View Full Version : problem with core.cache.dsk.....
Hi , I have tried to remove this nasty and so far i have had no luck.I have tried one method via safemode, but like everyone else,it always reppears.Again ,I have tried spybot, avast all to no avail.B##ger....I hope you can help me out... I have run Hijack this and the log is posted below. Cheers . Appreciate any help. Mike D.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:35:14 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183571294156
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183571280281
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 8263 bytes
Hi Mike D
We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Post:
- a fresh HijackThis log
- combofix report
Ok , Thanks for helping me out with this shaba!
both combo fix and hjt run with no probs so here are both the logs, again thanks for help.Cheers, Mike D
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:19 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183571294156
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183571280281
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 8143 bytes
hey sorry didnt realise that both logs will not fit in one post , My bad
Here is the combo fix log
ComboFix 08-02.03.1 - Apple 2008-02-04 17:22:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.211 [GMT 2:00]
Running from: C:\Documents and Settings\Apple\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.
2008-02-03 19:08 . 2008-02-03 19:08 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-02-03 16:34 . 2008-02-03 16:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-03 13:54 . 2008-02-03 13:54 <DIR> d-------- C:\Documents and Settings\Apple\Application Data\Leadertech
2008-02-02 13:55 . 2008-02-02 13:55 <DIR> d-------- C:\Program Files\Eidos Interactive
2008-02-02 13:07 . 2008-02-02 13:07 <DIR> d-------- C:\Documents and Settings\Apple\Application Data\CyberLink
2008-02-02 13:06 . 2008-02-02 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-01 23:31 . 2008-02-01 23:31 126,976 --a------ C:\WINDOWS\system32\UAService7.exe
2008-02-01 23:24 . 2008-02-01 23:45 <DIR> d-------- C:\Program Files\Giant
2008-02-01 21:14 . 2008-02-01 21:14 632 --a------ C:\WINDOWS\Qiii.INI
2008-02-01 21:05 . 2008-02-01 21:06 <DIR> d-------- C:\Quake III Arena
2008-02-01 15:21 . 2008-02-01 15:21 <DIR> d-------- C:\Program Files\uTorrent
2008-02-01 15:20 . 2008-02-02 15:09 <DIR> d-------- C:\Documents and Settings\Apple\Application Data\uTorrent
2008-01-29 22:23 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-01-29 22:23 . 2008-01-29 22:23 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-01-29 22:17 . 2008-01-29 22:17 <DIR> d-------- C:\Program Files\Eidos
2008-01-29 22:04 . 2004-07-26 16:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-01-29 22:04 . 2004-07-26 16:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-01-29 22:04 . 2004-07-26 16:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-01-29 22:04 . 2004-07-09 08:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2008-01-29 22:04 . 2004-07-26 16:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-01-29 22:04 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-01-29 22:04 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-01-29 22:03 . 2005-07-12 18:06 2,973,696 --------- C:\WINDOWS\NuNinst.exe
2008-01-29 22:03 . 2005-08-15 18:32 59,483 --------- C:\WINDOWS\NuNinst.cfg
2008-01-29 22:02 . 2008-01-29 22:02 <DIR> d-------- C:\WINDOWS\InCD
2008-01-29 22:02 . 2008-01-29 22:03 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-01-29 22:02 . 2008-01-29 22:04 <DIR> d-------- C:\Program Files\Ahead
2008-01-29 22:02 . 2005-07-08 17:17 99,584 --------- C:\WINDOWS\system32\drivers\InCDfs.sys
2008-01-29 22:02 . 2005-07-08 17:17 29,696 --------- C:\WINDOWS\system32\drivers\InCDpass.sys
2008-01-29 22:02 . 2005-07-08 16:17 28,672 --------- C:\WINDOWS\system32\drivers\InCDrm.sys
2008-01-29 22:02 . 2005-07-08 17:17 8,704 --------- C:\WINDOWS\system32\drivers\InCDrec.sys
2008-01-29 22:00 . 2008-01-29 22:00 <DIR> d-------- C:\Program Files\CyberLink
2008-01-29 21:59 . 2008-01-29 22:02 <DIR> d-------- C:\Program Files\CyberLink DVD Solution
2008-01-29 21:59 . 2008-01-29 21:59 <DIR> d-------- C:\MyWorks
2008-01-29 21:59 . 2004-10-01 15:00 40,960 --a------ C:\Program Files\Uninstall_CDS.exe
2008-01-28 22:13 . 2008-01-28 22:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-28 21:29 . 2007-12-04 15:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-28 21:29 . 2004-01-09 11:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-28 21:29 . 2007-12-04 14:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-28 21:29 . 2007-12-04 16:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-28 21:29 . 2007-12-04 16:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-28 21:29 . 2007-12-04 16:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-28 21:29 . 2007-12-04 16:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-28 21:29 . 2007-12-04 16:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-27 17:28 . 2008-01-27 17:28 <DIR> d-------- C:\Documents and Settings\Apple\Application Data\vlc
2008-01-27 17:26 . 2008-01-27 17:26 <DIR> d-------- C:\Program Files\VideoLAN
2008-01-27 17:15 . 2008-01-27 17:15 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-27 17:15 . 2008-01-27 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-27 17:00 . 2008-01-27 17:00 <DIR> d-------- C:\Program Files\Xvid
2008-01-27 17:00 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-01-27 17:00 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-01-27 17:00 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-01-27 14:58 . 2008-01-27 15:13 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-01-27 14:58 . 2008-01-27 15:13 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-01-27 14:57 . 2004-08-04 09:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-26 20:11 . 2008-01-27 20:58 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-01-26 14:52 . 2008-01-26 14:52 <DIR> d-------- C:\Program Files\Opera
2008-01-24 19:32 . 2008-01-24 19:32 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-24 19:32 . 2008-01-24 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-21 21:56 . 2008-01-21 22:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-21 21:56 . 2008-01-21 21:56 <DIR> d-------- C:\Documents and Settings\Apple\Application Data\SUPERAntiSpyware.com
2008-01-21 18:06 . 2008-01-24 18:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-21 18:06 . 2008-01-24 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-21 17:48 . 2008-01-21 17:48 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-01-21 17:48 . 2008-01-21 17:48 <DIR> d-------- C:\Documents and Settings\Apple\Application Data\Sunbelt Software
2008-01-20 13:59 . 2001-03-17 21:34 22,528 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-01-20 13:59 . 2002-07-17 08:05 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-01-20 13:04 . 2008-02-04 17:27 2,605,088 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-20 13:04 . 2008-02-04 17:25 32,600 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-20 13:02 . 2008-01-20 13:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-19 19:09 . 2008-01-19 19:09 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-01-19 19:09 . 2008-01-19 19:09 <DIR> d-------- C:\Documents and Settings\Apple\Application Data\TuneUp Software
2008-01-19 19:09 . 2008-01-19 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-01-19 19:09 . 2008-01-19 19:09 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-01-19 19:09 . 2008-01-19 19:09 86,144 --a------ C:\WINDOWS\system32\drivers\atapii.sys
2008-01-19 19:09 . 2007-12-20 10:41 29,440 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-01-19 19:08 . 2008-01-24 18:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-13 18:23 . 2008-01-13 18:23 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-12 17:01 . 2008-01-13 12:27 <DIR> d-------- C:\Documents and Settings\Apple\Application Data\Joost
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 18:09 103,333 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_02_03_19_57_58_small.dmp.zip
2008-02-02 12:16 2,030,592 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-02-01 21:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-01 18:09 2,655,744 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-02-01 18:09 2,002,432 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-02-01 13:20 --------- d-----w C:\Documents and Settings\Apple\Application Data\BitTorrent
2008-01-27 13:07 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-27 12:57 --------- d-----w C:\Program Files\Google
2008-01-26 18:24 --------- d-----w C:\Program Files\BitTorrent
2008-01-22 19:16 3,165,971 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-01-21 17:28 1,916,416 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-01-12 15:12 --------- d-----w C:\Program Files\Doom 3
2007-12-28 23:08 --------- d-----w C:\Documents and Settings\Apple\Application Data\Canon
2007-12-17 16:43 16,325,161 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_12_16_17_17_32_full.dmp.zip
2007-12-17 16:43 113,851 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_12_16_17_12_14_small.dmp.zip
2007-12-14 09:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-14 14:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-14 14:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-08 14:16 127,034 ------r C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-19 13:36 1,740,800 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2007-08-09 13:32 1,608,192 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2007-07-11 19:49 15,909,766 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_07_11_20_51_00_full.dmp.zip
2007-07-11 19:49 114,797 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_07_11_20_45_31_small.dmp.zip
2007-07-11 14:28 15,895,556 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_07_10_16_22_43_full.dmp.zip
2007-07-11 14:28 113,294 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_07_10_16_17_20_small.dmp.zip
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 14:28 577536 C:\WINDOWS\soundman.exe]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 12:19 69632]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-10-22 11:22 86016]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 11:22 7700480]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-03-28 16:38 94208 C:\WINDOWS\KHALMNPR.Exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 08:14 270648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 15:00 79224]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-08 16:25 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
C:\Documents and Settings\Apple\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-05-04 21:39:42 2913840]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-10-06 21:47:16 573440]
R1 atapii;atapii;C:\WINDOWS\system32\drivers\atapii.sys [2008-01-19 19:09]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 09:56]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 08:05]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-01-19 19:09]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 17:22:06 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-02-02 20:23:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 17:27:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-04 17:30:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-04 15:30:07
.
2008-01-27 13:19:48 --- E O F ---
Hi
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\drivers\atapii.sys
Driver::
atapii
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Hello , again , no probs with either programme. Here are the logs u requested.Cheers Mike D
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:03 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183571294156
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183571280281
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 8143 bytes
ok , now for the combo fix log , thx
ComboFix 08-02.03.1 - Apple 2008-02-04 19:07:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.196 [GMT 2:00]
Running from: C:\Documents and Settings\Apple\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Apple\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\WINDOWS\system32\drivers\atapii.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\atapii.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\atapii.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_ATAPII
-------\atapii
((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.
2008-02-03 16:34 . 2008-02-03 16:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-03 13:54 . 2008-02-03 13:54 <DIR> d-------- C:\Documents and Settings\Apple\Application Data\Leadertech
2008-02-02 13:55 . 2008-02-02 13:55 <DIR> d-------- C:\Program Files\Eidos Interactive
2008-02-02 13:07 . 2008-02-02 13:07 <DIR> d-------- C:\Documents and Settings\Apple\Application Data\CyberLink
2008-02-02 13:06 . 2008-02-02 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-01 23:31 . 2008-02-01 23:31 126,976 --a------ C:\WINDOWS\system32\UAService7.exe
2008-02-01 23:24 . 2008-02-01 23:45 <DIR> d-------- C:\Program Files\Giant
2008-02-01 21:14 . 2008-02-01 21:14 632 --a------ C:\WINDOWS\Qiii.INI
2008-02-01 21:05 . 2008-02-01 21:06 <DIR> d-------- C:\Quake III Arena
2008-02-01 15:21 . 2008-02-01 15:21 <DIR> d-------- C:\Program Files\uTorrent
2008-02-01 15:20 . 2008-02-02 15:09 <DIR> d-------- C:\Documents and Settings\Apple\Application Data\uTorrent
2008-01-29 22:23 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-01-29 22:23 . 2008-01-29 22:23 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-01-29 22:17 . 2008-01-29 22:17 <DIR> d-------- C:\Program Files\Eidos
2008-01-29 22:04 . 2004-07-26 16:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-01-29 22:04 . 2004-07-26 16:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-01-29 22:04 . 2004-07-26 16:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-01-29 22:04 . 2004-07-09 08:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2008-01-29 22:04 . 2004-07-26 16:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-01-29 22:04 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-01-29 22:04 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-01-29 22:03 . 2005-07-12 18:06 2,973,696 --------- C:\WINDOWS\NuNinst.exe
2008-01-29 22:03 . 2005-08-15 18:32 59,483 --------- C:\WINDOWS\NuNinst.cfg
2008-01-29 22:02 . 2008-01-29 22:02 <DIR> d-------- C:\WINDOWS\InCD
2008-01-29 22:02 . 2008-01-29 22:03 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-01-29 22:02 . 2008-01-29 22:04 <DIR> d-------- C:\Program Files\Ahead
2008-01-29 22:02 . 2005-07-08 17:17 99,584 --------- C:\WINDOWS\system32\drivers\InCDfs.sys
2008-01-29 22:02 . 2005-07-08 17:17 29,696 --------- C:\WINDOWS\system32\drivers\InCDpass.sys
2008-01-29 22:02 . 2005-07-08 16:17 28,672 --------- C:\WINDOWS\system32\drivers\InCDrm.sys
2008-01-29 22:02 . 2005-07-08 17:17 8,704 --------- C:\WINDOWS\system32\drivers\InCDrec.sys
2008-01-29 22:00 . 2008-01-29 22:00 <DIR> d-------- C:\Program Files\CyberLink
2008-01-29 21:59 . 2008-01-29 22:02 <DIR> d-------- C:\Program Files\CyberLink DVD Solution
2008-01-29 21:59 . 2008-01-29 21:59 <DIR> d-------- C:\MyWorks
2008-01-29 21:59 . 2004-10-01 15:00 40,960 --a------ C:\Program Files\Uninstall_CDS.exe
2008-01-28 22:13 . 2008-01-28 22:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-28 21:29 . 2007-12-04 15:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-28 21:29 . 2004-01-09 11:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-28 21:29 . 2007-12-04 14:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-28 21:29 . 2007-12-04 16:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-28 21:29 . 2007-12-04 16:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-28 21:29 . 2007-12-04 16:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-28 21:29 . 2007-12-04 16:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-28 21:29 . 2007-12-04 16:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-27 17:28 . 2008-01-27 17:28 <DIR> d-------- C:\Documents and Settings\Apple\Application Data\vlc
2008-01-27 17:26 . 2008-01-27 17:26 <DIR> d-------- C:\Program Files\VideoLAN
2008-01-27 17:15 . 2008-01-27 17:15 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-27 17:15 . 2008-01-27 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-27 17:00 . 2008-01-27 17:00 <DIR> d-------- C:\Program Files\Xvid
2008-01-27 17:00 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-01-27 17:00 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-01-27 17:00 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-01-27 14:58 . 2008-01-27 15:13 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-01-27 14:58 . 2008-01-27 15:13 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-01-27 14:57 . 2004-08-04 09:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-26 20:11 . 2008-01-27 20:58 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-01-26 14:52 . 2008-01-26 14:52 <DIR> d-------- C:\Program Files\Opera
2008-01-24 19:32 . 2008-01-24 19:32 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-24 19:32 . 2008-01-24 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-21 21:56 . 2008-01-21 22:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-21 21:56 . 2008-01-21 21:56 <DIR> d-------- C:\Documents and Settings\Apple\Application Data\SUPERAntiSpyware.com
2008-01-21 18:06 . 2008-01-24 18:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-21 18:06 . 2008-01-24 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-21 17:48 . 2008-01-21 17:48 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-01-21 17:48 . 2008-01-21 17:48 <DIR> d-------- C:\Documents and Settings\Apple\Application Data\Sunbelt Software
2008-01-20 13:59 . 2001-03-17 21:34 22,528 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-01-20 13:59 . 2002-07-17 08:05 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-01-20 13:04 . 2008-02-04 19:11 2,637,856 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-20 13:04 . 2008-02-04 19:10 32,984 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-20 13:02 . 2008-01-20 13:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-19 19:09 . 2008-01-19 19:09 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-01-19 19:09 . 2008-01-19 19:09 <DIR> d-------- C:\Documents and Settings\Apple\Application Data\TuneUp Software
2008-01-19 19:09 . 2008-01-19 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-01-19 19:09 . 2008-01-19 19:09 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-01-19 19:09 . 2007-12-20 10:41 29,440 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-01-19 19:08 . 2008-01-24 18:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-13 18:23 . 2008-01-13 18:23 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-12 17:01 . 2008-01-13 12:27 <DIR> d-------- C:\Documents and Settings\Apple\Application Data\Joost
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 18:09 103,333 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_02_03_19_57_58_small.dmp.zip
2008-02-02 12:16 2,030,592 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-02-01 21:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-01 18:09 2,655,744 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-02-01 18:09 2,002,432 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-02-01 13:20 --------- d-----w C:\Documents and Settings\Apple\Application Data\BitTorrent
2008-01-27 13:07 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-27 12:57 --------- d-----w C:\Program Files\Google
2008-01-26 18:24 --------- d-----w C:\Program Files\BitTorrent
2008-01-22 19:16 3,165,971 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-01-21 17:28 1,916,416 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-01-12 15:12 --------- d-----w C:\Program Files\Doom 3
2007-12-28 23:08 --------- d-----w C:\Documents and Settings\Apple\Application Data\Canon
2007-12-17 16:43 16,325,161 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_12_16_17_17_32_full.dmp.zip
2007-12-17 16:43 113,851 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_12_16_17_12_14_small.dmp.zip
2007-11-14 14:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-08 14:16 127,034 ------r C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-10-19 13:36 1,740,800 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2007-08-09 13:32 1,608,192 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2007-07-11 19:49 15,909,766 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_07_11_20_51_00_full.dmp.zip
2007-07-11 19:49 114,797 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_07_11_20_45_31_small.dmp.zip
2007-07-11 14:28 15,895,556 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_07_10_16_22_43_full.dmp.zip
2007-07-11 14:28 113,294 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_07_10_16_17_20_small.dmp.zip
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 14:28 577536 C:\WINDOWS\soundman.exe]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 12:19 69632]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-10-22 11:22 86016]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 11:22 7700480]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-03-28 16:38 94208 C:\WINDOWS\KHALMNPR.Exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 08:14 270648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 15:00 79224]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-08 16:25 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
C:\Documents and Settings\Apple\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-05-04 21:39:42 2913840]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-10-06 21:47:16 573440]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 09:56]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 08:05]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-01-19 19:09]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 17:22:06 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-02-02 20:23:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 19:11:44
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-04 19:14:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-04 17:14:43
ComboFix2.txt 2008-02-04 15:30:13
.
2008-01-27 13:19:48 --- E O F ---
Hi
Looks better :)
Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (If available otherwise Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.
Note: This scanner will work with Internet Explorer Only!
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
Post:
- a fresh HijackThis log
- kaspersky report
Hi. Ok so I ran kaspersky for almost 2 hours(phew) and something totally unexpected happened....the staus bar had reached approximately 90% then my pc rebooted.automatically.i was not at the pc at the time but last time I checked before the reboot the status had read around 80% complete. This has been a problem in the past with other scanning utilities, and i had hoped that these fixes might iron this out.But there could be the chance that it is hard ware related???Any how I hope you can shed some light on this but I gotta say up till now your help has been great!! Here is a least the freshest hjt log if this helps....Huge thanks Mike D
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:11 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183571294156
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183571280281
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 8319 bytes
Hey , ps I will try the kaspersky scan again tomorrow to see if yields similar result(s) ,hopefully no automatic reboot...thanks Mike D
Hi
Yes, that might be hardware related.
If no go with re-scan, we'll try something else later :)
Hi , I have just had another go with kaspersky and I have had the same problem...automatic reboot around 90% complete of scan, I think there is a way that I can stop these auto reboots that will also produce an error report, but that is for another day....what is our next step shaba??:)Cheers Mike D.
Hi
Please print these instructions out, or write them down, as you can't read them during the fix.
Please download MWav (http://www.spywareinfo.dk/download/mwav.exe):
Unzip it to its predetermined directory (C:\Kaspersky)
Locate kavupd.exe in the new folder and double-click to Update.
If your firewall gives any messages about this program accessing to internet, allow it.
If it says the signatures are more than 30 days old, keep trying, until you get the actual definition updates.
When you see Updates Downloaded Successfully, hit Enter to continue.
Restart onto Safe Mode (http://www.pchell.com/support/safemode.shtml) and locate the Kaspersky folder.
Locate mwavscan.com and double-click on it to launch the MWAV Scanner.Now lets do the settings:
Leave the Default Settings checked.
Add a check to Drives
This will light up All Drives
Add a check to Scan all Files
Click Scan Clean to begin.
This scan might take around 3+ hours to finish when set to scan everything.
Please be sure it has finished before proceeding.
Once the Scan has finished, all entries identified as Infected, will be displayed in the lower panel.
Highlight everything that is inside the lower panel and hit Ctrl+C at the same time to copy.
Open an empty notepad file and paste the results (Ctrl+V) to it. Save the notepad to your desktop, name it as you want (e.g; MWav Results).Reboot into normal Windows and post the results here along with a fresh HijackThis log.
Hi , have tried the mwav scan twice in safe mode and much to my frustration, my system has restarted on both attempts.I have no idea what the source of this problem is?? Are there any other solutions available now shaba??
Cheers , Mike
Hi
What is the temperature of your CPU?
hi
everything seemsnormal .....
System temp 45-47
cpu surface 45
cpu core 62
not sure what is up.......
Thanks, Mike
Hi
You can try to open computer case and remove dust from coolers and try again, please.
Due to the lack of feedback this Topic is closed.
If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.
Everyone else please begin a New Topic.