Page 1 of 7 12345 ... LastLast
Results 1 to 10 of 64

Thread: ***3 types of Virtumonde***

  1. #1
    Member
    Join Date
    May 2008
    Posts
    42

    Exclamation ***3 types of Virtumonde***

    When I ran spybot it came up with3 kinds of virtumonde and about 5 other things. WHen I selected fix problems spybot locked up.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:11:11 PM, on 8/15/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\DVDRAMSV.exe
    c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\lphcjv0j0etdv.exe
    C:\Program Files\rhcnv0j0etdv\rhcnv0j0etdv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\ATI Technologies\ATI.ACE\DualCoreCenter.exe
    C:\WINDOWS\system32\pphcjv0j0etdv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [lphcjv0j0etdv] C:\WINDOWS\system32\lphcjv0j0etdv.exe
    O4 - HKLM\..\Run: [SMrhcnv0j0etdv] C:\Program Files\rhcnv0j0etdv\rhcnv0j0etdv.exe
    O4 - HKLM\..\Run: [3cde9347] rundll32.exe "C:\WINDOWS\system32\ohwfnbnf.dll",b
    O4 - HKLM\..\Run: [BM3feda0db] Rundll32.exe "C:\WINDOWS\system32\vfibkunx.dll",s
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [SpybotDeletingA3578] command /c del "C:\WINDOWS\system32\blphcjv0j0etdv.scr_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC3423] cmd /c del "C:\WINDOWS\system32\blphcjv0j0etdv.scr_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA5428] command /c del "C:\Program Files\webHancer\Programs\sporder.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC8866] cmd /c del "C:\Program Files\webHancer\Programs\sporder.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA7066] command /c del "C:\Program Files\webHancer\Programs\readme.txt"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC3676] cmd /c del "C:\Program Files\webHancer\Programs\readme.txt"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA6107] command /c del "C:\Program Files\webHancer\Programs\whagent.exe"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC6620] cmd /c del "C:\Program Files\webHancer\Programs\whagent.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\RunOnce: [SpybotDeletingB6761] command /c del "C:\WINDOWS\system32\blphcjv0j0etdv.scr_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD7939] cmd /c del "C:\WINDOWS\system32\blphcjv0j0etdv.scr_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB8844] command /c del "C:\Program Files\webHancer\Programs\sporder.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD2078] cmd /c del "C:\Program Files\webHancer\Programs\sporder.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB709] command /c del "C:\Program Files\webHancer\Programs\readme.txt"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD9188] cmd /c del "C:\Program Files\webHancer\Programs\readme.txt"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5890] command /c del "C:\Program Files\webHancer\Programs\whagent.exe"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD9943] cmd /c del "C:\Program Files\webHancer\Programs\whagent.exe"
    O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files\ATI Technologies\ATI.ACE\StartUpDualCoreCenter.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188352149406
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1210914041995
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...96/mcfscan.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    O23 - Service: CD Guard Drivers Auto Removal (v1) (psrem01) - Protection Technology - C:\WINDOWS\system32\psrem01.exe

    --
    End of file - 8397 bytes

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi Slavik

    Looking over your log, it seems you don't have any evidence of a third party firewall.

    As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

    1) Comodo (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage")
    2) Online Armor
    3) Sunbelt/Kerio
    4) Agnitum
    5) ZoneAlarm (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

    If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

    After that, rename HijackThis.exe to Slavik.exe and post back a fresh HijackThis log, please
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Member
    Join Date
    May 2008
    Posts
    42

    Default

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:01:36 PM, on 8/17/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\DVDRAMSV.exe
    c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\lphcjv0j0etdv.exe
    C:\Program Files\rhcnv0j0etdv\rhcnv0j0etdv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\pphcjv0j0etdv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\ATI Technologies\ATI.ACE\DualCoreCenter.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [lphcjv0j0etdv] C:\WINDOWS\system32\lphcjv0j0etdv.exe
    O4 - HKLM\..\Run: [SMrhcnv0j0etdv] C:\Program Files\rhcnv0j0etdv\rhcnv0j0etdv.exe
    O4 - HKLM\..\Run: [3cde9347] rundll32.exe "C:\WINDOWS\system32\ohwfnbnf.dll",b
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfpconfg.exe" -z -o
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files\ATI Technologies\ATI.ACE\StartUpDualCoreCenter.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188352149406
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1210914041995
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...96/mcfscan.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdagent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    O23 - Service: CD Guard Drivers Auto Removal (v1) (psrem01) - Protection Technology - C:\WINDOWS\system32\psrem01.exe

    --
    End of file - 7050 bytes

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Unfortunately it didn't go right:

    Rename HijackThis.exe to Slavik.exe by doing the following;

    • Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
    • Right-click on the HijackThis.exe
    • Choose from the pull-down menu; "Rename"
    • And now Rename HijackThis.exe to Slavik.exe
    • When you've renamed HijackThis, open HijackThis again.
    • Take a fresh HijackThis log (click Do a system scan and save a log file)
    • Post the fresh HijackThis log here.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  5. #5
    Member
    Join Date
    May 2008
    Posts
    42

    Default

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:32:28 PM, on 8/18/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\lphcjv0j0etdv.exe
    C:\Program Files\rhcnv0j0etdv\rhcnv0j0etdv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\sysrest32.exe
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\pphcjv0j0etdv.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\Slavik.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {0583DA6A-F576-40B6-A08A-490E177E15A2} - C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OTGYUA05\3077htsbdjyf[1].dll
    O2 - BHO: (no name) - {109BE732-8F8C-49D4-A3F4-FEDCAC7F0A25} - C:\WINDOWS\system32\tuvUlKCt.dll (file missing)
    O2 - BHO: (no name) - {50239d56-3e34-4c95-a1c3-7836f655672d} - C:\WINDOWS\system32\ssqPghgg.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: {b5c1ebd0-fb5c-547b-bde4-a81ba890fc9e} - {e9cf098a-b18a-4edb-b745-c5bf0dbe1c5b} - C:\WINDOWS\system32\zbljwo.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [lphcjv0j0etdv] C:\WINDOWS\system32\lphcjv0j0etdv.exe
    O4 - HKLM\..\Run: [SMrhcnv0j0etdv] C:\Program Files\rhcnv0j0etdv\rhcnv0j0etdv.exe
    O4 - HKLM\..\Run: [3cde9347] rundll32.exe "C:\WINDOWS\system32\ohwfnbnf.dll",b
    O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files\ATI Technologies\ATI.ACE\StartUpDualCoreCenter.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188352149406
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1210914041995
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...96/mcfscan.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll zbljwo.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdagent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    O23 - Service: CD Guard Drivers Auto Removal (v1) (psrem01) - Protection Technology - C:\WINDOWS\system32\psrem01.exe

    --
    End of file - 7761 bytes

  6. #6
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Yes know it's correct

    We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New HijackThis log.


    A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  7. #7
    Member
    Join Date
    May 2008
    Posts
    42

    Default

    I did everything you asked and followed all the instructions. When I clicked on ComboFix to run the program this is what I get.
    Error
    You can not rename ComboFix as ComboFix
    Please use another name preferable made up of alphanumeric characters


    I never changed the name of it. I have my firewall down and all anti-spyware off.

    I went to go run a HighJackThis again to post it up here for you it tells me
    Windows cannot access the specified device, path, or file. You may not hav the approporiate permission to access the item.

    What do I do?

  8. #8
    Member
    Join Date
    May 2008
    Posts
    42

    Default

    I got CombFix running
    The only way I could get HiJackThis running was to reinstall it.



    ComboFix 08-08-19.06 - Owner 2008-08-20 20:31:16.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.516 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Administrator\Application Data\rhcnv0j0etdv
    C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\JR3LUJ8K\interclick.com
    C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\JR3LUJ8K\interclick.com\ud.sol
    C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
    C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\2586.exe
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\s
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Xilisoft Video Converter 2.1 crack by Metroid.torrent
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Xilisoft Video Converter 2.1 crack by Metroid.zip
    C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
    C:\Documents and Settings\Owner\Application Data\rhcnv0j0etdv
    C:\Documents and Settings\Owner\Cookies\owner@CA0EN8T6.txt
    C:\Documents and Settings\Owner\Cookies\owner@CA15S96N.txt
    C:\Documents and Settings\Owner\Cookies\owner@CA2BMNEA.txt
    C:\Documents and Settings\Owner\Cookies\owner@CA3OCSUH.txt
    C:\Documents and Settings\Owner\Cookies\owner@CA41PM0D.txt
    C:\Documents and Settings\Owner\Cookies\owner@CAFKC1YX.txt
    C:\Documents and Settings\Owner\Cookies\owner@CAINRYP0.txt
    C:\Documents and Settings\Owner\Cookies\owner@CAL5UO7C.txt
    C:\Documents and Settings\Owner\Cookies\owner@CALOY936.txt
    C:\Documents and Settings\Owner\Cookies\owner@CAMAT0NO.txt
    C:\Documents and Settings\Owner\Cookies\owner@CAN357WI.txt
    C:\Documents and Settings\Owner\Cookies\owner@CAUIFQED.txt
    C:\Documents and Settings\Owner\Cookies\owner@CAVZRIP0.txt
    C:\Program Files\rhcnv0j0etdv
    C:\Program Files\webhancer
    C:\Program Files\webhancer\Programs\webhdll.dll
    C:\WINDOWS\BM3feda0db.txt
    C:\WINDOWS\BM3feda0db.xml
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\8.tmp
    C:\WINDOWS\system32\9.tmp
    C:\WINDOWS\system32\blackster.scr
    C:\WINDOWS\system32\blphcjv0j0etdv.scr
    C:\WINDOWS\system32\eqzkpy.dll
    C:\WINDOWS\system32\fnbnfwho.ini
    C:\WINDOWS\system32\gghgPqss.ini
    C:\WINDOWS\system32\gghgPqss.ini2
    C:\WINDOWS\system32\lphcjv0j0etdv.exe
    C:\WINDOWS\system32\ohwfnbnf.dll
    C:\WINDOWS\system32\shsshpdy.exe
    C:\WINDOWS\system32\ssqPghgg.dll
    C:\WINDOWS\system32\svmtvxfw.dll
    C:\WINDOWS\system32\sysrest32.exe
    C:\WINDOWS\system32\tapadepo.dll
    C:\WINDOWS\system32\wzzuya.dll
    C:\WINDOWS\system32\yracujkl.dll
    C:\WINDOWS\system32\zbljwo.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_SYSREST.SYS
    -------\Service_sysrest.sys


    ((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
    .

    2008-08-18 22:41 . 2008-08-18 22:41 0 --a------ C:\WINDOWS\system32\2A.tmp
    2008-08-18 22:40 . 2008-08-18 22:40 0 --a------ C:\WINDOWS\system32\29.tmp
    2008-08-18 22:38 . 2008-08-18 22:38 0 --a------ C:\WINDOWS\system32\28.tmp
    2008-08-18 22:08 . 2008-08-18 22:08 0 --a------ C:\WINDOWS\system32\27.tmp
    2008-08-18 22:03 . 2008-08-18 22:03 0 --a------ C:\WINDOWS\system32\26.tmp
    2008-08-18 21:52 . 2008-08-18 21:52 0 --a------ C:\WINDOWS\system32\25.tmp
    2008-08-18 21:52 . 2008-08-18 21:52 0 --a------ C:\WINDOWS\system32\24.tmp
    2008-08-18 21:51 . 2008-08-18 21:51 0 --a------ C:\WINDOWS\system32\23.tmp
    2008-08-18 21:51 . 2008-08-18 21:51 0 --a------ C:\WINDOWS\system32\22.tmp
    2008-08-18 21:50 . 2008-08-18 21:50 0 --a------ C:\WINDOWS\system32\21.tmp
    2008-08-18 21:50 . 2008-08-18 21:50 0 --a------ C:\WINDOWS\system32\20.tmp
    2008-08-18 21:50 . 2008-08-18 21:50 0 --a------ C:\WINDOWS\system32\1F.tmp
    2008-08-18 21:49 . 2008-08-18 21:49 0 --a------ C:\WINDOWS\system32\1E.tmp
    2008-08-18 21:49 . 2008-08-18 21:49 0 --a------ C:\WINDOWS\system32\1D.tmp
    2008-08-18 21:48 . 2008-08-18 21:48 0 --a------ C:\WINDOWS\system32\1C.tmp
    2008-08-18 21:48 . 2008-08-18 21:48 0 --a------ C:\WINDOWS\system32\1B.tmp
    2008-08-17 19:40 . 2008-08-17 19:40 <DIR> d-------- C:\Program Files\COMODO
    2008-08-17 19:40 . 2008-08-17 19:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Comodo
    2008-08-17 19:40 . 2008-08-17 20:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
    2008-08-17 19:40 . 2008-08-17 19:40 143,104 --a------ C:\WINDOWS\system32\guard32.dll
    2008-08-17 19:40 . 2008-08-17 19:40 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
    2008-08-17 19:40 . 2008-08-17 19:40 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
    2008-08-17 12:20 . 2008-08-20 20:35 109,150 --a------ C:\WINDOWS\system32\drivers\51a3f7fb.sys
    2008-08-15 17:07 . 2004-08-03 22:58 23,040 --a------ C:\WINDOWS\system32\drivers\SETC.tmp
    2008-08-15 16:36 . 2004-08-03 22:58 23,040 --a------ C:\WINDOWS\system32\drivers\SET5.tmp
    2008-08-14 23:04 . 2008-08-14 23:04 <DIR> d-------- C:\Program Files\uTorrent
    2008-08-14 22:41 . 2008-08-14 22:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Corel
    2008-08-14 22:41 . 2008-08-14 22:41 2,516 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
    2008-08-14 22:41 . 2008-08-14 22:41 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\8D50F928AC.sys
    2008-08-14 22:35 . 2008-08-14 22:35 <DIR> d-------- C:\Program Files\Common Files\Protexis
    2008-08-14 22:35 . 2008-08-14 22:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
    2008-08-14 22:34 . 2008-08-14 22:34 <DIR> d-------- C:\Program Files\Common Files\Corel
    2008-08-14 22:33 . 2008-08-14 22:33 <DIR> d-------- C:\Program Files\Corel
    2008-08-06 08:05 . 2008-08-06 08:05 <DIR> d-------- C:\Program Files\Razor

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-21 00:17 --------- d-----w C:\Program Files\Downloads
    2008-08-14 02:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-06 12:42 --------- d-----w C:\Program Files\EA Games
    2008-07-15 02:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ubisoft
    2008-07-15 02:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ubisoft
    2008-07-15 02:02 --------- d-----w C:\Program Files\Ubisoft
    2008-07-07 05:13 --------- d-----w C:\Program Files\Bodog Poker
    .

    ------- Sigcheck -------

    2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
    2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe

    2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
    2007-03-08 10:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
    2004-08-04 07:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
    2005-03-02 13:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
    2007-03-08 10:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\user32.dll
    2007-03-08 10:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\dllcache\user32.dll

    2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
    2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll

    2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
    2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

    2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
    2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

    2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
    2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

    2005-03-01 19:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
    2007-02-28 04:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
    2004-08-04 07:00 2015232 fb142b7007ca2eea76966c6c5cc12150 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
    2005-03-01 19:34 2015232 3cd941e472ddf3534e53038535719771 C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
    2007-02-28 03:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
    2007-02-28 03:38 2015744 a58ac1c6199ef34228abee7fc057ae09 C:\WINDOWS\system32\ntkrnlpa.exe
    2007-02-28 03:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

    2005-03-01 20:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
    2007-02-28 04:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
    2004-08-04 07:00 2148352 626309040459c3915997ef98ec1c8d40 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
    2005-03-01 19:57 2135552 48b3e89af7074cee0314a3e0c7faffdb C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
    2007-02-28 04:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
    2007-02-28 04:08 2136064 1220faf071dea8653ee21de7dcda8bfd C:\WINDOWS\system32\ntoskrnl.exe
    2007-02-28 04:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\dllcache\ntoskrnl.exe

    2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\explorer.exe
    2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
    2004-08-04 07:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
    2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\dllcache\explorer.exe

    2004-08-04 07:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe
    2004-08-04 07:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\dllcache\services.exe

    2004-08-04 07:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe
    2004-08-04 07:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\dllcache\lsass.exe

    2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
    2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe

    2005-06-10 19:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
    2004-08-04 07:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
    2005-06-10 18:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\system32\spoolsv.exe
    2005-06-10 18:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\system32\dllcache\spoolsv.exe

    2004-08-04 07:00 24576 39b1ffb03c2296323832acbae50d2aff C:\WINDOWS\system32\userinit.exe
    2004-08-04 07:00 24576 39b1ffb03c2296323832acbae50d2aff C:\WINDOWS\system32\dllcache\userinit.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-16 06:24 167368]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
    "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
    "COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-08-17 19:40 1655552]
    "RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16:08 16380416 C:\WINDOWS\RTHDCPL.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DualCoreCenter.lnk - C:\Program Files\ATI Technologies\ATI.ACE\StartUpDualCoreCenter.exe [2007-08-28 22:14:02 192512]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\puD00.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qmu81.sys]
    @="Driver"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SMrhcnv0j0etdv"=C:\Program Files\rhcnv0j0etdv\rhcnv0j0etdv.exe
    "lphcjv0j0etdv"=C:\WINDOWS\system32\lphcjv0j0etdv.exe
    "SecurDisc"=C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
    "BM3feda0db"=Rundll32.exe "C:\WINDOWS\system32\hosydagy.dll",s

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\NAMCO BANDAI Games\\Warhammer Mark of Chaos\\Warhammer.exe"=
    "C:\\Program Files\\Starcraft\\StarCraft.exe"=
    "C:\\Program Files\\HeroesOfAE\\Data\\engine.exe"=
    "C:\\Program Files\\BitLord\\BitLord.exe"=
    "C:\\Program Files\\EA Games\\Command and Conquer Generals\\game.dat"=
    "C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
    "C:\\Tri Synergy\\UFO Extraterrestrials\\TrueUpdate.exe"=
    "C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
    "C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
    "C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.0\\cnc3game.dat"=
    "C:\\Program Files\\Eidos\\Kane and Lynch Dead Men\\kaneandlynch.exe"=
    "C:\\Program Files\\Ubisoft\\Heroes of Might and Magic V Collector Edition\\bin\\H5_Game.exe"=
    "C:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
    "C:\\Program Files\\Microsoft Games\\Rise of Nations\\nations.exe"=
    "C:\\Program Files\\BitLord\\Downloads\\Magic\\Magic\\Manalink.exe"=
    "C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
    "C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
    "C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
    "C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
    "C:\\Program Files\\EA Games\\Ultima Online Mondain's Legacy\\client.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
    "3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 psdrv01a;CD Guard Environment Driver (v1a);C:\WINDOWS\system32\drivers\psdrv01a.sys [2006-07-05 07:55]
    R0 pshlp02;CD Guard Helper Driver (v2);C:\WINDOWS\system32\drivers\pshlp02.sys [2006-06-14 09:59]
    R0 pssync04;CD Guard Synchronization Driver (v4);C:\WINDOWS\system32\drivers\pssync04.sys [2006-08-11 08:52]
    R1 cmdguard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-08-17 19:40]
    R1 cmdhlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-08-17 19:40]
    R1 crlscsi;crlscsi;C:\WINDOWS\system32\drivers\crlscsi.sys [1995-11-07 03:57]
    R2 PSI_SVC_2;Protexis Licensing V2;c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [2007-07-24 11:15]
    S2 psrem01;CD Guard Drivers Auto Removal (v1);C:\WINDOWS\system32\psrem01.exe svc []
    S3 DualCoreCenter;DualCoreCenter;C:\Program Files\ATI Technologies\ATI.ACE\NTGLM7X.sys [2007-01-22 13:58]
    S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 07:00]
    S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 07:00]
    S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 07:00]
    S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 07:00]
    S3 RushTopDevice2;RushTopDevice2;C:\Program Files\ATI Technologies\ATI.ACE\RushTop.sys [2007-03-22 13:39]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a5ac468-55c7-11dc-8c9e-97a3e74b0bc5}]
    \Shell\AutoRun\command - F:\LaunchU3.exe
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{0583DA6A-F576-40B6-A08A-490E177E15A2} - C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OTGYUA05\3077htsbdjyf[1].dll
    HKLM-Run-NeroFilterCheck - C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    HKLM-Run-sysrest32.exe - C:\WINDOWS\system32\sysrest32.exe
    HKLM-Run-3cde9347 - C:\WINDOWS\system32\ohwfnbnf.dll
    HKLM-Run-BM3feda0db - C:\WINDOWS\system32\hosydagy.dll


    .
    ------- Supplementary Scan -------
    .
    R1 -: HKCU-Internet Settings,ProxyOverride = *.local
    O9 -: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-20 20:35:34
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\51a3f7fb]
    "ImagePath"="\SystemRoot\System32\drivers\51a3f7fb.sys"
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\system32\snmp.exe
    C:\WINDOWS\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-20 20:38:00 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-21 01:37:57

    Pre-Run: 58,434,879,488 bytes free
    Post-Run: 58,599,309,312 bytes free

    279 --- E O F --- 2008-07-12 18:17:17




    HijackThis log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:49:42 PM, on 8/20/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files\ATI Technologies\ATI.ACE\StartUpDualCoreCenter.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188352149406
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1210914041995
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...96/mcfscan.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdagent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    O23 - Service: CD Guard Drivers Auto Removal (v1) (psrem01) - Protection Technology - C:\WINDOWS\system32\psrem01.exe

    --
    End of file - 6011 bytes

  9. #9
    Member
    Join Date
    May 2008
    Posts
    42

    Default

    Sorry, sorry, sorry, when I got ComboFix running I didnt do the Recovery first

    Here is the new Combo:



    ComboFix 08-08-19.06 - Owner 2008-08-20 20:54:53.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.598 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_SYSREST.SYS


    ((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
    .

    2008-08-18 22:41 . 2008-08-18 22:41 0 --a------ C:\WINDOWS\system32\2A.tmp
    2008-08-18 22:40 . 2008-08-18 22:40 0 --a------ C:\WINDOWS\system32\29.tmp
    2008-08-18 22:38 . 2008-08-18 22:38 0 --a------ C:\WINDOWS\system32\28.tmp
    2008-08-18 22:08 . 2008-08-18 22:08 0 --a------ C:\WINDOWS\system32\27.tmp
    2008-08-18 22:03 . 2008-08-18 22:03 0 --a------ C:\WINDOWS\system32\26.tmp
    2008-08-18 21:52 . 2008-08-18 21:52 0 --a------ C:\WINDOWS\system32\25.tmp
    2008-08-18 21:52 . 2008-08-18 21:52 0 --a------ C:\WINDOWS\system32\24.tmp
    2008-08-18 21:51 . 2008-08-18 21:51 0 --a------ C:\WINDOWS\system32\23.tmp
    2008-08-18 21:51 . 2008-08-18 21:51 0 --a------ C:\WINDOWS\system32\22.tmp
    2008-08-18 21:50 . 2008-08-18 21:50 0 --a------ C:\WINDOWS\system32\21.tmp
    2008-08-18 21:50 . 2008-08-18 21:50 0 --a------ C:\WINDOWS\system32\20.tmp
    2008-08-18 21:50 . 2008-08-18 21:50 0 --a------ C:\WINDOWS\system32\1F.tmp
    2008-08-18 21:49 . 2008-08-18 21:49 0 --a------ C:\WINDOWS\system32\1E.tmp
    2008-08-18 21:49 . 2008-08-18 21:49 0 --a------ C:\WINDOWS\system32\1D.tmp
    2008-08-18 21:48 . 2008-08-18 21:48 0 --a------ C:\WINDOWS\system32\1C.tmp
    2008-08-18 21:48 . 2008-08-18 21:48 0 --a------ C:\WINDOWS\system32\1B.tmp
    2008-08-17 19:40 . 2008-08-17 19:40 <DIR> d-------- C:\Program Files\COMODO
    2008-08-17 19:40 . 2008-08-17 19:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Comodo
    2008-08-17 19:40 . 2008-08-17 20:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
    2008-08-17 19:40 . 2008-08-17 19:40 143,104 --a------ C:\WINDOWS\system32\guard32.dll
    2008-08-17 19:40 . 2008-08-17 19:40 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
    2008-08-17 19:40 . 2008-08-17 19:40 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
    2008-08-17 12:20 . 2008-08-20 20:58 109,150 --a------ C:\WINDOWS\system32\drivers\51a3f7fb.sys
    2008-08-15 17:07 . 2004-08-03 22:58 23,040 --a------ C:\WINDOWS\system32\drivers\SETC.tmp
    2008-08-15 16:36 . 2004-08-03 22:58 23,040 --a------ C:\WINDOWS\system32\drivers\SET5.tmp
    2008-08-14 23:04 . 2008-08-14 23:04 <DIR> d-------- C:\Program Files\uTorrent
    2008-08-14 22:41 . 2008-08-14 22:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Corel
    2008-08-14 22:41 . 2008-08-14 22:41 2,516 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
    2008-08-14 22:41 . 2008-08-14 22:41 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\8D50F928AC.sys
    2008-08-14 22:35 . 2008-08-14 22:35 <DIR> d-------- C:\Program Files\Common Files\Protexis
    2008-08-14 22:35 . 2008-08-14 22:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
    2008-08-14 22:34 . 2008-08-14 22:34 <DIR> d-------- C:\Program Files\Common Files\Corel
    2008-08-14 22:33 . 2008-08-14 22:33 <DIR> d-------- C:\Program Files\Corel
    2008-08-06 08:05 . 2008-08-06 08:05 <DIR> d-------- C:\Program Files\Razor

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-21 01:46 --------- d-----w C:\Program Files\Trend Micro
    2008-08-21 00:17 --------- d-----w C:\Program Files\Downloads
    2008-08-14 02:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-06 12:42 --------- d-----w C:\Program Files\EA Games
    2008-07-15 02:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ubisoft
    2008-07-15 02:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ubisoft
    2008-07-15 02:02 --------- d-----w C:\Program Files\Ubisoft
    2008-07-07 05:13 --------- d-----w C:\Program Files\Bodog Poker
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-05-24 05:53 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
    2008-05-24 05:53 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
    2008-05-24 05:53 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
    .

    ------- Sigcheck -------

    2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
    2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe

    2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
    2007-03-08 10:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
    2004-08-04 07:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
    2005-03-02 13:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
    2007-03-08 10:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\user32.dll
    2007-03-08 10:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\dllcache\user32.dll

    2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
    2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll

    2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
    2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

    2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
    2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

    2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
    2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

    2005-03-01 19:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
    2007-02-28 04:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
    2004-08-04 07:00 2015232 fb142b7007ca2eea76966c6c5cc12150 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
    2005-03-01 19:34 2015232 3cd941e472ddf3534e53038535719771 C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
    2007-02-28 03:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
    2007-02-28 03:38 2015744 a58ac1c6199ef34228abee7fc057ae09 C:\WINDOWS\system32\ntkrnlpa.exe
    2007-02-28 03:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

    2005-03-01 20:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
    2007-02-28 04:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
    2004-08-04 07:00 2148352 626309040459c3915997ef98ec1c8d40 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
    2005-03-01 19:57 2135552 48b3e89af7074cee0314a3e0c7faffdb C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
    2007-02-28 04:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
    2007-02-28 04:08 2136064 1220faf071dea8653ee21de7dcda8bfd C:\WINDOWS\system32\ntoskrnl.exe
    2007-02-28 04:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\dllcache\ntoskrnl.exe

    2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\explorer.exe
    2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
    2004-08-04 07:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
    2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\dllcache\explorer.exe

    2004-08-04 07:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe
    2004-08-04 07:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\dllcache\services.exe

    2004-08-04 07:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe
    2004-08-04 07:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\dllcache\lsass.exe

    2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
    2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe

    2005-06-10 19:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
    2004-08-04 07:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
    2005-06-10 18:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\system32\spoolsv.exe
    2005-06-10 18:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\system32\dllcache\spoolsv.exe

    2004-08-04 07:00 24576 39b1ffb03c2296323832acbae50d2aff C:\WINDOWS\system32\userinit.exe
    2004-08-04 07:00 24576 39b1ffb03c2296323832acbae50d2aff C:\WINDOWS\system32\dllcache\userinit.exe
    .
    ((((((((((((((((((((((((((((( snapshot@2008-08-20_20.37.41.70 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-08-21 01:57:38 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_864.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-16 06:24 167368]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
    "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
    "COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-08-17 19:40 1655552]
    "RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16:08 16380416 C:\WINDOWS\RTHDCPL.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DualCoreCenter.lnk - C:\Program Files\ATI Technologies\ATI.ACE\StartUpDualCoreCenter.exe [2007-08-28 22:14:02 192512]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\puD00.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qmu81.sys]
    @="Driver"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SMrhcnv0j0etdv"=C:\Program Files\rhcnv0j0etdv\rhcnv0j0etdv.exe
    "lphcjv0j0etdv"=C:\WINDOWS\system32\lphcjv0j0etdv.exe
    "SecurDisc"=C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
    "BM3feda0db"=Rundll32.exe "C:\WINDOWS\system32\hosydagy.dll",s

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\NAMCO BANDAI Games\\Warhammer Mark of Chaos\\Warhammer.exe"=
    "C:\\Program Files\\Starcraft\\StarCraft.exe"=
    "C:\\Program Files\\HeroesOfAE\\Data\\engine.exe"=
    "C:\\Program Files\\BitLord\\BitLord.exe"=
    "C:\\Program Files\\EA Games\\Command and Conquer Generals\\game.dat"=
    "C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
    "C:\\Tri Synergy\\UFO Extraterrestrials\\TrueUpdate.exe"=
    "C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
    "C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
    "C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.0\\cnc3game.dat"=
    "C:\\Program Files\\Eidos\\Kane and Lynch Dead Men\\kaneandlynch.exe"=
    "C:\\Program Files\\Ubisoft\\Heroes of Might and Magic V Collector Edition\\bin\\H5_Game.exe"=
    "C:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
    "C:\\Program Files\\Microsoft Games\\Rise of Nations\\nations.exe"=
    "C:\\Program Files\\BitLord\\Downloads\\Magic\\Magic\\Manalink.exe"=
    "C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
    "C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
    "C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
    "C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
    "C:\\Program Files\\EA Games\\Ultima Online Mondain's Legacy\\client.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
    "3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 psdrv01a;CD Guard Environment Driver (v1a);C:\WINDOWS\system32\drivers\psdrv01a.sys [2006-07-05 07:55]
    R0 pshlp02;CD Guard Helper Driver (v2);C:\WINDOWS\system32\drivers\pshlp02.sys [2006-06-14 09:59]
    R0 pssync04;CD Guard Synchronization Driver (v4);C:\WINDOWS\system32\drivers\pssync04.sys [2006-08-11 08:52]
    R1 cmdguard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-08-17 19:40]
    R1 cmdhlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-08-17 19:40]
    R1 crlscsi;crlscsi;C:\WINDOWS\system32\drivers\crlscsi.sys [1995-11-07 03:57]
    R2 PSI_SVC_2;Protexis Licensing V2;c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [2007-07-24 11:15]
    S2 psrem01;CD Guard Drivers Auto Removal (v1);C:\WINDOWS\system32\psrem01.exe svc []
    S3 DualCoreCenter;DualCoreCenter;C:\Program Files\ATI Technologies\ATI.ACE\NTGLM7X.sys [2007-01-22 13:58]
    S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 07:00]
    S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 07:00]
    S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 07:00]
    S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 07:00]
    S3 RushTopDevice2;RushTopDevice2;C:\Program Files\ATI Technologies\ATI.ACE\RushTop.sys [2007-03-22 13:39]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a5ac468-55c7-11dc-8c9e-97a3e74b0bc5}]
    \Shell\AutoRun\command - F:\LaunchU3.exe
    .
    .
    ------- Supplementary Scan -------
    .
    R1 -: HKCU-Internet Settings,ProxyOverride = *.local
    O9 -: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-20 20:57:48
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\51a3f7fb]
    "ImagePath"="\SystemRoot\System32\drivers\51a3f7fb.sys"
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\system32\snmp.exe
    C:\WINDOWS\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-20 20:59:35 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-21 01:59:32
    ComboFix2.txt 2008-08-21 01:38:00

    Pre-Run: 58,584,485,888 bytes free
    Post-Run: 58,556,223,488 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    240 --- E O F --- 2008-07-12 18:17:17

  10. #10
    Member
    Join Date
    May 2008
    Posts
    42

    Default

    About 5 mins after I posted my last reply I was unable to do anything
    Anything I click on, desktop icons, trying to open stuff through my computer, even going to start,run trying to run an application I was unable too.
    Was this an effect of ComboFix?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •