM 40960]
R3 atikmdag;atikmdag;c:\windows\system32\DRIVERS\atikmdag.sys [10/31/2007 8:53:04 AM 3168768]
R3 MRV6X32P;Vista 32-bits Native WiFi Driver;c:\windows\system32\DRIVERS\MRVW13B.sys [10/16/2007 6:14:24 PM 256512]
R3 u3kmini;ASUS My Cinema-U3000 Mini;c:\windows\system32\Drivers\u3kmini.sys [10/16/2006 5:15:58 PM 350720]
S3 GEST Service;GEST Service for program management.;"c:\program files\GIGABYTE\GEST\GSvr.exe" [3/21/2008 7:34:26 PM 47624]
S3 Mea0xxoe;Mea0xxoe; []
S3 PD91Engine;PD91Engine;"c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe" [2/29/2008 2:08:14 PM 894216]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - h:\wd_windows_tools\WDSetup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e61a0ef-f72b-11dc-8675-001b2f2ce128}]
\shell\AutoRun\command - setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47fee477-fcae-11dc-a19d-001d7daf31dc}]
\shell\AutoRun\command - g:\portableapps\PortableAppsMenu\PortableAppsMenu.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64f9c3cd-022e-11dd-afd1-001d7daf31dc}]
\shell\Auto\command - auto.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
*Newly Created Service* - PAVBOOT
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\users\Media Centre\AppData\Roaming\Mozilla\Firefox\Profiles\dwft2yz6.default\
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-23 14:01:09
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\System32\bgsvcgen.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Symantec AntiVirus\SavRoam.exe
c:\program files\ASUS\EZVCR\Agent.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\epgStream.net\wmcGuideServiceProxy\wmcGuideServiceProxy.exe
c:\program files\Raxco\PerfectDisk2008\PD91AgentS1.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Symantec AntiVirus\VPTray.exe
c:\program files\Nero\Nero8\Nero Toolkit\DriveSpeed.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehshell.exe
c:\windows\ehome\ehmsas.exe
c:\windows\ehome\ehsched.exe
c:\program files\MagicTune Premium\MagicTune.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\System32\wercon.exe
c:\windows\System32\dllhost.exe
c:\windows\System32\dllhost.exe
c:\windows\System32\msdtc.exe
d:\program files\WebGuide\WebGuide4\bin\WebGuideServiceMonitor.exe
c:\windows\System32\tpszxyd.sys
c:\windows\System32\wsldoekd.exe
c:\windows\System32\afisicx.exe
c:\windows\System32\roytctm.exe
c:\windows\System32\udxfytw.sys
c:\windows\System32\tdydowkc.exe
c:\windows\System32\mabidwe.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\System32\soxpeca.exe
.
**************************************************************************
.
Completion time: 2008-11-23 14:05:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-23 03:05:04
Pre-Run: 8,297,168,896 bytes free
Post-Run: 7,967,449,088 bytes free
277
HJK LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:31 PM, on 23/11/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ASUS\EZVCR\Agent.exe
C:\Program Files\ASUS\EZVCR\ASUS_IRAppl.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\Program Files\Nero\Nero8\Nero Toolkit\DriveSpeed.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Program Files\No-IP\DUC20.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Windows\system32\dllhost.exe
C:\Windows\ehome\EHTray.exe
C:\Windows\ehome\ehshell.exe
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\Windows\ehome\ehExtHost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\ehome\ehExtHost.exe
C:\Windows\ehome\ehExtHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
D:\tmp\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Media Centre.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MagicTuneEngine] C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKCU\..\Run: [Windows Media Center] RunDLL32.exe C:\Windows\ehome\ehuihlp.dll,BootMediaCenter
O4 - HKCU\..\Run: [Nero DriveSpeed] "C:\PROGRA~1\Nero\Nero8\NEROTO~1\DRIVES~1.EXE"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O13 - Gopher Prefix:
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: afisicx Portable Media Serial Service (afisicx) - Unknown owner - C:\Windows\system32\afisicx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\Windows\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EZSERVICE - Unknown owner - C:\Program Files\ASUS\EZVCR\EZSERVICE.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\Windows\system32\mabidwe.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\Windows\system32\Nobicyt.exe (file missing)
O23 - Service: noxtcyr Settings storage service (noxtcyr) - Unknown owner - C:\Windows\system32\noxtcyr.exe
O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\Windows\system32\noytcyr.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: perfmons - Unknown owner - C:\Windows\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\Windows\system32\routing.exe
O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\Windows\system32\roytctm.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: solewxte Service (solewxte) - Unknown owner - C:\Windows\system32\solewxte.exe
O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\Windows\system32\soxpeca.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: tdydowkc Service (tdydowkc) - Unknown owner - C:\Windows\system32\tdydowkc.exe
O23 - Service: UltiDev Cassini Web Server for ASP.NET 2.0 - UltiDev LLC - C:\Program Files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe
O23 - Service: WebGuideTranscode - WebGuide LLC - D:\Program Files\WebGuide\WebGuide4\bin\WebGuideTranscodeService.exe
O23 - Service: Windows Media Center Guide Service Proxy (wmcGuideServiceProxy) - epgStream.net - C:\Program Files\epgStream.net\wmcGuideServiceProxy\wmcGuideServiceProxyHost.exe
O23 - Service: wsldoekd Co. Ltd. (wsldoekd) - Unknown owner - C:\Windows\system32\wsldoekd.exe
O23 - Service: XMLTV Download Schedule Service (xmltvDownload) - epgStream.net - C:\Program Files\epgStream.net\xmltvDownload\xmltvDownloadHost.exe
--
End of file - 10158 bytes
Can I delete ComboFix now?
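An added example, not code from this thread or from any of the tools it uses: a small Python triage of the O23 (service) lines in the HijackThis log above. It encodes the rule the log makes obvious by eye: a service with no vendor string ("Unknown owner") whose binary sits directly in system32 is almost never legitimate, and a service whose binary is already gone ("(file missing)") is a dangling registration that still needs removing. The sample lines are copied from the log above (two vendor-signed services are kept for contrast); the parser assumes the HijackThis 2.0.x O23 layout and a drive-letter path, which holds for every O23 line in this thread.

```python
import re

# Constructed sample input: O23 lines copied from the HijackThis log in the
# post above, with two vendor-signed services kept in for contrast.
SAMPLE_O23 = r"""
O23 - Service: afisicx Portable Media Serial Service (afisicx) - Unknown owner - C:\Windows\system32\afisicx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: EZSERVICE - Unknown owner - C:\Program Files\ASUS\EZVCR\EZSERVICE.exe
O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\Windows\system32\mabidwe.exe
O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\Windows\system32\Nobicyt.exe (file missing)
O23 - Service: perfmons - Unknown owner - C:\Windows\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\Windows\system32\routing.exe
O23 - Service: wsldoekd Co. Ltd. (wsldoekd) - Unknown owner - C:\Windows\system32\wsldoekd.exe
"""

# HJT 2.0.x O23 layout: "O23 - Service: <display> - <owner> - <path>".
# Assumption: the path starts with a drive letter (true for every O23 line in
# this thread); display name and owner are matched non-greedily.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.*)$"
)
# "<label> (<short>)" -> the short service name HJT puts in parentheses.
SHORT_RE = re.compile(r"^(?P<label>.*?)\s*\((?P<short>[^()]+)\)\s*$")
# Only files sitting directly in %SystemRoot%\system32, not in a sub-directory.
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\windows\\system32\\[^\\]+$", re.I)
MISSING = " (file missing)"


def parse_o23(line):
    """Return a dict for one O23 line, or None if the line is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display, owner, path = m.group("display"), m.group("owner"), m.group("path")
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)]
    sm = SHORT_RE.match(display)
    label, short = (sm.group("label"), sm.group("short")) if sm else (display, display)
    return {"display": display, "label": label, "short": short,
            "owner": owner, "path": path, "missing": missing}


def triage(entry):
    """Reasons this service deserves a second look; an empty list means no finding."""
    reasons = []
    unknown = entry["owner"].lower() == "unknown owner"
    if entry["missing"]:
        reasons.append("binary is gone but the service registration remains")
    if unknown and SYSTEM32_RE.match(entry["path"]):
        reasons.append("no vendor string and runs straight from system32")
    # Hint only: generated names look like "<x> Service (<x>)".
    if unknown and entry["label"].lower() == f"{entry['short'].lower()} service":
        reasons.append("boilerplate display name built from the short name")
    return reasons


def flag_services(log_text):
    """Map short service name -> reasons, for every O23 entry with a hard finding."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        reasons = triage(entry)
        # The display-name hint on its own is not enough to flag a service.
        hard = [r for r in reasons if not r.startswith("boilerplate")]
        if hard:
            findings[entry["short"]] = reasons
    return findings


if __name__ == "__main__":
    for short, reasons in flag_services(SAMPLE_O23).items():
        print(f"{short}: " + "; ".join(reasons))
```

Run as-is it flags six of the nine sample services (afisicx, mabidwe, nobicyt, perfmons, Routing, wsldoekd) and leaves the Apple, ATI and ASUS entries alone; the same rules applied to the full log above also pick up noxtcyr, noytcyr, roytctm, solewxte, soxpeca and tdydowkc. Worth noting against the Malwarebytes log later in the thread: perfs.exe, routing.exe, noxtcyr.exe and the dangling nobicyt registration are not in its removal list, which is why the fresh HijackThis log the helper asks for is the check that matters, not a single scanner's results.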
-
No, don't delete ComboFix yet.
Ensure that Windows Defender is also disabled:
1. Open Windows Defender by clicking the Start button, clicking All Programs, and then clicking Windows Defender.
2. Click Tools, and then click Options.
3. Under Administrator options, select or clear the Use Windows Defender check box, and then click Save. (Administrator permission required: if you are prompted for an administrator password or confirmation, type the password or provide confirmation.)
Can you do the following:
You still have Malwarebytes Anti-Malware installed.
Can you open it?
Don't run it yet.
Instead, check for Updates and let it update.
Keep rechecking for updates till you are sure you have the latest version and latest database.
Afterwards, click the Scanner tab, select Quick Scan, then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Run ComboFix again with the previous instructions.
Post the new log from ComboFix
The log from MBAM
A fresh HijackThis log
-
ComboFix 08-11-22.02 - Media Centre 2008-11-23 14:59:24.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2343 [GMT 11:00]
Running from: c:\users\Media Centre\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Install.txt
c:\windows\system32\tpszxyd.sys
.
((((((((((((((((((((((((( Files Created from 2008-10-23 to 2008-11-23 )))))))))))))))))))))))))))))))
.
2008-11-23 14:52 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-23 14:52 . 2008-10-22 16:10 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-11-23 12:40 . 2008-11-23 12:40 <DIR> d-------- C:\rsit
2008-11-23 12:01 . 2008-11-23 12:01 <DIR> d-------- c:\program files\Panda Security
2008-11-23 12:01 . 2008-06-19 17:24 28,544 --a------ c:\windows\System32\drivers\pavboot.sys
2008-11-23 11:58 . 2008-11-23 12:00 <DIR> d-------- c:\users\Media Centre\.housecall6.6
2008-11-23 11:19 . 2008-11-23 11:19 <DIR> d-------- c:\users\All Users\MC Menu Mender BETA
2008-11-23 11:19 . 2008-11-23 11:19 <DIR> d-------- c:\programdata\MC Menu Mender BETA
2008-11-23 11:19 . 2008-11-23 11:19 <DIR> d-------- c:\program files\MC Menu Mender
2008-11-23 11:16 . 2008-11-23 11:16 <DIR> d-------- c:\program files\SamSoft
2008-11-16 20:17 . 2008-11-16 20:17 <DIR> d-------- c:\program files\Xvid
2008-11-16 20:17 . 2007-06-28 18:52 765,952 --a------ c:\windows\System32\xvidcore.dll
2008-11-16 20:17 . 2007-06-28 18:54 180,224 --a------ c:\windows\System32\xvidvfw.dll
2008-11-16 19:28 . 2008-11-16 19:28 <DIR> d-------- c:\program files\avi.NET
2008-11-16 17:58 . 2008-11-16 17:58 <DIR> d-------- c:\users\All Users\VistaCodecs
2008-11-16 17:58 . 2008-11-16 17:58 <DIR> d-------- c:\programdata\VistaCodecs
2008-11-15 12:21 . 2008-11-15 12:23 <DIR> d-------- c:\users\All Users\OpenMediaLibrary
2008-11-15 12:21 . 2008-11-15 12:23 <DIR> d-------- c:\programdata\OpenMediaLibrary
2008-11-15 12:20 . 2008-11-15 12:20 <DIR> d-------- c:\program files\OpenMediaLibrary
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 03:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-22 06:46 --------- d-----w c:\users\Media Centre\AppData\Roaming\uTorrent
2008-11-21 23:48 --------- d---a-w c:\programdata\TEMP
2008-11-21 23:46 --------- d-----w c:\users\Media Centre\AppData\Roaming\VideoReDoPlus
2008-11-17 07:29 --------- d-----w c:\program files\AviSynth 2.5
2008-11-16 22:03 --------- d-----w c:\programdata\VideoBrowser
2008-11-16 09:15 --------- d-----w c:\program files\DivX
2008-11-16 09:13 --------- d-----w c:\program files\Winnydows
2008-11-16 07:00 --------- d-----w c:\program files\Common Files\PX Storage Engine
2008-10-19 03:24 --------- d-----w c:\programdata\IsolatedStorage
2008-10-19 03:24 --------- d-----w c:\programdata\epgStream.net
2008-10-19 03:24 --------- d-----w c:\program files\epgStream.net
2008-10-07 04:11 --------- d-----w c:\program files\Red Kawa
2008-09-30 23:23 --------- d-----w c:\users\Media Centre\AppData\Roaming\MusicIP
2008-09-30 23:23 --------- d-----w c:\program files\MusicIP
2008-09-05 12:16 1,900,544 ----a-w c:\windows\System32\usbaaplrc.dll
2008-08-29 00:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
2008-08-28 23:53 61,440 ----a-w c:\windows\System32\dnssd.dll
2008-07-24 01:07 47,360 ----a-w c:\users\Media Centre\AppData\Roaming\pcouffin.sys
2008-03-21 09:33 174 --sha-w c:\program files\desktop.ini
2008-02-14 03:28 29 ----a-w c:\program files\version.ini
2008-02-14 03:23 231,944 ----a-w c:\program files\gwflash.exe
2007-10-16 07:19 245,248 ----a-w c:\windows\inf\WG311v3\Vista64\MRVW13C.sys
2007-10-16 07:14 256,512 ----a-w c:\windows\inf\WG311v3\Vista32\MRVW13B.sys
2007-09-21 08:42 19,008 ----a-w c:\program files\markfun.a64
2007-08-21 08:49 17,912 ----a-w c:\program files\markfun.w32
2007-08-21 08:49 125,504 ----a-w c:\program files\MarkFunDrv.dll
2007-05-24 04:58 249,856 ----a-w c:\windows\inf\WG311v3\Vista32\InsDrv2k.exe
2007-04-04 07:35 207,680 ----a-w c:\program files\updateutility.exe
2007-03-29 17:36 301 ----a-w c:\program files\update.ini
2007-03-01 17:48 240,448 ----a-w c:\program files\gwf32.exe
2006-11-23 12:47 207,680 ----a-w c:\program files\BIOS_Run.exe
2006-11-23 12:40 60,224 ----a-w c:\program files\HUADRV.DLL
2006-11-03 07:09 528 ----a-w c:\program files\CONFIG.INI
2005-11-17 05:46 845,736 ----a-w c:\windows\inf\WG311v3\Vista64\DPInst.exe
2005-04-27 08:40 6,800 ----a-w c:\program files\W95_HUA.vxd
2008-05-07 08:37 16,496 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows NT\DiskQuota\NTDiskQuotaSidCache.dat
.
((((((((((((((((((((((((((((( snapshot@2008-11-23_14.04.12.94 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-23 03:57:26 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-11-23 03:57:26 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-11-23 03:01:08 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-11-23 03:58:58 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-11-23 03:58:58 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-11-23 03:01:09 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-11-23 04:00:48 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-11-23 04:00:48 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-11-23 03:01:46 1,425,408 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-11-23 03:55:06 1,425,408 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-23 03:01:46 5,865,472 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-23 03:55:06 5,865,472 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-23 03:01:46 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-23 03:55:06 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-23 00:15:27 105,448 ----a-w c:\windows\System32\perfc009.dat
+ 2008-11-23 03:07:05 105,448 ----a-w c:\windows\System32\perfc009.dat
- 2008-11-23 00:15:27 599,942 ----a-w c:\windows\System32\perfh009.dat
+ 2008-11-23 03:07:05 599,942 ----a-w c:\windows\System32\perfh009.dat
- 2008-11-23 00:10:17 12,182 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-220370344-2337913255-810275737-1000_UserData.bin
+ 2008-11-23 03:59:15 12,342 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-220370344-2337913255-810275737-1000_UserData.bin
- 2008-11-23 00:10:16 72,060 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-11-23 03:59:14 72,306 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-11-23 00:10:14 78,702 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-11-23 03:59:11 79,058 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-18 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-18 125952]
"PowerArchiver Tray"="c:\program files\PowerArchiver\PASTARTER.EXE" [2007-02-23 139816]
"Windows Media Center"="c:\windows\ehome\ehuihlp.dll" [2008-01-18 1499136]
"Nero DriveSpeed"="c:\progra~1\Nero\Nero8\NEROTO~1\DRIVES~1.EXE" [2007-09-20 1975592]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"RemoteControl"="c:\program files\ASUSTek\ASUSDVD\PDVDServ.exe" [2005-01-12 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"MagicTuneEngine"="c:\program files\MagicTune Premium\MagicTuneEngine.exe" [2007-06-14 69632]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-09 289576]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-04-03 136080]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2008-10-22 1261200]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-19 c:\windows\RtHDVCpl.exe]
c:\users\Media Centre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
No-IP DUC.lnk - c:\program files\No-IP\DUC20.exe [5/10/2008 7:27:33 PM 1172992]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [4/22/2008 11:42:26 AM 36864]
NETGEAR WG311v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG311v3\WG311v3.exe [8/31/2005 11:46:50 AM 1691648]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.CDVC"= cdvccodc.dll
"msacm.divxa32"= divxa32.acm
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{AEAB85D1-5BDF-44BE-B1E5-0AFE137237E9}c:\\program files\\gigabyte\\gest\\run.exe"= UDP:c:\program files\gigabyte\gest\run.exe:update
"UDP Query User{88B75BFA-0E87-48C8-ACCC-64504BDBAA65}c:\\program files\\gigabyte\\gest\\run.exe"= TCP:c:\program files\gigabyte\gest\run.exe:update
"TCP Query User{651256BB-6D67-49C0-90DB-1174C4F5FEDF}c:\\program files\\gigabyte\\gest\\run.exe"= UDP:c:\program files\gigabyte\gest\run.exe:update
"UDP Query User{8F5BE7E9-D5F4-4D35-BE47-F8CAD9CA4644}c:\\program files\\gigabyte\\gest\\run.exe"= TCP:c:\program files\gigabyte\gest\run.exe:update
"TCP Query User{3176DAF5-F46E-43E0-B540-13A846A82E04}c:\\program files\\gigabyte\\@bios\\gwflash.exe"= UDP:c:\program files\gigabyte\@bios\gwflash.exe:gwflash
"UDP Query User{70F4429B-2439-419B-83FF-DA766D263D61}c:\\program files\\gigabyte\\@bios\\gwflash.exe"= TCP:c:\program files\gigabyte\@bios\gwflash.exe:gwflash
"TCP Query User{43FAAC04-9451-4360-9EAA-1F1B364B3CD1}c:\\program files\\gwflash.exe"= UDP:c:\program files\gwflash.exe:gwflash
"UDP Query User{FDB4E5B5-5285-415F-9806-B389D2B09A13}c:\\program files\\gwflash.exe"= TCP:c:\program files\gwflash.exe:gwflash
"TCP Query User{F204A39D-B297-49FF-B63B-C4D9F639D8EB}c:\\program files\\gigabyte\\@bios\\update.exe"= UDP:c:\program files\gigabyte\@bios\update.exe:update
"UDP Query User{BE296ADA-9CC5-46D0-87F5-A7E18186440F}c:\\program files\\gigabyte\\@bios\\update.exe"= TCP:c:\program files\gigabyte\@bios\update.exe:update
"TCP Query User{3367E75B-FFF5-4413-BF67-C7D933706696}d:\\program files\\tmnationsforever\\tmforever.exe"= UDP:d:\program files\tmnationsforever\tmforever.exe:TmForever
"UDP Query User{C2630B7A-93F5-4D51-9450-CD343A773C42}d:\\program files\\tmnationsforever\\tmforever.exe"= TCP:d:\program files\tmnationsforever\tmforever.exe:TmForever
"{8A86151E-16AA-4308-A077-9FE605C9F5C0}"= UDP:c:\program files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe:UltiDev Cassini Web Server for ASP.NET 2.0
"{DA808245-DD19-4E61-85A7-AC37F31800E9}"= TCP:c:\program files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe:UltiDev Cassini Web Server for ASP.NET 2.0
"TCP Query User{B61B2908-E781-4FD2-9214-29C99ED0E153}d:\\program files\\webguide\\webguide4\\bin\\webguide_configuration.exe"= UDP:d:\program files\webguide\webguide4\bin\webguide_configuration.exe:WebGuide_Configuration
"UDP Query User{8BAF1DF4-D050-4971-A25B-7C2AF68A5C09}d:\\program files\\webguide\\webguide4\\bin\\webguide_configuration.exe"= TCP:d:\program files\webguide\webguide4\bin\webguide_configuration.exe:WebGuide_Configuration
"{963CC70A-5B6D-4869-AA0A-89C5C268AB98}"= UDP:56484:WebGuide
"{AAA7EFBE-C8E3-4590-A219-47EBEDF338FF}"= UDP:56485:WebGuide
"TCP Query User{4F3FFA99-7D4E-4E2A-9D3A-6ADAD9A3EFC3}c:\\program files\\nero\\nero8\\nero showtime\\showtime.exe"= UDP:c:\program files\nero\nero8\nero showtime\showtime.exe:Nero ShowTime Essentials
"UDP Query User{A51263EA-0DD2-44DC-875A-B59D3AD8D540}c:\\program files\\nero\\nero8\\nero showtime\\showtime.exe"= TCP:c:\program files\nero\nero8\nero showtime\showtime.exe:Nero ShowTime Essentials
"{46A11C06-2E57-436B-BFAE-FF65419BF063}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{236B0E50-A09C-4E5D-91B1-4A1FBDB104F0}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{90C63744-6260-4009-ABFF-89AD6FD2957B}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{54A692D9-818D-481C-8529-E4F1241206A9}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{70C45649-7952-4C31-8A2A-4012C8E0FF9B}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{BCC11C71-76AF-45D3-BBB3-F5484424EA8C}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{BB4C64AA-3F0B-4B51-8ED8-37CC961C3510}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{738A84E1-918C-44C9-8E93-46DB1240ECC2}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{F3249610-7B2E-40F7-8041-3CCD410FE6A6}"= UDP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{B3FE81E3-AE8F-47B7-851D-AA106865D45C}"= TCP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{7B11553E-036F-4874-8B07-255A7C74072B}"= UDP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{E1E98ED7-CB38-4670-8360-65953A030A3D}"= TCP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/23/2008 12:01:42 PM 28544]
R2 EZSERVICE;EZSERVICE;c:\program files\ASUS\EZVCR\EZSERVICE.exe [3/27/2007 6:32:10 PM 61440]
R2 PD91Agent;PD91Agent;"c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe" [2/28/2008 10:44:58 AM 668936]
R2 UltiDev Cassini Web Server for ASP.NET 2.0;UltiDev Cassini Web Server for ASP.NET 2.0;"c:\program files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe" [2/8/2007 1:06:10 AM 49152]
R2 WebGuideTranscode;WebGuideTranscode;"d:\program files\WebGuide\WebGuide4\bin\WebGuideTranscodeService.exe" [8/8/2007 8:28:42 PM 40960]
R2 wmcGuideServiceProxy;Windows Media Center Guide Service Proxy;"c:\program files\epgStream.net\wmcGuideServiceProxy\wmcGuideServiceProxyHost.exe" [9/28/2008 1:20:32 AM 22016]
R2 xmltvDownload;XMLTV Download Schedule Service;"c:\program files\epgStream.net\xmltvDownload\xmltvDownloadHost.exe" [9/28/2008 1:12:00 AM 40960]
R3 atikmdag;atikmdag;c:\windows\system32\DRIVERS\atikmdag.sys [10/31/2007 8:53:04 AM 3168768]
R3 MRV6X32P;Vista 32-bits Native WiFi Driver;c:\windows\system32\DRIVERS\MRVW13B.sys [10/16/2007 6:14:24 PM 256512]
R3 u3kmini;ASUS My Cinema-U3000 Mini;c:\windows\system32\Drivers\u3kmini.sys [10/16/2006 5:15:58 PM 350720]
S3 GEST Service;GEST Service for program management.;"c:\program files\GIGABYTE\GEST\GSvr.exe" [3/21/2008 7:34:26 PM 47624]
S3 Mea0xxoe;Mea0xxoe; []
S3 PD91Engine;PD91Engine;"c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe" [2/29/2008 2:08:14 PM 894216]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - h:\wd_windows_tools\WDSetup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e61a0ef-f72b-11dc-8675-001b2f2ce128}]
\shell\AutoRun\command - setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47fee477-fcae-11dc-a19d-001d7daf31dc}]
\shell\AutoRun\command - g:\portableapps\PortableAppsMenu\PortableAppsMenu.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64f9c3cd-022e-11dd-afd1-001d7daf31dc}]
\shell\Auto\command - auto.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\users\Media Centre\AppData\Roaming\Mozilla\Firefox\Profiles\dwft2yz6.default\
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-23 15:01:00
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-11-23 15:01:59
ComboFix-quarantined-files.txt 2008-11-23 04:01:57
ComboFix2.txt 2008-11-23 03:05:08
Pre-Run: 7,915,225,088 bytes free
Post-Run: 7,893,602,304 bytes free
230
MALWARE:
Malwarebytes' Anti-Malware 1.30
Database version: 1417
Windows 6.0.6001 Service Pack 1
23/11/2008 2:55:25 PM
mbam-log-2008-11-23 (14-55-25).txt
Scan type: Quick Scan
Objects scanned: 44913
Time elapsed: 1 minute(s), 31 second(s)
Memory Processes Infected: 8
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9
Memory Processes Infected:
C:\Windows\System32\solewxte.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Windows\System32\afisicx.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Windows\System32\mabidwe.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Windows\System32\noytcyr.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Windows\System32\roytctm.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Windows\System32\soxpeca.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Windows\System32\tdydowkc.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Windows\System32\wsldoekd.exe (Trojan.Agent) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\solewxte (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\solewxte (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\solewxte (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\noytcyr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\noytcyr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\roytctm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\roytctm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\soxpeca (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\soxpeca (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdydowkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdydowkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wsldoekd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wsldoekd (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\System32\solewxte.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\afisicx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\mabidwe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\noytcyr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\roytctm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\soxpeca.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\tdydowkc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\wsldoekd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:31 PM, on 23/11/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ASUS\EZVCR\Agent.exe
C:\Program Files\ASUS\EZVCR\ASUS_IRAppl.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\Program Files\Nero\Nero8\Nero Toolkit\DriveSpeed.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Program Files\No-IP\DUC20.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Windows\system32\dllhost.exe
C:\Windows\ehome\EHTray.exe
C:\Windows\ehome\ehshell.exe
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\Windows\ehome\ehExtHost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\ehome\ehExtHost.exe
C:\Windows\ehome\ehExtHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
D:\tmp\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Media Centre.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MagicTuneEngine] C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKCU\..\Run: [Windows Media Center] RunDLL32.exe C:\Windows\ehome\ehuihlp.dll,BootMediaCenter
O4 - HKCU\..\Run: [Nero DriveSpeed] "C:\PROGRA~1\Nero\Nero8\NEROTO~1\DRIVES~1.EXE"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O13 - Gopher Prefix:
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: afisicx Portable Media Serial Service (afisicx) - Unknown owner - C:\Windows\system32\afisicx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\Windows\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EZSERVICE - Unknown owner - C:\Program Files\ASUS\EZVCR\EZSERVICE.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\Windows\system32\mabidwe.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\Windows\system32\Nobicyt.exe (file missing)
O23 - Service: noxtcyr Settings storage service (noxtcyr) - Unknown owner - C:\Windows\system32\noxtcyr.exe
O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\Windows\system32\noytcyr.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: perfmons - Unknown owner - C:\Windows\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\Windows\system32\routing.exe
O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\Windows\system32\roytctm.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: solewxte Service (solewxte) - Unknown owner - C:\Windows\system32\solewxte.exe
O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\Windows\system32\soxpeca.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: tdydowkc Service (tdydowkc) - Unknown owner - C:\Windows\system32\tdydowkc.exe
O23 - Service: UltiDev Cassini Web Server for ASP.NET 2.0 - UltiDev LLC - C:\Program Files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe
O23 - Service: WebGuideTranscode - WebGuide LLC - D:\Program Files\WebGuide\WebGuide4\bin\WebGuideTranscodeService.exe
O23 - Service: Windows Media Center Guide Service Proxy (wmcGuideServiceProxy) - epgStream.net - C:\Program Files\epgStream.net\wmcGuideServiceProxy\wmcGuideServiceProxyHost.exe
O23 - Service: wsldoekd Co. Ltd. (wsldoekd) - Unknown owner - C:\Windows\system32\wsldoekd.exe
O23 - Service: XMLTV Download Schedule Service (xmltvDownload) - epgStream.net - C:\Program Files\epgStream.net\xmltvDownload\xmltvDownloadHost.exe
--
End of file - 10158 bytes
During the malware scan I had the audio problem again - it sounded like an ad for something :-(
-
The HijackThis log you posted was an old one.
I want to make sure other files are still hiding.
Please do a scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
- Click on the Accept button and install any components it needs.
- The program will install and then begin downloading the latest definition files.
- After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
- This will start the program and scan your system.
- The scan will take a while, so be patient and let it run.
- Once the scan is complete, click on View scan report.
- Now, click on the Save Report as button.
- In the drop-down box labeled Files of type, change the type to Text file and give the file a name.
- Save the file to your desktop.
- Copy and paste that information in your next post.
-
Hey, sorry, the updates are taking a long time, so I will post the new logs in the morning. Thank you so much for your help so far; hopefully we can get rid of this virus soon!!! Cheers
-
Kaspersky Log
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, November 24, 2008
Operating System: Microsoft Windows Vista Ultimate Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, November 23, 2008 01:49:29
Records in database: 1404263
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
Scan statistics:
Files scanned: 115666
Threat name: 19
Infected objects: 45
Suspicious objects: 0
Duration of the scan: 01:41:41
File name / Threat name / Threats count
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16B80000.VBN Infected: Trojan.Win32.DNSChanger.ipq 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\34C40022.VBN Infected: Trojan-Clicker.Win32.VB.btu 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\34C40023.VBN Infected: Trojan.Win32.Delf.eyx 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\34C40024.VBN Infected: Trojan.Win32.Agent.aomo 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\34C40027.VBN Infected: Trojan.Win32.Agent.aomo 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\34C40028.VBN Infected: Trojan.Win32.Agent.aomo 1
C:\Qoobox\Quarantine\C\Windows\System32\afisicx.exe.vir Infected: Trojan.Win32.Agent.aldm 1
C:\Qoobox\Quarantine\C\Windows\System32\noxtcyr.exe.vir Infected: Trojan.Win32.Agent.adfj 1
C:\Qoobox\Quarantine\C\Windows\System32\perfs.exe.vir Infected: Trojan.Win32.Agent.aagc 1
C:\Qoobox\Quarantine\C\Windows\System32\wsldoekd.exe.vir Infected: Trojan.Win32.Agent.abgy 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16B80000.VBN Infected: Trojan.Win32.DNSChanger.ipq 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\34C40022.VBN Infected: Trojan-Clicker.Win32.VB.btu 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\34C40023.VBN Infected: Trojan.Win32.Delf.eyx 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\34C40024.VBN Infected: Trojan.Win32.Agent.aomo 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\34C40027.VBN Infected: Trojan.Win32.Agent.aomo 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\34C40028.VBN Infected: Trojan.Win32.Agent.aomo 1
C:\Windows\System32\otaxyzd.sys Infected: Trojan-Downloader.Win32.Delf.nxm 1
C:\Windows\System32\sxtsyctd.sys Infected: Trojan.Win32.Delf.dwq 1
C:\Windows\System32\sytsyctd.sys Infected: Trojan.Win32.Delf.fdg 1
C:\Windows\System32\tmpxr_12493603732.bk Infected: Trojan.Win32.Agent.aomo 1
C:\Windows\System32\tmpxr_14473625980.bk Infected: Trojan.Win32.Agent.aoml 1
C:\Windows\System32\tmpxr_22714849146.bk Infected: Trojan.Win32.Agent.aomo 1
C:\Windows\System32\tmpxr_29822753375.bk Infected: Trojan.Win32.Agent.aomo 1
C:\Windows\System32\tmpxr_363328710668.bk Infected: Trojan.Win32.Agent.aomo 1
C:\Windows\System32\tmpxr_389931602173.bk Infected: Trojan.Win32.Agent.aomo 1
C:\Windows\System32\tmpxr_407655195666.bk Infected: Trojan.Win32.Agent.aomo 1
C:\Windows\System32\tmpxr_41896297445.bk Infected: Trojan.Win32.Agent.aomo 1
C:\Windows\System32\tmpxr_428438206071.bk Infected: Trojan.Win32.Agent.aomo 1
C:\Windows\System32\tmpxr_47074853538.bk Infected: Trojan.Win32.Agent.agcq 1
C:\Windows\System32\tmpxr_486279743654.bk Infected: Trojan.Win32.Agent.aomo 1
C:\Windows\System32\tmpxr_496483265188.bk Infected: Trojan.Win32.Agent.agcq 1
C:\Windows\System32\tmpxr_497535700406.bk Infected: Trojan.Win32.Agent.aomo 1
C:\Windows\System32\tmpxr_524603798649.bk Infected: Trojan.Win32.Agent.aomo 1
C:\Windows\System32\tmpxr_56018976788.bk Infected: Trojan.Win32.Agent.aoml 1
C:\Windows\System32\tmpxr_643621144325.bk Infected: Trojan.Win32.Agent.aomo 1
C:\Windows\System32\tmpxr_67648332970.bk Infected: Trojan.Win32.Agent.aomo 1
C:\Windows\System32\tmpxr_755151303061.bk Infected: Trojan.Win32.Agent.aomo 1
C:\Windows\System32\tmpxr_828407789394.bk Infected: Trojan.Win32.Agent.aomo 1
C:\Windows\System32\tmpxr_829061536196.bk Infected: Trojan.Win32.Agent.aoml 1
C:\Windows\System32\tmpxr_839401238675.bk Infected: Trojan.Win32.Delf.ffa 1
C:\Windows\System32\udxfytw.sys Infected: Trojan.Win32.Agent.albx 1
D:\tmp\Downloads\DVDFab.Platinum v.5.0.6.0 with.Serial\DVDFab5060.exe Infected: Trojan-Dropper.Win32.SFX.p 1
D:\tmp\FU-Setup_LE.exe Infected: not-a-virus:AdWare.Win32.Rabio.ij 1
D:\tmp\SmitfraudFix.exe Infected: Hoax.Win32.Renos.dws 1
D:\tmp\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
The selected area was scanned.
HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:05:51 PM, on 24/11/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\ASUS\EZVCR\Agent.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\Program Files\Nero\Nero8\Nero Toolkit\DriveSpeed.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\ehome\ehShell.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\ehome\ehExtHost.exe
C:\Windows\system32\dllhost.exe
C:\Windows\ehome\ehExtHost.exe
C:\Program Files\avi.NET\avi.NET.exe
C:\Program Files\Pegasys Inc\TMPGEnc 4.0 XPress\TMPGEnc4XP.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MagicTuneEngine] C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKCU\..\Run: [Windows Media Center] RunDLL32.exe C:\Windows\ehome\ehuihlp.dll,BootMediaCenter
O4 - HKCU\..\Run: [Nero DriveSpeed] "C:\PROGRA~1\Nero\Nero8\NEROTO~1\DRIVES~1.EXE"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O13 - Gopher Prefix:
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\Windows\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EZSERVICE - Unknown owner - C:\Program Files\ASUS\EZVCR\EZSERVICE.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: UltiDev Cassini Web Server for ASP.NET 2.0 - UltiDev LLC - C:\Program Files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe
O23 - Service: WebGuideTranscode - WebGuide LLC - D:\Program Files\WebGuide\WebGuide4\bin\WebGuideTranscodeService.exe
O23 - Service: Windows Media Center Guide Service Proxy (wmcGuideServiceProxy) - epgStream.net - C:\Program Files\epgStream.net\wmcGuideServiceProxy\wmcGuideServiceProxyHost.exe
O23 - Service: XMLTV Download Schedule Service (xmltvDownload) - epgStream.net - C:\Program Files\epgStream.net\xmltvDownload\xmltvDownloadHost.exe
--
End of file - 8306 bytes
-
Can you do the following:
Delete your copy of ComboFix from your desktop.
Then redownload a fresh copy from the following link and save it again ONLY to your desktop:
ComboFix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Don't run it yet.
Instead:
I'm not sure what drive letter represents your H: drive, but if you have any external USB flash drives, hard drives, etc., can you ensure they are plugged into your computer.
If they do autostart, just close them out for now, but leave them plugged into the computer for now.
Can you also empty Norton's Anti-Virus Quarantine area.
Copy ALL the BLUE text below and paste it into Notepad.
Don't use anything other than Notepad or the script will not work.
KillAll::
File::
C:\Windows\System32\otaxyzd.sys
C:\Windows\System32\sxtsyctd.sys
C:\Windows\System32\sytsyctd.sys
C:\Windows\System32\tmpxr_12493603732.bk
C:\Windows\System32\tmpxr_14473625980.bk
C:\Windows\System32\tmpxr_22714849146.bk
C:\Windows\System32\tmpxr_29822753375.bk
C:\Windows\System32\tmpxr_363328710668.bk
C:\Windows\System32\tmpxr_389931602173.bk
C:\Windows\System32\tmpxr_407655195666.bk
C:\Windows\System32\tmpxr_41896297445.bk
C:\Windows\System32\tmpxr_428438206071.bk
C:\Windows\System32\tmpxr_47074853538.bk
C:\Windows\System32\tmpxr_486279743654.bk
C:\Windows\System32\tmpxr_496483265188.bk
C:\Windows\System32\tmpxr_524603798649.bk
C:\Windows\System32\tmpxr_56018976788.bk
C:\Windows\System32\tmpxr_643621144325.bk
C:\Windows\System32\tmpxr_67648332970.bk
C:\Windows\System32\tmpxr_755151303061.bk
C:\Windows\System32\tmpxr_828407789394.bk
C:\Windows\System32\tmpxr_829061536196.bk
C:\Windows\System32\tmpxr_839401238675.bk
C:\Windows\System32\udxfytw.sys
D:\tmp\Downloads\DVDFab.Platinum v.5.0.6.0 with.Serial\DVDFab5060.exe
D:\tmp\FU-Setup_LE.exe
D:\tmp\SmitfraudFix.exe
Driver::
Mea0xxoe
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - h:\wd_windows_tools\WDSetup.exe
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64f9c3cd-022e-11dd-afd1-001d7daf31dc}]
Save this as a txt file on your desktop, with the exact name of
CFScript
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Drag CFScript.txt into ComboFix.exe.
ComboFix will start >> follow the prompts.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
When finished, it shall produce a log for you with the same name, C:\ComboFix.txt.
I'll need to see that log again later.
But before you post it back:
Can you leave any external flash drives plugged in, go back and run another virus scan at Kaspersky's.
It shouldn't take so long to load this time.
Ensure to scan "My Computer".
Post the results along with the new log from ComboFix, please.
-
I am at work at the moment but will do this as soon as I get home.
As for the H: drive... that could be one of many - a USB key OR a USB HDD (very new, about 2 weeks old, used as a back-up). Is there any chance I could lose the data on this drive?
By the look of the scan, the computer seems fairly infected - does this seem like something that would cause the music/audio stuff to occur?
ALSO - as you probably know from the logs, I have 4GB RAM (3.5GB in Vista), and when the computer idles (for me this is with Media Centre open but not doing anything) it utilises over 2GB, normally about 2.2-2.3GB.
This is not normal and did not use to be like this - it used to idle well below 2GB. Could a virus be causing this?
Cheers
-
With the infections you have/had, some files are related to backdoor trojans and rootkit infections.
There can never be a guarantee that you will be 100% clean.
You do have a choice of backing up and doing a clean install to guarantee the computer is clean.
I would also change all online passwords,
e.g. banking, email, etc.
BUT >> we could clean it and you may be OK; however, if you choose to reinstall,
I would make sure that none of your external drives are infected.
They would need to be scanned with an updated virus scanner.
It may be best at this time to follow my last set of instructions.
Also, ensure to connect your externals and run Kaspersky's on them,
ensuring they are clean.
-
Here is the ComboFix log:
ComboFix 08-11-24.01 - Media Centre 2008-11-25 19:55:44.3 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.985 [GMT 11:00]
Running from: c:\users\Media Centre\Desktop\ComboFix.exe
Command switches used :: c:\users\Media Centre\Desktop\CFScript.txt
* Created a new restore point
FILE ::
c:\windows\System32\otaxyzd.sys
c:\windows\System32\sxtsyctd.sys
c:\windows\System32\sytsyctd.sys
c:\windows\System32\tmpxr_12493603732.bk
c:\windows\System32\tmpxr_14473625980.bk
c:\windows\System32\tmpxr_22714849146.bk
c:\windows\System32\tmpxr_29822753375.bk
c:\windows\System32\tmpxr_363328710668.bk
c:\windows\System32\tmpxr_389931602173.bk
c:\windows\System32\tmpxr_407655195666.bk
c:\windows\System32\tmpxr_41896297445.bk
c:\windows\System32\tmpxr_428438206071.bk
c:\windows\System32\tmpxr_47074853538.bk
c:\windows\System32\tmpxr_486279743654.bk
c:\windows\System32\tmpxr_496483265188.bk
c:\windows\System32\tmpxr_524603798649.bk
c:\windows\System32\tmpxr_56018976788.bk
c:\windows\System32\tmpxr_643621144325.bk
c:\windows\System32\tmpxr_67648332970.bk
c:\windows\System32\tmpxr_755151303061.bk
c:\windows\System32\tmpxr_828407789394.bk
c:\windows\System32\tmpxr_829061536196.bk
c:\windows\System32\tmpxr_839401238675.bk
c:\windows\System32\udxfytw.sys
d:\tmp\Downloads\DVDFab.Platinum v.5.0.6.0 with.Serial\DVDFab5060.exe
d:\tmp\FU-Setup_LE.exe
d:\tmp\SmitfraudFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\System32\otaxyzd.sys
c:\windows\System32\sxtsyctd.sys
c:\windows\System32\sytsyctd.sys
c:\windows\System32\tmpxr_12493603732.bk
c:\windows\System32\tmpxr_14473625980.bk
c:\windows\System32\tmpxr_22714849146.bk
c:\windows\System32\tmpxr_29822753375.bk
c:\windows\System32\tmpxr_363328710668.bk
c:\windows\System32\tmpxr_389931602173.bk
c:\windows\System32\tmpxr_407655195666.bk
c:\windows\System32\tmpxr_41896297445.bk
c:\windows\System32\tmpxr_428438206071.bk
c:\windows\System32\tmpxr_47074853538.bk
c:\windows\System32\tmpxr_486279743654.bk
c:\windows\System32\tmpxr_496483265188.bk
c:\windows\System32\tmpxr_524603798649.bk
c:\windows\System32\tmpxr_56018976788.bk
c:\windows\System32\tmpxr_643621144325.bk
c:\windows\System32\tmpxr_67648332970.bk
c:\windows\System32\tmpxr_755151303061.bk
c:\windows\System32\tmpxr_828407789394.bk
c:\windows\System32\tmpxr_829061536196.bk
c:\windows\System32\tmpxr_839401238675.bk
c:\windows\System32\udxfytw.sys
d:\tmp\Downloads\DVDFab.Platinum v.5.0.6.0 with.Serial\DVDFab5060.exe
d:\tmp\FU-Setup_LE.exe
d:\tmp\SmitfraudFix.exe
I:\autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_Mea0xxoe
((((((((((((((((((((((((( Files Created from 2008-10-25 to 2008-11-25 )))))))))))))))))))))))))))))))
.
2008-11-24 15:45 . 2008-11-24 15:50 19 --a------ C:\videos.vf
2008-11-23 14:52 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-23 14:52 . 2008-10-22 16:10 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-11-23 12:40 . 2008-11-23 12:40 <DIR> d-------- C:\rsit
2008-11-23 12:01 . 2008-11-23 12:01 <DIR> d-------- c:\program files\Panda Security
2008-11-23 12:01 . 2008-06-19 17:24 28,544 --a------ c:\windows\System32\drivers\pavboot.sys
2008-11-23 11:58 . 2008-11-23 12:00 <DIR> d-------- c:\users\Media Centre\.housecall6.6
2008-11-23 11:19 . 2008-11-23 11:19 <DIR> d-------- c:\users\All Users\MC Menu Mender BETA
2008-11-23 11:19 . 2008-11-23 11:19 <DIR> d-------- c:\programdata\MC Menu Mender BETA
2008-11-23 11:19 . 2008-11-23 11:19 <DIR> d-------- c:\program files\MC Menu Mender
2008-11-23 11:16 . 2008-11-23 11:16 <DIR> d-------- c:\program files\SamSoft
2008-11-16 20:17 . 2008-11-16 20:17 <DIR> d-------- c:\program files\Xvid
2008-11-16 20:17 . 2007-06-28 18:52 765,952 --a------ c:\windows\System32\xvidcore.dll
2008-11-16 20:17 . 2007-06-28 18:54 180,224 --a------ c:\windows\System32\xvidvfw.dll
2008-11-16 19:28 . 2008-11-16 19:28 <DIR> d-------- c:\program files\avi.NET
2008-11-16 17:58 . 2008-11-16 17:58 <DIR> d-------- c:\users\All Users\VistaCodecs
2008-11-16 17:58 . 2008-11-16 17:58 <DIR> d-------- c:\programdata\VistaCodecs
2008-11-15 12:21 . 2008-11-15 12:23 <DIR> d-------- c:\users\All Users\OpenMediaLibrary
2008-11-15 12:21 . 2008-11-15 12:23 <DIR> d-------- c:\programdata\OpenMediaLibrary
2008-11-15 12:20 . 2008-11-15 12:20 <DIR> d-------- c:\program files\OpenMediaLibrary
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-24 10:49 --------- d-----w c:\users\Media Centre\AppData\Roaming\VideoReDoPlus
2008-11-24 10:48 --------- d---a-w c:\programdata\TEMP
2008-11-23 03:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-22 06:46 --------- d-----w c:\users\Media Centre\AppData\Roaming\uTorrent
2008-11-17 07:29 --------- d-----w c:\program files\AviSynth 2.5
2008-11-16 22:03 --------- d-----w c:\programdata\VideoBrowser
2008-11-16 09:15 --------- d-----w c:\program files\DivX
2008-11-16 09:13 --------- d-----w c:\program files\Winnydows
2008-11-16 07:00 --------- d-----w c:\program files\Common Files\PX Storage Engine
2008-10-19 03:24 --------- d-----w c:\programdata\IsolatedStorage
2008-10-19 03:24 --------- d-----w c:\programdata\epgStream.net
2008-10-19 03:24 --------- d-----w c:\program files\epgStream.net
2008-10-07 04:11 --------- d-----w c:\program files\Red Kawa
2008-09-30 23:23 --------- d-----w c:\users\Media Centre\AppData\Roaming\MusicIP
2008-09-30 23:23 --------- d-----w c:\program files\MusicIP
2008-07-24 01:07 47,360 ----a-w c:\users\Media Centre\AppData\Roaming\pcouffin.sys
2008-03-21 09:33 174 --sha-w c:\program files\desktop.ini
2008-02-14 03:28 29 ----a-w c:\program files\version.ini
2008-02-14 03:23 231,944 ----a-w c:\program files\gwflash.exe
2007-10-16 07:19 245,248 ----a-w c:\windows\inf\WG311v3\Vista64\MRVW13C.sys
2007-10-16 07:14 256,512 ----a-w c:\windows\inf\WG311v3\Vista32\MRVW13B.sys
2007-09-21 08:42 19,008 ----a-w c:\program files\markfun.a64
2007-08-21 08:49 17,912 ----a-w c:\program files\markfun.w32
2007-08-21 08:49 125,504 ----a-w c:\program files\MarkFunDrv.dll
2007-05-24 04:58 249,856 ----a-w c:\windows\inf\WG311v3\Vista32\InsDrv2k.exe
2007-04-04 07:35 207,680 ----a-w c:\program files\updateutility.exe
2007-03-29 17:36 301 ----a-w c:\program files\update.ini
2007-03-01 17:48 240,448 ----a-w c:\program files\gwf32.exe
2006-11-23 12:47 207,680 ----a-w c:\program files\BIOS_Run.exe
2006-11-23 12:40 60,224 ----a-w c:\program files\HUADRV.DLL
2006-11-03 07:09 528 ----a-w c:\program files\CONFIG.INI
2005-11-17 05:46 845,736 ----a-w c:\windows\inf\WG311v3\Vista64\DPInst.exe
2005-04-27 08:40 6,800 ----a-w c:\program files\W95_HUA.vxd
2008-05-07 08:37 16,496 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows NT\DiskQuota\NTDiskQuotaSidCache.dat
.
((((((((((((((((((((((((((((( snapshot@2008-11-23_14.04.12.94 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-23 02:59:10 1,143,664 ----a-w c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-11-25 08:58:28 1,143,664 ----a-w c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2008-11-23 03:01:08 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-11-25 09:00:43 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-11-25 09:00:43 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-11-23 03:01:09 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-11-25 09:00:42 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-11-25 09:00:42 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-11-23 03:01:46 1,425,408 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-11-23 03:55:06 1,425,408 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-23 03:01:46 5,865,472 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-23 03:55:06 5,865,472 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-23 03:01:46 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-23 03:55:06 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-23 02:57:00 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2008-11-25 08:55:14 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
- 2008-11-23 00:15:27 105,448 ----a-w c:\windows\System32\perfc009.dat
+ 2008-11-23 04:02:52 105,448 ----a-w c:\windows\System32\perfc009.dat
- 2008-11-23 00:15:27 599,942 ----a-w c:\windows\System32\perfh009.dat
+ 2008-11-23 04:02:52 599,942 ----a-w c:\windows\System32\perfh009.dat
- 2008-11-23 00:10:17 12,182 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-220370344-2337913255-810275737-1000_UserData.bin
+ 2008-11-23 03:59:15 12,342 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-220370344-2337913255-810275737-1000_UserData.bin
- 2008-11-23 00:10:16 72,060 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-11-23 03:59:14 72,306 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-11-23 00:10:14 78,702 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-11-23 03:59:11 79,058 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-18 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-18 125952]
"PowerArchiver Tray"="c:\program files\PowerArchiver\PASTARTER.EXE" [2007-02-23 139816]
"Windows Media Center"="c:\windows\ehome\ehuihlp.dll" [2008-01-18 1499136]
"Nero DriveSpeed"="c:\progra~1\Nero\Nero8\NEROTO~1\DRIVES~1.EXE" [2007-09-20 1975592]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"RemoteControl"="c:\program files\ASUSTek\ASUSDVD\PDVDServ.exe" [2005-01-12 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"MagicTuneEngine"="c:\program files\MagicTune Premium\MagicTuneEngine.exe" [2007-06-14 69632]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-09 289576]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-04-03 136080]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2008-10-22 1261200]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-19 c:\windows\RtHDVCpl.exe]
c:\users\Media Centre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
No-IP DUC.lnk - c:\program files\No-IP\DUC20.exe [5/10/2008 7:27:33 PM 1172992]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [4/22/2008 11:42:26 AM 36864]
NETGEAR WG311v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG311v3\WG311v3.exe [8/31/2005 11:46:50 AM 1691648]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.CDVC"= cdvccodc.dll
"msacm.divxa32"= divxa32.acm
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{AEAB85D1-5BDF-44BE-B1E5-0AFE137237E9}c:\\program files\\gigabyte\\gest\\run.exe"= UDP:c:\program files\gigabyte\gest\run.exe:update
"UDP Query User{88B75BFA-0E87-48C8-ACCC-64504BDBAA65}c:\\program files\\gigabyte\\gest\\run.exe"= TCP:c:\program files\gigabyte\gest\run.exe:update
"TCP Query User{651256BB-6D67-49C0-90DB-1174C4F5FEDF}c:\\program files\\gigabyte\\gest\\run.exe"= UDP:c:\program files\gigabyte\gest\run.exe:update
"UDP Query User{8F5BE7E9-D5F4-4D35-BE47-F8CAD9CA4644}c:\\program files\\gigabyte\\gest\\run.exe"= TCP:c:\program files\gigabyte\gest\run.exe:update
"TCP Query User{3176DAF5-F46E-43E0-B540-13A846A82E04}c:\\program files\\gigabyte\\@bios\\gwflash.exe"= UDP:c:\program files\gigabyte\@bios\gwflash.exe:gwflash
"UDP Query User{70F4429B-2439-419B-83FF-DA766D263D61}c:\\program files\\gigabyte\\@bios\\gwflash.exe"= TCP:c:\program files\gigabyte\@bios\gwflash.exe:gwflash
"TCP Query User{43FAAC04-9451-4360-9EAA-1F1B364B3CD1}c:\\program files\\gwflash.exe"= UDP:c:\program files\gwflash.exe:gwflash
"UDP Query User{FDB4E5B5-5285-415F-9806-B389D2B09A13}c:\\program files\\gwflash.exe"= TCP:c:\program files\gwflash.exe:gwflash
"TCP Query User{F204A39D-B297-49FF-B63B-C4D9F639D8EB}c:\\program files\\gigabyte\\@bios\\update.exe"= UDP:c:\program files\gigabyte\@bios\update.exe:update
"UDP Query User{BE296ADA-9CC5-46D0-87F5-A7E18186440F}c:\\program files\\gigabyte\\@bios\\update.exe"= TCP:c:\program files\gigabyte\@bios\update.exe:update
"TCP Query User{3367E75B-FFF5-4413-BF67-C7D933706696}d:\\program files\\tmnationsforever\\tmforever.exe"= UDP:d:\program files\tmnationsforever\tmforever.exe:TmForever
"UDP Query User{C2630B7A-93F5-4D51-9450-CD343A773C42}d:\\program files\\tmnationsforever\\tmforever.exe"= TCP:d:\program files\tmnationsforever\tmforever.exe:TmForever
"{8A86151E-16AA-4308-A077-9FE605C9F5C0}"= UDP:c:\program files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe:UltiDev Cassini Web Server for ASP.NET 2.0
"{DA808245-DD19-4E61-85A7-AC37F31800E9}"= TCP:c:\program files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe:UltiDev Cassini Web Server for ASP.NET 2.0
"TCP Query User{B61B2908-E781-4FD2-9214-29C99ED0E153}d:\\program files\\webguide\\webguide4\\bin\\webguide_configuration.exe"= UDP:d:\program files\webguide\webguide4\bin\webguide_configuration.exe:WebGuide_Configuration
"UDP Query User{8BAF1DF4-D050-4971-A25B-7C2AF68A5C09}d:\\program files\\webguide\\webguide4\\bin\\webguide_configuration.exe"= TCP:d:\program files\webguide\webguide4\bin\webguide_configuration.exe:WebGuide_Configuration
"{963CC70A-5B6D-4869-AA0A-89C5C268AB98}"= UDP:56484:WebGuide
"{AAA7EFBE-C8E3-4590-A219-47EBEDF338FF}"= UDP:56485:WebGuide
"TCP Query User{4F3FFA99-7D4E-4E2A-9D3A-6ADAD9A3EFC3}c:\\program files\\nero\\nero8\\nero showtime\\showtime.exe"= UDP:c:\program files\nero\nero8\nero showtime\showtime.exe:Nero ShowTime Essentials
"UDP Query User{A51263EA-0DD2-44DC-875A-B59D3AD8D540}c:\\program files\\nero\\nero8\\nero showtime\\showtime.exe"= TCP:c:\program files\nero\nero8\nero showtime\showtime.exe:Nero ShowTime Essentials
"{46A11C06-2E57-436B-BFAE-FF65419BF063}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{236B0E50-A09C-4E5D-91B1-4A1FBDB104F0}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{90C63744-6260-4009-ABFF-89AD6FD2957B}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{54A692D9-818D-481C-8529-E4F1241206A9}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{70C45649-7952-4C31-8A2A-4012C8E0FF9B}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{BCC11C71-76AF-45D3-BBB3-F5484424EA8C}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{BB4C64AA-3F0B-4B51-8ED8-37CC961C3510}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{738A84E1-918C-44C9-8E93-46DB1240ECC2}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{F3249610-7B2E-40F7-8041-3CCD410FE6A6}"= UDP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{B3FE81E3-AE8F-47B7-851D-AA106865D45C}"= TCP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{7B11553E-036F-4874-8B07-255A7C74072B}"= UDP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{E1E98ED7-CB38-4670-8360-65953A030A3D}"= TCP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/23/2008 12:01:42 PM 28544]
R2 EZSERVICE;EZSERVICE;c:\program files\ASUS\EZVCR\EZSERVICE.exe [3/27/2007 6:32:10 PM 61440]
R2 PD91Agent;PD91Agent;"c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe" [2/28/2008 10:44:58 AM 668936]
R2 UltiDev Cassini Web Server for ASP.NET 2.0;UltiDev Cassini Web Server for ASP.NET 2.0;"c:\program files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe" [2/8/2007 1:06:10 AM 49152]
R2 WebGuideTranscode;WebGuideTranscode;"d:\program files\WebGuide\WebGuide4\bin\WebGuideTranscodeService.exe" [8/8/2007 8:28:42 PM 40960]
R2 wmcGuideServiceProxy;Windows Media Center Guide Service Proxy;"c:\program files\epgStream.net\wmcGuideServiceProxy\wmcGuideServiceProxyHost.exe" [9/28/2008 1:20:32 AM 22016]
R2 xmltvDownload;XMLTV Download Schedule Service;"c:\program files\epgStream.net\xmltvDownload\xmltvDownloadHost.exe" [9/28/2008 1:12:00 AM 40960]
R3 atikmdag;atikmdag;c:\windows\system32\DRIVERS\atikmdag.sys [10/31/2007 8:53:04 AM 3168768]
R3 MRV6X32P;Vista 32-bits Native WiFi Driver;c:\windows\system32\DRIVERS\MRVW13B.sys [10/16/2007 6:14:24 PM 256512]
R3 u3kmini;ASUS My Cinema-U3000 Mini;c:\windows\system32\Drivers\u3kmini.sys [10/16/2006 5:15:58 PM 350720]
S3 GEST Service;GEST Service for program management.;"c:\program files\GIGABYTE\GEST\GSvr.exe" [3/21/2008 7:34:26 PM 47624]
S3 PD91Engine;PD91Engine;"c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe" [2/29/2008 2:08:14 PM 894216]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e61a0ef-f72b-11dc-8675-001b2f2ce128}]
\shell\AutoRun\command - setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47fee477-fcae-11dc-a19d-001d7daf31dc}]
\shell\AutoRun\command - g:\portableapps\PortableAppsMenu\PortableAppsMenu.exe
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-25 20:00:51
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\System32\bgsvcgen.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\ASUS\EZVCR\Agent.exe
c:\program files\Symantec AntiVirus\SavRoam.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\epgStream.net\wmcGuideServiceProxy\wmcGuideServiceProxy.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Raxco\PerfectDisk2008\PD91AgentS1.exe
c:\windows\ehome\ehsched.exe
c:\windows\System32\dllhost.exe
c:\windows\System32\dllhost.exe
c:\windows\System32\msdtc.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Symantec AntiVirus\VPTray.exe
c:\program files\Nero\Nero8\Nero Toolkit\DriveSpeed.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehshell.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\MagicTune Premium\MagicTune.exe
c:\windows\ehome\ehrecvr.exe
d:\program files\WebGuide\WebGuide4\bin\WebGuideServiceMonitor.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\System32\wercon.exe
c:\windows\ehome\ehrec.exe
.
**************************************************************************
.
Completion time: 2008-11-25 20:07:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-25 09:07:55
ComboFix2.txt 2008-11-23 04:02:00
ComboFix3.txt 2008-11-23 03:05:08
Pre-Run: 7,618,744,320 bytes free
Post-Run: 9,150,824,448 bytes free
313
Awaiting Kaspersky to update again --> the updates take up a lot of download bandwidth :-(
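A ComboFix log like the one above has a few sections worth reading mechanically: the files the CFScript asked it to delete ("FILE ::"), the deletions it confirms ("Other Deletions"), the services it removed ("Drivers/Services"), and any per-drive AutoRun commands still registered under mountpoints2, which is what a removable-drive infection (the I:\autorun.inf above) leaves behind. The script below is an added example, not ComboFix's own code or anything posted in this thread; it runs over a constructed log fragment in the same layout (made-up file names and GUIDs) and reports requested deletions that were not confirmed plus any remaining AutoRun commands.

```python
"""Triage helper for a ComboFix log (added example; not ComboFix code).

Sections read:
  * "FILE ::"          -> files the CFScript asked ComboFix to delete
  * "Other Deletions"  -> what ComboFix reports it actually removed
  * "Drivers/Services" -> services it deleted (lines like -------\\Service_xxx)
  * mountpoints2 keys  -> per-drive AutoRun commands still registered
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample in ComboFix's layout (file names and GUIDs are made up).
SAMPLE_LOG = """\
ComboFix 08-11-24.01 - Media Centre 2008-11-25 19:55:44.3 - NTFSx86
Command switches used :: c:\\users\\Media Centre\\Desktop\\CFScript.txt
FILE ::
c:\\windows\\System32\\aaaaaaa.sys
c:\\windows\\System32\\tmpxr_1.bk
d:\\tmp\\stillthere.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\\windows\\System32\\aaaaaaa.sys
c:\\windows\\System32\\tmpxr_1.bk
I:\\autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\\Service_Mea0xxoe
((((((((((((((((((((((((( Files Created from 2008-10-25 to 2008-11-25 )))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{00000000-0000-0000-0000-000000000001}]
\\shell\\AutoRun\\command - setupSNK.exe
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{00000000-0000-0000-0000-000000000002}]
\\shell\\AutoRun\\command - g:\\portableapps\\PortableAppsMenu\\PortableAppsMenu.exe
.
"""

# ComboFix section headers are a name wrapped in runs of parentheses.
SECTION_RE = re.compile(r"^\(+\s*(?P<name>[^()]+?)\s*\)+$")


@dataclass
class Triage:
    requested: List[str] = field(default_factory=list)   # FILE :: entries (lower-cased)
    deleted: List[str] = field(default_factory=list)     # Other Deletions entries (lower-cased)
    services: List[str] = field(default_factory=list)    # deleted service names
    autorun_commands: List[Tuple[str, str]] = field(default_factory=list)  # (volume GUID, command)


def parse_combofix(text: str) -> Triage:
    """Walk the log once, tracking the current section and the last registry key seen."""
    t = Triage()
    section = None
    last_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == ".":          # ComboFix pads sections with lone dots
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").lower()
            last_key = None
            continue
        if line == "FILE ::":
            section = "file ::"
            continue
        if line.startswith("[") and line.endswith("]"):
            last_key = line[1:-1]
            continue
        # AutoRun commands belong to the preceding mountpoints2 key, whatever the section.
        if last_key and "mountpoints2" in last_key.lower() and "\\shell\\autorun\\command" in line.lower():
            cmd = line.split(" - ", 1)[1] if " - " in line else line
            t.autorun_commands.append((last_key.rsplit("\\", 1)[1], cmd))
            continue
        if section == "file ::":
            t.requested.append(line.lower())
        elif section == "other deletions":
            t.deleted.append(line.lower())
        elif section == "drivers/services" and line.startswith("-------\\"):
            t.services.append(line.split("\\", 1)[1])
    return t


def unconfirmed_deletions(t: Triage) -> List[str]:
    """Requested deletions that do not appear under Other Deletions (re-check these by hand)."""
    confirmed = set(t.deleted)
    return [p for p in t.requested if p not in confirmed]


def removable_autorun_deleted(t: Triage) -> List[str]:
    """autorun.inf files ComboFix removed: each one points at a drive that was carrying the infection."""
    return [p for p in t.deleted if p.endswith("\\autorun.inf")]


if __name__ == "__main__":
    triage = parse_combofix(SAMPLE_LOG)
    print("not confirmed deleted:", unconfirmed_deletions(triage))
    print("services removed:", triage.services)
    print("autorun.inf removed from:", removable_autorun_deleted(triage))
    for guid, cmd in triage.autorun_commands:
        print("AutoRun still registered for", guid, "->", cmd)
```

In the constructed fragment one requested file (d:\tmp\stillthere.exe) is missing from Other Deletions, so it is reported for a manual re-check; the two mountpoints2 AutoRun commands are listed because a command under a volume GUID runs when that drive is opened, and the drive it belongs to should be scanned before it is plugged into a cleaned machine.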
-
Hi Guestolo,
I won't be able to do the Kaspersky scan. I have a download cap and the updates for the online scanner are going to cap me. Is there another scanning program (not online) that can scan my computer and my external drives?
Cheers
-
Quote from HTPConvert (Nov 25 2008, 01:06 PM):
> Hi Guestolo,
> I won't be able to do the Kaspersky scan. I have a download cap and the updates for the online scanner are going to cap me. Is there another scanning program (not online) that can scan my computer and my external drives?
> Cheers
Sorry to hear about the cap
Oh well, it happens
Why don't we try another scanner from Kaspersky's?
This updates a few times a day, so if you must download it from another computer,
do it right before you get back to this one to ensure you have the latest updated version.
I recommend you download it and burn it to a CDR/CDRW preferably.
Transfer the installer to this computer's desktop.
It's about 28MB in size.
Before running the installer, if possible, disable Norton's Auto-Protect.
If that function is disabled by the Administrator, just carry on.
Here's the remainder of the instructions:
Download the latest version of Kaspersky Virus Removal Tool: ftp://downloads2.kaspersky-labs.com/devbuilds/AVPTool/index.html
In your case, remember to transfer the installer to the desktop of this computer.
- Close all other applications and double-click and run the installer.
- When AVPTool starts, select All the scanable items except for CD-ROM drives and click the Scan button.
- If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active) if prompted
- After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all button
- In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
- If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
- In the Scan window click the Reports button and select Save to file.
- Name the report AVPT.txt, and save it to the Desktop.
- Close AVPTool.
- You will be prompted if you want to uninstall the program; click Yes.
- You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
- Copy and paste only the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.
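The last step asks for only the "Detected" part of AVPT.txt, not the "Events" list. The script below is an added example (not Kaspersky's code and not posted by anyone in this thread) that cuts that block out of the saved report and summarises it; the report layout (a "Detected" heading, "Status Object" columns, lines of the form "status: Trojan program NAME File: PATH", then an "Events" heading) is taken from the report format, and the sample report, including the placeholder Events line, is constructed. It also separates objects that sit inside a quarantine store (Symantec's Quarantine .VBN files, ComboFix's Qoobox\Quarantine .vir copies) from objects at live paths, since a detection inside a quarantine store is an already-isolated copy rather than an active file.

```python
"""Extract and summarise the "Detected" block of a Kaspersky Virus Removal Tool
(AVPTool) report. Added example; the sample report below is constructed."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

SAMPLE_REPORT = """\
Scanned: 1000
Detected: 4
Untreated: 2
Start time: 27/11/2008 6:39:29 PM
Duration: 00:10:00
Finish time: 27/11/2008 6:49:29 PM
Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan.Win32.Example.aaa File: C:\\ProgramData\\Symantec\\Symantec AntiVirus Corporate Edition\\7.5\\Quarantine\\00000000.VBN//CryptZ
detected: Trojan program Trojan.Win32.Example.bbb File: C:\\ProgramData\\Symantec\\Symantec AntiVirus Corporate Edition\\7.5\\Quarantine\\11111111\\22222222.VBN//CryptZ
deleted: Trojan program Trojan.Win32.Example.ccc File: C:\\Qoobox\\Quarantine\\C\\Windows\\System32\\example.sys.vir
not found: Trojan program Trojan.Win32.Example.ddd File: C:\\Windows\\System32\\live.dll
Events
------
(placeholder event line; the real list is long and is not pasted)
"""

# status is lower-case and may contain a space ("not found"); the path may carry a
# "//CryptZ"-style suffix naming an object inside a container file.
ENTRY_RE = re.compile(
    r"^(?P<status>[a-z][a-z ]*?): (?P<kind>.+?) (?P<name>\S+) File: (?P<path>.+)$"
)


class Entry(NamedTuple):
    status: str
    kind: str
    name: str
    path: str       # container path, "//..." suffix removed
    inner: str      # object inside the container, or ""


def detected_block(report: str) -> List[str]:
    """Lines from the 'Detected' heading up to (not including) the 'Events' heading."""
    lines = report.splitlines()
    if "Detected" not in lines:
        return []
    out = []
    for line in lines[lines.index("Detected"):]:
        if line.strip() == "Events":
            break
        out.append(line)
    return out


def parse_entries(block: List[str]) -> List[Entry]:
    entries = []
    for line in block:
        m = ENTRY_RE.match(line)
        if not m:
            continue                     # headings and column rules
        path, _, inner = m.group("path").partition("//")
        entries.append(Entry(m.group("status"), m.group("kind"), m.group("name"), path, inner))
    return entries


def status_counts(entries: List[Entry]) -> Dict[str, int]:
    return dict(Counter(e.status for e in entries))


def in_quarantine_store(e: Entry) -> bool:
    """True when the object is already an isolated copy in an AV or ComboFix quarantine folder."""
    return "\\quarantine\\" in e.path.lower()


def live_objects(entries: List[Entry]) -> List[Entry]:
    """Detections at real file-system paths: these are the ones that still need attention."""
    return [e for e in entries if not in_quarantine_store(e)]


if __name__ == "__main__":
    block = detected_block(SAMPLE_REPORT)
    print("\n".join(block))                 # this is the part to paste into the reply
    entries = parse_entries(block)
    print("\nby status:", status_counts(entries))
    for e in live_objects(entries):
        print("live object:", e.status, e.name, e.path)
```

To use it on a real report, replace SAMPLE_REPORT with the contents of AVPT.txt; if the file will not open in Notepad but does in WordPad, reading it in Python with errors="replace" and trying utf-8-sig before utf-16 is a reasonable first attempt (the report's actual encoding is an assumption here, not something the thread states).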
-
I just completed the scan and saved the text file but cannot open it - Notepad just crashes each time. Also - access was denied to many of the files for deletion for some reason :-(
-
A possibility: can you set Windows to view extensions for known file types?
http://www.tech-recipes.com/rx/1269/vista_show_unhide_file_extensions/
Once set, can you ensure the name of the text file is exactly the following:
AVPT.txt
If not, rename it to that.
If that doesn't work, can you open it in WordPad?
Start>>All Programs>>Accessories>>WordPad
-
It only opened in WordPad - here it is:
----
Scanned: 1098332
Detected: 93
Untreated: 24
Start time: 27/11/2008 6:39:29 PM
Duration: 03:00:17
Finish time: 27/11/2008 9:39:46 PM
Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan.Win32.DNSChanger.ipq File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16B80000.VBN//CryptZ
deleted: Trojan program Trojan-Clicker.Win32.VB.btu File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\34C40022.VBN//CryptZ
deleted: Trojan program Trojan.Win32.Delf.eyx File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\34C40023.VBN//CryptZ
deleted: Trojan program Trojan.Win32.Agent.aomo File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\34C40024.VBN//CryptZ
deleted: Trojan program Trojan.Win32.Agent.aomo File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\34C40027.VBN//CryptZ
deleted: Trojan program Trojan.Win32.Agent.aomo File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\34C40028.VBN//CryptZ
detected: Trojan program Trojan-Clicker.Win32.VB.cdj File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\096C0000\49EEC3AD.VBN//CryptZ
detected: Trojan program Trojan.Win32.Agent.abdf File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12F40000\5AF597D3.VBN//CryptZ
detected: Trojan program Trojan.Win32.Agent.aciw File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12F40001\5AF597E8.VBN//CryptZ
detected: Trojan program Trojan.Win32.Agent.zem File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12F40002\5AF597FE.VBN//CryptZ
detected: Trojan program Trojan.Win32.Agent.aclr File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12F40003\5AF59811.VBN//CryptZ
detected: Trojan program Trojan.Win32.Agent.abaw File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12F40004\5AF59825.VBN//CryptZ
detected: Trojan program Trojan.Win32.Agent.acmq File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12F40005\5AF59833.VBN//CryptZ
detected: Trojan program Trojan.Win32.Agent.aamh File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12F40006\5AF59843.VBN//CryptZ
detected: Trojan program Trojan.Win32.Agent.adfl File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12F40007\5AF59853.VBN//CryptZ
detected: Trojan program Trojan.Win32.Agent.adjn File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12F40008\5AF59863.VBN//CryptZ
detected: Trojan program Trojan.Win32.Agent.acim File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12F40009\5AF59873.VBN//CryptZ
detected: Trojan program Trojan.Win32.Agent.abay File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12F4000A\5AF59882.VBN//CryptZ
deleted: Trojan program Trojan-Downloader.Win32.Delf.pgg File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16680001\5F69FA2D.VBN//CryptZ
deleted: Trojan program Trojan.Win32.Agent.aqfq File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16680002\5F69FA38.VBN//CryptZ
deleted: Trojan program Trojan.Win32.Agent.aqfq File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16680003\5F69FA42.VBN//CryptZ
not found: Trojan program Trojan.Win32.Agent.amek File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16680004\5F69FA4C.VBN//CryptZ
deleted: Trojan program Trojan.Win32.Agent.aqfq File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16680005\5F69FA57.VBN//CryptZ
deleted: Trojan program Trojan.Win32.Agent.aqfq File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16680006\5F69FA62.VBN//CryptZ
deleted: Trojan program Trojan.Win32.Agent.aqfq File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16680007\5F69FA6C.VBN//CryptZ
deleted: Trojan program Trojan.Win32.Agent.aqfq File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16680008\5F69FA78.VBN//CryptZ
deleted: Trojan program Trojan.Win32.Agent.aldm File: C:\Qoobox\Quarantine\C\Windows\System32\afisicx.exe.vir
deleted: Trojan program Trojan-Downloader.Win32.Delf.pva File: C:\Qoobox\Quarantine\C\Windows\System32\atsxyzd.sys.vir
deleted: Trojan program Trojan.Win32.Agent.adfj File: C:\Qoobox\Quarantine\C\Windows\System32\noxtcyr.exe.vir
deleted: Trojan program Trojan-Downloader.Win32.Delf.nxm File: C:\Qoobox\Quarantine\C\Windows\System32\otaxyzd.sys.vir
deleted: Trojan program Trojan.Win32.Agent.aagc File: C:\Qoobox\Quarantine\C\Windows\System32\perfs.exe.vir
deleted: Trojan program Trojan.Win32.Delf.dwq File: C:\Qoobox\Quarantine\C\Windows\System32\sxtsyctd.sys.vir
deleted: Trojan program Trojan.Win32.Delf.fdg File: C:\Qoobox\Quarantine\C\Windows\System32\sytsyctd.sys.vir
deleted: Trojan program Trojan.Win32.Agent.aomo File: C:\Qoobox\Quarantine\C\Windows\System32\tmpxr_12493603732.bk.vir
deleted: Trojan program Trojan.Win32.Agent.aoml File: C:\Qoobox\Quarantine\C\Windows\System32\tmpxr_14473625980.bk.vir
deleted: Trojan program Trojan.Win32.Agent.aomo File: C:\Qoobox\Quarantine\C\Windows\System32\tmpxr_22714849146.bk.vir
deleted: Trojan program Trojan.Win32.Agent.aomo File: C:\Qoobox\Quarantine\C\Windows\System32\tmpxr_29822753375.bk.vir
deleted: Trojan program Trojan.Win32.Agent.aomo File: C:\Qoobox\Quarantine\C\Windows\System32\tmpxr_363328710668.bk.vir
deleted: Trojan program Trojan.Win32.Agent.aomo File: C:\Qoobox\Quarantine\C\Windows\System32\tmpxr_389931602173.bk.vir
deleted: Trojan program Trojan.Win32.Agent.aomo File: C:\Qoobox\Quarantine\C\Windows\System32\tmpxr_407655195666.bk.vir
deleted: Trojan program Trojan.Win32.Agent.aomo File: C:\Qoobox\Quarantine\C\Windows\System32\tmpxr_41896297445.bk.vir
deleted: Trojan program Trojan.Win32.Agent.aomo File: C:\Qoobox\Quarantine\C\Windows\System32\tmpxr_428438206071.bk.vir
deleted: Trojan program Trojan.Win32.Agent.agcq File: C:\Qoobox\Quarantine\C\Windows\System32\tmpxr_47074853538.bk.vir
deleted: Trojan program Trojan.Win32.Agent.aomo File: C:\Qoobox\Quarantine\C\Windows\System32\tmpxr_486279743654.bk.vir
deleted: Trojan program Trojan.Win32.Agent.agcq File: C:\Qoobox\Quarantine\C\Windows\System32\tmpxr_496483265188.bk.vir
deleted: Trojan program Trojan.Win32.Agent.aomo File: C:\Qoobox\Quarantine\C\Windows\System32\tmpxr_524603798649.bk.vir
deleted: Trojan program Trojan.Win32.Agent.aoml File: C:\Qoobox\Quarantine\C\Windows\System32\tmpxr_56018976788.bk.vir
deleted: Trojan program Trojan.Win32.Agent.aomo File: C:\Qoobox\Quarantine\C\Windows\System32\tmpxr_643621144325.bk.vir
deleted: Trojan program Trojan.Win32.Agent.aomo File: C:\Qoobox\Quarantine\C\Windows\System32\tmpxr_67648332970.bk.vir
deleted: Trojan program Trojan.Win32.Agent.aomo File: C:\Qoobox\Quarantine\C\Windows\System32\tmpxr_755151303061.bk.vir
deleted: Trojan program Trojan.Win32.Agent.aomo File: C:\Qoobox\Quarantine\C\Windows\System32\tmpxr_828407789394.bk.vir
deleted: Trojan program Trojan.Win32.Agent.aoml File: C:\Qoobox\Quarantine\C\Windows\System32\tmpxr_829061536196.bk.vir
deleted: Trojan program Trojan.Win32.Delf.ffa File: C:\Qoobox\Quarantine\C\Windows\System32\tmpxr_839401238675.bk.vir
deleted: Trojan program Trojan.Win32.Agent.albx File: C:\Qoobox\Quarantine\C\Windows\System32\udxfytw.sys.vir
deleted: Trojan program Trojan.Win32.Agent.abgy File: C:\Qoobox\Quarantine\C\Windows\System32\wsldoekd.exe.vir
not found: Trojan program Trojan.Win32.DNSChanger.ipq File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16B80000.VBN//CryptZ
not found: Trojan program Trojan-Clicker.Win32.VB.btu File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\34C40022.VBN//CryptZ
not found: Trojan program Trojan.Win32.Delf.eyx File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\34C40023.VBN//CryptZ
not found: Trojan program Trojan.Win32.Agent.aomo File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\34C40024.VBN//CryptZ
not found: Trojan program Trojan.Win32.Agent.aomo File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\34C40027.VBN//CryptZ
not found: Trojan program Trojan.Win32.Agent.aomo File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\34C40028.VBN//CryptZ
detected: Trojan program Trojan-Clicker.Win32.VB.cdj File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\096C0000\49EEC3AD.VBN//CryptZ
detected: Trojan program Trojan.Win32.Agent.abdf File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12F40000\5AF597D3.VBN//CryptZ
detected: Trojan program Trojan.Win32.Agent.aciw File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12F40001\5AF597E8.VBN//CryptZ
detected: Trojan program Trojan.Win32.Agent.zem File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12F40002\5AF597FE.VBN//CryptZ
detected: Trojan program Trojan.Win32.Agent.aclr File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12F40003\5AF59811.VBN//CryptZ
detected: Trojan program Trojan.Win32.Agent.abaw File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12F40004\5AF59825.VBN//CryptZ
detected: Trojan program Trojan.Win32.Agent.acmq File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12F40005\5AF59833.VBN//CryptZ
detected: Trojan program Trojan.Win32.Agent.aamh File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12F40006\5AF59843.VBN//CryptZ
detected: Trojan program Trojan.Win32.Agent.adfl File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12F40007\5AF59853.VBN//CryptZ
detected: Trojan program Trojan.Win32.Agent.adjn File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12F40008\5AF59863.VBN//CryptZ
detected: Trojan program Trojan.Win32.Agent.acim File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12F40009\5AF59873.VBN//CryptZ
detected: Trojan program Trojan.Win32.Agent.abay File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12F4000A\5AF59882.VBN//CryptZ
not found: Trojan program Trojan-Downloader.Win32.Delf.pgg File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16680001\5F69FA2D.VBN//CryptZ
not found: Trojan program Trojan.Win32.Agent.aqfq File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16680002\5F69FA38.VBN//CryptZ
not found: Trojan program Trojan.Win32.Agent.aqfq File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16680003\5F69FA42.VBN//CryptZ
not found: Trojan program Trojan.Win32.Agent.amek File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16680004\5F69FA4C.VBN//CryptZ
not found: Trojan program Trojan.Win32.Agent.aqfq File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16680005\5F69FA57.VBN//CryptZ
not found: Trojan program Trojan.Win32.Agent.aqfq File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16680006\5F69FA62.VBN//CryptZ
not found: Trojan program Trojan.Win32.Agent.aqfq File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16680007\5F69FA6C.VBN//CryptZ
not found: Trojan program Trojan.Win32.Agent.aqfq File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\16680008\5F69FA78.VBN//CryptZ
deleted: Trojan program Trojan.Win32.Agent.aqfq File: C:\Windows\System32\tmpxr_132858402114.bk
deleted: Trojan program Trojan.Win32.Agent.aqfq File: C:\Windows\System32\tmpxr_140987208813.bk
deleted: Trojan program Trojan.Win32.Agent.aqfq File: C:\Windows\System32\tmpxr_1586577027.bk
deleted: Trojan program Trojan.Win32.Agent.aqfq File: C:\Windows\System32\tmpxr_166685560588.bk
deleted: Trojan program Trojan.Win32.Agent.aqfq File: C:\Windows\System32\tmpxr_391755609967.bk
deleted: Trojan program Trojan.Win32.Agent.aqfq File: C:\Windows\System32\tmpxr_434613548060.bk
deleted: Trojan program Trojan.Win32.Agent.aqfq File: C:\Windows\System32\tmpxr_44534835079.bk
deleted: Trojan program Trojan.Win32.Agent.aomo File: C:\Windows\System32\tmpxr_497535700406.bk
deleted: Trojan program Trojan.Win32.Agent.aqfq File: C:\Windows\System32\tmpxr_503242189997.bk
deleted: Trojan program Trojan.Win32.Agent.aqfq File: C:\Windows\System32\tmpxr_552550445083.bk
deleted: Trojan program Trojan.Win32.Agent.aqfq File: C:\Windows\System32\tmpxr_598641732382.bk
deleted: Trojan program Trojan.Win32.Agent.aqfq File: C:\Windows\System32\tmpxr_698875827316.bk
-
Can you run a fresh Scan and Save logfile with Hijackthis
Does the log open in Notepad?
Post the log if it does
How's things running now?
-
Yes it opens in notepad - here it is:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:54 AM, on 29/11/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\ASUS\EZVCR\Agent.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Windows\system32\dllhost.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\Program Files\Nero\Nero8\Nero Toolkit\DriveSpeed.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\Explorer.exe
C:\Windows\system32\WerCon.exe
C:\Program Files\Pegasys Inc\TMPGEnc 4.0 XPress\TMPGEnc4XP.exe
C:\Program Files\Pegasys Inc\TMPGEnc 4.0 XPress\TMPGEnc4XP.exe
C:\Windows\ehome\EHShell.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MagicTuneEngine] C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKCU\..\Run: [Windows Media Center] RunDLL32.exe C:\Windows\ehome\ehuihlp.dll,BootMediaCenter
O4 - HKCU\..\Run: [Nero DriveSpeed] "C:\PROGRA~1\Nero\Nero8\NEROTO~1\DRIVES~1.EXE"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: is-D15N9.lnk = C:\Users\Media Centre\Desktop\Virus Removal Tool\is-D15N9\startup.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O13 - Gopher Prefix:
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\Windows\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EZSERVICE - Unknown owner - C:\Program Files\ASUS\EZVCR\EZSERVICE.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: UltiDev Cassini Web Server for ASP.NET 2.0 - UltiDev LLC - C:\Program Files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe
O23 - Service: WebGuideTranscode - WebGuide LLC - D:\Program Files\WebGuide\WebGuide4\bin\WebGuideTranscodeService.exe
O23 - Service: Windows Media Center Guide Service Proxy (wmcGuideServiceProxy) - epgStream.net - C:\Program Files\epgStream.net\wmcGuideServiceProxy\wmcGuideServiceProxyHost.exe
O23 - Service: XMLTV Download Schedule Service (xmltvDownload) - epgStream.net - C:\Program Files\epgStream.net\xmltvDownload\xmltvDownloadHost.exe
--
End of file - 8278 bytes
Symantec isn't going crazy and RAM usage seems better - haven't heard the crazy audio but I'll wait and see with that one
Are things looking clean?
-
I'm not at home right now, out of province, so I may have a delayed reply
Just for a double check, as things seem to be running well, let's make sure a couple of scanners come clean
Can you again delete your copy of ComboFix and download a fresh copy
Run it and post its new log
Also, again, update Malwarebytes' Anti-Malware, run a Scan and post its new log too
-
Here is the malware scan log - some problems were found - will do a ComboFix now
Malwarebytes' Anti-Malware 1.31
Database version: 1472
Windows 6.0.6001 Service Pack 1
8/12/2008 1:21:25 PM
mbam-log-2008-12-08 (13-21-25).txt
Scan type: Full Scan (C:\|D:\|E:\|G:\|)
Objects scanned: 148210
Time elapsed: 1 hour(s), 4 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\Windows\System32\tmp0_62837460417.bk.vir (Trojan.Agent) -> Quarantined and deleted successfully.
D:\tmp\Qucik Time Pro 7\Apple.QuickTime.Pro.v7.3.0.70.Multilingual.Regged-CORE\CORE10k.dat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\tmp\EncoreCS3\Adobe Creative Master Collection Cracks, Launchers and KeyGens\Adobe Creative CS3 KeyGens Collection\SoundBooth CS3.exe (Trojan.Horst) -> Quarantined and deleted successfully.
-
And here is the ComboFix log:
ComboFix 08-12-06.06 - Media Centre 2008-12-08 13:26:13.4 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1661 [GMT 11:00]
Running from: c:\users\Media Centre\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.
2008-11-27 18:18 . 2008-11-27 18:18 <DIR> d-------- c:\users\All Users\is-D15N9
2008-11-27 18:18 . 2008-11-27 18:18 <DIR> d-------- c:\programdata\is-D15N9
2008-11-27 18:18 . 2008-11-30 07:30 4,599,840 --ahs---- c:\windows\System32\drivers\fidbox.dat
2008-11-27 18:18 . 2008-11-30 07:30 58,112 --ahs---- c:\windows\System32\drivers\fidbox.idx
2008-11-24 15:45 . 2008-11-24 15:50 19 --a------ C:\videos.vf
2008-11-23 14:52 . 2008-12-03 19:52 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-23 14:52 . 2008-12-03 19:52 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-11-23 12:40 . 2008-11-23 12:40 <DIR> d-------- C:\rsit
2008-11-23 12:01 . 2008-11-23 12:01 <DIR> d-------- c:\program files\Panda Security
2008-11-23 12:01 . 2008-06-19 17:24 28,544 --a------ c:\windows\System32\drivers\pavboot.sys
2008-11-23 11:58 . 2008-11-23 12:00 <DIR> d-------- c:\users\Media Centre\.housecall6.6
2008-11-23 11:19 . 2008-11-23 11:19 <DIR> d-------- c:\users\All Users\MC Menu Mender BETA
2008-11-23 11:19 . 2008-11-23 11:19 <DIR> d-------- c:\programdata\MC Menu Mender BETA
2008-11-23 11:19 . 2008-11-23 11:19 <DIR> d-------- c:\program files\MC Menu Mender
2008-11-23 11:16 . 2008-11-25 20:55 <DIR> d-------- c:\program files\SamSoft
2008-11-16 20:17 . 2008-11-16 20:17 <DIR> d-------- c:\program files\Xvid
2008-11-16 20:17 . 2007-06-28 18:52 765,952 --a------ c:\windows\System32\xvidcore.dll
2008-11-16 20:17 . 2007-06-28 18:54 180,224 --a------ c:\windows\System32\xvidvfw.dll
2008-11-16 19:28 . 2008-11-16 19:28 <DIR> d-------- c:\program files\avi.NET
2008-11-16 17:58 . 2008-11-16 17:58 <DIR> d-------- c:\users\All Users\VistaCodecs
2008-11-16 17:58 . 2008-11-16 17:58 <DIR> d-------- c:\programdata\VistaCodecs
2008-11-15 12:21 . 2008-11-15 12:23 <DIR> d-------- c:\users\All Users\OpenMediaLibrary
2008-11-15 12:21 . 2008-11-15 12:23 <DIR> d-------- c:\programdata\OpenMediaLibrary
2008-11-15 12:20 . 2008-11-29 08:45 <DIR> d-------- c:\program files\OpenMediaLibrary
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 01:45 --------- d-----w c:\users\Media Centre\AppData\Roaming\uTorrent
2008-12-08 01:03 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-06 00:28 --------- d-----w c:\users\Media Centre\AppData\Roaming\VideoReDoPlus
2008-12-06 00:22 --------- d---a-w c:\programdata\TEMP
2008-11-17 07:29 --------- d-----w c:\program files\AviSynth 2.5
2008-11-16 22:03 --------- d-----w c:\programdata\VideoBrowser
2008-11-16 09:15 --------- d-----w c:\program files\DivX
2008-11-16 09:13 --------- d-----w c:\program files\Winnydows
2008-11-16 07:00 --------- d-----w c:\program files\Common Files\PX Storage Engine
2008-10-19 03:24 --------- d-----w c:\programdata\IsolatedStorage
2008-10-19 03:24 --------- d-----w c:\programdata\epgStream.net
2008-10-19 03:24 --------- d-----w c:\program files\epgStream.net
2008-07-24 01:07 47,360 ----a-w c:\users\Media Centre\AppData\Roaming\pcouffin.sys
2008-03-21 09:33 174 --sha-w c:\program files\desktop.ini
2008-02-14 03:28 29 ----a-w c:\program files\version.ini
2008-02-14 03:23 231,944 ----a-w c:\program files\gwflash.exe
2007-10-16 07:19 245,248 ----a-w c:\windows\inf\WG311v3\Vista64\MRVW13C.sys
2007-10-16 07:14 256,512 ----a-w c:\windows\inf\WG311v3\Vista32\MRVW13B.sys
2007-09-21 08:42 19,008 ----a-w c:\program files\markfun.a64
2007-08-21 08:49 17,912 ----a-w c:\program files\markfun.w32
2007-08-21 08:49 125,504 ----a-w c:\program files\MarkFunDrv.dll
2007-05-24 04:58 249,856 ----a-w c:\windows\inf\WG311v3\Vista32\InsDrv2k.exe
2007-04-04 07:35 207,680 ----a-w c:\program files\updateutility.exe
2007-03-29 17:36 301 ----a-w c:\program files\update.ini
2007-03-01 17:48 240,448 ----a-w c:\program files\gwf32.exe
2006-11-23 12:47 207,680 ----a-w c:\program files\BIOS_Run.exe
2006-11-23 12:40 60,224 ----a-w c:\program files\HUADRV.DLL
2006-11-03 07:09 528 ----a-w c:\program files\CONFIG.INI
2005-11-17 05:46 845,736 ----a-w c:\windows\inf\WG311v3\Vista64\DPInst.exe
2005-04-27 08:40 6,800 ----a-w c:\program files\W95_HUA.vxd
2008-05-07 08:37 16,496 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows NT\DiskQuota\NTDiskQuotaSidCache.dat
.
((((((((((((((((((((((((((((( snapshot@2008-11-23_14.04.12.94 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-23 02:59:10 1,143,664 ----a-w c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-12-07 09:17:13 1,143,664 ----a-w c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-12-07 09:18:42 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-12-07 09:18:42 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-11-23 03:01:08 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-12-07 09:20:18 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-11-23 03:01:09 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-08 00:58:37 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-08 00:58:37 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-11-23 03:01:46 1,425,408 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-12-03 01:39:21 1,425,408 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-23 03:01:46 5,865,472 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-03 01:39:21 5,865,472 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-23 03:01:46 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-12-03 01:39:21 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-23 02:57:00 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2008-12-08 02:26:05 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2008-12-08 02:26:05 262,144 ---ha-w c:\windows\System32\config\systemprofile\ntuser.dat.LOG1
- 2008-11-23 00:15:27 105,448 ----a-w c:\windows\System32\perfc009.dat
+ 2008-12-07 09:25:48 105,448 ----a-w c:\windows\System32\perfc009.dat
- 2008-11-23 00:15:27 599,942 ----a-w c:\windows\System32\perfh009.dat
+ 2008-12-07 09:25:48 599,942 ----a-w c:\windows\System32\perfh009.dat
- 2008-11-23 00:10:17 12,182 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-220370344-2337913255-810275737-1000_UserData.bin
+ 2008-12-07 09:20:28 12,434 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-220370344-2337913255-810275737-1000_UserData.bin
- 2008-11-23 00:10:16 72,060 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-07 09:20:27 72,526 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-11-09 04:05:50 3,028 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-12-07 09:17:14 3,028 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-11-23 00:10:14 78,702 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-12-07 09:20:24 79,162 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-11-22 22:06:22 260,436 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-12-06 09:00:15 261,390 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-18 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-18 125952]
"PowerArchiver Tray"="c:\program files\PowerArchiver\PASTARTER.EXE" [2007-02-23 139816]
"Windows Media Center"="c:\windows\ehome\ehuihlp.dll" [2008-01-18 1499136]
"Nero DriveSpeed"="c:\progra~1\Nero\Nero8\NEROTO~1\DRIVES~1.EXE" [2007-09-20 1975592]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"RemoteControl"="c:\program files\ASUSTek\ASUSDVD\PDVDServ.exe" [2005-01-12 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"MagicTuneEngine"="c:\program files\MagicTune Premium\MagicTuneEngine.exe" [2007-06-14 69632]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-09 289576]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-04-03 136080]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-19 c:\windows\RtHDVCpl.exe]
c:\users\Media Centre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
No-IP DUC.lnk - c:\program files\No-IP\DUC20.exe [5/10/2008 7:27:33 PM 1172992]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [4/22/2008 11:42:26 AM 36864]
NETGEAR WG311v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG311v3\WG311v3.exe [8/31/2005 11:46:50 AM 1691648]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.CDVC"= cdvccodc.dll
"msacm.divxa32"= divxa32.acm
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{AEAB85D1-5BDF-44BE-B1E5-0AFE137237E9}c:\\program files\\gigabyte\\gest\\run.exe"= UDP:c:\program files\gigabyte\gest\run.exe:update
"UDP Query User{88B75BFA-0E87-48C8-ACCC-64504BDBAA65}c:\\program files\\gigabyte\\gest\\run.exe"= TCP:c:\program files\gigabyte\gest\run.exe:update
"TCP Query User{651256BB-6D67-49C0-90DB-1174C4F5FEDF}c:\\program files\\gigabyte\\gest\\run.exe"= UDP:c:\program files\gigabyte\gest\run.exe:update
"UDP Query User{8F5BE7E9-D5F4-4D35-BE47-F8CAD9CA4644}c:\\program files\\gigabyte\\gest\\run.exe"= TCP:c:\program files\gigabyte\gest\run.exe:update
"TCP Query User{3176DAF5-F46E-43E0-B540-13A846A82E04}c:\\program files\\gigabyte\\@bios\\gwflash.exe"= UDP:c:\program files\gigabyte\@bios\gwflash.exe:gwflash
"UDP Query User{70F4429B-2439-419B-83FF-DA766D263D61}c:\\program files\\gigabyte\\@bios\\gwflash.exe"= TCP:c:\program files\gigabyte\@bios\gwflash.exe:gwflash
"TCP Query User{43FAAC04-9451-4360-9EAA-1F1B364B3CD1}c:\\program files\\gwflash.exe"= UDP:c:\program files\gwflash.exe:gwflash
"UDP Query User{FDB4E5B5-5285-415F-9806-B389D2B09A13}c:\\program files\\gwflash.exe"= TCP:c:\program files\gwflash.exe:gwflash
"TCP Query User{F204A39D-B297-49FF-B63B-C4D9F639D8EB}c:\\program files\\gigabyte\\@bios\\update.exe"= UDP:c:\program files\gigabyte\@bios\update.exe:update
"UDP Query User{BE296ADA-9CC5-46D0-87F5-A7E18186440F}c:\\program files\\gigabyte\\@bios\\update.exe"= TCP:c:\program files\gigabyte\@bios\update.exe:update
"TCP Query User{3367E75B-FFF5-4413-BF67-C7D933706696}d:\\program files\\tmnationsforever\\tmforever.exe"= UDP:d:\program files\tmnationsforever\tmforever.exe:TmForever
"UDP Query User{C2630B7A-93F5-4D51-9450-CD343A773C42}d:\\program files\\tmnationsforever\\tmforever.exe"= TCP:d:\program files\tmnationsforever\tmforever.exe:TmForever
"{8A86151E-16AA-4308-A077-9FE605C9F5C0}"= UDP:c:\program files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe:UltiDev Cassini Web Server for ASP.NET 2.0
"{DA808245-DD19-4E61-85A7-AC37F31800E9}"= TCP:c:\program files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe:UltiDev Cassini Web Server for ASP.NET 2.0
"TCP Query User{B61B2908-E781-4FD2-9214-29C99ED0E153}d:\\program files\\webguide\\webguide4\\bin\\webguide_configuration.exe"= UDP:d:\program files\webguide\webguide4\bin\webguide_configuration.exe:WebGuide_Configuration
"UDP Query User{8BAF1DF4-D050-4971-A25B-7C2AF68A5C09}d:\\program files\\webguide\\webguide4\\bin\\webguide_configuration.exe"= TCP:d:\program files\webguide\webguide4\bin\webguide_configuration.exe:WebGuide_Configuration
"{963CC70A-5B6D-4869-AA0A-89C5C268AB98}"= UDP:56484:WebGuide
"{AAA7EFBE-C8E3-4590-A219-47EBEDF338FF}"= UDP:56485:WebGuide
"TCP Query User{4F3FFA99-7D4E-4E2A-9D3A-6ADAD9A3EFC3}c:\\program files\\nero\\nero8\\nero showtime\\showtime.exe"= UDP:c:\program files\nero\nero8\nero showtime\showtime.exe:Nero ShowTime Essentials
"UDP Query User{A51263EA-0DD2-44DC-875A-B59D3AD8D540}c:\\program files\\nero\\nero8\\nero showtime\\showtime.exe"= TCP:c:\program files\nero\nero8\nero showtime\showtime.exe:Nero ShowTime Essentials
"{46A11C06-2E57-436B-BFAE-FF65419BF063}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{236B0E50-A09C-4E5D-91B1-4A1FBDB104F0}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{90C63744-6260-4009-ABFF-89AD6FD2957B}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{54A692D9-818D-481C-8529-E4F1241206A9}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{70C45649-7952-4C31-8A2A-4012C8E0FF9B}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{BCC11C71-76AF-45D3-BBB3-F5484424EA8C}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{BB4C64AA-3F0B-4B51-8ED8-37CC961C3510}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{738A84E1-918C-44C9-8E93-46DB1240ECC2}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{F3249610-7B2E-40F7-8041-3CCD410FE6A6}"= UDP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{B3FE81E3-AE8F-47B7-851D-AA106865D45C}"= TCP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{7B11553E-036F-4874-8B07-255A7C74072B}"= UDP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{E1E98ED7-CB38-4670-8360-65953A030A3D}"= TCP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/23/2008 12:01:42 PM 28544]
R2 EZSERVICE;EZSERVICE;c:\program files\ASUS\EZVCR\EZSERVICE.exe [3/27/2007 6:32:10 PM 61440]
R2 PD91Agent;PD91Agent;"c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe" [2/28/2008 10:44:58 AM 668936]
R2 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [4/3/2008 1:33:24 PM 121744]
R2 UltiDev Cassini Web Server for ASP.NET 2.0;UltiDev Cassini Web Server for ASP.NET 2.0;"c:\program files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe" [2/8/2007 1:06:10 AM 49152]
R2 WebGuideTranscode;WebGuideTranscode;"d:\program files\WebGuide\WebGuide4\bin\WebGuideTranscodeService.exe" [8/8/2007 8:28:42 PM 40960]
R2 wmcGuideServiceProxy;Windows Media Center Guide Service Proxy;"c:\program files\epgStream.net\wmcGuideServiceProxy\wmcGuideServiceProxyHost.exe" [9/28/2008 1:20:32 AM 22016]
R2 xmltvDownload;XMLTV Download Schedule Service;"c:\program files\epgStream.net\xmltvDownload\xmltvDownloadHost.exe" [9/28/2008 1:12:00 AM 40960]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/5/2008 3:19:39 PM 99376]
R3 u3kmini;ASUS My Cinema-U3000 Mini;c:\windows\system32\Drivers\u3kmini.sys [10/16/2006 5:15:58 PM 350720]
S3 GEST Service;GEST Service for program management.;"c:\program files\GIGABYTE\GEST\GSvr.exe" [3/21/2008 7:34:26 PM 47624]
S3 PD91Engine;PD91Engine;"c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe" [2/29/2008 2:08:14 PM 894216]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22889c13-bf7a-11dd-a55a-001d7daf31dc}]
\shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e61a0ef-f72b-11dc-8675-001b2f2ce128}]
\shell\AutoRun\command - setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47fee477-fcae-11dc-a19d-001d7daf31dc}]
\shell\AutoRun\command - g:\portableapps\PortableAppsMenu\PortableAppsMenu.exe
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FireFox -: Profile - c:\users\Media Centre\AppData\Roaming\Mozilla\Firefox\Profiles\dwft2yz6.default\
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 13:27:47
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\users\MEDIAC~1\AppData\Local\Temp\catchme.dll 53248 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
Completion time: 2008-12-08 13:28:48
ComboFix-quarantined-files.txt 2008-12-08 02:28:46
ComboFix2.txt 2008-11-25 09:07:59
ComboFix3.txt 2008-11-23 04:02:00
ComboFix4.txt 2008-11-23 03:05:08
Pre-Run: 6,128,500,736 bytes free
Post-Run: 5,931,577,344 bytes free
-
bump
-
Delete RSIT.exe on desktop and its folder
C:\rsit
Go to START>>RUN>>copy and paste the following then click OK
ComboFix /u
This will uninstall ComboFix and its components
Take a look at miekiemoes' site with other ideas on how to prevent malware: http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
I would choose to hold onto Malwarebytes' Anti-Malware
Occasionally, check for updates and run a quick scan
-
Thanks again for your help guestolo!! Much appreciated - I will take a look at that site to hopefully stop this happening again :-)
-
Good work HTPConvert
I'll lock this topic as your problems are resolved
Take care