Hope I am doing this right; if not, I apologize, as it's been a long and frustrating day.
**Update--ever since I did the guide, I haven't gotten one pop-up or anything. Wonder if it's gone?**
SmitFraudFix v2.385
Scan done at 13:47:46.10, Sun 12/14/2008
Run from C:\Documents and Settings\Nick\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» RK
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{5636334A-7941-42FD-A4D9-914D206C157C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5636334A-7941-42FD-A4D9-914D206C157C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{5636334A-7941-42FD-A4D9-914D206C157C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5636334A-7941-42FD-A4D9-914D206C157C}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
ComboFix 08-12-14.01 - Nick 2008-12-14 14:23:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.776 [GMT -5:00]
Running from: c:\documents and settings\Nick\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Nick\Application Data\gadcom
c:\documents and settings\Nick\Application Data\GetModule
c:\documents and settings\Nick\Application Data\GetModule\dicik.gz
c:\documents and settings\Nick\Application Data\GetModule\kwdik.gz
c:\documents and settings\Nick\Application Data\GetModule\ofadik.gz
c:\program files\GetModule
c:\program files\GetModule\GetModule32.exe
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\windows\system32\NnXyxyay.ini
c:\windows\system32\NnXyxyay.ini2
c:\windows\system32\wpv261229210935.cpx
c:\windows\Tasks\ltymeeuk.job
.
((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.
2008-12-14 12:39 . 2008-12-14 12:39 <DIR> d-------- C:\VundoFix Backups
2008-12-14 12:36 . 2008-12-14 12:36 <DIR> d-------- c:\program files\Trend Micro
2008-12-14 12:23 . 2008-12-14 12:23 <DIR> d-------- c:\program files\CleanUp!
2008-12-14 12:16 . 2008-12-14 12:16 <DIR> d-------- c:\program files\MSConfig CleanUp
2008-12-14 02:13 . 2008-12-14 02:14 1,647,120 --ahs---- c:\windows\system32\leyepgue.ini
2008-12-13 08:28 . 2008-12-13 08:28 <DIR> d-------- c:\program files\Common Files\Software Update Utility
2008-12-13 08:28 . 2008-12-13 08:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-12-13 08:24 . 2008-12-13 08:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL Downloads
2008-12-08 19:36 . 2008-12-08 19:36 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-07 02:10 . 2008-12-07 02:10 <DIR> d-------- c:\documents and settings\Nick\Application Data\dvdcss
2008-11-28 19:58 . 2008-12-10 13:56 76,056 --a------ C:\img2-001.raw
2008-11-28 19:50 . 2008-11-28 19:50 <DIR> d-------- c:\program files\ooVoo
2008-11-28 19:50 . 2008-11-28 19:50 <DIR> d-------- c:\documents and settings\Nick\Application Data\ooVoo Details
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-14 16:29 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-12-14 16:20 --------- d-----w c:\documents and settings\Nick\Application Data\Skype
2008-12-14 07:11 --------- d-----w c:\documents and settings\Nick\Application Data\skypePM
2008-12-14 00:01 --------- d-----w c:\documents and settings\Nick\Application Data\AVG7
2008-12-13 23:45 --------- d-----w c:\program files\Soulseek
2008-12-13 23:34 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-13 23:28 --------- d-----w c:\documents and settings\Nick\Application Data\ZoomBrowser EX
2008-12-13 23:28 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-12-13 13:29 --------- d-----w c:\program files\AIM6
2008-12-13 13:28 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-13 04:51 --------- d-----w c:\documents and settings\Nick\Application Data\uTorrent
2008-12-09 00:36 --------- d-----w c:\program files\Java
2008-11-29 00:50 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-15 15:11 --------- d-----w c:\program files\SystemRequirementsLab
2008-11-15 15:10 --------- d-----w c:\documents and settings\Nick\Application Data\SystemRequirementsLab
2008-11-09 22:27 --------- d-----w c:\program files\Microsoft LifeCam
2008-11-09 22:12 --------- d-----w c:\program files\MSBuild
2008-11-09 22:05 --------- d-----w c:\program files\Reference Assemblies
2008-11-02 21:14 --------- d-----w c:\documents and settings\Nick\Application Data\mIRC
2008-11-02 19:57 --------- d-----w c:\program files\mIRC
2008-10-31 22:37 --------- d-----w c:\program files\Skype
2008-10-31 22:37 --------- d-----w c:\program files\Common Files\Skype
2008-10-31 22:37 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-10-24 20:13 --------- d-----w c:\program files\iTunes
2008-10-24 20:13 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-24 20:12 --------- d-----w c:\program files\iPod
2008-10-24 20:11 --------- d-----w c:\program files\QuickTime
2008-10-24 20:05 --------- d-----w c:\program files\Bonjour
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-06-14 22:43 382,352 ----a-w c:\documents and settings\Nick\jre-6u6-windows-i586-p-iftw.exe
2008-02-12 18:45 48 ----a-w c:\documents and settings\Nick\readme.bat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"symPCCheckup"="c:\windows\system32\Adobe\Shockwave 11\symcheckupstub.exe" [2008-09-22 234872]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-04-06 219136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2007-09-23 09:10 229376 c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll jvqddb.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-04-01 24652]
.
Contents of the 'Scheduled Tasks' folder
2008-12-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-12-14 c:\windows\Tasks\Norton PC Checkup Setup.job
- c:\windows\system32\Adobe\Shockwave 11\symcheckupstub.exe [2008-09-22 18:19]
.
- - - - ORPHANS REMOVED - - - -
BHO-{0094679e-ce80-4612-be47-43635ac7efbd} - (no file)
BHO-{49B722E1-C17C-4371-BF35-922421CB71DA} - (no file)
HKCU-Run-GetModule32 - c:\program files\GetModule\GetModule32.exe
HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
Notify-nnnkkjhI - nnnkkjhI.dll
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\5b3dgblk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\np32dsw.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npdnu.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPOFF12.DLL
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\nppdf32.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin3.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin4.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin5.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin6.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin7.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPSWF32.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnu.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 14:27:50
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\Ati2evxx.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-14 14:32:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-14 19:32:39
Pre-Run: 46,909,882,368 bytes free
Post-Run: 46,813,163,520 bytes free
205 --- E O F --- 2008-12-11 19:24:01