MSN Live virus



viktors
2008-03-25, 15:10
Hello, sorry I am posting here, but only your forum can help me. Please, I have a problem: when I log in to my MSN Live and enter a conversation with some friend, after 2-3 minutes a text in some strange language shows up, and there is a link to download something.

and it says that I sent him this text:

me Siguri edhe ti ktu te koke [email of my friend shows here]

Please, you are the only people that I trust!

viktors
2008-03-25, 15:11
My mouse pad blocks for 10 sec and then it shows up.

viktors
2008-03-25, 17:53
I think this is a virus, please someone post back.

C:\WINDOWS\live.messenger.com

but I can't find it.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:21 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Vista Drive Icon\DrvIcon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\live.messenger.com
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\TuneUp Utilities 2007\ProcessManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealOne Player\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FLASHGET\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSN Messenger] live.messenger.com
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\RunServices: [MSN Messenger] live.messenger.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [speedfan] C:\Program Files\SpeedFan\speedfan.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: DajTube - Download - http://www.dajtube.com/fetch.php
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: fsmgmt - C:\WINDOWS\SYSTEM32\fsmgmt.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 7648 bytes

shelf life
2008-03-29, 16:10
hi viktors,

First we will use HJT; then boot into safe mode to look for a file.

Start HJT and click the "Scan" button. Check the items below, close any open windows, then click "Fix checked":

O4 - HKLM\..\Run: [MSN Messenger] live.messenger.com

O4 - HKLM\..\RunServices: [MSN Messenger] live.messenger.com

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
-----------------------
Boot into safe mode. You might want to copy/paste this into Notepad and save it so you can find it in safe mode.

To reach safe mode, tap the F8 key during a computer restart and choose the first option: Safe Mode.

Once in safe mode, to show all files:

For XP: on the desktop double-click My Computer, go to Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files", also UNcheck "Hide extensions for known file types", click Apply to All Folders, Apply, then OK.

Navigate here:
C:\WINDOWS
See if you can find and delete:
live.messenger.com
and
MSN.com

Go to Start > Run and type: cleanmgr. Windows will scan. When done, check these 3 and press OK to remove:

Temporary Files
Temporary Internet Files
Recycle Bin
--------------------------------
Reboot the computer normally, then download, install and do a complete scan with:

Please download Malwarebytes' Anti-Malware to your desktop:

http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the above log and a new HJT log.

Did you download/install this packet capture library: WinPcap?
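As an added example (my own code, not a tool from this thread and not HijackThis's own logic), here is a small Python script that triages a HijackThis log automatically: it parses the process list and the O4/O7/O20/O23 entries and flags the patterns shelf life picked out by hand. The sample log inside is constructed from lines quoted in this thread; the rules are heuristics, and `triage`, `check_o4` and `hostlike_file` are names of my own.

```python
# Added example, not from this thread and not HijackThis's own logic: flag the
# HJT log patterns the helper picked out by hand. The rules are heuristics.
import re
from dataclasses import dataclass

@dataclass
class Finding:
    section: str  # "process" or the HJT tag, e.g. "O4"
    reason: str   # why the line deserves a second look
    line: str     # the original log line, untouched

# "O4 - rest", "R0 - rest", "F2 - rest": the tag, then the raw remainder.
_ENTRY = re.compile(r"^(?P<tag>[RFO]\d+) - (?P<rest>.+)$")
# O4 remainder: HKLM\..\Run: [Name] command
_O4 = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 loading a DLL and calling an export: rundll32.exe "x.dll",s
_RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S*)', re.I)
# A file name that reads like a web host: live.messenger.com, MSN.com
_HOSTLIKE = re.compile(r"^[\w-]+(?:\.[\w-]+)*\.(?:com|net|org|info)$", re.I)
_POLICY = re.compile(r"(?P<name>Disable\w+)=1")  # O7: ...\Policies\System, DisableRegedit=1

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def hostlike_file(path: str) -> bool:
    """True when the file name reads like a web host. command.com in system32 is the
    legitimate exception, so a single-dot name only counts directly under the Windows dir."""
    name = basename(path)
    if not _HOSTLIKE.match(name):
        return False
    parent = path.replace("/", "\\").rsplit("\\", 1)[0].lower() if "\\" in path else ""
    return name.count(".") >= 2 or parent.endswith(":\\windows")

def check_o4(rest: str, line: str) -> list:
    """Rules for autostart (O4) entries; returns zero or more findings."""
    m = _O4.match(rest)
    if not m:
        return []
    out, cmd = [], m.group("cmd").strip().strip('"')
    # Startup item named like a domain with no directory: the thread's live.messenger.com in C:\WINDOWS.
    if "\\" not in cmd and _HOSTLIKE.match(cmd):
        out.append(Finding("O4", f"host-like file name with no path: {cmd}", line))
    # rundll32 calling a one-letter export of a DLL in system32 under a
    # random-looking value name (the masygwlx.dll / swvoeexp.dll pattern).
    r = _RUNDLL.match(cmd)
    if r and len(r.group("export")) == 1 and "\\system32\\" in r.group("dll").lower():
        out.append(Finding("O4", f"rundll32 one-letter export from {basename(r.group('dll'))}", line))
    # RunServices is only honoured by Windows 9x/ME; on XP it is a leftover or a decoy.
    if m.group("key").lower() == "runservices":
        out.append(Finding("O4", "RunServices key used on an NT-based system", line))
    return out

def triage(log_text: str) -> list:
    """Walk a whole HJT log and return the lines worth a second look, in order."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = _ENTRY.match(line)
        if m:
            in_processes = False  # the first R/F/O entry ends the process list
            tag, rest = m.group("tag"), m.group("rest")
            if tag == "O4":
                findings.extend(check_o4(rest, line))
            elif tag == "O7":
                names = _POLICY.findall(rest)
                if names:
                    findings.append(Finding("O7", "policy restriction set: " + ", ".join(names), line))
            elif tag == "O20" and rest.startswith("Winlogon Notify:"):
                findings.append(Finding("O20", "Winlogon Notify DLL, loaded at every logon: verify the file", line))
            elif tag == "O23" and rest.endswith("(file missing)"):
                findings.append(Finding("O23", "service points at a missing binary (orphaned entry)", line))
        elif in_processes and hostlike_file(line):
            findings.append(Finding("process", "running executable named like a web host", line))
    return findings

# Constructed sample: a cut-down log assembled from lines quoted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\live.messenger.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSN Messenger] live.messenger.com
O4 - HKLM\..\RunServices: [MSN Messenger] live.messenger.com
O4 - HKLM\..\Run: [BM7b9babbf] Rundll32.exe "C:\WINDOWS\system32\swvoeexp.dll",s
O4 - HKLM\..\Run: [78a89823] rundll32.exe "C:\WINDOWS\system32\masygwlx.dll",b
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: ddcBUlKA - C:\WINDOWS\SYSTEM32\ddcBUlKA.dll
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a full log pasted into SAMPLE_LOG and compare the flagged lines with the ones the helper asked to fix; a legitimate entry such as NvCplDaemon stays silent.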

viktors
2008-03-29, 16:24
HERE IS MY NEW LOG, before I do anything

viktors
2008-03-29, 16:29
HERE IS MY NEW LOG, before I do anything

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:02 PM, on 3/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Vista Drive Icon\DrvIcon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\WINDOWS\live.messenger.com
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSN Messenger] live.messenger.com
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BM7b9babbf] Rundll32.exe "C:\WINDOWS\system32\swvoeexp.dll",s
O4 - HKLM\..\Run: [78a89823] rundll32.exe "C:\WINDOWS\system32\masygwlx.dll",b
O4 - HKLM\..\RunServices: [MSN Messenger] live.messenger.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [speedfan] C:\Program Files\SpeedFan\speedfan.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: DajTube - Download - http://www.dajtube.com/fetch.php
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 6450 bytes

viktors
2008-03-29, 16:30
I have installed WinPcap.

shelf life
2008-03-29, 17:27
hi,

"i have installed WinPcap"

ok, no problem

Go ahead with the instructions; it's only a starting point, no doubt there will be more to do.

viktors
2008-03-29, 18:12
I have done everything you told me, and after the restart two programs showed up:

first: Pic1.jpg

after I press OK

second: pic2.gif

HERE IS MY HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:01:19 PM, on 3/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Vista Drive Icon\DrvIcon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: {d60561ef-0f38-2849-0594-74a3ae4b3652} - {2563b4ea-3a47-4950-9482-83f0fe16506d} - C:\WINDOWS\system32\goqeware.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealOne Player\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {BFA7416F-6EBA-43E5-B485-D32C6C78E1DB} - C:\WINDOWS\system32\ddcBUlKA.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FLASHGET\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [78a89823] rundll32.exe "C:\WINDOWS\system32\masygwlx.dll",b
O4 - HKLM\..\Run: [BM7b9babbf] Rundll32.exe "C:\WINDOWS\system32\swvoeexp.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [speedfan] C:\Program Files\SpeedFan\speedfan.exe
O8 - Extra context menu item: DajTube - Download - http://www.dajtube.com/fetch.php
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O20 - Winlogon Notify: ddcBUlKA - C:\WINDOWS\SYSTEM32\ddcBUlKA.dll
O20 - Winlogon Notify: fsmgmt - C:\WINDOWS\SYSTEM32\fsmgmt.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 7349 bytes

viktors
2008-03-29, 18:14
HERE IS THE MALWAREBYTES LOG:

Malwarebytes' Anti-Malware 1.09
Database version: 564

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 125755
Time elapsed: 1 hour(s), 1 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\masygwlx.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\iifGVmli.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d007fcd7-d3c0-4b28-86fb-05a05e158a6b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d007fcd7-d3c0-4b28-86fb-05a05e158a6b} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifgvmli -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\masygwlx.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xlwgysam.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iifGVmli.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ilmVGfii.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ilmVGfii.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.

viktors
2008-03-29, 18:20
I have changed my antivirus; I have NOD32 Business. I was a short time without antivirus (I was installing NOD32),

and I got a new virus, or malware.

Here are the pics.
It shows in my Internet Explorer 7.

Here, look at my attachments :sad:

viktors
2008-03-29, 18:29
I also found something strange in my Task Manager.

Look at my attachment :sad::sad:

viktors
2008-03-30, 00:00
Please hurry, my computer is now full of viruses, my Task Manager isn't working, my My Computer has changed, I can't use Internet Explorer 7, I have lots of pop-ups showing, my computer is slow, I think that I need a doctor (a surgeon to fix my comp now :) ), please help me :sad::sad:

I am dead, help me.

shelf life
2008-03-30, 13:01
Hi,

Another download to run:

Download ComboFix from one of these links and save it to your Desktop:

http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

As a precaution, before using ComboFix:

1. * Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
* Click on the link below to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
* Remember to re-enable the protection again afterwards before connecting to the net.

link:
http://www.bleepingcomputer.com/forums/topic114351.html

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.

* If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
* If there is no Internet connection when ComboFix has completely finished, restart your computer to restore the connection.

3. Now double-click on ComboFix.exe and follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.

viktors
2008-03-30, 14:10
OK, things are good already. Here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:31 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Vista Drive Icon\DrvIcon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealOne Player\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FLASHGET\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [speedfan] C:\Program Files\SpeedFan\speedfan.exe
O8 - Extra context menu item: DajTube - Download - http://www.dajtube.com/fetch.php
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O20 - Winlogon Notify: fsmgmt - C:\WINDOWS\SYSTEM32\fsmgmt.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 6862 bytes

viktors
2008-03-30, 14:14
Ok, look at my attachment.

I have NOD32 Business but I am not sure if that is good. Can you tell me what antivirus is good for my comp? I had Kaspersky Internet Security and Kaspersky antivirus but my computer is slow with these :sad:

Please tell me what antivirus is good and not eating my RAM

Thanks

shelf life
2008-03-30, 15:47
hi viktors,

Ok good. I have pasted your combo log below for easier viewing:

ComboFix 08-03-30.1 - Viktor Salonski 2008-03-30 13:55:30.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1251.381.1033.18.377 [GMT 2:00]
Running from: C:\Documents and Settings\Viktor Salonski\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM7b9babbf.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ddcBUlKA.dll
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\fdohxpwu.dll
C:\WINDOWS\system32\fsuxkibq.dll
C:\WINDOWS\system32\goqeware.dll
C:\WINDOWS\system32\macgjaxo.ini
C:\WINDOWS\system32\mlJYoppo.dll
C:\WINDOWS\system32\opnoLcbX.dll
C:\WINDOWS\system32\oppoYJlm.ini
C:\WINDOWS\system32\oppoYJlm.ini2
C:\WINDOWS\system32\oxajgcam.dll
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pskill.exe
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\swvoeexp.dll
C:\WINDOWS\system32\vtUlMedD.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\win32.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\wvUnKEuT.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\NPF


((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-29 16:49 . 2008-03-29 16:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-29 16:49 . 2008-03-29 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-29 16:48 . 2008-03-29 16:48 <DIR> d-------- C:\Documents and Settings\Viktor Salonski\Application Data\Malwarebytes
2008-03-29 14:13 . 2008-01-07 14:29 352 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-03-29 14:10 . 2008-03-29 14:10 <DIR> d-------- C:\Program Files\ESET
2008-03-29 13:36 . 2008-03-29 13:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-03-28 13:13 . 2008-03-30 01:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-28 13:13 . 2008-03-28 13:13 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-25 16:32 . 2008-03-25 16:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-03-25 15:29 . 2008-03-25 15:29 <DIR> d--hs---- C:\FOUND.040
2008-03-25 00:11 . 2008-03-25 00:11 <DIR> d-------- C:\Documents and Settings\Viktor Salonski\Application Data\FLV Extract
2008-03-23 14:52 . 2008-03-23 14:52 <DIR> d-------- C:\Program Files\Total Video Converter
2008-03-23 14:42 . 2008-03-23 14:42 <DIR> d-------- C:\VideoOutput
2008-03-23 14:41 . 2008-03-23 14:41 <DIR> d-------- C:\Program Files\AVD Video Processor 7.7 TRIAL
2008-03-22 14:43 . 2008-03-22 14:48 6,993 --a------ C:\WINDOWS\system32\fsmgmt.dll
2008-03-21 16:35 . 2008-03-21 16:35 <DIR> d-------- C:\WINDOWS\system32\VIRepair
2008-03-16 23:54 . 2008-03-16 23:54 <DIR> d-------- C:\Documents and Settings\Viktor Salonski\Application Data\Submersible
2008-03-16 23:53 . 2006-03-31 02:39 368,640 --a------ C:\WINDOWS\system32\ReWire.dll
2008-03-16 23:53 . 2006-03-30 01:11 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2008-03-16 23:30 . 2008-03-16 23:30 <DIR> d-------- C:\Program Files\Paint.NET
2008-03-16 23:27 . 2008-03-16 23:27 <DIR> d-------- C:\Program Files\Vista Drive Icon
2008-03-11 17:51 . 2008-03-11 17:51 <DIR> d-------- C:\vcs5BGEffects
2008-03-10 23:54 . 2008-03-10 23:54 <DIR> d-------- C:\My Music
2008-03-10 08:00 . 2008-03-10 08:00 <DIR> d--hs---- C:\FOUND.039
2008-03-08 16:23 . 2008-03-08 16:23 <DIR> d--hs---- C:\FOUND.038
2008-03-08 15:46 . 2008-03-08 15:46 <DIR> drahs---- C:\dcht
2008-03-08 15:39 . 2008-03-08 15:39 <DIR> d-------- C:\Documents and Settings\Viktor Salonski\Application Data\WNR
2008-03-07 03:08 . 2008-03-07 03:08 3,072 --ahs---- C:\Thumbs.db
2008-03-07 03:07 . 2008-03-07 03:07 1,127,243 --a------ C:\Misolovka.wmv
2008-03-06 18:05 . 2008-03-06 18:05 <DIR> d-------- C:\Program Files\Sony
2008-03-06 18:05 . 2008-03-06 18:05 <DIR> d-------- C:\Documents and Settings\Viktor Salonski\Application Data\Sony
2008-03-06 18:04 . 2008-03-06 18:04 <DIR> d-------- C:\Program Files\Sony Setup
2008-03-02 15:27 . 2008-03-02 15:27 <DIR> d-------- C:\Program Files\AV Vcs 6.0 DIAMOND
2008-02-28 21:14 . 2008-02-28 21:14 176 --a------ C:\WINDOWS\wininit.ini
2008-02-28 21:10 . 2008-02-28 21:10 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 1
2008-02-28 20:39 . 2008-02-28 20:39 <DIR> d-------- C:\Program Files\Pricaonica
2008-02-27 13:01 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-27 13:01 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-27 13:01 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-26 18:59 . 2008-02-26 18:59 <DIR> d-------- C:\Program Files\Windows Live
2008-02-26 18:59 . 2008-02-26 18:59 <DIR> d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-26 18:59 . 2008-02-26 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-25 17:55 . 2008-02-25 17:55 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-25 16:59 . 2008-02-25 15:14 <DIR> d-------- C:\SDFix
2008-02-24 22:54 . 2008-02-24 22:54 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-24 22:20 . 2008-02-24 22:20 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-24 19:42 . 2008-02-24 19:42 <DIR> d--hs---- C:\FOUND.037
2008-02-22 14:12 . 2008-02-22 14:12 28,672 --a------ C:\WINDOWS\system32\klfv.exe
2008-02-22 14:07 . 2008-02-22 14:07 <DIR> d-------- C:\Program Files\FolderVault
2008-02-22 14:07 . 2008-02-22 14:07 921,654 --a------ C:\WINDOWS\stones6865E094.bmp
2008-02-22 14:07 . 2008-02-22 14:07 135,168 --a------ C:\WINDOWS\system32\Lock.dll
2008-02-22 14:07 . 2008-02-22 14:11 1,940 --a------ C:\WINDOWS\system32\fv2.lic
2008-02-22 14:07 . 2008-02-22 14:07 19 --a------ C:\WINDOWS\CTDChannels_Version.6865E094.cdf
2008-02-22 13:50 . 2008-02-22 13:50 <DIR> d-------- C:\Program Files\Folder Lock
2008-02-22 13:50 . 2007-12-02 19:54 79,920 --a------ C:\WINDOWS\system32\FLKill.exe
2008-02-22 13:50 . 2008-02-22 14:20 20 --a------ C:\sccfg.sys
2008-02-21 19:54 . 2008-02-21 19:54 <DIR> d--hs---- C:\FOUND.036
2008-02-20 21:38 . 2008-02-20 21:38 <DIR> d-------- C:\Program Files\RipCast 1.9
2008-02-19 17:40 . 2008-02-19 17:40 <DIR> d--hs---- C:\FOUND.035
2008-02-18 20:00 . 2008-02-18 20:00 <DIR> d-------- C:\Program Files\Audacity 1.3 Beta (Unicode)
2008-02-18 20:00 . 2008-02-18 20:00 <DIR> d-------- C:\Documents and Settings\Viktor Salonski\Application Data\Audacity
2008-02-18 19:56 . 2008-02-18 19:56 220 --a------ C:\WINDOWS\system32\test.aok
2008-02-18 19:55 . 2008-02-18 19:55 <DIR> d-------- C:\Program Files\Ultra Video Converter
2008-02-18 19:55 . 2007-04-12 14:19 129,024 --a------ C:\WINDOWS\system32\AVERM.dll
2008-02-18 19:55 . 2006-09-26 13:57 28,672 --a------ C:\WINDOWS\system32\AVEQT.dll
2008-02-18 14:18 . 2008-02-18 14:18 <DIR> d--hs---- C:\FOUND.034
2008-02-16 14:04 . 2008-02-16 14:04 <DIR> d-------- C:\Documents and Settings\Viktor Salonski\Application Data\ViStart
2008-02-16 13:58 . 2008-02-16 13:58 78,942 --a------ C:\WINDOWS\Icon_2.ico
2008-02-16 13:50 . 2008-02-16 13:50 <DIR> d-------- C:\Program Files\WinFlip
2008-02-16 13:50 . 2008-02-16 13:50 <DIR> d-------- C:\Program Files\TrueTransparency
2008-02-16 13:50 . 2008-02-16 13:50 <DIR> d-------- C:\Program Files\Styler
2008-02-16 13:47 . 2008-02-16 13:47 78,942 --a------ C:\WINDOWS\Icon_1.ico
2008-02-16 13:46 . 2008-02-16 13:46 <DIR> d-------- C:\WINDOWS\system32\VITrans
2008-02-16 13:19 . 2008-02-16 13:19 <DIR> d-------- C:\Program Files\Safarp
2008-02-15 22:21 . 2007-12-09 08:51 889 --a------ C:\ma477.bin
2008-02-15 19:19 . 2008-02-15 19:19 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-15 19:19 . 2008-02-15 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-02-15 15:24 . 2008-02-15 15:24 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-02-15 14:24 . 2008-02-15 14:24 <DIR> d-------- C:\Documents and Settings\Viktor Salonski\Application Data\Styler
2008-02-15 14:23 . 2006-12-03 17:15 111,104 --a------ C:\WINDOWS\system32\Uharc.exe
2008-02-15 14:23 . 2006-12-03 17:15 19,968 --a------ C:\WINDOWS\system32\reico.exe
2008-02-15 14:23 . 2006-12-03 17:14 8,636 --a------ C:\WINDOWS\system32\modifype.exe
2008-02-14 21:26 . 2008-02-14 21:26 <DIR> d-------- C:\Program Files\Bad CD DVD Reader
2008-02-14 21:18 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-02-14 21:18 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-02-14 14:16 . 2008-02-14 14:16 <DIR> d-------- C:\Program Files\Nexus_Radio
2008-02-14 13:59 . 2008-02-14 13:59 <DIR> d-------- C:\Program Files\Nexus Radio
2008-02-14 13:55 . 2008-02-14 13:55 <DIR> d-------- C:\Program Files\JLC's Software
2008-02-14 13:55 . 2008-02-14 13:55 <DIR> d-------- C:\Documents and Settings\Viktor Salonski\Application Data\JLC's Software
2008-02-13 20:03 . 2008-02-13 20:03 <DIR> d-------- C:\Program Files\Ocean Technology
2008-02-13 20:03 . 2008-02-13 20:03 <DIR> d-------- C:\Documents and Settings\Viktor Salonski\Application Data\InstallShield
2008-02-13 20:03 . 2006-03-14 02:26 53,248 --a------ C:\WINDOWS\system32\ImageOle.dll
2008-02-11 20:24 . 2008-02-11 20:24 <DIR> d-------- C:\Program Files\GameHouse
2008-02-11 13:00 . 2008-02-11 13:00 <DIR> d--hs---- C:\FOUND.033
2008-02-10 20:50 . 2008-02-10 21:00 26 --a------ C:\WINDOWS\Zone.Identifier
2008-02-10 02:44 . 2008-02-10 02:44 45,056 --a------ C:\WINDOWS\system32\fsmgmt.dll.tmp
2008-02-09 15:29 . 2008-02-09 15:29 271,360 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-02-09 15:29 . 2008-02-09 15:29 18,048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-02-09 15:28 . 2008-02-09 15:28 <DIR> d-------- C:\Program Files\Eclypse
2008-02-02 17:22 . 2008-02-02 17:22 <DIR> d-------- C:\Program Files\Zuma Deluxe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 20:23 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-01-11 04:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 22:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 08:51 179,584 ----a-w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 04:21 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 10:01 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 10:00 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 03:59 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 17:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 17:38 550,912 ----a-w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-06-29 17:45 17 ----a-w C:\Program Files\Sims2Pack Clean Installer.ini
2007-08-08 12:32 801 --sha-w C:\WINDOWS\system32\mmf.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-04 18:06 68856]
"speedfan"="C:\Program Files\SpeedFan\speedfan.exe" [2007-09-17 18:04 2902528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-06-15 17:20 6803456]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"DrvIcon"="C:\Program Files\Vista Drive Icon\DrvIcon.exe" [2007-07-04 20:59 45056]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-15 15:23 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fsmgmt]
fsmgmt.dll 2008-03-22 14:48 6993 C:\WINDOWS\system32\fsmgmt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-04-13 11:09 49152 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2005-12-07 22:57 30208 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Icq\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\WINDOWS\\System32\\autmgr32.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Real\\RealOne Player\\REALPLAY.EXE"=
"C:\\TOTALCMD\\totalcmd.exe"=
"C:\\Program Files\\ApexDC++\\ApexDC.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\WINDOWS\\System32\\rtcshare.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-03 22:56]
S2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe []
S3 ES-620;Edisonsoft ES-620 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\ES-620.sys [2003-04-17 11:42]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2006-12-24 15:49]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2006-12-24 15:49]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys [2006-12-24 15:49]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2006-12-24 15:49]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys [2006-12-24 15:49]
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []
S3 z530bus;Sony Ericsson Z530 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\z530bus.sys [2006-12-24 15:49]
S3 z530mdfl;Sony Ericsson Z530 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\z530mdfl.sys [2006-12-24 15:49]
S3 z530mdm;Sony Ericsson Z530 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\z530mdm.sys [2006-12-24 15:49]
S3 z530mgmt;Sony Ericsson Z530 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\z530mgmt.sys [2006-12-24 15:49]
S3 z530obex;Sony Ericsson Z530 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\z530obex.sys [2006-12-24 15:49]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-03-29 20:47:04 C:\WINDOWS\Tasks\{1C82364A-8B8D-40B7-A7BC-F7E694BE0141}_PRIVATE-B55B9C7_Viktor Salonski.job"
- C:\WINDOWS\system32\mobsync.exeT /Schedule=
"2008-03-28 15:16:06 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 14:05:23
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2008-03-30 14:07:46 - machine was rebooted
ComboFix2.txt 2008-02-26 00:11:14
ComboFix-quarantined-files.txt 2008-03-30 12:07:42
Pre-Run: 7,609,204,736 bytes free
Post-Run: 7,736,770,560 bytes free
.
2008-03-24 00:11:17 --- E O F ---

shelf life
2008-03-30, 16:40
hi viktors,

Ok good. We will use ComboFix again. First disable any real-time protection that may be running, like you did before:

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into Notepad:

File::
C:\WINDOWS\system32\fsmgmt.dll
C:\WINDOWS\system32\fsmgmt.dll.tmp
C:\WINDOWS\system32\bdod.bin

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fsmgmt]

Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on the desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release. ComboFix will run and produce a new log.
Please post the new ComboFix log and a new HJT log.


Please tell me what antivirus is good and not eating my RAM

A single antivirus rather than the "all in one suite" might be a better way to go.

shelf life
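
The CFScript above targets the Winlogon Notify DLL that appears in both logs: HijackThis lists it as an O20 entry, and ComboFix's "Files Created" section shows the same file written a few days before the scan. The script below is an added example, not code from this thread, from the Safer Networking helpers, or from HijackThis or ComboFix. It parses the O20 and O23 lines of a HijackThis log together with the "Files Created" lines of a ComboFix log and reports Winlogon Notify DLLs created within a configurable window, plus services whose binary is missing. The regular expressions, the 30-day threshold and the report tuple layout are this example's own assumptions; the sample lines are excerpts of the logs posted earlier in the thread.

```python
"""
Cross-reference HijackThis autostart entries with ComboFix file-creation
dates.  Added example; the regexes, the "recent" threshold and the
finding format are assumptions made here, not the tools' own output.
"""
import re
from datetime import datetime, timedelta

# Constructed subset of the HijackThis log posted above.
HJT_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_03\\bin\\ssv.dll
O20 - Winlogon Notify: fsmgmt - C:\\WINDOWS\\SYSTEM32\\fsmgmt.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\ekrn.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\\WINDOWS\\runservice.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\\Program Files\\Spyware Doctor\\swdsvc.exe (file missing)
"""

# Constructed subset of the ComboFix "Files Created" section posted above.
# Format per line: created-time . last-write-time size attributes path
COMBOFIX_LOG = """\
2008-03-29 14:10 . 2008-03-29 14:10 <DIR> d-------- C:\\Program Files\\ESET
2008-03-22 14:43 . 2008-03-22 14:48 6,993 --a------ C:\\WINDOWS\\system32\\fsmgmt.dll
2008-03-16 23:53 . 2006-03-31 02:39 368,640 --a------ C:\\WINDOWS\\system32\\ReWire.dll
2008-02-10 02:44 . 2008-02-10 02:44 45,056 --a------ C:\\WINDOWS\\system32\\fsmgmt.dll.tmp
"""

O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+?)\s*$")
# name - owner - path, with an optional "(file missing)" suffix
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+?)(?: \(file missing\))?\s*$")
# file lines only: directory lines carry "<DIR>" instead of a byte count
CF_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"([\d,]+) (\S+) (.+?)\s*$"
)


def parse_hjt(text):
    """Return (winlogon_notify_entries, service_entries) from HJT lines."""
    notify, services = [], []
    for line in text.splitlines():
        m = O20_RE.match(line)
        if m:
            notify.append({"key": m.group(1), "path": m.group(2)})
            continue
        m = O23_RE.match(line)
        if m:
            services.append({
                "name": m.group(1),
                "owner": m.group(2),
                "path": m.group(3),
                "file_missing": line.rstrip().endswith("(file missing)"),
            })
    return notify, services


def parse_combofix_created(text):
    """Map lower-cased path -> {created, size} for file lines only."""
    created = {}
    for line in text.splitlines():
        m = CF_RE.match(line)
        if m:
            # Windows paths are case-insensitive; HJT and ComboFix differ
            # in how they spell SYSTEM32, so normalise before matching.
            created[m.group(5).lower()] = {
                "created": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
                "size": int(m.group(3).replace(",", "")),
            }
    return created


def review(hjt_text, cf_text, scan_time, recent_days=30):
    """Return a list of finding tuples worth a helper's attention."""
    notify, services = parse_hjt(hjt_text)
    created = parse_combofix_created(cf_text)
    findings = []
    for n in notify:
        info = created.get(n["path"].lower())
        if info and scan_time - info["created"] <= timedelta(days=recent_days):
            findings.append(("winlogon_notify_recent", n["path"],
                             info["created"], info["size"]))
    for s in services:
        if s["file_missing"]:
            findings.append(("service_file_missing", s["name"], s["path"]))
    return findings


if __name__ == "__main__":
    for f in review(HJT_LOG, COMBOFIX_LOG, datetime(2008, 3, 30, 13, 55)):
        print(f)
```

A Winlogon Notify DLL is loaded by winlogon.exe at every logon, so a recently written entry there is a high-value lead regardless of its name; the "file missing" services are left-over registrations that the helper can clean up separately.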

viktors
2008-03-30, 17:10
Ok here is HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:46 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Vista Drive Icon\DrvIcon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealOne Player\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FLASHGET\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [speedfan] C:\Program Files\SpeedFan\speedfan.exe
O8 - Extra context menu item: DajTube - Download - http://www.dajtube.com/fetch.php
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 6814 bytes

viktors
2008-03-30, 17:11
Here is ComboFix Log

ComboFix 08-03-30.1 - Viktor Salonski 2008-03-30 17:06:23.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1251.381.1033.18.412 [GMT 2:00]
Running from: C:\Documents and Settings\Viktor Salonski\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Viktor Salonski\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\bdod.bin
C:\WINDOWS\system32\fsmgmt.dll
C:\WINDOWS\system32\fsmgmt.dll.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bdod.bin
C:\WINDOWS\system32\fsmgmt.dll
C:\WINDOWS\system32\fsmgmt.dll.tmp

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-29 16:49 . 2008-03-29 16:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-29 16:49 . 2008-03-29 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-29 16:48 . 2008-03-29 16:48 <DIR> d-------- C:\Documents and Settings\Viktor Salonski\Application Data\Malwarebytes
2008-03-29 14:13 . 2008-01-07 14:29 352 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-03-29 14:10 . 2008-03-29 14:10 <DIR> d-------- C:\Program Files\ESET
2008-03-29 13:36 . 2008-03-29 13:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-03-28 13:13 . 2008-03-30 01:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-28 13:13 . 2008-03-28 13:13 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-25 16:32 . 2008-03-25 16:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-03-25 15:29 . 2008-03-25 15:29 <DIR> d--hs---- C:\FOUND.040
2008-03-25 00:11 . 2008-03-25 00:11 <DIR> d-------- C:\Documents and Settings\Viktor Salonski\Application Data\FLV Extract
2008-03-23 14:52 . 2008-03-23 14:52 <DIR> d-------- C:\Program Files\Total Video Converter
2008-03-23 14:42 . 2008-03-23 14:42 <DIR> d-------- C:\VideoOutput
2008-03-21 16:35 . 2008-03-21 16:35 <DIR> d-------- C:\WINDOWS\system32\VIRepair
2008-03-16 23:54 . 2008-03-16 23:54 <DIR> d-------- C:\Documents and Settings\Viktor Salonski\Application Data\Submersible
2008-03-16 23:53 . 2006-03-31 02:39 368,640 --a------ C:\WINDOWS\system32\ReWire.dll
2008-03-16 23:53 . 2006-03-30 01:11 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2008-03-16 23:30 . 2008-03-16 23:30 <DIR> d-------- C:\Program Files\Paint.NET
2008-03-16 23:27 . 2008-03-16 23:27 <DIR> d-------- C:\Program Files\Vista Drive Icon
2008-03-11 17:51 . 2008-03-11 17:51 <DIR> d-------- C:\vcs5BGEffects
2008-03-10 23:54 . 2008-03-10 23:54 <DIR> d-------- C:\My Music
2008-03-10 08:00 . 2008-03-10 08:00 <DIR> d--hs---- C:\FOUND.039
2008-03-08 16:23 . 2008-03-08 16:23 <DIR> d--hs---- C:\FOUND.038
2008-03-08 15:46 . 2008-03-08 15:46 <DIR> drahs---- C:\dcht
2008-03-08 15:39 . 2008-03-08 15:39 <DIR> d-------- C:\Documents and Settings\Viktor Salonski\Application Data\WNR
2008-03-07 03:08 . 2008-03-07 03:08 3,072 --ahs---- C:\Thumbs.db
2008-03-07 03:07 . 2008-03-07 03:07 1,127,243 --a------ C:\Misolovka.wmv
2008-03-06 18:05 . 2008-03-06 18:05 <DIR> d-------- C:\Program Files\Sony
2008-03-06 18:05 . 2008-03-06 18:05 <DIR> d-------- C:\Documents and Settings\Viktor Salonski\Application Data\Sony
2008-03-06 18:04 . 2008-03-06 18:04 <DIR> d-------- C:\Program Files\Sony Setup
2008-03-02 15:27 . 2008-03-02 15:27 <DIR> d-------- C:\Program Files\AV Vcs 6.0 DIAMOND
2008-02-28 21:14 . 2008-02-28 21:14 176 --a------ C:\WINDOWS\wininit.ini
2008-02-28 21:10 . 2008-02-28 21:10 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 1
2008-02-28 20:39 . 2008-02-28 20:39 <DIR> d-------- C:\Program Files\Pricaonica
2008-02-27 13:01 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-27 13:01 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-27 13:01 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-26 18:59 . 2008-02-26 18:59 <DIR> d-------- C:\Program Files\Windows Live
2008-02-26 18:59 . 2008-02-26 18:59 <DIR> d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-26 18:59 . 2008-02-26 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-25 17:55 . 2008-02-25 17:55 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-25 16:59 . 2008-02-25 15:14 <DIR> d-------- C:\SDFix
2008-02-24 22:54 . 2008-02-24 22:54 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-24 22:20 . 2008-02-24 22:20 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-24 19:42 . 2008-02-24 19:42 <DIR> d--hs---- C:\FOUND.037
2008-02-22 14:12 . 2008-02-22 14:12 28,672 --a------ C:\WINDOWS\system32\klfv.exe
2008-02-22 14:07 . 2008-02-22 14:07 <DIR> d-------- C:\Program Files\FolderVault
2008-02-22 14:07 . 2008-02-22 14:07 921,654 --a------ C:\WINDOWS\stones6865E094.bmp
2008-02-22 14:07 . 2008-02-22 14:07 135,168 --a------ C:\WINDOWS\system32\Lock.dll
2008-02-22 14:07 . 2008-02-22 14:11 1,940 --a------ C:\WINDOWS\system32\fv2.lic
2008-02-22 14:07 . 2008-02-22 14:07 19 --a------ C:\WINDOWS\CTDChannels_Version.6865E094.cdf
2008-02-22 13:50 . 2008-02-22 13:50 <DIR> d-------- C:\Program Files\Folder Lock
2008-02-22 13:50 . 2007-12-02 19:54 79,920 --a------ C:\WINDOWS\system32\FLKill.exe
2008-02-22 13:50 . 2008-02-22 14:20 20 --a------ C:\sccfg.sys
2008-02-21 19:54 . 2008-02-21 19:54 <DIR> d--hs---- C:\FOUND.036
2008-02-20 21:38 . 2008-02-20 21:38 <DIR> d-------- C:\Program Files\RipCast 1.9
2008-02-19 17:40 . 2008-02-19 17:40 <DIR> d--hs---- C:\FOUND.035
2008-02-18 20:00 . 2008-02-18 20:00 <DIR> d-------- C:\Documents and Settings\Viktor Salonski\Application Data\Audacity
2008-02-18 19:56 . 2008-02-18 19:56 220 --a------ C:\WINDOWS\system32\test.aok
2008-02-18 14:18 . 2008-02-18 14:18 <DIR> d--hs---- C:\FOUND.034
2008-02-16 14:04 . 2008-02-16 14:04 <DIR> d-------- C:\Documents and Settings\Viktor Salonski\Application Data\ViStart
2008-02-16 13:58 . 2008-02-16 13:58 78,942 --a------ C:\WINDOWS\Icon_2.ico
2008-02-16 13:50 . 2008-02-16 13:50 <DIR> d-------- C:\Program Files\WinFlip
2008-02-16 13:50 . 2008-02-16 13:50 <DIR> d-------- C:\Program Files\TrueTransparency
2008-02-16 13:50 . 2008-02-16 13:50 <DIR> d-------- C:\Program Files\Styler
2008-02-16 13:47 . 2008-02-16 13:47 78,942 --a------ C:\WINDOWS\Icon_1.ico
2008-02-16 13:46 . 2008-02-16 13:46 <DIR> d-------- C:\WINDOWS\system32\VITrans
2008-02-16 13:19 . 2008-02-16 13:19 <DIR> d-------- C:\Program Files\Safarp
2008-02-15 22:21 . 2007-12-09 08:51 889 --a------ C:\ma477.bin
2008-02-15 19:19 . 2008-02-15 19:19 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-15 19:19 . 2008-02-15 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-02-15 15:24 . 2008-02-15 15:24 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-02-15 14:24 . 2008-02-15 14:24 <DIR> d-------- C:\Documents and Settings\Viktor Salonski\Application Data\Styler
2008-02-15 14:23 . 2006-12-03 17:15 111,104 --a------ C:\WINDOWS\system32\Uharc.exe
2008-02-15 14:23 . 2006-12-03 17:15 19,968 --a------ C:\WINDOWS\system32\reico.exe
2008-02-15 14:23 . 2006-12-03 17:14 8,636 --a------ C:\WINDOWS\system32\modifype.exe
2008-02-14 21:26 . 2008-02-14 21:26 <DIR> d-------- C:\Program Files\Bad CD DVD Reader
2008-02-14 21:18 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-02-14 21:18 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-02-14 14:16 . 2008-02-14 14:16 <DIR> d-------- C:\Program Files\Nexus_Radio
2008-02-14 13:59 . 2008-02-14 13:59 <DIR> d-------- C:\Program Files\Nexus Radio
2008-02-14 13:55 . 2008-02-14 13:55 <DIR> d-------- C:\Program Files\JLC's Software
2008-02-14 13:55 . 2008-02-14 13:55 <DIR> d-------- C:\Documents and Settings\Viktor Salonski\Application Data\JLC's Software
2008-02-13 20:03 . 2008-02-13 20:03 <DIR> d-------- C:\Program Files\Ocean Technology
2008-02-13 20:03 . 2008-02-13 20:03 <DIR> d-------- C:\Documents and Settings\Viktor Salonski\Application Data\InstallShield
2008-02-13 20:03 . 2006-03-14 02:26 53,248 --a------ C:\WINDOWS\system32\ImageOle.dll
2008-02-11 20:24 . 2008-02-11 20:24 <DIR> d-------- C:\Program Files\GameHouse
2008-02-11 13:00 . 2008-02-11 13:00 <DIR> d--hs---- C:\FOUND.033
2008-02-10 20:50 . 2008-02-10 21:00 26 --a------ C:\WINDOWS\Zone.Identifier
2008-02-09 15:29 . 2008-02-09 15:29 271,360 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-02-09 15:29 . 2008-02-09 15:29 18,048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-02-09 15:28 . 2008-02-09 15:28 <DIR> d-------- C:\Program Files\Eclypse
2008-02-02 17:22 . 2008-02-02 17:22 <DIR> d-------- C:\Program Files\Zuma Deluxe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 04:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 22:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 08:51 179,584 ----a-w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 04:21 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 10:01 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 10:00 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 03:59 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 17:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 17:38 550,912 ----a-w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-06-29 17:45 17 ----a-w C:\Program Files\Sims2Pack Clean Installer.ini
2007-08-08 12:32 801 --sha-w C:\WINDOWS\system32\mmf.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-04 18:06 68856]
"speedfan"="C:\Program Files\SpeedFan\speedfan.exe" [2007-09-17 18:04 2902528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-06-15 17:20 6803456]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"DrvIcon"="C:\Program Files\Vista Drive Icon\DrvIcon.exe" [2007-07-04 20:59 45056]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-15 15:23 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-04-13 11:09 49152 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2005-12-07 22:57 30208 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Icq\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\WINDOWS\\System32\\autmgr32.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Real\\RealOne Player\\REALPLAY.EXE"=
"C:\\TOTALCMD\\totalcmd.exe"=
"C:\\Program Files\\ApexDC++\\ApexDC.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\WINDOWS\\System32\\rtcshare.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
S2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe []
S3 ES-620;Edisonsoft ES-620 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\ES-620.sys [2003-04-17 11:42]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2006-12-24 15:49]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2006-12-24 15:49]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys [2006-12-24 15:49]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2006-12-24 15:49]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys [2006-12-24 15:49]
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []
S3 z530bus;Sony Ericsson Z530 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\z530bus.sys [2006-12-24 15:49]
S3 z530mdfl;Sony Ericsson Z530 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\z530mdfl.sys [2006-12-24 15:49]
S3 z530mdm;Sony Ericsson Z530 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\z530mdm.sys [2006-12-24 15:49]
S3 z530mgmt;Sony Ericsson Z530 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\z530mgmt.sys [2006-12-24 15:49]
S3 z530obex;Sony Ericsson Z530 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\z530obex.sys [2006-12-24 15:49]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-29 20:47:04 C:\WINDOWS\Tasks\{1C82364A-8B8D-40B7-A7BC-F7E694BE0141}_PRIVATE-B55B9C7_Viktor Salonski.job"
- C:\WINDOWS\system32\mobsync.exeT /Schedule=
"2008-03-28 15:16:06 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 17:08:25
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-30 17:08:47
ComboFix3.txt 2008-02-26 00:11:14
ComboFix-quarantined-files.txt 2008-03-30 15:08:46
ComboFix2.txt 2008-03-30 12:07:48
Pre-Run: 10,320,871,424 bytes free
Post-Run: 10,311,090,176 bytes free
.
2008-03-24 00:11:17 --- E O F ---

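A ComboFix log like the one above is quicker to triage with a small parser than by eye. The following Python is an added example (not part of the thread, and not ComboFix's own code): it reads the "Reg Loading Points" section, lists every autostart under a Run key, and flags the Security Center values "AntiVirusOverride" and "FirewallOverride" when they are set to 1, as they are in the log above. Those two values tell Windows XP's Security Center to stop warning when it cannot see a working antivirus or firewall; some security suites set them legitimately, but so does malware, so they are worth a look during cleanup. Function names such as parse_loading_points() are this example's own, and the embedded log excerpt is constructed in the same format as the log posted above.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example (not ComboFix's or the thread's own code). Function names such
as parse_loading_points() are this example's own; SAMPLE_LOG is a constructed
excerpt in the same format as the log posted in the thread.
"""
import re

# Constructed excerpt in the ComboFix log format (raw string, so single
# backslashes in paths are kept literally; the firewall list doubles them
# exactly as ComboFix prints it).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-04 18:06 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                 # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')         # "name"=<raw value>
DWORD_RE = re.compile(r'^dword:([0-9a-fA-F]{8})$')  # dword:00000001
PATH_RE = re.compile(r'^"([^"]*)"(?:\s+\[(.*)\])?$')  # "path" [date size]


def parse_loading_points(text):
    """Return {registry_key: [(value_name, raw_value), ...]} for the
    REGEDIT4-style block that follows the 'Reg Loading Points' banner."""
    entries = {}
    current = None
    in_section = False
    for line in text.splitlines():
        if 'Reg Loading Points' in line:
            in_section = True
            continue
        if not in_section:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current].append((m.group(1), m.group(2)))
    return entries


def run_entries(entries):
    """Return (key, value_name, exe_path) for every value under a ...\\Run key."""
    out = []
    for key, values in entries.items():
        if key.lower().endswith('\\run'):
            for name, raw in values:
                m = PATH_RE.match(raw)
                if m:
                    out.append((key, name, m.group(1)))
    return out


def security_center_overrides(entries):
    """Return names of Security Center *Override values that are non-zero."""
    flagged = []
    for key, values in entries.items():
        if key.lower().endswith('microsoft\\security center'):
            for name, raw in values:
                m = DWORD_RE.match(raw)
                if m and name.lower().endswith('override') and int(m.group(1), 16) != 0:
                    flagged.append(name)
    return flagged


def triage(text):
    """Build a human-readable list of autostarts and items to review."""
    entries = parse_loading_points(text)
    report = [f"autostart {name!r} -> {path}  ({key})"
              for key, name, path in run_entries(entries)]
    for name in security_center_overrides(entries):
        report.append(f"REVIEW Security Center {name}=1: Windows will not warn "
                      "if antivirus/firewall is off or missing")
    return report


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Run it against a saved ComboFix log by reading the file into a string and passing it to triage(); unknown executables under the Run keys are the first things to look up, and an override value of 1 should be explained by an installed security product or reset.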
viktors
2008-03-30, 17:12
single rather than the "all in one suite" might be a better way to go.


come on you are the expert please tell me :):)

shelf life
2008-03-30, 21:35
hi,


i have NOD32 Business but i am not sure if that is good,

nothing wrong with NOD32 for AV. i believe it's a single component only. By suite i mean an app that is bundled as an antivirus, antimalware, firewall, anti this and that etc. a suite might be heavier on system resources.

if all is good as a last step we can delete combofix and make a new restore point.

viktors
2008-03-30, 21:45
ok how to restore point?

shelf life
2008-03-30, 22:34
hi,

ok to remove combofix:

start>run and type in combofix /u click ok
note: there is a space after the x and before the u

the how and why for a new restore point:

One of the features of Windows ME or XP is the System Restore option; however, if malware infects a computer with this operating system, it can be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.


To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes the old, possibly infected restore points)

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (new restore points on a clean system)

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK, then reboot.



some tips for you (http://www.virusvault.us/prevention.htm)

happy safe surfing out there.