2008-12-20 11:04 . 2006-12-18 19:44 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 11:04 . 2006-12-18 19:44 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 11:04 . 2006-12-18 19:44 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-11-20 08:36 . 2008-11-20 08:36 56 --sh--r- c:\windows\system32\17A98B4007.sys
2009-02-01 18:05 . 2008-11-20 08:36 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Aim6"="" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-03-15 2652056]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-25 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
c:\documents and settings\ili\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Winter Fun Wallpaper Changer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Winter Fun Wallpaper Changer.lnk
backup=c:\windows\pss\Winter Fun Wallpaper Changer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^ili^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\documents and settings\ili\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^ili^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\ili\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"Bonjour Service"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" /background
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" boot
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LogitechVideoRepair"=c:\program files\Logitech\Video\ISStart.exe
"LVCOMSX"=c:\windows\system32\LVCOMSX.EXE
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [1/15/2009 3:16 AM 159600]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/1/2009 12:43 AM 108289]
R2 GTWPSService;GTWPSSRV;c:\program files\Linksys\WMP110\gtwpssrv.exe [7/23/2009 9:44 PM 34816]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [1/15/2009 3:16 AM 73840]
R2 WLSng Service;WLSng Service;c:\program files\Linksys\WMP110\WLSngS.exe [7/23/2009 9:44 PM 233472]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [7/23/2009 9:44 PM 57344]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [5/12/2006 10:49 PM 36224]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys --> c:\windows\system32\DRIVERS\ShlDrv51.sys [?]
S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys --> c:\windows\system32\DRIVERS\PavProc.sys [?]
S3 cpuz131;cpuz131;\??\c:\docume~1\ili\LOCALS~1\Temp\cpuz131\cpuz_x32.sys --> c:\docume~1\ili\LOCALS~1\Temp\cpuz131\cpuz_x32.sys [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\gpotato\Luna Online\GameGuard\dump_wmimmc.sys --> c:\gpotato\Luna Online\GameGuard\dump_wmimmc.sys [?]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Linksys\WMP110\jswpsapi.exe [7/23/2009 9:44 PM 352338]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [4/26/2009 6:14 AM 131072]
S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [4/26/2009 6:14 AM 79104]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [1/15/2009 3:15 AM 95640]
S3 ProDefense;ProDefense;\??\c:\windows\system32\drivers\ProDefense.sys --> c:\windows\system32\drivers\ProDefense.sys [?]
S3 WMP110;Linksys WMP110 RangePlus Wireless PCI Adapter Service;c:\windows\system32\drivers\WMP110.sys [7/23/2009 9:44 PM 1299520]
S3 XDva202;XDva202;\??\c:\windows\system32\XDva202.sys --> c:\windows\system32\XDva202.sys [?]
S3 XDva262;XDva262;\??\c:\windows\system32\XDva262.sys --> c:\windows\system32\XDva262.sys [?]
S3 XDva269;XDva269;\??\c:\windows\system32\XDva269.sys --> c:\windows\system32\XDva269.sys [?]
S3 XDva275;XDva275;\??\c:\windows\system32\XDva275.sys --> c:\windows\system32\XDva275.sys [?]
S3 XDva277;XDva277;\??\c:\windows\system32\XDva277.sys --> c:\windows\system32\XDva277.sys [?]
S3 XDva280;XDva280;\??\c:\windows\system32\XDva280.sys --> c:\windows\system32\XDva280.sys [?]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
FastUserSwitchingCompatibility
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
Schedule
Seclogon
SRService
Themes
TrkWks
W32Time
Wmi
WmdmPmSp
winmgmt
TermService
wuauserv
BITS
ShellHWDetection
helpsvc
xmlprov
wscsvc
napagent
hkmsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
- - - - ORPHANS REMOVED - - - -
HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AIM Search
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: &Google Search
IE: &Translate English Word
IE: &Windows Live Search
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Backward Links
IE: Cached Snapshot of Page
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Similar Pages
IE: Translate Page into English
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\ili\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: {377FF862-62E0-4F33-B6E5-F58E0BC0F209} - hxxp://login.hanbiton.com/cab/NLSnSSO.cab
DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - hxxp://kings.nefficient.co.kr/kings/kdfx/kdfx321/kdfense8.cab
DPF: {CEE326E8-7571-4086-B347-3C0ACA9A9DE8} - hxxp://114.31.32.13/download/hsloadset_20080115.cab
DPF: {D6440B15-8FD8-455C-AE55-8D3198F49638} - hxxp://audition.hanbiton.com/game/ExHbsAudition.cab
FF - ProfilePath - c:\documents and settings\ili\Application Data\Mozilla\Firefox\Profiles\63q60lpc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: c:\documents and settings\ili\Application Data\Mozilla\Firefox\Profiles\63q60lpc.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 16:05
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(916)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-09-01 16:14
ComboFix-quarantined-files.txt 2009-09-01 20:14
ComboFix2.txt 2008-12-30 00:20
ComboFix3.txt 2008-12-29 23:51
ComboFix4.txt 2008-12-29 22:06
Pre-Run: 22,038,900,736 bytes free
Post-Run: 22,249,758,720 bytes free
Current=2 Default=2 Failed=4 LastKnownGood=5 Sets=1,2,3,4,5
347 --- E O F --- 2009-08-26 17:00