
Mother of all infections

HomeBuilt
November 4, 2008 at 17:54:39
Specs: Win XP, 2.10 GHz 1.00 GB RAM

Holy Moly.
I have the QQRob Trojan,
CoolWWWSearch.OleHelp
and Vanbot in my machine and have tried everything to get rid of them.
I've gone to Safe Mode and run Spybot, which finds it and I get rid of it, only to have it come back when I reboot.
I've tried SuperAntiSpyware, AVG, ATF Cleaner.

I ran a full scan with AVG and it showed a page of stuff detected.

Here is my Spybot log:

CoolWWWSearch.OleHelp: [SBI $F3F8B2C7] Autorun settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost

Vanbot: [SBI $78E16199] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Update Machine

QQRob: [SBI $A8B66BA0] Executable (File, nothing done)
F:\WINDOWS\system32\svohost.exe

User abort!: Scan was not completed successfully. ()


--- Spybot - Search & Destroy version: 1.6.0 (build: 20080729) ---

2008-08-14 blindman.exe (1.0.0.8)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-08-14 SDUpdate.exe (1.6.0.9)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-30 SpybotSD.exe (1.6.0.31)
2008-09-16 TeaTimer.exe (1.6.3.25)
2008-11-02 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-07-07 advcheck.dll (1.6.1.12)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-07-07 Tools.dll (2.1.5.7)
2008-09-02 Includes\Adware.sbi (*)
2008-10-27 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-09-02 Includes\Dialer.sbi (*)
2008-09-09 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-09-02 Includes\Hijackers.sbi (*)
2008-10-28 Includes\HijackersC.sbi (*)
2008-09-09 Includes\Keyloggers.sbi (*)
2008-10-28 Includes\KeyloggersC.sbi (*)
2008-10-28 Includes\Malware.sbi (*)
2008-10-28 Includes\MalwareC.sbi (*)
2008-09-02 Includes\PUPS.sbi (*)
2008-10-28 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-10-23 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-10-28 Includes\Spyware.sbi (*)
2008-10-29 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-10-29 Includes\Trojans.sbi (*)
2008-10-29 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)


Thanks!!




#1
November 4, 2008 at 18:17:03

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & Paste the entire report in your next reply.


Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#2
November 4, 2008 at 18:46:46

OK
Here we go!

Malwarebytes' Anti-Malware 1.30
Database version: 1366
Windows 5.1.2600 Service Pack 3

11/4/2008 6:35:35 PM
mbam-log-2008-11-04 (18-35-28).txt

Scan type: Quick Scan
Objects scanned: 50834
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft update machine (Backdoor.Bot) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft update machine (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\microsoft update machine (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\Local Page (Hijack.Search) -> Bad: (http://www.iesearch.com/) Good: (http://www.google.com/) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
F:\WINDOWS\system32\mdm.exe (Backdoor.Bot) -> No action taken.
F:\WINDOWS\system32\pac.txt (Malware.Trace) -> No action taken.
F:\WINDOWS\system32\svohost.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:20 PM, on 11/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
F:\WINDOWS\system32\brsvc01a.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\brss01a.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\WINDOWS\system32\Brmfrmps.exe
C:\Digidesign\Drivers\MMERefresh.exe
F:\WINDOWS\system32\lxdicoms.exe
F:\Program Files\Mediafour\MacDrive 7\MacDriveServiceD.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\PnkBstrA.exe
F:\PROGRA~1\AVG\AVG8\avgrsx.exe
F:\WINDOWS\System32\svchost.exe
F:\PROGRA~1\AVG\AVG8\avgemc.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
F:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\RTHDCPL.EXE
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Mediafour\MacDrive 7\MacDriveD.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
F:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
F:\PROGRA~1\AVG\AVG8\avgtray.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\DAEMON Tools Lite\daemon.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Outlook Express\msimn.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/front...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yc...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - F:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: FrontierBA BHO - {A93A3CC1-BA23-4d0d-9440-6A0148362B7E} - F:\Program Files\FrontierBA\BrowserAssistant\fbabar.dll
O4 - HKLM\..\Run: [SW24] F:\WINDOWS\System32\sw24.exe
O4 - HKLM\..\Run: [SW20] F:\WINDOWS\System32\sw20.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "F:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SetDefPrt] "F:\Program Files\Brother\Brmfl04b\BrStDvPt.exe"
O4 - HKLM\..\Run: [PaperPort PTD] "F:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IndexSearch] "F:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [ControlCenter2.0] "F:\Program Files\Brother\ControlCenter2\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{FD1C41EC-B9AC-4F08-9BDB-CC8ECC8FC1B3}] "F:\Program Files\Mediafour\MacDrive 7\MacDriveD.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "F:\Program Files\\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [lxdimon.exe] "F:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "F:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] F:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [svchost] F:\Documents and Settings\Owner\Localdir\svchost.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "F:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: DualCoreCenter.lnk = F:\Program Files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBD0FE5C-8CF1-4AB4-9576-F04B03072D05}: Domain = domain.invalid
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - F:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - F:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - F:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - F:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - F:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - F:\WINDOWS\system32\lxdicoms.exe
O23 - Service: MacDriveServiceD - Mediafour Corporation - F:\Program Files\Mediafour\MacDrive 7\MacDriveServiceD.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 9900 bytes



#3
November 4, 2008 at 19:05:13

Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press fix checked:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [svchost] F:\Documents and Settings\Owner\Localdir\svchost.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present (unless you set this)


O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present (unless you set this)


O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present (unless you set this)

O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -


O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -

Exit Hijack This.

Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.

1. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline turn off your AVG antivirus, Spybot, Ad-Aware, Spyware Doctor and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.




#4
November 5, 2008 at 07:32:06

OK

Here are the logs. A post at a time.


[b]SDFix: Version 1.239 [/b]
Run by Administrator on Tue 11/04/2008 at 21:09

Microsoft Windows XP [Version 5.1.2600]
Running From: F:\SDFix

[b]Checking Services [/b]:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


[b]Checking Files [/b]:

Trojan Files Found:

F:\WINDOWS\system32\lhkpkbmbdpudwxvvn.exe - Deleted

Removing Temp Files

[b]ADS Check [/b]:


[b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-04 21:19:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="F:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:56,bc,f0,81,09,c0,a3,8e,53,22,25,26,21,5d,c2,1e,66,aa,02,c4,72,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,a5,4d,a3,b4,53,29,c9,2b,a5,a5,33,4d,63,55,5b,a3,5b,..
"khjeh"=hex:30,fc,ec,cf,eb,18,8b,de,a6,85,b3,52,4a,98,b7,21,3b,a4,c6,b8,6c,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:88,10,0d,c5,d1,59,b9,47,8f,70,6b,c2,6a,48,8d,69,85,eb,1d,c7,dc,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="F:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:56,bc,f0,81,09,c0,a3,8e,53,22,25,26,21,5d,c2,1e,66,aa,02,c4,72,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,a5,4d,a3,b4,53,29,c9,2b,a5,a5,33,4d,63,55,5b,a3,5b,..
"khjeh"=hex:30,fc,ec,cf,eb,18,8b,de,a6,85,b3,52,4a,98,b7,21,3b,a4,c6,b8,6c,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:88,10,0d,c5,d1,59,b9,47,8f,70,6b,c2,6a,48,8d,69,85,eb,1d,c7,dc,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="F:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:56,bc,f0,81,09,c0,a3,8e,53,22,25,26,21,5d,c2,1e,66,aa,02,c4,72,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,a5,4d,a3,b4,53,29,c9,2b,a5,a5,33,4d,63,55,5b,a3,5b,..
"khjeh"=hex:30,fc,ec,cf,eb,18,8b,de,a6,85,b3,52,4a,98,b7,21,3b,a4,c6,b8,6c,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:88,10,0d,c5,d1,59,b9,47,8f,70,6b,c2,6a,48,8d,69,85,eb,1d,c7,dc,..

scanning hidden registry entries ...

source file error: F:\Documents and Settings\Owner\ntuser.dat
scanning hidden files ...

F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\MLB 07: The Show (2007) (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\MLB 08: The Show (2008) (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Tycoon City: New York.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Code Lyoko: Quest for Infinity (2008) (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Magic Encyclopedia: First Story.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Temüjin: The Capricorn Collection.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Atlantis 3: The New World.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Everlight: Magic and Power.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Grand Theft Auto: San Andreas.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Grand Theft Auto: Vice City.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Xenus 2: White Gold.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\XIII Century: Death or Glory (2008).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Medieval 2: Total War.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Azada: Ancient Magic.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Kickster: Online Street Soccer 2008.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Killzone: Liberation (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Prince of Persia: The Sands of Time.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Prince of Persia: Warrior Within.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Mystery Chronicles: Murder Among Friends.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Mystery PI: The Lottery Ticket.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Mystery PI: The Vegas Heist.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Myth Makers: Trixie In Toyland (Wii).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Hellboy: The Science of Evil (2008) (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Galactic Civilizations II: Twilight of the Amor.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Galactic Civilizations II: Twilight of the Arnor.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Galactic Dream: Rage of War.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Bully: Scholarship Edition (2008).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Bully: Scholarship.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Druuna: Morbis Gravis.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Race Driver: Grid (2008).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Race Driver: GRID.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Arma: Armed Asault.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Delta Force: Black Hawk Down.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Delta Force: Task Force Dagger.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Carreras,Domingo,Pavarotti: The Three Tenors Christmas 2000.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Supreme Commander: Forged Alliance.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Pinball Hall of Fame: The Williams Collection (2008) (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Penumbra: Black Plague.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Penumbra: Overture.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Black and White 2: Battle of the Gods.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Adrenalin: Extreme Show.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Ace Combat X: Skies of Deception (2006) (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Spider Man: Friend or Foe (2007).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Spider-Man: Web of Shadows (2008).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Spider-Man: Web of Shadows (Reloaded).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Spider-Man: Web of Shadows.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Spiderman: Web of Shadows.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Conflict Desert Storm II: Back to Baghdad.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\50 Cent: Bulletproof G Unit Edition (2006) (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Project IGI 2: Covert Strike.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Sacred 2: Fallen Angel.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\House of Wonders: Kitty Kat Wedding.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Curse of the Pharaoh: The Quest for Nefertiti.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Patriots: A Nation Under Fire.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Postal 2: Share the Pain.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Transformers: The Game (2007) (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Jewel Quest Mysteries: Curse of the Emerald Tear 1.0.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Jewel Quest Mysteries: Curse of the Emerald Tear.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Juiced: Eliminator (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Juiced 2: Hot Import Nights (2007).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Juiced 2: Hot Import Nights.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Lara Croft Tomb Raider: Anniversary (2007) (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Disney's Hercules: Action.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Mafia: The City of Lost Heaven.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Rayman: Raving Rabbids TV Party.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Rayman 2: The Great Escape.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Chocolatier 2: Secret Ingredients 1.0.2.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\CIA Operative: Solo Missions.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Gurumin: A Monstrous Adventure (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Half Life 2: Orange Box.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Halo: Combat Evolved.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\After Burner: Black Falcon (2007) (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Agatha Christie: Evil Under the Sun.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Age of Conan: Hyborian Adventures (2008).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Rome: Total War Alexander.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Rosetta Stone Language Courses 2.0.8.1: Arabic (Modern) Levels 1+2.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Rosetta Stone Language Courses 2.0.8.1: Dutch Levels 1+2.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Rosetta Stone Language Courses 2.0.8.1: Greek Levels 1+2.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Rosetta Stone Language Courses 2.0.8.1: Latin Level 1.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Rosetta Stone Language Courses 2.0.8.1: Polish Level 1.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Home Sweet Home 2: Kitchens and Baths.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\The Lord of the Rings: The War of the Ring.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\The Settlers: Rise of an Empire.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\The Sims 2: Apartment Life.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Sherlock Holmes: Nemesis.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Sid Meier's Civilization 4: Beyond the Sword.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Sid Meier's Civilization IV: Colonization.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Sid Meiers Civilization IV: Colonization.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Sudden Strike 3: Arms for Victory.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Pirates of Caribbean: At World's end.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Pirates of Carrebian: Legend of Jack Sparrow.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Crazy Chicken: Atlantis (2008).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Evil Dead: Regeneration.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Elf Bowling 2: Hawaiian Vacation.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Enemy Territory: Quake Wars.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\ER: Medic Simulator.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\ER:Medic Simulator.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\High School Musical 3: Senior Year Dance (2008).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\High School Musical 3: Senior Year.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Marine Heavy Gunner: Vietnam.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Marine Sharpshooter 4: Locked and Loaded.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\World War II: Prisoner of War.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Worms: Open Warfare 2 (2007) (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Monster Jam: Urban Assault (Wii).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Flowers Story: Fairy Quest.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Die Hard: Nakatomi Plaza.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Dawn of War: Soulstorm.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Dracula 3: The Path of the Dragon.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\James Bond: Quantom of Solace.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\James Bond 007: Quantum of Solace (NDS).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\James Bond 007: Quantum of Solace (Reloaded).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\James Bond 007: Quantum of Solace.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\God of War: Chains of Olympus (2008) (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\GTA: San Andreas.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\GTA: Vice City Ultimate (2006).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Prison Tycoon 4: Supermax.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Need for Speed: Carbon.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Need for Speed: High Stakes.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Need for Speed: Most Wanted.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Need for Speed: Pro Street (High Compression).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Need for Speed: Pro Street.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Need for Speed: Underground 2.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Need for Speed: Underground.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Final Fantasy Tactics: The War of the Lions (2007) (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Final Fantasy Tactics: The War of the Lions (2007).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Final Fantasy VII: Crisis Core (2008) (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\From the Orange Box: Team Fortress 2.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Scarface: The World Is Yours.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Avatar: Path of Zuko.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\DVDFab Platinum (Option: Mobile) 5.1.1.0.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Ben 10: Protector of Earth (2007) (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Cassandra's Journey: The Legacy of Nostradamus.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Star Wars: Empire at War Forces of Corruption.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Star Wars: Knights of the Force.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Star Wars: The Force Unleashed (2008) (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Star Wars Battlefront: Renegade Squadron (2007) (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Amazing Adventures 2: Around the World.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\American Mcgee's: Bad Day L.A.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Medal of Honor: Airborne.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Combat of Giants: Dinosaurs (NDS).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Command & Conquer: Generals.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Command & Conquer: Red Alert 2.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Command & Conquer: Red Alert 3 (2008).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Command & Conquer: Red Alert 3.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Command and Conquer: Red Alert 3 (Reloaded).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Command and Conquer: Red Alert 3.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Command and Conquer 3: Kanes Wrath.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Naruto: Ultimate Ninja Heroes (2007) (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Natalie Brooks: Secrets of Treasure House 1.0.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Happy Tree Friends: False Alarm (2008).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Hardy Boys: The Hidden Theft.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Sindbad: Return of Legend 1.0.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Thrillville: Off the Rails (2007) (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Titan Quest:Immortal Throne.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\WWII Battle Tanks: T-34 vs Tiger.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\OutRun 2006: Coast 2 Coast (PS2).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\300: March to Glory (2007) (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Deadliest Catch: Alaskan Storm.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Deer Hunter: The Season 2005.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Age of Empires III: The Asian Dynasties - Expansion.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Age of Empires III: The War Chiefs - Expansion.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Age of Empires III: The WarChiefs.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Legacy of Kain: Defiance (2007).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Lego: Indiana Jones.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Lego Indiana Jones: The Original Adventures (Xbox 360).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Guitar Hero: Aerosmith (2008).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Guitar Hero: Aerosmith.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Tom & Jerry: Fists of Furry.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Tom Clancys: End War (Xbox).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Tomb Raider: Anniversary.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Tomb Raider: Underworld 2008.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\The History Channel: Monster Quest.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\The Legend of Zelda: Phantom Hourglass (NDS).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\The Legend of Zelda: Twilight Princess (GC).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Call of Duty: World at War (2008) Beta Multiplayer.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Call of Duty: World at War.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Call of Duty 4: Modern Warfare.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Diner Dash: Seasonal Snack Pack.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Serious Sam: Second Encounter.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Turtix 2: Rescue Adventures.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Multiwinia: Survival of the Flattest.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Windows Vista: Ultimate.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Alien Shooter: Vengeance.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Alien vs Predator: Requiem (2007) (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Age of Empires II: The Age of Kings.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Age of Empires II: The Conquerors - Expansion.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Armored Core: Formula Front Extreme Battle (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Big City Adventure: Sydney, Australia.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Metal Gear Solid 2: Substance.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Counter Strike: Condition Zero Deleted Scenes.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Counter Strike:Source.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Counter-Strike: Source.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Quantum of Solace: The Game (2008).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Forgotten Realms: Demon Stone.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Forgotten Riddles: The Moonlight Sonatas.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Sniper: Art of Victory (2008).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Sniper: Art of Victory.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Sniper: Path of Vengeance.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Hitman: Blood Money (Reloaded).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Hitman 2: Silent Assassin.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Hitman 3: Contracts.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Hitman 4: Blood Money (PS2).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Hitman 4: Blood Money.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Castlevania: Order of Ecclesia (NDS).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Castlevania: The Dracula X Chronicles (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Silent Hill 4: The Room.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Silent Hunter 4: Wolves of the Pacific.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Moto GP 3: Ultimate Racing Technology.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Ghost In the Shell: Stand Alone Complex (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Ghost Recon: Advanced Warfighter 2.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Fable: The Lost Chapters.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\RedRum: Dead Diary.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Reflexive Games Home Sweet Home 2: Kitchens and Baths.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\James Patterson: Women's Murder Club.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Onimusha 3: Demon Siege.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\hessmaster: The Art of Learning (2008) (PSP).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Hide & Secret 2: Cliffhanger Castle.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Sword of the Stars: A Murder of Crows.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Battlestations: Midway (Xbox 360).zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Brothers in Arms: Hell's Highway.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Brothers in Arms: Hells Highway.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Power Rangers: Operation Overdrive FMV.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Dragon Ball Z: Shin Budokai - Another Road (2007) (PSP).zip 403456 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 223


[b]Remaining Services [/b]:


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\The Guild 2 - Demo\\GuildII.exe"="C:\\The Guild 2 - Demo\\GuildII.exe:*:Enabled:GuildII"
"C:\\Program Files\\The Guild 2 - Demo\\GuildII.exe"="C:\\Program Files\\The Guild 2 - Demo\\GuildII.exe:*:Enabled:GuildII"
"F:\\NovaLogic\\Delta Force Black Hawk Down\\UPDATE.EXE"="F:\\NovaLogic\\Delta Force Black Hawk Down\\UPDATE.EXE:*:Enabled:UPDATE"
"F:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"="F:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe:*:Enabled:ET"
"F:\\NovaLogic\\Delta Force Black Hawk Down\\DFBHD.EXE"="F:\\NovaLogic\\Delta Force Black Hawk Down\\DFBHD.EXE:*:Enabled:DFBHD"
"F:\\Program Files\\Blitzkrieg 2\\EXE\\bin\\Game.exe"="F:\\Program Files\\Blitzkrieg 2\\EXE\\bin\\Game.exe:*:Enabled:Game"
"F:\\WINDOWS\\system32\\dpvsetup.exe"="F:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"F:\\WINDOWS\\system32\\rundll32.exe"="F:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"F:\\Program Files\\LimeWire\\LimeWire.exe"="F:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Steam\\steamapps\\mavityre@comcast.net\\day of defeat source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\mavityre@comcast.net\\day of defeat source\\hl2.exe:*:Enabled:hl2"
"F:\\Program Files\\Guild Wars\\Gw.exe"="F:\\Program Files\\Guild Wars\\Gw.exe:*:Disabled:Guild Wars"
"F:\\Program Files\\Internet Explorer\\iexplore.exe"="F:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"F:\\Documents and Settings\\Owner\\Local Settings\\Temp\\empires2.EXE"="F:\\Documents and Settings\\Owner\\Local Settings\\Temp\\empires2.EXE:*:Disabled:Age of Empires II"
"F:\\AGE3\\Empire Earth.exe"="F:\\AGE3\\Empire Earth.exe:*:Disabled:Empire Earth"
"F:\\Program Files\\DNA\\btdna.exe"="F:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"F:\\Program Files\\BitTorrent\\bittorrent.exe"="F:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"F:\\Program Files\\Wyzo\\wyzo.exe"="F:\\Program Files\\Wyzo\\wyzo.exe:*:Enabled:Wyzo"
"F:\\WINDOWS\\system32\\PnkBstrA.exe"="F:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"F:\\WINDOWS\\system32\\PnkBstrB.exe"="F:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"F:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="F:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM)"
"F:\\Program Files\\Mozilla Firefox\\firefox.exe"="F:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\\Program Files\\Warcraft III\\Warcraft III.exe"="F:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"F:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"="F:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe:*:Enabled:Rise of Nations"
"F:\\Program Files\\iTunes\\iTunes.exe"="F:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"F:\\WINDOWS\\system32\\lxdicoms.exe"="F:\\WINDOWS\\system32\\lxdicoms.exe:*:Enabled:3500-4500 Series Server"
"F:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"="F:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe:*:Enabled:Printing Application"
"F:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"="F:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe:*:Enabled:Device Monitor Application"
"F:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdiwbgw.exe"="F:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdiwbgw.exe:*:Enabled:Lexmark Web Gateway"
"F:\\Program Files\\Lexmark 3500-4500 Series\\Wireless\\lxdiwpss.exe"="F:\\Program Files\\Lexmark 3500-4500 Series\\Wireless\\lxdiwpss.exe:*:Enabled: "
"F:\\Program Files\\Bonjour\\mDNSResponder.exe"="F:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Disabled:Bonjour"
"F:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"="F:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe:*:Enabled:Device Monitor"
"F:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"="F:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe:*:Enabled:Printer Status Window Interface"
"F:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"="F:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe:*:Enabled:Lexmark Connect Time Executable"
"F:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"="F:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe:*:Enabled:Job Status Window Interface"
"F:\\Program Files\\AVG\\AVG8\\avgemc.exe"="F:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"F:\\Program Files\\AVG\\AVG8\\avgupd.exe"="F:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\\Program Files\\Lexmark 3500-4500 Series\\app4r.exe"="F:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe:*:Enabled:Lexmark Imaging Studio"

[b]Remaining Files [/b]:


File Backups: - F:\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:

Sat 16 Feb 2008 4,348 ..SH. --- "F:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 28 Feb 2007 1,327 A..H. --- "F:\Documents and Settings\All Users\Application Data\PACE Anti-Piracy\IN6apWmcDr6KdG\SW2pySZU6uP7zQN.tmp"

[b]Finished![/b]


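Two things in the SDFix report above are worth pulling out mechanically rather than by eye. First, the hidden-files list: every entry under `LimeWire\Shared\share\` is flagged `executable`, carries an attractive game or software title with a `.zip` extension, and is exactly 403456 bytes. Hundreds of differently named files that are all the same size and all PE executables are copies of one binary, which is how a P2P-spreading worm seeds a shared folder. Second, the firewall `AuthorizedApplications` export contains an allow for `rundll32.exe` ("Run a DLL as an App") and one for an EXE sitting in `Local Settings\Temp`; an exception on a generic host binary lets any DLL it is asked to load talk through the firewall. The script below is an added example for this thread, not something the poster or the SDFix tool produced: it parses a constructed excerpt of the two log sections in the formats shown above (the LimeWire paths are copied from the log, the `holiday.jpg` control line is invented) and reports both patterns. Thresholds and the list of "generic host" binaries are assumptions, not SDFix settings.

```python
import re
from collections import defaultdict

# Constructed excerpt of the SDFix "hidden files" lines posted above.  The LimeWire
# paths are copied from the log; the last line is an invented control entry.
HIDDEN_FILE_LINES = r"""
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Halo: Combat Evolved.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Need for Speed: Carbon.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Windows Vista: Ultimate.zip 403456 bytes executable
F:\Documents and Settings\Owner\My Documents\LimeWire\Shared\share\Hitman 4: Blood Money.zip 403456 bytes executable
F:\Documents and Settings\Owner\Desktop\holiday.jpg 1048576 bytes
"""

# Constructed excerpt of the firewall AuthorizedApplications registry export, in the
# same "key"="path:scope:Enabled:name" form SDFix printed (backslashes doubled).
FIREWALL_LINES = r'''
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\\WINDOWS\\system32\\rundll32.exe"="F:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"F:\\Documents and Settings\\Owner\\Local Settings\\Temp\\empires2.EXE"="F:\\Documents and Settings\\Owner\\Local Settings\\Temp\\empires2.EXE:*:Disabled:Age of Empires II"
"F:\\Program Files\\Mozilla Firefox\\firefox.exe"="F:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
'''

# "<path> <size> bytes [executable]"; the greedy path backtracks to the last size field.
HIDDEN_RE = re.compile(r"^(?P<path>.+) (?P<size>\d+) bytes(?P<exe> executable)?\s*$")
REG_LINE_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>.*)"$')
# Non-greedy path so the drive-letter colon is not taken as the scope separator.
VALUE_RE = re.compile(r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<status>Enabled|Disabled):(?P<name>.*)$", re.I)

# Assumed list: binaries whose firewall exception effectively covers arbitrary code.
GENERIC_HOSTS = {"rundll32.exe", "regsvr32.exe", "cmd.exe", "wscript.exe",
                 "cscript.exe", "mshta.exe", "svchost.exe"}


def _ext(path):
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def parse_hidden_files(text):
    """Turn SDFix hidden-file lines into dicts of path, size and executable flag."""
    entries = []
    for line in text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            entries.append({"path": m["path"], "size": int(m["size"]),
                            "executable": bool(m["exe"])})
    return entries


def find_seeded_copies(entries, min_copies=3):
    """Group executable-flagged files by exact size; clusters of identical-size
    executables under different names are copies of one binary (worm seeding)."""
    by_size = defaultdict(list)
    for e in entries:
        if e["executable"]:
            by_size[e["size"]].append(e["path"])
    clusters = []
    for size, paths in by_size.items():
        if len(paths) >= min_copies:
            clusters.append({"size": size, "count": len(paths),
                             "extensions": sorted({_ext(p) for p in paths}),
                             "paths": paths})
    return sorted(clusters, key=lambda c: -c["count"])


def parse_firewall_exceptions(text):
    """Parse the AuthorizedApplications export; un-doubles the backslashes."""
    rules = []
    for line in text.splitlines():
        m = REG_LINE_RE.match(line.strip())
        v = VALUE_RE.match(m["value"]) if m else None
        if v:
            rules.append({"path": v["path"].replace("\\\\", "\\"), "scope": v["scope"],
                          "enabled": v["status"].lower() == "enabled", "name": v["name"]})
    return rules


def risky_firewall_exceptions(rules):
    """Flag exceptions on generic host binaries and on executables in temp folders."""
    findings = []
    for r in rules:
        low = r["path"].lower()
        reasons = []
        if low.rsplit("\\", 1)[-1] in GENERIC_HOSTS:
            reasons.append("generic host binary: whatever it loads inherits the allow")
        if "\\temp\\" in low:
            reasons.append("binary lives in a temp directory")
        if reasons:
            findings.append({"path": r["path"], "enabled": r["enabled"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for c in find_seeded_copies(parse_hidden_files(HIDDEN_FILE_LINES)):
        print(f"{c['count']} executables of {c['size']} bytes named as {c['extensions']}:")
        for p in c["paths"]:
            print("   ", p)
    for f in risky_firewall_exceptions(parse_firewall_exceptions(FIREWALL_LINES)):
        state = "enabled" if f["enabled"] else "disabled"
        print(f"firewall exception ({state}): {f['path']} -> {'; '.join(f['reasons'])}")
```

Run against the full report, the size cluster collapses the 160-odd LimeWire entries to a single finding, which is the thing to hash and submit rather than the individual names. The `Disabled` exception is still reported: it can be flipped back on with one registry write, so it belongs in the cleanup list too.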

#5
November 5, 2008 at 07:34:33

Combofix log.

ComboFix 08-11-04.02 - Owner 2008-11-04 21:43:59.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.549 [GMT -8:00]
Running from: f:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.

2008-11-04 21:08 . 2008-11-04 21:08 578,560 --a--c--- f:\windows\system32\dllcache\user32.dll
2008-11-04 21:07 . 2008-11-04 21:07 <DIR> d-------- f:\windows\ERUNT
2008-11-04 20:53 . 2008-11-04 20:53 <DIR> d-------- F:\New Folder (4)
2008-11-04 20:53 . 2008-11-04 20:53 <DIR> d-------- F:\New Folder (3)
2008-11-04 20:53 . 2008-11-04 20:53 <DIR> d-------- F:\New Folder (2)
2008-11-04 20:53 . 2008-11-04 20:53 <DIR> d-------- F:\New Folder
2008-11-04 20:48 . 2008-11-04 21:22 <DIR> d-------- F:\SDFix
2008-11-04 18:29 . 2008-11-04 18:29 <DIR> d-------- f:\program files\Malwarebytes' Anti-Malware
2008-11-04 18:29 . 2008-11-04 18:29 <DIR> d-------- f:\documents and settings\Owner\Application Data\Malwarebytes
2008-11-04 18:29 . 2008-11-04 18:29 <DIR> d-------- f:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-04 18:29 . 2008-10-22 16:28 38,496 --a------ f:\windows\system32\drivers\mbamswissarmy.sys
2008-11-04 18:29 . 2008-10-22 16:28 15,504 --a------ f:\windows\system32\drivers\mbam.sys
2008-11-04 11:22 . 2008-11-04 11:22 <DIR> d-------- f:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-11-04 08:16 . 2008-11-04 11:25 4,890 --a------ f:\windows\system32\tmp.reg
2008-11-04 07:47 . 2008-11-04 14:20 <DIR> d--h----- F:\$AVG8.VAULT$
2008-11-04 06:59 . 2008-11-04 06:59 10,520 --a------ f:\windows\system32\avgrsstx.dll
2008-11-04 06:58 . 2008-11-04 07:00 <DIR> d-------- f:\windows\system32\drivers\Avg
2008-11-04 06:58 . 2008-11-04 06:58 <DIR> d-------- f:\program files\AVG
2008-11-04 06:58 . 2008-11-04 06:58 <DIR> d-------- f:\documents and settings\All Users\Application Data\avg8
2008-11-04 06:58 . 2008-11-04 06:58 97,928 --a------ f:\windows\system32\drivers\avgldx86.sys
2008-11-04 06:58 . 2008-11-04 06:58 76,040 --a------ f:\windows\system32\drivers\avgtdix.sys
2008-11-03 21:13 . 2008-11-03 21:13 <DIR> d-------- f:\documents and settings\Owner\DoctorWeb
2008-11-03 20:44 . 2008-11-03 20:44 <DIR> d-------- f:\program files\SUPERAntiSpyware
2008-11-03 20:44 . 2008-11-03 20:44 <DIR> d-------- f:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2008-11-03 20:44 . 2008-11-03 20:44 <DIR> d-------- f:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-03 18:54 . 2006-07-31 21:53 40,960 --a------ f:\windows\system32\lxdivs.dll
2008-11-03 18:53 . 2007-03-30 06:13 344,064 --a------ f:\windows\system32\lxdicoin.dll
2008-11-03 18:52 . 2007-01-22 01:53 60 --ah----- f:\windows\system32\lxdirwrd.ini
2008-11-03 18:51 . 2008-11-03 18:53 <DIR> d-------- f:\program files\Lexmark 3500-4500 Series
2008-11-03 07:16 . 2008-11-03 07:16 <DIR> d--h----- f:\windows\PIF
2008-11-02 10:14 . 2008-11-02 10:14 <DIR> d-------- f:\windows\system32\vb
2008-11-02 10:14 . 2008-11-04 13:57 <DIR> d-------- f:\windows\system32\QI13
2008-11-02 10:14 . 2008-11-02 10:14 <DIR> d-------- f:\windows\system32\OT2
2008-11-02 10:14 . 2008-11-02 10:14 <DIR> d-------- f:\windows\system32\im
2008-11-02 10:14 . 2008-11-02 10:14 <DIR> d-------- f:\windows\system32\FPX
2008-11-02 10:14 . 2008-11-04 13:54 147,456 --a------ f:\windows\system32\vbzip10.dll
2008-11-02 10:11 . 2008-11-04 14:33 <DIR> d--hs---- f:\documents and settings\Owner\Localdir
2008-11-01 08:02 . 2008-11-01 08:02 <DIR> d-------- f:\program files\CAM Development
2008-11-01 08:02 . 2008-11-01 08:02 <DIR> d-------- f:\documents and settings\All Users\Application Data\CAM Development
2008-10-31 05:45 . 2008-10-31 05:45 365 --a------ f:\windows\SIERRA.IN~
2008-10-30 17:52 . 2008-10-30 21:01 52 --a------ f:\windows\winlemm.ini
2008-10-29 18:59 . 2008-10-29 18:59 102,190 --a------ f:\windows\system32\cont_adzgalore-remove.exe
2008-10-29 18:59 . 2008-10-29 18:59 90,891 --a------ f:\windows\system32\wiijitoeup.dll-uninst.exe
2008-10-28 16:11 . 2008-11-02 12:21 <DIR> d-------- f:\documents and settings\Owner\Application Data\skypePM
2008-10-28 16:11 . 2008-10-28 16:11 56 --ah----- f:\windows\system32\ezsidmv.dat
2008-10-28 16:09 . 2008-11-02 12:37 <DIR> d-------- f:\documents and settings\All Users\Application Data\Skype
2008-10-28 13:18 . 2008-10-28 13:18 172,544 --a------ f:\windows\system32\jgkuxyfxhmtmmnuye.dll
2008-10-24 07:13 . 2008-10-15 08:34 337,408 -----c--- f:\windows\system32\dllcache\netapi32.dll
2008-10-21 12:20 . 2008-11-04 06:46 <DIR> d-------- f:\documents and settings\Owner\Application Data\Lexmark Productivity Studio
2008-10-21 12:12 . 2008-11-04 20:58 <DIR> d-------- f:\documents and settings\All Users\lx_cats
2008-10-21 12:03 . 2008-10-21 13:01 <DIR> d-------- f:\documents and settings\Owner\Application Data\FaxCtr
2008-10-21 11:56 . 2008-10-21 11:56 <DIR> d-------- F:\logs
2008-10-21 11:55 . 2001-08-17 22:36 87,040 --a------ f:\windows\system32\wiafbdrv.dll
2008-10-21 11:55 . 2001-08-17 22:36 87,040 --a--c--- f:\windows\system32\dllcache\wiafbdrv.dll
2008-10-21 11:55 . 2008-04-13 11:45 15,104 --a------ f:\windows\system32\drivers\usbscan.sys
2008-10-21 11:55 . 2008-04-13 11:45 15,104 --a--c--- f:\windows\system32\dllcache\usbscan.sys
2008-10-21 11:54 . 2008-11-03 19:05 <DIR> d-------- f:\program files\Lexmark Fax Solutions
2008-10-21 11:54 . 2008-10-21 11:54 <DIR> d-------- f:\documents and settings\All Users\Application Data\FaxCtr
2008-10-21 11:54 . 2006-05-31 11:51 339,968 --a------ f:\windows\system32\IMGMAN32.DLL
2008-10-21 11:54 . 2006-05-31 11:51 98,345 --a------ f:\windows\system32\IMHOST32.DLL
2008-10-21 11:54 . 2006-05-31 11:51 98,304 --a------ f:\windows\system32\IM31XPNG.DEL
2008-10-21 11:54 . 2006-05-31 11:51 69,632 --a------ f:\windows\system32\IM31XTIF.DEL
2008-10-21 11:54 . 2006-05-31 11:51 49,152 --a------ f:\windows\system32\IM31IMG.DIL
2008-10-21 11:54 . 2007-02-21 23:13 45,056 --a------ f:\windows\system32\LXF3PMON.DLL
2008-10-21 11:54 . 2006-11-07 07:02 36,864 --a------ f:\windows\system32\lxf3oem.dll
2008-10-21 11:54 . 2007-02-21 23:12 32,768 --a------ f:\windows\system32\LXF3FXPU.DLL
2008-10-21 11:54 . 2007-02-21 23:15 12,288 --a------ f:\windows\system32\LXF3PMRC.DLL
2008-10-21 11:53 . 2008-10-21 11:54 <DIR> d-------- f:\program files\Abbyy FineReader 6.0 Sprint
2008-10-21 11:52 . 2008-11-03 18:54 89,682 --a------ f:\windows\system32\LexFiles.ulf
2008-10-20 10:03 . 2008-10-20 10:03 <DIR> d-------- f:\program files\iTunes
2008-10-20 10:03 . 2008-10-20 10:03 <DIR> d-------- f:\program files\iPod
2008-10-20 10:03 . 2008-10-20 10:03 <DIR> d-------- f:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-17 13:47 . 2008-10-17 13:48 <DIR> d-------- f:\program files\Common Files\Adobe
2008-10-17 13:07 . 2008-10-17 13:07 <DIR> d-------- f:\program files\Common Files\Adobe AIR
2008-10-17 12:57 . 2008-10-18 07:57 <DIR> d-------- f:\documents and settings\All Users\Application Data\NOS
2008-10-15 06:20 . 2008-08-14 02:11 2,189,184 -----c--- f:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 06:20 . 2008-08-14 01:33 2,066,048 -----c--- f:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 06:20 . 2008-09-15 04:12 1,846,400 -----c--- f:\windows\system32\dllcache\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 01:39 --------- d---a-w f:\documents and settings\All Users\Application Data\TEMP
2008-11-04 19:00 --------- d--h--w f:\program files\InstallShield Installation Information
2008-11-04 18:46 111,928 ----a-w f:\windows\system32\PnkBstrB.exe
2008-11-04 04:22 --------- d-----w f:\program files\Common Files\Wise Installation Wizard
2008-11-04 02:40 --------- d-----w f:\program files\WINForms Desktop
2008-11-04 02:40 --------- d-----w f:\program files\Winamp
2008-11-04 02:40 --------- d-----w f:\program files\WinAce
2008-11-04 02:40 --------- d-----w f:\program files\Spyware Doctor
2008-11-04 02:40 --------- d-----w f:\program files\QuickTime
2008-11-04 02:40 --------- d-----w f:\program files\Paint.NET
2008-11-04 02:40 --------- d-----w f:\program files\MSI
2008-11-04 02:40 --------- d-----w f:\program files\GameSpy Arcade
2008-11-04 02:40 --------- d-----w f:\program files\Family Tree Maker 2008
2008-11-04 02:40 --------- d-----w f:\program files\Ahead
2008-11-04 01:09 729,088 -c--a-w f:\windows\iun6002.exe
2008-11-04 00:48 --------- d-----w f:\program files\LimeWire
2008-11-02 23:56 --------- d-----w f:\program files\CD to MP3 Ripper
2008-11-02 23:27 --------- d-----w f:\documents and settings\Owner\Application Data\LimeWire
2008-11-02 21:40 --------- d-----w f:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-02 21:06 --------- d-----w f:\program files\Spybot - Search & Destroy
2008-11-02 00:33 139,152 -c--a-w f:\windows\system32\drivers\PnkBstrK.sys
2008-10-18 06:51 --------- d-----w f:\documents and settings\Owner\Application Data\Digidesign
2008-09-28 05:30 43,520 -c--a-w f:\windows\system32\CmdLineExt03.dll
2008-09-27 03:59 --------- d-----w f:\program files\AGEIA Technologies
2008-09-27 03:43 --------- d-----w f:\program files\SystemRequirementsLab
2008-09-27 03:41 --------- d-----w f:\documents and settings\Owner\Application Data\SystemRequirementsLab
2008-09-18 13:12 --------- d-----w f:\program files\Apple Software Update
2008-09-18 13:10 --------- d-----w f:\program files\Bonjour
2008-09-18 13:09 --------- d-----w f:\program files\Common Files\Apple
2008-09-17 20:22 --------- d-----w f:\program files\Audacity
2008-09-17 14:32 --------- d-----w f:\documents and settings\Owner\Application Data\PC Tools
2008-09-17 04:27 453,152 -c--a-w f:\windows\system32\NVUNINST.EXE
2008-09-15 12:12 1,846,400 ----a-w f:\windows\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w f:\windows\system32\drivers\srv.sys
2008-09-08 04:26 --------- d-----w f:\documents and settings\All Users\Application Data\Samplit
2008-09-08 03:41 --------- d-----w f:\program files\Digidesign
2008-09-07 00:36 --------- d-----w f:\documents and settings\Owner\Application Data\PACE Anti-Piracy
2008-09-07 00:36 --------- d-----w f:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2008-09-07 00:31 --------- d-----w f:\documents and settings\Owner\Application Data\Propellerhead Software
2008-09-07 00:20 --------- d-----w f:\documents and settings\All Users\Application Data\Celemony Software GmbH
2008-09-07 00:11 --------- d-----w f:\documents and settings\Owner\Application Data\Ableton
2008-09-06 23:30 --------- d-----w f:\documents and settings\All Users\Application Data\Ableton
2008-09-06 06:14 --------- d-----w f:\program files\Common Files\iZotope
2008-09-06 05:43 --------- d-----w f:\documents and settings\All Users\Application Data\Propellerhead Software
2008-09-06 03:56 --------- d-----w f:\documents and settings\Owner\Application Data\DVD Flick
2008-09-06 03:31 --------- d-----w f:\documents and settings\All Users\Application Data\Structure
2008-09-06 02:53 --------- d-----w f:\documents and settings\Owner\Application Data\DNA
2008-09-06 02:52 --------- d-----w f:\program files\Mediafour
2008-09-06 02:52 --------- d-----w f:\program files\Common Files\Mediafour
2008-09-06 02:52 --------- d-----w f:\documents and settings\All Users\Application Data\Mediafour
2008-09-06 02:48 --------- d-----w f:\program files\Common Files\PACE Anti-Piracy
2008-09-06 02:47 --------- d-----w f:\program files\Common Files\Avid
2008-09-06 02:46 --------- d-----w f:\program files\Common Files\Digidesign
2008-09-06 02:45 --------- d-----w f:\documents and settings\Owner\Application Data\InstallShield
2008-09-05 23:45 --------- d-----w f:\program files\DNA
2008-09-05 21:23 --------- d-----w f:\program files\FrontierBA
2008-09-05 21:22 --------- d-----w f:\program files\FrontierSH
2008-09-05 00:07 53,248 ----a-w f:\windows\system32\unrar.dll
2008-09-04 16:31 288,024 ----a-w f:\windows\system32\PhysXCplUI.exe
2008-08-29 17:18 87,336 ----a-w f:\windows\system32\dns-sd.exe
2008-08-29 16:53 61,440 ----a-w f:\windows\system32\dnssd.dll
2008-08-29 15:57 70,936 ----a-w f:\windows\system32\PhysXLoader.dll
2008-08-20 05:30 666,112 ----a-w f:\windows\system32\wininet.dll
2008-08-14 10:09 2,145,280 ----a-w f:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w f:\windows\system32\ntkrnlpa.exe
2008-07-09 16:06 22,328 ----a-w f:\documents and settings\Owner\Application Data\PnkBstrK.sys
2008-04-23 12:59 56,912 ----a-w f:\documents and settings\Owner\g2mdlhlpx.exe
2007-12-21 05:49 167,645,227 ----a-w f:\documents and settings\Owner\java_ee_sdk-5_04-windows.exe
2006-11-08 01:27 13,107,200 ----a-w f:\program files\AnalogFactory.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="f:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"DAEMON Tools Lite"="f:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"SUPERAntiSpyware"="f:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SW24"="f:\windows\System32\sw24.exe" [2006-12-15 69632]
"SW20"="f:\windows\System32\sw20.exe" [2006-12-15 208896]
"SunJavaUpdateSched"="f:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SSBkgdUpdate"="f:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"SmartDefrag"="c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2007-04-28 3996632]
"SetDefPrt"="f:\program files\Brother\Brmfl04b\BrStDvPt.exe" [2004-05-25 49152]
"PaperPort PTD"="f:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"IndexSearch"="f:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"ControlCenter2.0"="f:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"NeroFilterCheck"="f:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"TkBellExe"="f:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-08 185896]
"{FD1C41EC-B9AC-4F08-9BDB-CC8ECC8FC1B3}"="f:\program files\Mediafour\MacDrive 7\MacDriveD.exe" [2007-04-18 159744]
"DigidesignMMERefresh"="c:\digidesign\Drivers\MMERefresh.exe" [2007-10-30 77824]
"QuickTime Task"="f:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"NvMediaCenter"="f:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"iTunesHelper"="f:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"FaxCenterServer"="f:\program files\\Lexmark Fax Solutions\fm3032.exe" [2007-07-16 311984]
"lxdimon.exe"="f:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-07-16 434864]
"lxdiamon"="f:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-07-16 25264]
"AVG8_TRAY"="f:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-04 1234712]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 f:\windows\LOGI_MWX.EXE]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-03 f:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-20 f:\windows\SkyTel.exe]
"nwiz"="nwiz.exe" [2008-09-17 f:\windows\system32\nwiz.exe]

f:\documents and settings\All Users\Start Menu\Programs\Startup\
DualCoreCenter.lnk - f:\program files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe [2007-10-19 192512]
Microsoft Office.lnk - f:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\progra~1\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 f:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave3"= Digi32.dll
"midi2"= mbx2midu.dll
"MIDI3"= diomidi.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Steam\\steamapps\\mavityre@comcast.net\\day of defeat source\\hl2.exe"=
"f:\\Program Files\\DNA\\btdna.exe"=
"f:\\WINDOWS\\system32\\PnkBstrA.exe"=
"f:\\WINDOWS\\system32\\PnkBstrB.exe"=
"f:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"f:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"f:\\Program Files\\iTunes\\iTunes.exe"=
"f:\\WINDOWS\\system32\\lxdicoms.exe"=
"f:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
"f:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"f:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdiwbgw.exe"=
"f:\\Program Files\\Lexmark 3500-4500 Series\\Wireless\\lxdiwpss.exe"=
"f:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"f:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"f:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"f:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"f:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=
"f:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"f:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 DigiFilter;DigiFilter;f:\windows\system32\drivers\DigiFilt.sys [2006-12-08 16384]
R0 MDFSYSNT;MacDrive file system driver;f:\windows\system32\drivers\MDFSYSNT.sys [2007-04-18 274048]
R0 MDPMGRNT;MDPMGRNT;f:\windows\system32\drivers\MDPMGRNT.sys [2007-02-28 19072]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;f:\windows\system32\Drivers\avgldx86.sys [2008-11-04 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;f:\progra~1\AVG\AVG8\avgemc.exe [2008-11-04 875288]
R2 avg8wd;AVG Free8 WatchDog;f:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-04 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;f:\windows\system32\Drivers\avgtdix.sys [2008-11-04 76040]
R2 DigiNet;Digidesign Ethernet Support;f:\windows\system32\DRIVERS\diginet.sys [2007-10-31 16400]
R2 lxdi_device;lxdi_device;f:\windows\system32\lxdicoms.exe [2007-06-11 517040]
R2 MacDriveServiceD;MacDriveServiceD;f:\program files\Mediafour\MacDrive 7\MacDriveServiceD.exe [2007-04-18 143360]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;f:\windows\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe [2007-06-11 99248]
S3 adxapie;adxapie;f:\docume~1\Owner\LOCALS~1\Temp\adxapie.sys [ ]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;f:\windows\system32\Drivers\BrSerIf.sys [2004-06-12 51712]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;f:\windows\system32\Drivers\BrUsbSer.sys [2004-01-10 11648]
S3 dalwdmservice;dal service;f:\windows\system32\drivers\dalwdm.sys [2007-10-31 97808]
S3 DigiCellDriver;DigiCellDriver;f:\program files\MSI\DualCoreCenter\NTGLM7X.sys [2006-10-05 27648]
S3 iLokDrvr;iLok;f:\windows\system32\DRIVERS\iLokDrvr.sys [2008-07-02 54256]
S3 MBX2DFU;MBX2DFU;f:\windows\system32\DRIVERS\MBX2DFU.sys [2007-10-31 21648]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;f:\windows\system32\drivers\mbx2midk.sys [2007-10-31 21904]
.
Contents of the 'Scheduled Tasks' folder

2008-11-03 f:\windows\Tasks\AppleSoftwareUpdate.job
- f:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-05 f:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\schedule.exe [2007-04-28 20:15]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - f:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\be78kheh.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.yahoo.com
FF -: plugin - c:\program files\PACE Anti-Piracy\iLok\NPPaceILok.dll
FF -: plugin - c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF -: plugin - c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF -: plugin - c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF -: plugin - f:\program files\DNA\plugins\npbtdna.dll
FF -: plugin - f:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - f:\program files\Mozilla Firefox\plugins\np_gp.dll
FF -: plugin - f:\program files\Mozilla Firefox\plugins\npImgCtl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-04 21:47:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-04 21:48:14
ComboFix-quarantined-files.txt 2008-11-05 05:48:09
ComboFix2.txt 2008-11-05 05:37:55

Pre-Run: 22,310,195,200 bytes free
Post-Run: 22,295,994,368 bytes free

291 --- E O F --- 2008-10-24 15:47:25



#6
November 5, 2008 at 14:50:23

Open Notepad and copy/paste everything between the X's into it, and make sure the first word (such as KILLALL or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
f:\windows\system32\ezsidmv.dat
f:\windows\system32\jgkuxyfxhmtmmnuye.dll
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "run".

Post a new Combofix log following the previous directions.

Please go to Virus Total and upload the following files for analysis:

f:\windows\SIERRA.IN~
f:\windows\winlemm.ini
f:\windows\system32\cont_adzgalore-remove.exe
f:\windows\system32\wiijitoeup.dll-uninst.exe

Use the browse button at the site to find the file; once you find the file, double-click it and it should appear in the empty space to the left of the browse button, then click "send file".

Post the results in your reply.


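Added example (not from the thread, and not part of ComboFix or any tool it mentions): the reply above picks its deletion and VirusTotal candidates out of the log by eye, looking for random-looking names dropped into system32, hidden files, a driver registered from a Temp folder with no file on disk, and the firewall exception for 3389/TCP that appears in the Reg Loading Points section. The script below applies those same checks mechanically to lines in ComboFix's "Files Created", driver/service and GloballyOpenPorts formats. The sample lines are copied from the logs posted in this thread; the function names (`triage`, `check_file`, `looks_random`) and the thresholds (at least 10 letters, vowel ratio under 0.25) are my own assumptions. A hit is a lead for a hash lookup or upload, not a verdict: a legitimate hidden data file will trigger the hidden-attribute check just as readily as a dropper.

```python
"""Heuristic triage of ComboFix log lines.

Added example, not part of the thread or of ComboFix: it applies the kind
of checks a helper does by eye when reading the log (random-looking names,
hidden files in system32, drivers loaded from Temp, open firewall ports)
and lists candidates for a hash lookup or upload. A hit is a lead, not a
verdict; thresholds below are assumptions, not published indicators.
"""
import re
from dataclasses import dataclass, field

# "Files Created" lines: created . modified size attrs path
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+?)\s*$"
)
# Driver/service lines: "S3 name;display;path [date size]"
SERVICE_LINE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<info>[^\]]*)\]\s*$"
)
# GloballyOpenPorts entries: "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
PORT_LINE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')

VOWELS = set("aeiou")
NOTABLE_PORTS = {"3389": "Remote Desktop", "445": "SMB", "139": "NetBIOS session"}


@dataclass
class Finding:
    subject: str              # file path, driver image, or port
    reasons: list = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Long names with almost no vowels (e.g. jgkuxyfxhmtmmnuye) are typical
    of generated malware file names. Thresholds are assumptions."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 10:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.25


def check_file(m: re.Match) -> list:
    path, attrs = m["path"], m["attrs"]
    if m["size"] == "<DIR>" or "\\windows\\" not in path.lower():
        return []                      # only files under the Windows tree
    name = path.rsplit("\\", 1)[-1].lower()
    stem, _, _ = name.rpartition(".")
    reasons = []
    if "h" in attrs:
        reasons.append("hidden attribute on a file in the Windows tree")
    if looks_random(stem):
        reasons.append("random-looking file name")
    if re.search(r"\.(dll|exe|sys)-", name):
        reasons.append("executable extension buried inside the name")
    if stem.endswith(("-remove", "-uninst")):
        reasons.append("self-styled uninstaller dropped into the Windows tree")
    return reasons


def check_service(m: re.Match) -> list:
    reasons = []
    if "\\temp\\" in m["path"].lower():
        reasons.append("driver/service image loaded from a Temp directory")
    if not m["info"].strip():
        reasons.append("no date/size recorded for the image (file missing on disk?)")
    return reasons


def check_port(m: re.Match) -> list:
    label = NOTABLE_PORTS.get(m["port"])
    return [f"firewall exception exposes {label} ({m['port']}/{m['proto']})"] if label else []


def triage(log_text: str) -> list:
    """Return one Finding per suspicious line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := FILE_LINE.match(line):
            subject, reasons = m["path"], check_file(m)
        elif m := SERVICE_LINE.match(line):
            subject, reasons = m["path"], check_service(m)
        elif m := PORT_LINE.match(line):
            subject, reasons = f"{m['port']}/{m['proto']}", check_port(m)
        else:
            continue
        if reasons:
            findings.append(Finding(subject, reasons))
    return findings


# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
2008-10-28 16:11 . 2008-10-28 16:11 56 --ah----- f:\windows\system32\ezsidmv.dat
2008-10-28 13:18 . 2008-10-28 13:18 172,544 --a------ f:\windows\system32\jgkuxyfxhmtmmnuye.dll
2008-10-29 18:59 . 2008-10-29 18:59 102,190 --a------ f:\windows\system32\cont_adzgalore-remove.exe
2008-10-29 18:59 . 2008-10-29 18:59 90,891 --a------ f:\windows\system32\wiijitoeup.dll-uninst.exe
2008-10-21 11:55 . 2001-08-17 22:36 87,040 --a------ f:\windows\system32\wiafbdrv.dll
2008-10-15 06:20 . 2008-09-15 04:12 1,846,400 -----c--- f:\windows\system32\dllcache\win32k.sys
S3 adxapie;adxapie;f:\docume~1\Owner\LOCALS~1\Temp\adxapie.sys [ ]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;f:\windows\system32\Drivers\avgldx86.sys [2008-11-04 97928]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.subject)
        for r in f.reasons:
            print("   -", r)
```

Run it as-is and it lists six candidates from the sample: the four files the reply above singles out, the `adxapie.sys` driver registered from the user's Temp folder with no file metadata, and the Remote Desktop firewall exception. The Lexmark driver, the AVG driver and the dllcache kernel copy pass without comment. Paste a full ComboFix log into `SAMPLE_LOG` (or read it from a file) to triage a real one; anything flagged still needs a hash lookup or a second scanner before it is deleted.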

#7
November 5, 2008 at 16:30:04

ComboFix 08-11-04.02 - Owner 2008-11-05 16:13:57.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.603 [GMT -8:00]
Running from: f:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: f:\documents and settings\Owner\Desktop\CFSCRIPT.TXT
* Created a new restore point

FILE ::
f:\windows\SYSTEM32\EZSIDMV.DAT
f:\windows\SYSTEM32\jgkuxyfxhmtmmnuye.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\windows\SYSTEM32\EZSIDMV.DAT
f:\windows\SYSTEM32\jgkuxyfxhmtmmnuye.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-06 to 2008-11-06 )))))))))))))))))))))))))))))))
.

2008-11-04 21:08 . 2008-11-04 21:08 578,560 --a--c--- f:\windows\system32\dllcache\user32.dll
2008-11-04 21:07 . 2008-11-04 21:07 <DIR> d-------- f:\windows\ERUNT
2008-11-04 20:53 . 2008-11-04 20:53 <DIR> d-------- F:\New Folder (4)
2008-11-04 20:53 . 2008-11-04 20:53 <DIR> d-------- F:\New Folder (3)
2008-11-04 20:53 . 2008-11-04 20:53 <DIR> d-------- F:\New Folder (2)
2008-11-04 20:53 . 2008-11-04 20:53 <DIR> d-------- F:\New Folder
2008-11-04 20:48 . 2008-11-05 15:37 <DIR> d-------- F:\SDFix
2008-11-04 18:29 . 2008-11-04 18:29 <DIR> d-------- f:\program files\Malwarebytes' Anti-Malware
2008-11-04 18:29 . 2008-11-04 18:29 <DIR> d-------- f:\documents and settings\Owner\Application Data\Malwarebytes
2008-11-04 18:29 . 2008-11-04 18:29 <DIR> d-------- f:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-04 18:29 . 2008-10-22 16:28 38,496 --a------ f:\windows\system32\drivers\mbamswissarmy.sys
2008-11-04 18:29 . 2008-10-22 16:28 15,504 --a------ f:\windows\system32\drivers\mbam.sys
2008-11-04 11:22 . 2008-11-04 11:22 <DIR> d-------- f:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-11-04 08:16 . 2008-11-04 11:25 4,890 --a------ f:\windows\system32\tmp.reg
2008-11-04 07:47 . 2008-11-04 14:20 <DIR> d--h----- F:\$AVG8.VAULT$
2008-11-04 06:59 . 2008-11-04 06:59 10,520 --a------ f:\windows\system32\avgrsstx.dll
2008-11-04 06:58 . 2008-11-05 09:57 <DIR> d-------- f:\windows\system32\drivers\Avg
2008-11-04 06:58 . 2008-11-04 06:58 <DIR> d-------- f:\program files\AVG
2008-11-04 06:58 . 2008-11-04 06:58 <DIR> d-------- f:\documents and settings\All Users\Application Data\avg8
2008-11-04 06:58 . 2008-11-04 06:58 97,928 --a------ f:\windows\system32\drivers\avgldx86.sys
2008-11-04 06:58 . 2008-11-04 06:58 76,040 --a------ f:\windows\system32\drivers\avgtdix.sys
2008-11-03 21:13 . 2008-11-03 21:13 <DIR> d-------- f:\documents and settings\Owner\DoctorWeb
2008-11-03 20:44 . 2008-11-03 20:44 <DIR> d-------- f:\program files\SUPERAntiSpyware
2008-11-03 20:44 . 2008-11-03 20:44 <DIR> d-------- f:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2008-11-03 20:44 . 2008-11-03 20:44 <DIR> d-------- f:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-03 18:54 . 2006-07-31 21:53 40,960 --a------ f:\windows\system32\lxdivs.dll
2008-11-03 18:53 . 2007-03-30 06:13 344,064 --a------ f:\windows\system32\lxdicoin.dll
2008-11-03 18:52 . 2007-01-22 01:53 60 --ah----- f:\windows\system32\lxdirwrd.ini
2008-11-03 18:51 . 2008-11-03 18:53 <DIR> d-------- f:\program files\Lexmark 3500-4500 Series
2008-11-03 07:16 . 2008-11-03 07:16 <DIR> d--h----- f:\windows\PIF
2008-11-02 10:14 . 2008-11-02 10:14 <DIR> d-------- f:\windows\system32\vb
2008-11-02 10:14 . 2008-11-04 13:57 <DIR> d-------- f:\windows\system32\QI13
2008-11-02 10:14 . 2008-11-02 10:14 <DIR> d-------- f:\windows\system32\OT2
2008-11-02 10:14 . 2008-11-02 10:14 <DIR> d-------- f:\windows\system32\im
2008-11-02 10:14 . 2008-11-02 10:14 <DIR> d-------- f:\windows\system32\FPX
2008-11-02 10:14 . 2008-11-04 13:54 147,456 --a------ f:\windows\system32\vbzip10.dll
2008-11-02 10:11 . 2008-11-04 14:33 <DIR> d--hs---- f:\documents and settings\Owner\Localdir
2008-11-01 08:02 . 2008-11-01 08:02 <DIR> d-------- f:\program files\CAM Development
2008-11-01 08:02 . 2008-11-01 08:02 <DIR> d-------- f:\documents and settings\All Users\Application Data\CAM Development
2008-10-31 05:45 . 2008-10-31 05:45 365 --a------ f:\windows\SIERRA.IN~
2008-10-30 17:52 . 2008-10-30 21:01 52 --a------ f:\windows\winlemm.ini
2008-10-29 18:59 . 2008-10-29 18:59 102,190 --a------ f:\windows\system32\cont_adzgalore-remove.exe
2008-10-29 18:59 . 2008-10-29 18:59 90,891 --a------ f:\windows\system32\wiijitoeup.dll-uninst.exe
2008-10-28 16:11 . 2008-11-02 12:21 <DIR> d-------- f:\documents and settings\Owner\Application Data\skypePM
2008-10-28 16:09 . 2008-11-02 12:37 <DIR> d-------- f:\documents and settings\All Users\Application Data\Skype
2008-10-24 07:13 . 2008-10-15 08:34 337,408 -----c--- f:\windows\system32\dllcache\netapi32.dll
2008-10-21 12:20 . 2008-11-04 06:46 <DIR> d-------- f:\documents and settings\Owner\Application Data\Lexmark Productivity Studio
2008-10-21 12:12 . 2008-11-05 15:20 <DIR> d-------- f:\documents and settings\All Users\lx_cats
2008-10-21 12:03 . 2008-10-21 13:01 <DIR> d-------- f:\documents and settings\Owner\Application Data\FaxCtr
2008-10-21 11:56 . 2008-10-21 11:56 <DIR> d-------- F:\logs
2008-10-21 11:55 . 2001-08-17 22:36 87,040 --a------ f:\windows\system32\wiafbdrv.dll
2008-10-21 11:55 . 2001-08-17 22:36 87,040 --a--c--- f:\windows\system32\dllcache\wiafbdrv.dll
2008-10-21 11:55 . 2008-04-13 11:45 15,104 --a------ f:\windows\system32\drivers\usbscan.sys
2008-10-21 11:55 . 2008-04-13 11:45 15,104 --a--c--- f:\windows\system32\dllcache\usbscan.sys
2008-10-21 11:54 . 2008-11-03 19:05 <DIR> d-------- f:\program files\Lexmark Fax Solutions
2008-10-21 11:54 . 2008-10-21 11:54 <DIR> d-------- f:\documents and settings\All Users\Application Data\FaxCtr
2008-10-21 11:54 . 2006-05-31 11:51 339,968 --a------ f:\windows\system32\IMGMAN32.DLL
2008-10-21 11:54 . 2006-05-31 11:51 98,345 --a------ f:\windows\system32\IMHOST32.DLL
2008-10-21 11:54 . 2006-05-31 11:51 98,304 --a------ f:\windows\system32\IM31XPNG.DEL
2008-10-21 11:54 . 2006-05-31 11:51 69,632 --a------ f:\windows\system32\IM31XTIF.DEL
2008-10-21 11:54 . 2006-05-31 11:51 49,152 --a------ f:\windows\system32\IM31IMG.DIL
2008-10-21 11:54 . 2007-02-21 23:13 45,056 --a------ f:\windows\system32\LXF3PMON.DLL
2008-10-21 11:54 . 2006-11-07 07:02 36,864 --a------ f:\windows\system32\lxf3oem.dll
2008-10-21 11:54 . 2007-02-21 23:12 32,768 --a------ f:\windows\system32\LXF3FXPU.DLL
2008-10-21 11:54 . 2007-02-21 23:15 12,288 --a------ f:\windows\system32\LXF3PMRC.DLL
2008-10-21 11:53 . 2008-10-21 11:54 <DIR> d-------- f:\program files\Abbyy FineReader 6.0 Sprint
2008-10-21 11:52 . 2008-11-03 18:54 89,682 --a------ f:\windows\system32\LexFiles.ulf
2008-10-20 10:03 . 2008-10-20 10:03 <DIR> d-------- f:\program files\iTunes
2008-10-20 10:03 . 2008-10-20 10:03 <DIR> d-------- f:\program files\iPod
2008-10-20 10:03 . 2008-10-20 10:03 <DIR> d-------- f:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-17 13:47 . 2008-10-17 13:48 <DIR> d-------- f:\program files\Common Files\Adobe
2008-10-17 13:07 . 2008-10-17 13:07 <DIR> d-------- f:\program files\Common Files\Adobe AIR
2008-10-17 12:57 . 2008-10-18 07:57 <DIR> d-------- f:\documents and settings\All Users\Application Data\NOS
2008-10-15 06:20 . 2008-08-14 02:11 2,189,184 -----c--- f:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 06:20 . 2008-08-14 01:33 2,066,048 -----c--- f:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 06:20 . 2008-09-15 04:12 1,846,400 -----c--- f:\windows\system32\dllcache\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 17:06 729,088 -c--a-w f:\windows\iun6002.exe
2008-11-05 17:06 --------- d--h--w f:\program files\InstallShield Installation Information
2008-11-05 01:39 --------- d---a-w f:\documents and settings\All Users\Application Data\TEMP
2008-11-04 04:22 --------- d-----w f:\program files\Common Files\Wise Installation Wizard
2008-11-04 02:40 --------- d-----w f:\program files\WINForms Desktop
2008-11-04 02:40 --------- d-----w f:\program files\Winamp
2008-11-04 02:40 --------- d-----w f:\program files\WinAce
2008-11-04 02:40 --------- d-----w f:\program files\Spyware Doctor
2008-11-04 02:40 --------- d-----w f:\program files\QuickTime
2008-11-04 02:40 --------- d-----w f:\program files\Paint.NET
2008-11-04 02:40 --------- d-----w f:\program files\MSI
2008-11-04 02:40 --------- d-----w f:\program files\GameSpy Arcade
2008-11-04 02:40 --------- d-----w f:\program files\Family Tree Maker 2008
2008-11-04 02:40 --------- d-----w f:\program files\Ahead
2008-11-04 00:48 --------- d-----w f:\program files\LimeWire
2008-11-02 23:56 --------- d-----w f:\program files\CD to MP3 Ripper
2008-11-02 23:27 --------- d-----w f:\documents and settings\Owner\Application Data\LimeWire
2008-11-02 21:40 --------- d-----w f:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-02 21:06 --------- d-----w f:\program files\Spybot - Search & Destroy
2008-11-02 00:33 139,152 -c--a-w f:\windows\system32\drivers\PnkBstrK.sys
2008-10-18 06:51 --------- d-----w f:\documents and settings\Owner\Application Data\Digidesign
2008-09-27 03:59 --------- d-----w f:\program files\AGEIA Technologies
2008-09-27 03:43 --------- d-----w f:\program files\SystemRequirementsLab
2008-09-27 03:41 --------- d-----w f:\documents and settings\Owner\Application Data\SystemRequirementsLab
2008-09-18 13:12 --------- d-----w f:\program files\Apple Software Update
2008-09-18 13:10 --------- d-----w f:\program files\Bonjour
2008-09-18 13:09 --------- d-----w f:\program files\Common Files\Apple
2008-09-17 20:22 --------- d-----w f:\program files\Audacity
2008-09-17 16:55 6,132,576 ----a-w f:\windows\system32\drivers\nv4_mini.sys
2008-09-17 14:32 --------- d-----w f:\documents and settings\Owner\Application Data\PC Tools
2008-09-08 10:41 333,824 ----a-w f:\windows\system32\drivers\srv.sys
2008-09-08 04:26 --------- d-----w f:\documents and settings\All Users\Application Data\Samplit
2008-09-08 03:41 --------- d-----w f:\program files\Digidesign
2008-09-07 00:36 --------- d-----w f:\documents and settings\Owner\Application Data\PACE Anti-Piracy
2008-09-07 00:36 --------- d-----w f:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2008-09-07 00:31 --------- d-----w f:\documents and settings\Owner\Application Data\Propellerhead Software
2008-09-07 00:20 --------- d-----w f:\documents and settings\All Users\Application Data\Celemony Software GmbH
2008-09-07 00:11 --------- d-----w f:\documents and settings\Owner\Application Data\Ableton
2008-09-06 23:30 --------- d-----w f:\documents and settings\All Users\Application Data\Ableton
2008-09-06 06:14 --------- d-----w f:\program files\Common Files\iZotope
2008-09-06 05:43 --------- d-----w f:\documents and settings\All Users\Application Data\Propellerhead Software
2008-09-06 03:56 --------- d-----w f:\documents and settings\Owner\Application Data\DVD Flick
2008-09-06 03:31 --------- d-----w f:\documents and settings\All Users\Application Data\Structure
2008-09-06 02:53 --------- d-----w f:\documents and settings\Owner\Application Data\DNA
2008-09-06 02:52 --------- d-----w f:\program files\Mediafour
2008-09-06 02:52 --------- d-----w f:\program files\Common Files\Mediafour
2008-09-06 02:52 --------- d-----w f:\documents and settings\All Users\Application Data\Mediafour
2008-09-06 02:48 --------- d-----w f:\program files\Common Files\PACE Anti-Piracy
2008-09-06 02:47 --------- d-----w f:\program files\Common Files\Avid
2008-09-06 02:46 --------- d-----w f:\program files\Common Files\Digidesign
2008-09-06 02:45 --------- d-----w f:\documents and settings\Owner\Application Data\InstallShield
2008-07-09 16:06 22,328 ----a-w f:\documents and settings\Owner\Application Data\PnkBstrK.sys
2008-04-23 12:59 56,912 ----a-w f:\documents and settings\Owner\g2mdlhlpx.exe
2007-12-21 05:49 167,645,227 ----a-w f:\documents and settings\Owner\java_ee_sdk-5_04-windows.exe
2006-11-08 01:27 13,107,200 ----a-w f:\program files\AnalogFactory.dll
.

((((((((((((((((((((((((((((( snapshot@2008-11-04_21.36.48.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-05 05:07:20 3,686,400 ----a-w f:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-11-05 23:25:05 3,686,400 ----a-w f:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-11-05 05:07:20 8,192 ----a-w f:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-11-05 23:25:05 8,192 ----a-w f:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="f:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"DAEMON Tools Lite"="f:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"SUPERAntiSpyware"="f:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SW24"="f:\windows\System32\sw24.exe" [2006-12-15 69632]
"SW20"="f:\windows\System32\sw20.exe" [2006-12-15 208896]
"SunJavaUpdateSched"="f:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SSBkgdUpdate"="f:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"SmartDefrag"="c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2007-04-28 3996632]
"SetDefPrt"="f:\program files\Brother\Brmfl04b\BrStDvPt.exe" [2004-05-25 49152]
"PaperPort PTD"="f:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"IndexSearch"="f:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"ControlCenter2.0"="f:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"NeroFilterCheck"="f:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"TkBellExe"="f:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-08 185896]
"{FD1C41EC-B9AC-4F08-9BDB-CC8ECC8FC1B3}"="f:\program files\Mediafour\MacDrive 7\MacDriveD.exe" [2007-04-18 159744]
"DigidesignMMERefresh"="c:\digidesign\Drivers\MMERefresh.exe" [2007-10-30 77824]
"QuickTime Task"="f:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"NvMediaCenter"="f:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"iTunesHelper"="f:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"FaxCenterServer"="f:\program files\\Lexmark Fax Solutions\fm3032.exe" [2007-07-16 311984]
"lxdimon.exe"="f:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-07-16 434864]
"lxdiamon"="f:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-07-16 25264]
"AVG8_TRAY"="f:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-04 1234712]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 f:\windows\LOGI_MWX.EXE]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-03 f:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-20 f:\windows\SkyTel.exe]
"nwiz"="nwiz.exe" [2008-09-17 f:\windows\system32\nwiz.exe]

f:\documents and settings\All Users\Start Menu\Programs\Startup\
DualCoreCenter.lnk - f:\program files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe [2007-10-19 192512]
Microsoft Office.lnk - f:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\progra~1\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 f:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave3"= Digi32.dll
"midi2"= mbx2midu.dll
"MIDI3"= diomidi.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Steam\\steamapps\\mavityre@comcast.net\\day of defeat source\\hl2.exe"=
"f:\\Program Files\\DNA\\btdna.exe"=
"f:\\WINDOWS\\system32\\PnkBstrA.exe"=
"f:\\WINDOWS\\system32\\PnkBstrB.exe"=
"f:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"f:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"f:\\Program Files\\iTunes\\iTunes.exe"=
"f:\\WINDOWS\\system32\\lxdicoms.exe"=
"f:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
"f:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"f:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdiwbgw.exe"=
"f:\\Program Files\\Lexmark 3500-4500 Series\\Wireless\\lxdiwpss.exe"=
"f:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"f:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"f:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"f:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"f:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=
"f:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"f:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 DigiFilter;DigiFilter;f:\windows\system32\drivers\DigiFilt.sys [2006-12-08 16384]
R0 MDFSYSNT;MacDrive file system driver;f:\windows\system32\drivers\MDFSYSNT.sys [2007-04-18 274048]
R0 MDPMGRNT;MDPMGRNT;f:\windows\system32\drivers\MDPMGRNT.sys [2007-02-28 19072]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;f:\windows\system32\Drivers\avgldx86.sys [2008-11-04 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;f:\progra~1\AVG\AVG8\avgemc.exe [2008-11-04 875288]
R2 avg8wd;AVG Free8 WatchDog;f:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-04 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;f:\windows\system32\Drivers\avgtdix.sys [2008-11-04 76040]
R2 DigiNet;Digidesign Ethernet Support;f:\windows\system32\DRIVERS\diginet.sys [2007-10-31 16400]
R2 lxdi_device;lxdi_device;f:\windows\system32\lxdicoms.exe [2007-06-11 517040]
R2 MacDriveServiceD;MacDriveServiceD;f:\program files\Mediafour\MacDrive 7\MacDriveServiceD.exe [2007-04-18 143360]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;f:\windows\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe [2007-06-11 99248]
S3 adxapie;adxapie;f:\docume~1\Owner\LOCALS~1\Temp\adxapie.sys [ ]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;f:\windows\system32\Drivers\BrSerIf.sys [2004-06-12 51712]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;f:\windows\system32\Drivers\BrUsbSer.sys [2004-01-10 11648]
S3 dalwdmservice;dal service;f:\windows\system32\drivers\dalwdm.sys [2007-10-31 97808]
S3 DigiCellDriver;DigiCellDriver;f:\program files\MSI\DualCoreCenter\NTGLM7X.sys [2006-10-05 27648]
S3 iLokDrvr;iLok;f:\windows\system32\DRIVERS\iLokDrvr.sys [2008-07-02 54256]
S3 MBX2DFU;MBX2DFU;f:\windows\system32\DRIVERS\MBX2DFU.sys [2007-10-31 21648]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;f:\windows\system32\drivers\mbx2midk.sys [2007-10-31 21904]
.
Contents of the 'Scheduled Tasks' folder

2008-11-03 f:\windows\Tasks\AppleSoftwareUpdate.job
- f:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-06 f:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\schedule.exe [2007-04-28 20:15]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-svchost - f:\documents and settings\Owner\Localdir\svchost.exe

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 16:18:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: f:\windows\explorer.exe
-> f:\windows\system32\nview.dll
-> ?:\windows\System32\CSCDLL.dll
.
------------------------ Other Running Processes ------------------------
.
f:\program files\Lavasoft\Ad-Aware\aawservice.exe
f:\windows\system32\brss01a.exe
f:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
f:\program files\Bonjour\mDNSResponder.exe
f:\windows\system32\Brmfrmps.exe
f:\windows\system32\nvsvc32.exe
f:\windows\system32\PnkBstrA.exe
f:\windows\system32\wdfmgr.exe
f:\program files\AVG\AVG8\avgrsx.exe
f:\windows\system32\wscntfy.exe
f:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
f:\windows\system32\rundll32.exe
f:\windows\system32\rundll32.exe
f:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-11-05 16:25:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-06 00:25:41
ComboFix2.txt 2008-11-06 00:04:31
ComboFix3.txt 2008-11-05 23:45:49
ComboFix4.txt 2008-11-05 05:48:16
ComboFix5.txt 2008-11-06 00:13:00

Pre-Run: 19,622,080,512 bytes free
Post-Run: 19,610,583,040 bytes free

307 --- E O F --- 2008-10-24 15:47:25



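An added triage script, not from this thread and not part of ComboFix or any other tool named here, that applies to the log above the checks a responder otherwise does by eye: a Windows system binary (svchost.exe) launched from a user profile folder, a one-character look-alike of such a name, a driver registered from a Temp directory, and an entry whose date/size brackets are empty because the file is missing or hidden. The regexes follow the three line shapes visible in the posted log (Run-key values, R0/S3 driver rows, the ORPHANS REMOVED line); the SYSTEM_BINARIES list and the heuristics are assumptions for illustration, and the sample lines are copied from the log plus one invented look-alike ("svch0st.exe") so the edit-distance check has something to catch.

```python
"""Triage of ComboFix-style autostart and service lines (added example, not
code from the thread, ComboFix, or any tool mentioned in it)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Binaries Windows itself launches only from %SystemRoot%\system32 (assumed short list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

# "Name"="path" [date size]   or   "Name"="file.exe" [date resolved-path]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<info>[^\]]*)\]')
# R0/S3 service;display name;path [date size]   (empty brackets = file not found)
SVC_RE = re.compile(r'^[RS]\d\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>[^\[]+?)\s*\[(?P<info>[^\]]*)\]')
# HKLM-Run-Name - path   (the ORPHANS REMOVED format, which carries no file info)
ORPHAN_RE = re.compile(r'^HKLM-Run-(?P<name>\S+)\s+-\s+(?P<path>.+)$')


@dataclass
class Finding:
    line: str
    reasons: List[str]


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def assess(path: str, info: Optional[str]) -> List[str]:
    """Return the reasons a path looks suspicious; an empty list means nothing was flagged."""
    reasons = []
    p = path.lower()
    name = _basename(path)
    if name in SYSTEM_BINARIES:
        if "\\windows\\system32\\" not in p:
            reasons.append(f"{name} outside system32")
    else:
        for sysname in sorted(SYSTEM_BINARIES):
            if _edit_distance(name, sysname) == 1:
                reasons.append(f"look-alike of {sysname}")
                break
    if "\\temp\\" in p:
        reasons.append("runs from a Temp directory")
    if "\\documents and settings\\" in p and "\\start menu\\" not in p:
        reasons.append("runs from a user profile directory")
    if info is not None and not info.strip():
        reasons.append("no file date/size (file missing or hidden)")
    return reasons


def triage(lines) -> List[Finding]:
    findings = []
    for raw in lines:
        line = raw.strip()
        m = RUN_RE.match(line) or SVC_RE.match(line)
        if m:
            path, info = m.group("path"), m.group("info")
        else:
            m = ORPHAN_RE.match(line)
            if not m:
                continue  # not an autostart/service row (firewall list, headers, ...)
            path, info = m.group("path"), None
        reasons = assess(path, info)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


# Constructed sample: lines copied from the posted log plus one invented
# look-alike entry ("svch0st.exe") to exercise the edit-distance check.
SAMPLE_LOG = r'''
"SunJavaUpdateSched"="f:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"nwiz"="nwiz.exe" [2008-09-17 f:\windows\system32\nwiz.exe]
"UpdateMachine"="f:\windows\system32\svch0st.exe" [2008-11-03 24576]
R0 DigiFilter;DigiFilter;f:\windows\system32\drivers\DigiFilt.sys [2006-12-08 16384]
S3 adxapie;adxapie;f:\docume~1\Owner\LOCALS~1\Temp\adxapie.sys [ ]
HKLM-Run-svchost - f:\documents and settings\Owner\Localdir\svchost.exe
'''.strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the sample it flags three rows: the constructed look-alike, the adxapie.sys driver (Temp directory, empty brackets) and the orphaned svchost Run value from a profile folder; the legitimate Java, nwiz and DigiFilter rows pass. Paste a whole ComboFix log into a file and feed its lines to triage() to get the same shortlist for a real case.
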
#8
November 5, 2008 at 16:38:26

Log for f:\windows\Sierra.in~

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - ADSPY/AdSpy.Gen
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
Fortinet - - -
GData - - -
Ikarus - - AdWare.AdSpy
K7AntiVirus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32 - - -
Norman - - -
Panda - - -
PCTools - - -
Prevx1 - - Cloaked Malware
Rising - - -
SecureWeb-Gateway - - Ad-Spyware.AdSpy.Gen
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
TrendMicro - - -
VBA32 - - -
ViRobot - - -
VirusBuster - - -
Additional information
MD5: 6f5c65ae235fa40ce490d556991082c2
SHA1: 67fd6a440d6efb43a0c7bfedc0c62735d227d2c0
SHA256: 1cd9c863bdcbf143da163267212d1e91118aec37020916ba04d21e371a444edb
SHA512: 0f01cf514e7bc7e333e7b3622370dc1b95f06781f9335073fd54d3cc2623babc4b0071562c689e7d184f32692938ad0f02e6cdaca602c1609ef621c42d749427



#9
November 5, 2008 at 16:40:55

EDIT
The first log was for f:\windows\winlemm.ini

Log for Sierra.in~

Antivirus Version Last Update Result
AhnLab-V3 2008.11.5.3 2008.11.06 -
AntiVir 7.9.0.26 2008.11.05 -
Authentium 5.1.0.4 2008.11.06 -
Avast 4.8.1248.0 2008.11.05 -
AVG 8.0.0.161 2008.11.05 -
BitDefender 7.2 2008.11.06 -
CAT-QuickHeal 9.50 2008.11.04 -
ClamAV 0.94.1 2008.11.05 -
DrWeb 4.44.0.09170 2008.11.05 -
eSafe 7.0.17.0 2008.11.05 -
eTrust-Vet 31.6.6193 2008.11.05 -
Ewido 4.0 2008.11.05 -
F-Prot 4.4.4.56 2008.11.05 -
F-Secure 8.0.14332.0 2008.11.05 -
Fortinet 3.117.0.0 2008.11.05 -
GData 19 2008.11.06 -
Ikarus T3.1.1.45.0 2008.11.05 -
K7AntiVirus 7.10.517 2008.11.05 -
Kaspersky 7.0.0.125 2008.11.06 -
McAfee 5425 2008.11.05 -
Microsoft 1.4005 2008.11.06 -
NOD32 3588 2008.11.05 -
Norman 5.80.02 2008.11.05 -
Panda 9.0.0.4 2008.11.05 -
PCTools 4.4.2.0 2008.11.05 -
Prevx1 V2 2008.11.06 -
Rising 21.02.22.00 2008.11.05 -
SecureWeb-Gateway 6.7.6 2008.11.05 -
Sophos 4.35.0 2008.11.06 -
Sunbelt 3.1.1783.2 2008.11.05 -
Symantec 10 2008.11.05 -
TheHacker 6.3.1.1.141 2008.11.05 -
TrendMicro 8.700.0.1004 2008.11.06 -
VBA32 3.12.8.9 2008.11.05 -
ViRobot 2008.11.5.1453 2008.11.05 -
VirusBuster 4.5.11.0 2008.11.05 -
Additional information
File size: 365 bytes
MD5...: c99851ca7762755ec2df70a83108dad7
SHA1..: 23909a8cbbcbc80992219e37a7048327a864f84c
SHA256: 15f507a3bce03321c97c5d0d3bd551c408c37d1d26d0c7d880a425bfea4235f5
SHA512: f9bb4631907ece294559f96663b7dd569e168c9af2de795faf32b112dd84b695
0504b522dd1595b5a068e3acc560f913623933d480c2ffde27e8f4427a6db12d
PEiD..: -
TrID..: File type identification
Generic INI configuration (100.0%)
PEInfo: -



#10
November 5, 2008 at 16:42:03

Log for wiijitoeup.dll

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - ADSPY/AdSpy.Gen
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
Fortinet - - -
GData - - -
Ikarus - - AdWare.AdSpy
K7AntiVirus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32 - - -
Norman - - -
Panda - - -
PCTools - - -
Prevx1 - - Cloaked Malware
Rising - - -
SecureWeb-Gateway - - Ad-Spyware.AdSpy.Gen
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
TrendMicro - - -
VBA32 - - -
ViRobot - - -
VirusBuster - - -
Additional information
MD5: 6f5c65ae235fa40ce490d556991082c2
SHA1: 67fd6a440d6efb43a0c7bfedc0c62735d227d2c0
SHA256: 1cd9c863bdcbf143da163267212d1e91118aec37020916ba04d21e371a444edb
SHA512: 0f01cf514e7bc7e333e7b3622370dc1b95f06781f9335073fd54d3cc2623babc4b0071562c689e7d184f32692938ad0f02e6cdaca602c1609ef621c42d749427



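An added parser, written for this page and not taken from the thread or from VirusTotal, for the result tables pasted in the three posts above. It handles the two layouts that appear there: rows with "-" in the version and date columns, detection names containing spaces ("Cloaked Malware"), hash keys written as either "MD5:" or "MD5...:", and a SHA-512 that the site wrapped onto a second line. Grouping reports by SHA-256 then shows that the winlemm.ini and wiijitoeup.dll reports describe one and the same file. The sample texts are trimmed copies of the posted reports (most clean rows dropped), so the ratios below are over the rows kept here, not the full 36-engine tables.

```python
"""Parse VirusTotal result tables as pasted into a forum post and compare the
samples by hash (added example; not the thread's code or VirusTotal's API)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HASH_RE = re.compile(r'^(MD5|SHA1|SHA256|SHA512)\.*:\s*([0-9a-fA-F]+)\s*$')
HEX_RE = re.compile(r'^[0-9a-fA-F]+$')
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex digits per digest

Row = Tuple[str, str, str, Optional[str]]  # vendor, version, last update, result (None = clean)


@dataclass
class Report:
    label: str
    rows: List[Row] = field(default_factory=list)
    hashes: Dict[str, str] = field(default_factory=dict)


def parse_report(label: str, text: str) -> Report:
    rep = Report(label)
    in_extra = False   # True once the "Additional information" block starts
    last_algo = None   # digest that may continue on the next (wrapped) line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Antivirus Version"):
            continue
        if line.startswith("Additional information"):
            in_extra = True
            continue
        if in_extra:
            m = HASH_RE.match(line)
            if m:
                last_algo = m.group(1)
                rep.hashes[last_algo] = m.group(2).lower()
            elif last_algo and HEX_RE.match(line) and len(rep.hashes[last_algo]) < HASH_LEN[last_algo]:
                rep.hashes[last_algo] += line.lower()  # wrapped continuation of the digest
            else:
                last_algo = None  # file size, PEiD, TrID ... lines are ignored
            continue
        parts = line.split()
        if len(parts) < 4:
            continue
        vendor, version, updated = parts[:3]
        result = " ".join(parts[3:])  # detection names may contain spaces
        rep.rows.append((vendor, version, updated, None if result == "-" else result))
    for algo, digest in rep.hashes.items():
        if len(digest) != HASH_LEN[algo]:
            raise ValueError(f"{label}: {algo} has {len(digest)} hex digits, expected {HASH_LEN[algo]}")
    return rep


def detections(rep: Report) -> List[Tuple[str, str]]:
    return [(v, r) for v, _, _, r in rep.rows if r is not None]


def detection_ratio(rep: Report) -> str:
    return f"{len(detections(rep))}/{len(rep.rows)}"


def group_by_sha256(reports: List[Report]) -> Dict[str, List[str]]:
    """Map SHA-256 -> labels, so files posted under different names but identical bytes land together."""
    groups = defaultdict(list)
    for rep in reports:
        groups[rep.hashes["SHA256"]].append(rep.label)
    return dict(groups)


# Trimmed copies of the reports pasted in the thread (most clean rows dropped).
WINLEMM = """
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - ADSPY/AdSpy.Gen
Avast - - -
Ikarus - - AdWare.AdSpy
Prevx1 - - Cloaked Malware
SecureWeb-Gateway - - Ad-Spyware.AdSpy.Gen
Symantec - - -
Additional information
MD5: 6f5c65ae235fa40ce490d556991082c2
SHA1: 67fd6a440d6efb43a0c7bfedc0c62735d227d2c0
SHA256: 1cd9c863bdcbf143da163267212d1e91118aec37020916ba04d21e371a444edb
"""
WIIJITOEUP = WINLEMM  # the wiijitoeup.dll post lists the same rows and the same hashes
SIERRA = """
Antivirus Version Last Update Result
AhnLab-V3 2008.11.5.3 2008.11.06 -
AntiVir 7.9.0.26 2008.11.05 -
Prevx1 V2 2008.11.06 -
Additional information
File size: 365 bytes
MD5...: c99851ca7762755ec2df70a83108dad7
SHA1..: 23909a8cbbcbc80992219e37a7048327a864f84c
SHA256: 15f507a3bce03321c97c5d0d3bd551c408c37d1d26d0c7d880a425bfea4235f5
SHA512: f9bb4631907ece294559f96663b7dd569e168c9af2de795faf32b112dd84b695
0504b522dd1595b5a068e3acc560f913623933d480c2ffde27e8f4427a6db12d
PEiD..: -
TrID..: File type identification
Generic INI configuration (100.0%)
PEInfo: -
"""

if __name__ == "__main__":
    reports = [parse_report("winlemm.ini", WINLEMM),
               parse_report("wiijitoeup.dll", WIIJITOEUP),
               parse_report("Sierra.in~", SIERRA)]
    for rep in reports:
        print(rep.label, detection_ratio(rep), detections(rep))
    for sha, labels in group_by_sha256(reports).items():
        print(sha, "->", labels)
```

The length check at the end of parse_report() is what turns a silently truncated SHA-512 into an error instead of a bogus key; the continuation logic only appends a bare hex line while the previous digest is still short, so an unrelated hex-looking line cannot corrupt a complete hash.
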
#11
November 5, 2008 at 19:16:56

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
f:\windows\SIERRA.IN~
f:\windows\system32\cont_adzgalore-remove.exe
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run".

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Please run Esets online scanner from this link:

ESET

1. Note: You will need to use Internet Explorer for this scan
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
4. When asked, allow the activex control to install
5. Click Start
6. Make sure that the option Remove found threats is unticked (I want to see what is found first), and the option Scan unwanted applications is checked
7. Click Scan
8. Wait for the scan to finish
9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.



#12
November 6, 2008 at 07:37:40

It won't let me post the log. I'm guessing it's too big. That program found over 4000 threats.


#13
November 6, 2008 at 16:49:36

Post it in sections please, even if it takes several posts.
