I ran ComboFix after using Malwarebytes multiple times to scan and delete the malware/virus that was in my computer. It did not work well at all. Every time I ran the scan, it came back with the same results even after it had deleted it previously. I went on their forum and read up on some of the postings and found a problem similar to mine. It was suggested on that thread that ComboFix be used instead. I followed the link and it led me to this website, where I downloaded the program. I had to run it two different times before it worked completely. The first time, the computer crashed right after it deleted some of the bad files, but it did not get to them all. After restarting, I ran ComboFix again and this time it went all the way through, but on the restart it froze and I had to shut down the computer and turn it on again. When it turned on and after I logged in, ComboFix was able to resume and finished the process.
Now my desktop background has changed, but that seems to be the only side effect of the program thus far. I have not restarted it again after ComboFix because I want someone to look at the log and let me know if there is something else that I need to do. Thanks a lot, I really appreciate the help.
Here are the logs:
ComboFix 09-06-08.05 - Charles 06/09/2009 13:05.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.958.506 [GMT -7:00]
Running from: c:\users\Charles\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\SKYNETibilobqe.sys
c:\windows\system32\SKYNETiopqcbbm.dll
c:\windows\system32\SKYNETjxvwvcyh.dll
c:\windows\system32\SKYNETneustlrp.dat
c:\windows\system32\SKYNETtbipxvof.dat
D:\Desktop.ini
.
---- Previous Run -------
.
c:\windows\system32\drivers\SKYNETibilobqe.sys
c:\windows\system32\drivers\UACpywrfncwsrrisbj.sys
c:\windows\system32\SKYNETefjyqqgy.dat
c:\windows\system32\SKYNEThcuchwmp.dll
c:\windows\system32\SKYNETqoprusnm.dll
c:\windows\system32\UACbtdofmxkepeljyt.dll
c:\windows\system32\UACfqubdpnrlortmnn.log
c:\windows\system32\UACfryyibrpxqujevy.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACipucmxmtvtfwxwd.dll
c:\windows\system32\UACleddsixfnifttwv.dll
c:\windows\system32\UAClfortpppsxpvvxc.log
c:\windows\system32\UACnxqsdwsgnurjpqb.dat
c:\windows\system32\UACpehfefbvffxuodw.db
c:\windows\system32\UACprxcbekcsiggain.dll
c:\windows\system32\UACwdtqumrkntcthvv.dll
c:\windows\system32\UACxxunpihvqqqrucb.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SKYNETihmvbntv
-------\Service_UACd.sys
-------\Service_SKYNETihmvbntv
((((((((((((((((((((((((( Files Created from 2009-05-09 to 2009-06-09 )))))))))))))))))))))))))))))))
.
2009-06-09 20:32 . 2009-06-09 20:32 -------- d-sh--w- \$RECYCLE.BIN
2009-06-09 20:16 . 2009-06-09 20:32 -------- d-----w- c:\users\Charles\AppData\Local\temp
2009-06-09 19:51 . 2009-06-09 20:33 -------- d-s---w- \ComboFix
2009-06-09 17:46 . 2009-06-09 19:11 -------- d-----w- \Qoobox
2009-06-09 16:54 . 2009-06-09 20:29 1003106304 --sha-w- \hiberfil.sys
2009-06-09 00:40 . 2009-06-09 00:40 -------- d-----w- c:\users\Charles\AppData\Roaming\Malwarebytes
2009-06-09 00:06 . 2009-06-09 00:06 -------- d-----w- c:\program files\Trend Micro
2009-06-08 23:34 . 2009-06-09 01:04 -------- d-sh--w- \Config.Msi
2009-06-08 23:07 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-08 23:07 . 2009-06-08 23:07 -------- d-----w- c:\programdata\Malwarebytes
2009-06-08 23:07 . 2009-06-09 18:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-08 23:07 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-08 20:58 . 2009-06-09 20:17 1512480 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-08 20:35 . 2009-06-08 23:34 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-06-08 20:35 . 2009-06-08 20:35 -------- d-----w- c:\programdata\ParetoLogic Anti-Virus PLUS
2009-06-08 20:35 . 2009-06-08 23:34 -------- d-----w- c:\programdata\ParetoLogic
2009-06-08 20:31 . 2009-06-08 20:31 -------- d-----w- c:\users\Charles\AppData\Local\Downloaded Installations
2009-06-08 06:17 . 2009-06-08 06:17 -------- d-----w- C:\44fd4b386644c78ca43742ee26
2009-06-08 06:17 . 2009-06-08 06:17 -------- d-----w- \44fd4b386644c78ca43742ee26
2009-06-08 05:39 . 2008-12-11 15:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-08 05:39 . 2009-04-03 18:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-08 05:39 . 2008-12-18 19:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-08 05:39 . 2009-06-08 05:41 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-08 05:39 . 2008-12-10 18:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-08 05:38 . 2009-06-08 06:48 -------- d-----w- c:\program files\Spyware Doctor
2009-06-08 05:38 . 2009-06-08 05:38 -------- d-----w- c:\users\Charles\AppData\Roaming\PC Tools
2009-06-08 05:38 . 2009-06-08 05:38 -------- d-----w- c:\programdata\PC Tools
2009-06-08 05:02 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-06-08 05:02 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-06-08 05:02 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-06-08 05:02 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2009-06-08 05:02 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-06-08 05:02 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-06-08 05:01 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-06-08 04:53 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-06-08 04:53 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-06-08 04:53 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-06-08 04:53 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-06-08 04:53 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2009-06-06 18:39 . 2009-06-06 18:39 -------- d-----w- C:\MGADiagToolOutput
2009-06-06 18:39 . 2009-06-06 18:39 -------- d-----w- \MGADiagToolOutput
2009-06-06 18:38 . 2009-06-06 18:38 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-06-06 16:58 . 2009-06-06 16:58 -------- d-----w- c:\program files\Windows Live Safety Center
2009-06-06 05:06 . 2009-06-08 05:38 -------- d-----w- c:\program files\Norton Security Scan
2009-06-06 04:51 . 2009-06-06 04:51 -------- d-----w- c:\users\Charles\AppData\Roaming\MSNInstaller
2009-06-06 04:38 . 2009-06-08 05:35 -------- d-----w- c:\programdata\Google Updater
2009-06-06 04:37 . 2009-06-06 04:37 217088 ----a-w- c:\users\Charles\firefox.exe
2009-06-05 23:55 . 2009-06-06 03:55 -------- d-sh--w- c:\users\Charles\'
2009-06-05 23:55 . 2009-06-06 03:15 115968 ----a-w- c:\users\Charles\a.zip
2009-06-05 23:55 . 2009-06-06 03:15 147456 ----a-w- c:\users\Charles\vbzip10.dll
2009-06-05 20:47 . 1997-04-09 03:08 299520 ----a-w- c:\windows\uninst.exe
2009-06-05 20:47 . 2009-06-05 20:47 0 --sha-r- \MSDOS.SYS
2009-06-05 20:47 . 2009-06-05 20:47 0 --sha-r- \IO.SYS
2009-06-04 23:29 . 2009-06-04 23:29 -------- d-----w- c:\programdata\NVIDIA
2009-06-04 21:49 . 2009-06-04 21:50 15196056 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\Installers\SetupGamesClient.exe
2009-06-02 01:54 . 2009-06-02 01:54 -------- d-----w- c:\programdata\AVS4YOU
2009-06-02 01:53 . 2009-06-02 01:53 -------- d-----w- c:\users\Charles\AppData\Roaming\AVS4YOU
2009-06-02 01:53 . 2009-06-02 04:54 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-06-02 01:53 . 2003-05-21 19:50 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-06-02 01:53 . 2009-06-02 04:54 -------- d-----w- c:\program files\AVS4YOU
2009-05-25 05:36 . 2009-05-25 05:36 -------- d-sh--w- C:\found.000
2009-05-25 05:36 . 2009-05-25 05:36 -------- d-sh--w- \found.000
2009-05-16 16:12 . 2009-05-16 16:12 -------- d-----w- c:\users\Charles\AppData\Roaming\vlc
2009-05-12 20:48 . 2009-05-12 20:48 127877 ----a-w- c:\users\Charles\AppData\Roaming\Move Networks\uninstall.exe
2009-05-10 23:45 . 2009-05-10 23:45 -------- d-----w- c:\programdata\WindowsSearch
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-09 20:29 . 2009-06-09 16:54 1003106304 --sha-w- \hiberfil.sys
2009-06-09 20:29 . 2007-07-06 12:25 1318973440 --sha-w- \pagefile.sys
2009-06-09 20:17 . 2009-06-08 20:58 18164 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-08 22:00 . 2007-08-25 06:10 1356 ----a-w- c:\users\Charles\AppData\Local\d3d9caps.dat
2009-06-06 05:07 . 2007-05-29 07:33 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-06 04:49 . 2007-05-29 07:33 -------- d-----w- c:\programdata\Symantec
2009-06-06 04:39 . 2007-09-15 16:00 -------- d-----w- c:\program files\Google
2009-06-06 03:15 . 2008-09-15 05:09 -------- d-----w- c:\users\Charles\AppData\Roaming\LimeWire
2009-06-05 23:32 . 2007-05-29 07:31 -------- d-----w- c:\programdata\Roxio
2009-06-05 23:23 . 2007-10-28 02:20 -------- d-----w- c:\users\Charles\AppData\Roaming\Roxio
2009-06-05 22:37 . 2007-07-29 18:42 35541 ----a-w- c:\users\Charles\AppData\Roaming\nvModes.dat
2009-06-04 22:15 . 2007-05-29 08:05 -------- d-----w- c:\programdata\WildTangent
2009-06-04 21:59 . 2007-05-29 08:05 -------- d-----w- c:\program files\HP Games
2009-06-02 01:54 . 2007-07-29 17:59 107136 ----a-w- c:\users\Charles\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-13 10:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-13 04:04 . 2008-02-08 20:29 -------- d-----w- c:\users\Charles\AppData\Roaming\Move Networks
2009-05-12 20:48 . 2009-05-01 06:30 4183416 ----a-w- c:\users\Charles\AppData\Roaming\Move Networks\plugins\npqmp071500000347.dll
2009-05-03 03:13 . 2007-08-19 14:45 -------- d-----w- c:\program files\SopCast
2009-04-22 16:23 . 2007-05-29 08:05 -------- d-----w- c:\program files\Yahoo!
2009-04-21 23:49 . 2007-05-29 08:35 -------- d-----w- c:\program files\Java
2009-03-17 03:38 . 2009-04-15 10:21 13824 ----a-w- c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-15 10:21 24064 ----a-w- c:\windows\system32\amxread.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-15 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"IS CfgWiz"="c:\program files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" [2007-01-13 431752]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-03-29 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-02-28 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-28 7770112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-02-28 81920]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-29 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
c:\users\Charles\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D1A0DAED-B4D9-417E-91AA-F1CB28090FF5}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{CF420997-A179-42A8-A833-07F6C1DE2F71}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FABC5D01-90B9-4323-978A-1BC9E0C4B648}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{9D839C64-DF27-43D5-9374-45F410999409}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{3E1165D4-6501-4D5C-B527-FD0719E2BFBF}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AF3360B3-52FB-47E0-B472-39F5E0A261E2}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6466F7C8-9789-4F93-B00F-3F85CFE814FB}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{2346F100-EA86-48A7-B581-AAFCBAC9515D}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{9EF3943E-DCE5-480B-ADBE-BDF50FFDB414}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{118BCD34-FAA4-4805-883F-0965C17EE6F0}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"TCP Query User{251F8B15-C6B1-4FB6-8647-5F3464FB8CD1}c:\\program files\\sopcast\\sopcast.exe"= UDP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"UDP Query User{4E4C03B3-6F7E-48D9-A502-D165805D7A47}c:\\program files\\sopcast\\sopcast.exe"= TCP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"TCP Query User{B1E1E379-F48F-4F95-870D-452BD42FD1AE}c:\\users\\charles\\appdata\\roaming\\sopcast\\adv\\sopadver.exe"= UDP:c:\users\charles\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe
"UDP Query User{7D61C3E1-139B-4B2D-973F-0ED1B4E984D1}c:\\users\\charles\\appdata\\roaming\\sopcast\\adv\\sopadver.exe"= TCP:c:\users\charles\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe
"TCP Query User{8F65E6DF-59FA-48D1-A72E-C77380E08176}c:\\program files\\ppmate\\ppamnet.exe"= UDP:c:\program files\ppmate\ppamnet.exe:ppmnet Module
"UDP Query User{5F8669D5-B692-4A53-987D-2957CDC6D13A}c:\\program files\\ppmate\\ppamnet.exe"= TCP:c:\program files\ppmate\ppamnet.exe:ppmnet Module
"TCP Query User{FC27209A-E744-46AA-8907-3F7DCE851742}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{1B5E8F69-B721-49A4-81A9-817881E0E320}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"TCP Query User{C73F6769-854E-4BC0-909E-F59D1BC66D5F}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{677BA06E-7A2B-426B-85A5-9DE87E2AF432}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{96D7C512-0AF3-41BE-853A-CFF530783385}c:\\program files\\tvants\\tvants.exe"= UDP:c:\program files\tvants\tvants.exe:TVAnts
"UDP Query User{E64FE72F-541B-4062-974E-871E72EFC4F1}c:\\program files\\tvants\\tvants.exe"= TCP:c:\program files\tvants\tvants.exe:TVAnts
"TCP Query User{C473479E-12A9-48D5-8CEE-02317EA96F6B}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{AC269516-0C03-4C93-90B0-97949126CE71}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{58AC04B7-E3D5-44CD-8048-7702F035FA2E}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{13022989-1E15-447B-A7C2-81E210500EF4}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{C0E56952-2C87-48D4-AD67-8A2CB88FFDDB}c:\\program files\\auction client\\ringstart.exe"= UDP:c:\program files\auction client\ringstart.exe:RingStart
"UDP Query User{C9F5DFA0-7831-44B3-AA81-7CAE753B5E7E}c:\\program files\\auction client\\ringstart.exe"= TCP:c:\program files\auction client\ringstart.exe:RingStart
"TCP Query User{701A7514-1DDF-46D6-A2B0-D28ADAD88903}c:\\program files\\auction client\\auctionclient.exe"= UDP:c:\program files\auction client\auctionclient.exe:AuctionClient
"UDP Query User{22C0DF0A-8AB7-49CF-9735-7AAF418EA494}c:\\program files\\auction client\\auctionclient.exe"= TCP:c:\program files\auction client\auctionclient.exe:AuctionClient
"TCP Query User{47109F2A-77DA-46F8-8986-6A9F85EB3794}c:\\program files\\sopcast\\sopcast.exe"= UDP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"UDP Query User{536FE94B-7939-4181-AF02-6B4D716D3456}c:\\program files\\sopcast\\sopcast.exe"= TCP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"TCP Query User{5B66A2DB-7C41-470D-933D-DD133B6D072A}c:\\users\\charles\\appdata\\roaming\\sopcast\\adv\\sopadver.exe"= UDP:c:\users\charles\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe
"UDP Query User{29C39AAF-EABC-4778-B919-D4160DA5C4D8}c:\\users\\charles\\appdata\\roaming\\sopcast\\adv\\sopadver.exe"= TCP:c:\users\charles\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe
"TCP Query User{1F1F41EF-35D7-4AE1-8695-A426041EAC68}c:\\program files\\tvants\\tvants.exe"= UDP:c:\program files\tvants\tvants.exe:TVAnts
"UDP Query User{6C346A24-EC1D-48D0-A186-B3BED9BD9802}c:\\program files\\tvants\\tvants.exe"= TCP:c:\program files\tvants\tvants.exe:TVAnts
"TCP Query User{3E4BBEF9-5641-4F0F-91AE-0E80C5B87DA3}c:\\program files\\sopcast\\adv\\sopadver.exe"= UDP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"UDP Query User{4878DEED-35D3-4720-BF6E-E5F35837A2F7}c:\\program files\\sopcast\\adv\\sopadver.exe"= TCP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"TCP Query User{1D941B48-71D3-4D50-BD17-952E7A3E6FEB}c:\\program files\\sopcast\\adv\\sopadver.exe"= UDP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"UDP Query User{E6AE0191-48BC-4C79-ACEE-0883FABF327E}c:\\program files\\sopcast\\adv\\sopadver.exe"= TCP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"TCP Query User{7FB9F571-8A58-4463-A88C-5ED4470C4F05}c:\\westwood\\renegadempdemo\\renegadedemo.exe"= UDP:c:\westwood\renegadempdemo\renegadedemo.exe:Renegade
"UDP Query User{E21149CC-757B-40D4-A524-46B0656637C0}c:\\westwood\\renegadempdemo\\renegadedemo.exe"= TCP:c:\westwood\renegadempdemo\renegadedemo.exe:Renegade
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"c:\\Program Files\\PPMate\\ppmate.exe"= c:\program files\PPMate\ppmate.exe:*:Enabled:PPMate
"c:\\Program Files\\PPMate\\ppamnet.exe"= c:\program files\PPMate\ppamnet.exe:*:Enabled:PPMate
R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [6/7/2009 10:39 PM 130936]
S3 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20070108.003\IDSvix86.sys [5/29/2007 12:39 AM 212280]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/7/2009 10:38 PM 348752]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-06-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-15 04:38]
2009-06-06 c:\windows\Tasks\Norton Security Scan for Charles.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 11:18]
2009-06-09 c:\windows\Tasks\User_Feed_Synchronization-{1D8C4D96-AB81-426A-85E4-A8B1A04F9B99}.job
- c:\windows\system32\msfeedssync.exe [2009-06-09 11:31]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
SafeBoot-procexp90.Sys
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\users\Charles\AppData\Roaming\Mozilla\Firefox\Profiles\sjvmj9tt.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\users\Charles\AppData\Roaming\Move Networks\plugins\npqmp071500000347.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-09 13:32
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-06-09 13:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-09 20:43
Pre-Run: 59,072,323,584 bytes free
Post-Run: 59,724,652,544 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=8 Sets=1,4,5,6,7,8
293 --- E O F --- 2009-06-09 03:31
2009-04-21 23:49 . 2007-05-29 08:35 -------- d-----w- c:\program files\Java
2009-03-17 03:38 . 2009-04-15 10:21 13824 ----a-w- c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-15 10:21 24064 ----a-w- c:\windows\system32\amxread.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-15 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"IS CfgWiz"="c:\program files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" [2007-01-13 431752]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-03-29 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-02-28 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-28 7770112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-02-28 81920]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-29 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
c:\users\Charles\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D1A0DAED-B4D9-417E-91AA-F1CB28090FF5}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{CF420997-A179-42A8-A833-07F6C1DE2F71}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FABC5D01-90B9-4323-978A-1BC9E0C4B648}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{9D839C64-DF27-43D5-9374-45F410999409}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{3E1165D4-6501-4D5C-B527-FD0719E2BFBF}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AF3360B3-52FB-47E0-B472-39F5E0A261E2}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6466F7C8-9789-4F93-B00F-3F85CFE814FB}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{2346F100-EA86-48A7-B581-AAFCBAC9515D}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{9EF3943E-DCE5-480B-ADBE-BDF50FFDB414}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{118BCD34-FAA4-4805-883F-0965C17EE6F0}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"TCP Query User{251F8B15-C6B1-4FB6-8647-5F3464FB8CD1}c:\\program files\\sopcast\\sopcast.exe"= UDP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"UDP Query User{4E4C03B3-6F7E-48D9-A502-D165805D7A47}c:\\program files\\sopcast\\sopcast.exe"= TCP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"TCP Query User{B1E1E379-F48F-4F95-870D-452BD42FD1AE}c:\\users\\charles\\appdata\\roaming\\sopcast\\adv\\sopadver.exe"= UDP:c:\users\charles\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe
"UDP Query User{7D61C3E1-139B-4B2D-973F-0ED1B4E984D1}c:\\users\\charles\\appdata\\roaming\\sopcast\\adv\\sopadver.exe"= TCP:c:\users\charles\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe
"TCP Query User{8F65E6DF-59FA-48D1-A72E-C77380E08176}c:\\program files\\ppmate\\ppamnet.exe"= UDP:c:\program files\ppmate\ppamnet.exe:ppmnet Module
"UDP Query User{5F8669D5-B692-4A53-987D-2957CDC6D13A}c:\\program files\\ppmate\\ppamnet.exe"= TCP:c:\program files\ppmate\ppamnet.exe:ppmnet Module
"TCP Query User{FC27209A-E744-46AA-8907-3F7DCE851742}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{1B5E8F69-B721-49A4-81A9-817881E0E320}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"TCP Query User{C73F6769-854E-4BC0-909E-F59D1BC66D5F}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{677BA06E-7A2B-426B-85A5-9DE87E2AF432}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{96D7C512-0AF3-41BE-853A-CFF530783385}c:\\program files\\tvants\\tvants.exe"= UDP:c:\program files\tvants\tvants.exe:TVAnts
"UDP Query User{E64FE72F-541B-4062-974E-871E72EFC4F1}c:\\program files\\tvants\\tvants.exe"= TCP:c:\program files\tvants\tvants.exe:TVAnts
"TCP Query User{C473479E-12A9-48D5-8CEE-02317EA96F6B}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{AC269516-0C03-4C93-90B0-97949126CE71}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{58AC04B7-E3D5-44CD-8048-7702F035FA2E}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{13022989-1E15-447B-A7C2-81E210500EF4}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{C0E56952-2C87-48D4-AD67-8A2CB88FFDDB}c:\\program files\\auction client\\ringstart.exe"= UDP:c:\program files\auction client\ringstart.exe:RingStart
"UDP Query User{C9F5DFA0-7831-44B3-AA81-7CAE753B5E7E}c:\\program files\\auction client\\ringstart.exe"= TCP:c:\program files\auction client\ringstart.exe:RingStart
"TCP Query User{701A7514-1DDF-46D6-A2B0-D28ADAD88903}c:\\program files\\auction client\\auctionclient.exe"= UDP:c:\program files\auction client\auctionclient.exe:AuctionClient
"UDP Query User{22C0DF0A-8AB7-49CF-9735-7AAF418EA494}c:\\program files\\auction client\\auctionclient.exe"= TCP:c:\program files\auction client\auctionclient.exe:AuctionClient
"TCP Query User{47109F2A-77DA-46F8-8986-6A9F85EB3794}c:\\program files\\sopcast\\sopcast.exe"= UDP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"UDP Query User{536FE94B-7939-4181-AF02-6B4D716D3456}c:\\program files\\sopcast\\sopcast.exe"= TCP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"TCP Query User{5B66A2DB-7C41-470D-933D-DD133B6D072A}c:\\users\\charles\\appdata\\roaming\\sopcast\\adv\\sopadver.exe"= UDP:c:\users\charles\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe
"UDP Query User{29C39AAF-EABC-4778-B919-D4160DA5C4D8}c:\\users\\charles\\appdata\\roaming\\sopcast\\adv\\sopadver.exe"= TCP:c:\users\charles\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe
"TCP Query User{1F1F41EF-35D7-4AE1-8695-A426041EAC68}c:\\program files\\tvants\\tvants.exe"= UDP:c:\program files\tvants\tvants.exe:TVAnts
"UDP Query User{6C346A24-EC1D-48D0-A186-B3BED9BD9802}c:\\program files\\tvants\\tvants.exe"= TCP:c:\program files\tvants\tvants.exe:TVAnts
"TCP Query User{3E4BBEF9-5641-4F0F-91AE-0E80C5B87DA3}c:\\program files\\sopcast\\adv\\sopadver.exe"= UDP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"UDP Query User{4878DEED-35D3-4720-BF6E-E5F35837A2F7}c:\\program files\\sopcast\\adv\\sopadver.exe"= TCP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"TCP Query User{1D941B48-71D3-4D50-BD17-952E7A3E6FEB}c:\\program files\\sopcast\\adv\\sopadver.exe"= UDP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"UDP Query User{E6AE0191-48BC-4C79-ACEE-0883FABF327E}c:\\program files\\sopcast\\adv\\sopadver.exe"= TCP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"TCP Query User{7FB9F571-8A58-4463-A88C-5ED4470C4F05}c:\\westwood\\renegadempdemo\\renegadedemo.exe"= UDP:c:\westwood\renegadempdemo\renegadedemo.exe:Renegade
"UDP Query User{E21149CC-757B-40D4-A524-46B0656637C0}c:\\westwood\\renegadempdemo\\renegadedemo.exe"= TCP:c:\westwood\renegadempdemo\renegadedemo.exe:Renegade
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"c:\\Program Files\\PPMate\\ppmate.exe"= c:\program files\PPMate\ppmate.exe:*:Enabled:PPMate
"c:\\Program Files\\PPMate\\ppamnet.exe"= c:\program files\PPMate\ppamnet.exe:*:Enabled:PPMate
R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [6/7/2009 10:39 PM 130936]
S3 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20070108.003\IDSvix86.sys [5/29/2007 12:39 AM 212280]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/7/2009 10:38 PM 348752]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-06-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-15 04:38]
2009-06-06 c:\windows\Tasks\Norton Security Scan for Charles.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 11:18]
2009-06-09 c:\windows\Tasks\User_Feed_Synchronization-{1D8C4D96-AB81-426A-85E4-A8B1A04F9B99}.job
- c:\windows\system32\msfeedssync.exe [2009-06-09 11:31]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
SafeBoot-procexp90.Sys
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\users\Charles\AppData\Roaming\Mozilla\Firefox\Profiles\sjvmj9tt.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\users\Charles\AppData\Roaming\Move Networks\plugins\npqmp071500000347.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-09 13:32
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-06-09 13:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-09 20:43
Pre-Run: 59,072,323,584 bytes free
Post-Run: 59,724,652,544 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=8 Sets=1,4,5,6,7,8
293 --- E O F --- 2009-06-09 03:31
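The log above is the raw ComboFix report, and a responder usually wants the same few things pulled out of it before reading the rest: the file listing lines with their attribute flags, the registry values ComboFix prints under "Reg Loading Points", and the svchost group it lists (the log itself notes that legit default entries are not shown). The script below is an added example, not part of the original post and not ComboFix's own code. It parses those three line shapes and emits triage flags; the sample input is a handful of lines copied from the log above, and the heuristics it applies (hidden or system attributes inside a user profile, executables sitting directly under a profile root, Security Center monitoring set to disabled, the Standard Profile firewall set to 0, any svchost group ComboFix chose to list) are my own assumptions about what deserves a second look, not a verdict that any of these items is malicious.

```python
import re
from typing import Dict, List, Optional

# Sample input: lines copied verbatim from the ComboFix log above (file listing,
# two registry sections and the svchost group). Constructed subset, not the whole log.
SAMPLE_LOG = r"""
2009-06-06 04:37 . 2009-06-06 04:37 217088 ----a-w- c:\users\Charles\firefox.exe
2009-06-05 23:55 . 2009-06-06 03:55 -------- d-sh--w- c:\users\Charles\'
2009-06-05 23:55 . 2009-06-06 03:15 147456 ----a-w- c:\users\Charles\vbzip10.dll
2009-06-05 20:47 . 2009-06-05 20:47 0 --sha-r- \MSDOS.SYS
2009-06-04 23:29 . 2009-06-04 23:29 -------- d-----w- c:\programdata\NVIDIA
2009-06-08 04:53 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
"""

# File listing line: "<mtime> . <ctime> <size|--------> <8 attr flags> <path>".
# Attribute flags as ComboFix prints them: d(irectory) s(ystem) h(idden) a(rchive) r(eadonly) w(ritable).
FILE_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-dsharw]{8}) (?P<path>.+)$"
)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                    # [HKEY_...\...]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.+)$')  # "Name"=data
SVCHOST_RE = re.compile(r"^(?P<group>\S+)\s+REG_MULTI_SZ\s+(?P<members>.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl")
# Assumption: "directly under a profile root" means c:\users\<name>\<file>, nothing deeper.
PROFILE_ROOT_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+$", re.IGNORECASE)


def parse_file_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a ComboFix file-listing line, or None if it is not one."""
    m = FILE_RE.match(line.strip())
    return m.groupdict() if m else None


def reg_int(data: str) -> Optional[int]:
    """Decode the two numeric forms ComboFix prints: 'dword:00000001' and '0 (0x0)'."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"^(\d+)", data)
    return int(m.group(1)) if m else None


def triage(log_text: str) -> List[str]:
    """Walk a ComboFix log and return human-readable triage flags (heuristics, not verdicts)."""
    findings: List[str] = []
    current_key = ""  # lower-cased registry key the following "Name"=data lines belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = parse_file_line(line)
        if entry:
            path, attrs = entry["path"], entry["attrs"]
            low = path.lower()
            if "\\users\\" in low and ("h" in attrs or "s" in attrs):
                findings.append(f"hidden/system attribute in a user profile: {path} ({attrs})")
            if PROFILE_ROOT_RE.match(path) and low.endswith(EXEC_EXT):
                findings.append(f"executable directly under a profile root: {path}")
            continue
        km = KEY_RE.match(line)
        if km:
            current_key = km["key"].lower()
            continue
        vm = VALUE_RE.match(line)
        if vm:
            name, value = vm["name"], reg_int(vm["data"].strip())
            if "security center\\monitoring" in current_key and name == "DisableMonitoring" and value == 1:
                findings.append(f"Security Center monitoring disabled: {current_key}")
            if name == "EnableFirewall" and value == 0:
                findings.append(f"Windows Firewall disabled: {current_key}")
            continue
        sm = SVCHOST_RE.match(line)
        if sm and current_key.endswith("\\svchost"):
            # ComboFix omits legit default entries, so any group it prints is non-default.
            findings.append(f"non-default svchost group: {sm['group']} -> {sm['members']}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against a whole ComboFix log (pass the file contents to `triage`) and you get a short list to hand to whoever reviews the log, instead of scanning several hundred lines by eye. Each flag is only a prompt to look closer: a plugin DLL in AppData or a vendor's hidden cache directory will trip the same rules as something hostile, so the path, timestamps and publisher still have to be checked by hand.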
