i think i have vundo......



Necro1
2008-06-08, 20:59
I couldn't get the Kaspersky online scan to work; it kept saying it had an error on the page and wouldn't download anything or even get to the scan options page, and I used IE. Spybot S&D didn't find anything in red, but every once in a while I get a notice from my CA Anti-Virus 2008 that it stopped an infection, and it is always a random filename. But here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:42:58 PM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CAGlobal.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Light\CAGlobalLight.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.09\RivaTuner.exe" /S
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D334EE9-5637-46B3-9129-E3E8C8D7A525}: NameServer = 206.9.80.11
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 10367 bytes
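Added example (editor's code, not part of the original thread and not a tool anyone in it used): a small Python triage script for the two log formats that appear here. The HJT log above prints no O2 (BHO) lines at all, whereas the ComboFix output Necro1 posts further down lists four BHO CLSIDs, one of them loading C:\WINDOWS\system32\hgGvwXrP.dll. That same ComboFix run deleted PrXwvGgh.ini, kswkkybm.ini and kteqigkf.ini from system32, and spelled backwards those stems are exactly hgGvwXrP, mbykkwsk and fkgiqetk, the three random-looking DLL names that appear elsewhere in the same log. The script pairs .ini files with DLLs by that reversed-stem rule, predicts the partner name for any .ini left unpaired (llVDNXbc.ini has no partner anywhere on this page), and then flags HJT-style loading-point lines whose target is half of such a pair or is registered but missing on disk. File names and CLSIDs are copied from the thread; the two O2 lines are constructed in HJT format from ComboFix's BHO entries because HJT printed none; the reversed-name rule is a heuristic taken from these logs, not a definitive signature.

```python
import re

# Constructed sample input: file names copied from the "Other Deletions" and
# "Files Created" sections of the ComboFix log posted later in this thread.
# avisynth.dll is a legitimate 8-letter DLL from the same log, included to show
# that the reversed-name check, unlike a name-length check, leaves it alone.
FILES_FROM_COMBOFIX = [
    r"C:\WINDOWS\system32\fkgiqetk.dll",
    r"C:\WINDOWS\system32\kswkkybm.ini",
    r"C:\WINDOWS\system32\kteqigkf.ini",
    r"C:\WINDOWS\system32\llVDNXbc.ini",
    r"C:\WINDOWS\system32\llVDNXbc.ini2",
    r"C:\WINDOWS\system32\PrXwvGgh.ini",
    r"C:\WINDOWS\system32\PrXwvGgh.ini2",
    r"C:\WINDOWS\system32\pyvuosqs.dll",
    r"C:\WINDOWS\system32\winzwr32.dll",
    r"C:\WINDOWS\system32\mbykkwsk.dll",
    r"C:\WINDOWS\system32\avisynth.dll",
]

# Constructed sample input in HijackThis line style. The O4 and O9 lines are
# copied from the HJT log above; the two O2 lines are BHO entries from the
# ComboFix "Reg Loading Points" section rewritten in HJT format, because HJT
# printed no O2 lines for this machine.
LOADING_POINTS = """\
O2 - BHO: (no name) - {4DE09CD6-0D67-4C7C-AB3A-EE45A4DDECDF} - C:\\WINDOWS\\system32\\hgGvwXrP.dll
O2 - BHO: (no name) - {4DC75041-350C-4FD1-AFEC-F64E8F9CF905} - (no file)
O4 - HKLM\\..\\Run: [cctray] "C:\\Program Files\\CA\\CA Internet Security Suite\\cctray\\cctray.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe (file missing)
"""

# "X.ini", "X.ini2" and "X.dll"; the trailing 2 is ComboFix's second copy.
NAME_RE = re.compile(r"^(?P<stem>[^\\]+?)\.(?P<ext>dll|ini)2?$", re.I)
# First Windows path ending in .dll/.exe on a line, quoted or not.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]+?\.(?:dll|exe)', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def reversed_name_pairs(paths):
    """Pair every X.ini with Y.dll where Y is X's stem spelled backwards.

    Returns (pairs, orphans). pairs maps ini name -> dll name. orphans maps an
    unpaired ini to the DLL name the rule predicts, so the analyst knows what
    to look for in quarantine folders or other logs. Matching is
    case-sensitive: the mixed case is part of the generated name.
    """
    dlls, inis = {}, set()
    for p in paths:
        m = NAME_RE.match(basename(p))
        if not m:
            continue
        if m.group("ext").lower() == "dll":
            dlls[m.group("stem")] = basename(p)
        else:
            inis.add(m.group("stem"))
    pairs, orphans = {}, {}
    for stem in sorted(inis):
        rev = stem[::-1]
        if rev in dlls:
            pairs[stem + ".ini"] = dlls[rev]
        else:
            orphans[stem + ".ini"] = rev + ".dll"
    return pairs, orphans


def triage_loading_points(text, pairs):
    """Return (item, target, reasons) for HJT-style lines worth a second look.

    Two signals: the target file is one half of a reversed ini/dll pair, or the
    registry entry points at a file that is no longer on disk (HJT marks these
    '(file missing)'). The second is often benign, as with xpnetdiag.exe here,
    but a CLSID with no file behind it is also what a half-removed BHO leaves.
    """
    paired = set(pairs) | set(pairs.values())
    findings = []
    for line in text.splitlines():
        reasons = []
        if "(file missing)" in line or "(no file)" in line:
            reasons.append("registered but file absent")
        m = PATH_RE.search(line)
        target = basename(m.group(0)) if m else None
        if target in paired:
            reasons.append("half of a reversed ini/dll pair")
        if reasons:
            findings.append((line.split(" - ", 1)[0], target, reasons))
    return findings


def analyze(files, loading_points_text):
    """Combine file-list evidence with loading points and run both checks."""
    targets = [m.group(0) for m in PATH_RE.finditer(loading_points_text)]
    pairs, orphans = reversed_name_pairs(list(files) + targets)
    return pairs, orphans, triage_loading_points(loading_points_text, pairs)


if __name__ == "__main__":
    pairs, orphans, findings = analyze(FILES_FROM_COMBOFIX, LOADING_POINTS)
    for ini, dll in pairs.items():
        print(f"pair:    {ini} <-> {dll}")
    for ini, dll in orphans.items():
        print(f"orphan:  {ini} (expected partner {dll}, not seen)")
    for item, target, reasons in findings:
        print(f"flagged: {item} {target}: {'; '.join(reasons)}")
```

Run as-is it reports three pairs, one orphan (llVDNXbc.ini, predicted partner cbXNDVll.dll) and three flagged loading points. The pairing is deliberately case-sensitive and exact: a looser match would start flagging ordinary names, and the value of the check is that a legitimate DLL almost never has an .ini beside it whose name is its own mirror image.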

Necro1
2008-06-09, 00:13
And I keep getting pop-ups... I am afraid to use any passwords in case any get sent via the internet to some hacker... I even think they changed my password for these forums, so I had it reset... How long does it take for a reply on average here, anyway? Not trying to rush anyone, just trying to find out when to expect some help.

Blade81
2008-06-10, 22:59
Hi


1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double-click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh HJT log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager, Processes tab (press Ctrl, Alt and Del at the same time), and end any processes named findstr, find, sed or swreg; then ComboFix should continue.
If that happens we want to know, and also which process you had to end.

If you have problems with ComboFix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Necro1
2008-06-11, 04:28
I couldn't get ComboFix to work in normal mode. The first attempt triggered a Spybot scan for some reason *shrugs shoulders*, after which ComboFix froze at "creating new restore point"; on the second attempt nothing happened... absolutely nothing. So I booted into safe mode, and then ComboFix ran quite smoothly all the way through and rebooted back into normal mode without issues.

I also renamed HJT.exe as Necro1.exe; I may have been reading up on other people's issues like this. Also, my spyware scanner keeps quarantining darksma with every scan it does.

Hope this added info helps, and thank you for the much-needed help.
Below are the logs you asked for: ComboFix first, then HJT.

ComboFix 08-06-10.1 - Necro1 2008-06-10 20:46:40.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1792 [GMT -5:00]
Running from: C:\Documents and Settings\Necro1\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM5b22c20d.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\fkgiqetk.dll
C:\WINDOWS\system32\kswkkybm.ini
C:\WINDOWS\system32\kteqigkf.ini
C:\WINDOWS\system32\llVDNXbc.ini
C:\WINDOWS\system32\llVDNXbc.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\PrXwvGgh.ini
C:\WINDOWS\system32\PrXwvGgh.ini2
C:\WINDOWS\system32\pyvuosqs.dll
C:\WINDOWS\system32\winzwr32.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 )))))))))))))))))))))))))))))))
.

2008-06-10 20:48 . 2008-06-10 20:48 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-06-10 20:48 . 2008-06-10 20:48 <DIR> d-------- C:\WINDOWS\system32\restore
2008-06-10 20:48 . 2008-06-10 20:48 <DIR> d-------- C:\WINDOWS\system32\npp
2008-06-10 20:48 . 2008-06-10 20:48 <DIR> d-------- C:\WINDOWS\srchasst
2008-06-10 20:48 . 2008-06-10 20:48 <DIR> d-------- C:\WINDOWS\msagent
2008-06-10 20:48 . 2008-06-10 20:48 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-06-09 23:07 . 2008-06-09 23:07 <DIR> d-------- C:\Program Files\Chatango
2008-06-08 13:40 . 2008-06-08 13:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-08 11:10 . 2008-06-08 11:10 <DIR> d-------- C:\VundoFix Backups
2008-06-07 22:44 . 2008-06-07 23:32 151 --a------ C:\WINDOWS\wininit.ini
2008-06-07 17:47 . 2008-06-07 17:47 <DIR> d-------- C:\Program Files\ThreatFire
2008-06-07 17:47 . 2008-06-07 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-06-07 17:47 . 2008-04-24 16:52 51,520 --a------ C:\WINDOWS\system32\drivers\TfFsMon.sys
2008-06-07 17:47 . 2008-04-24 16:52 38,208 --a------ C:\WINDOWS\system32\drivers\TfSysMon.sys
2008-06-07 17:47 . 2008-04-24 16:52 33,088 --a------ C:\WINDOWS\system32\drivers\TfNetMon.sys
2008-06-07 17:47 . 2008-04-24 16:52 12,608 --a------ C:\WINDOWS\system32\drivers\TfKbMon.sys
2008-06-07 16:59 . 2008-06-07 16:59 82,944 --a------ C:\WINDOWS\system32\mbykkwsk.dll
2008-06-07 12:01 . 2008-06-07 12:01 <DIR> d-------- C:\Documents and Settings\Necro1\Application Data\dvdcss
2008-06-07 11:43 . 2008-06-07 11:43 <DIR> d-------- C:\Program Files\QuickTime
2008-06-07 11:43 . 2008-05-06 01:01 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-06-07 11:43 . 2008-05-06 01:01 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-06-07 11:30 . 2008-06-07 11:30 <DIR> d-------- C:\Documents and Settings\Necro1\Application Data\Uniblue
2008-06-07 11:14 . 2008-06-07 11:14 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-06-07 11:14 . 2004-02-22 10:11 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-06-07 11:14 . 2006-10-07 17:43 502,784 --a------ C:\WINDOWS\x2.64.exe
2008-06-07 11:14 . 2008-02-07 16:15 408,576 --a------ C:\WINDOWS\system32\Smab.dll
2008-06-07 11:14 . 2007-05-17 17:30 318,976 --a------ C:\WINDOWS\system32\avisynth.dll
2008-06-07 11:14 . 2005-02-28 13:16 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2008-06-07 11:14 . 2006-04-12 09:47 217,073 --a------ C:\WINDOWS\meta4.exe
2008-06-07 11:14 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
2008-06-07 11:14 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2008-06-07 11:14 . 2006-04-05 08:09 66,560 --a------ C:\WINDOWS\MOTA113.exe
2008-06-07 11:14 . 2005-07-14 12:31 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-06-07 11:12 . 2008-06-07 11:12 <DIR> d-------- C:\Program Files\eRightSoft
2008-06-06 20:02 . 2008-06-06 20:02 <DIR> d-------- C:\Documents and Settings\Necro1\Application Data\Axara
2008-06-06 20:01 . 2008-06-06 20:01 <DIR> d-------- C:\Program Files\Common Files\Axara
2008-06-06 20:01 . 2008-06-06 20:01 <DIR> d-------- C:\Program Files\Axara
2008-06-06 20:01 . 2004-07-03 20:59 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-06-06 20:00 . 2008-06-06 20:00 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-31 14:00 . 2008-05-31 14:00 <DIR> d-------- C:\Program Files\AC3Filter
2008-05-31 14:00 . 2007-08-18 02:54 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-05-28 21:23 . 2008-02-26 06:48 297,984 --a------ C:\WINDOWS\system32\dllcache\msctf.dll
2008-05-27 00:07 . 2008-05-31 01:00 <DIR> d--hs---- C:\Diskeeper
2008-05-17 02:02 . 2008-05-17 02:02 <DIR> d-------- C:\Program Files\River Past
2008-05-17 02:02 . 2008-05-17 02:02 <DIR> d-------- C:\Program Files\Common Files\River Past
2008-05-17 02:02 . 2008-05-17 02:02 <DIR> d-------- C:\Documents and Settings\Necro1\Application Data\River Past G5
2008-05-17 02:02 . 2008-05-17 02:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\River Past G5
2008-05-17 02:02 . 2008-05-17 02:02 166,782 --a------ C:\WINDOWS\Video Cleaner Pro Uninstaller.exe
2008-05-16 23:26 . 2008-05-16 23:37 <DIR> d-------- C:\Temp
2008-05-16 21:53 . 2008-06-07 11:43 <DIR> d-------- C:\Program Files\ImTOO
2008-05-16 16:42 . 2008-05-16 16:42 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-11 22:42 . 2008-05-25 21:02 50 --a------ C:\WINDOWS\MegaManager.INI
2008-05-11 22:18 . 2008-05-11 22:18 <DIR> d-------- C:\Documents and Settings\Necro1\Application Data\Megaupload
2008-05-11 22:17 . 2008-05-11 22:17 <DIR> d-------- C:\Program Files\Megaupload
2008-05-11 13:41 . 2008-05-11 22:18 <DIR> d-------- C:\Program Files\MegauploadToolbar
2008-05-11 13:41 . 2008-06-09 01:37 <DIR> d-------- C:\Documents and Settings\Necro1\Application Data\MegauploadToolbar
2008-05-11 01:25 . 2008-05-31 16:52 <DIR> d-------- C:\divx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 01:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-11 01:49 --------- d-----w C:\Documents and Settings\Necro1\Application Data\tor
2008-06-11 01:45 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-06-11 01:45 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-06-11 01:45 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-06-11 01:45 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-06-11 01:45 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-06-11 01:45 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-06-11 01:45 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-06-11 01:45 177,838 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-06-11 00:46 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Vidalia
2008-06-11 00:15 --------- d-----w C:\Documents and Settings\Necro1\Application Data\CallingID
2008-06-10 02:00 --------- d-----w C:\Documents and Settings\Necro1\Application Data\BitTorrent
2008-06-05 03:58 880,560 ----a-w C:\WINDOWS\system32\drivers\vetefile.sys
2008-06-05 03:58 108,368 ----a-w C:\WINDOWS\system32\drivers\veteboot.sys
2008-05-17 03:27 --------- d-----w C:\Documents and Settings\Necro1\Application Data\DivX
2008-05-12 03:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-11 03:38 --------- d-----w C:\Documents and Settings\Necro1\Application Data\teamspeak2
2008-05-11 03:21 --------- d-----w C:\Program Files\DivXCodec
2008-05-11 00:06 --------- d-----w C:\Program Files\MKVTOAVI
2008-05-10 19:57 --------- d-----w C:\Program Files\Unlocker
2008-05-10 02:49 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-05-10 02:43 --------- d-----w C:\Program Files\Disney
2008-05-09 03:34 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Media Player Classic
2008-05-09 03:33 --------- d-----w C:\Program Files\Real Alternative
2008-05-09 02:13 --------- d-----w C:\Program Files\XviD
2008-05-09 02:13 --------- d-----w C:\Program Files\A-Z
2008-05-09 01:50 --------- d-----w C:\Program Files\SysShield Tools
2008-05-09 01:24 --------- d-----w C:\Program Files\Naevius GVI Converter
2008-05-09 01:20 --------- d-----w C:\Program Files\DivX
2008-05-07 22:05 --------- d-----w C:\Documents and Settings\Necro1\Application Data\NeroDigital™
2008-05-07 02:53 --------- d-----w C:\Program Files\Lavasoft
2008-05-07 02:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-07 02:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-06 03:37 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Nero
2008-05-06 03:36 --------- d-----w C:\Program Files\Nero
2008-05-06 03:36 --------- d-----w C:\Program Files\Common Files\Nero
2008-05-06 03:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-05-06 03:14 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-05 02:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-05-05 02:07 --------- d-----w C:\Program Files\Vidalia Bundle
2008-05-04 21:31 --------- d-----w C:\Program Files\Guild Wars
2008-05-04 21:31 --------- d-----w C:\Documents and Settings\Necro1\Application Data\DNA
2008-05-04 20:01 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-05-04 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-05-04 18:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2008-05-04 18:27 --------- d-----w C:\Program Files\SlySoft
2008-04-30 23:54 --------- d-----w C:\Program Files\DNA
2008-04-30 23:54 --------- d-----w C:\Program Files\BitTorrent
2008-04-30 04:03 --------- d-----w C:\Program Files\RivaTuner v2.09
2008-04-30 02:47 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-04-30 02:46 --------- d-----w C:\Program Files\NVIDIA nTune Performance Application
2008-04-29 02:49 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Talkback
2008-04-28 02:50 --------- d-----w C:\Program Files\MySpace
2008-04-28 02:50 --------- d-----w C:\Documents and Settings\Necro1\Application Data\MySpace
2008-04-27 23:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-27 23:05 --------- d-----w C:\Program Files\Winamp
2008-04-27 22:58 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Winamp
2008-04-27 21:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-04-27 21:55 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Logitech
2008-04-27 21:54 --------- d-----w C:\Program Files\Common Files\Logishrd
2008-04-27 21:53 --------- d-----w C:\Program Files\Logitech
2008-04-27 21:53 --------- d-----w C:\Documents and Settings\Necro1\Application Data\InstallShield
2008-04-27 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-04-27 16:44 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-27 16:42 --------- d-----w C:\Program Files\Java
2008-04-27 16:36 --------- d-----w C:\Program Files\Common Files\Java
2008-04-26 04:23 --------- d-----w C:\Program Files\Windows Installer Clean Up
2008-04-26 04:22 --------- d-----w C:\Program Files\MSECACHE
2008-04-23 23:09 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Ahead
2008-04-23 22:07 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-04-23 21:51 --------- d-----w C:\Program Files\Sierra
2008-04-22 00:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-04-22 00:20 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Skype
2008-04-22 00:02 --------- d-----w C:\Documents and Settings\Necro1\Application Data\skypePM
2008-04-21 23:27 --------- d-----w C:\Program Files\MSXML 6.0
2008-04-21 23:24 --------- d-----w C:\Program Files\MSXML 4.0
2008-04-21 03:38 --------- d-----w C:\Program Files\THQ
2008-04-21 03:01 --------- d-----w C:\Program Files\VS Revo Group
2008-04-20 22:26 --------- d-----w C:\Program Files\Common Files\NSV
2008-04-20 22:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-20 22:05 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-20 21:58 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-04-20 21:55 --------- d-----w C:\Program Files\Skype
2008-04-20 21:55 --------- d-----w C:\Program Files\Common Files\Skype
2008-04-20 21:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-04-20 21:54 --------- d-----w C:\Program Files\CCleaner
2008-04-19 07:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-19 06:04 --------- d-----w C:\Program Files\Common Files\Scanner
2008-04-19 06:03 91,400 ----a-w C:\WINDOWS\system32\isafprod.dll
2008-04-19 06:03 32,264 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-04-19 06:03 26,376 ----a-w C:\WINDOWS\system32\drivers\vet-filt.sys
2008-04-19 06:03 21,512 ----a-w C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-04-19 06:03 21,128 ----a-w C:\WINDOWS\system32\drivers\vet-rec.sys
2008-04-19 04:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2008-04-18 22:59 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-18 22:58 --------- d-----w C:\Program Files\CA
2008-04-18 22:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-18 10:34 --------- d-----w C:\Program Files\Microsoft PowerToys
2008-04-18 10:34 --------- d-----w C:\Program Files\HashTab Shell Extension
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
2007-12-17 12:43 27,648 --sha-w C:\WINDOWS\system32\Smab0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4DC75041-350C-4FD1-AFEC-F64E8F9CF905}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4DE09CD6-0D67-4C7C-AB3A-EE45A4DDECDF}]
C:\WINDOWS\system32\hgGvwXrP.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62C9ECC2-DE78-468B-8869-9634B04DC1AC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d674affe-2b62-42e0-8b9a-c297a1dfbb5f}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 18:27 9117696]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 19:25 81920]
"Vidalia"="C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe" [2008-06-08 11:52 12889088]
"Chatango"="C:\Program Files\Chatango\Chatango.exe" [2008-02-04 23:18 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2008-03-29 22:39 19968 C:\WINDOWS\Logi_MwX.Exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-29 19:00 15473664 C:\WINDOWS\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2008-03-04 11:02 1626112 C:\WINDOWS\system32\nwiz.exe]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-05-26 13:39 181512]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-04-19 01:03 234760]
"cafw"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-04-18 23:20 771336]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-04-18 23:20 173320]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-04-18 23:20 259336]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe" [2008-04-18 23:20 14088]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.09\RivaTuner.exe" [2008-04-28 13:25 2707456]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2008-05-06 21:19 4579328]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [2008-04-24 16:52 259392]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 02:17 55824 C:\WINDOWS\KHALMNPR.Exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-03-04 11:02 8523776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 18:27 9117696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-03-01 08:03 124928 C:\WINDOWS\system32\advpack.dll]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

C:\Documents and Settings\Necro1\Start Menu\Programs\Startup\
taskmgr.exe.lnk - C:\WINDOWS\system32\taskmgr.exe [2004-08-03 18:56:58 135680]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-04-27 16:54:28 789008]
Privoxy.lnk - C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe [2008-06-08 11:52:20 250368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"EnableShellExecuteHooks"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\LinkAdvisor\CIDLinkAdvisor.dll [2007-10-15 21:40 1373624]
"{A0B4FFEA-D466-49A8-9BB0-B7BBD2FCB449}"= C:\WINDOWS\system32\rqRLcbXR.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll 2008-01-09 12:30 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 13:30 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"vidc.DIVF"= DivX412.dll
"vidc.vp31"= vp31vfw.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-04-30 18:54 288576 C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-10-18 10:24]
R0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys [2008-04-24 16:52]
R0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys [2008-04-24 16:52]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 13:30]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 13:30]
R2 CX88XBAR;KWorld TV88X Crossbar;C:\WINDOWS\system32\drivers\CX88XBAR.sys [2005-01-18 05:58]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-10-18 10:24]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-11-02 12:09]
R2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service []
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-10-18 10:24]
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-10-18 10:24]
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-05-18 13:30]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-09-13 15:15]
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2008-04-18 23:19]
R3 TfNetMon;TfNetMon;C:\WINDOWS\system32\drivers\TfNetMon.sys [2008-04-24 16:52]
S1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-10-18 14:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

*Newly Created Service* - AD-WATCH_REAL-TIME_SCANNER
*Newly Created Service* - AD-WATCH_REGISTRY_FILTER
.
Contents of the 'Scheduled Tasks' folder
"2008-06-09 22:58:24 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Necro1 at 4 30 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\caantispyware.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 20:49:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\cappactiveprotection.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
C:\Program Files\Vidalia Bundle\Tor\tor.exe
.
**************************************************************************
.
Completion time: 2008-06-10 20:52:51 - machine was rebooted [Necro1]
ComboFix-quarantined-files.txt 2008-06-11 01:52:08

Pre-Run: 278,134,145,024 bytes free
Post-Run: 278,081,478,656 bytes free

351 --- E O F --- 2008-05-29 02:24:08



HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:23 PM, on 6/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\Chatango\Chatango.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CAGlobal.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Light\CAGlobalLight.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Necro1.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4DE09CD6-0D67-4C7C-AB3A-EE45A4DDECDF} - C:\WINDOWS\system32\hgGvwXrP.dll (file missing)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.09\RivaTuner.exe" /S
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [Chatango] C:\Program Files\Chatango\Chatango.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D334EE9-5637-46B3-9129-E3E8C8D7A525}: NameServer = 206.9.80.11
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 10864 bytes

Blade81
2008-06-11, 09:05
Hi

Uninstall Spybot for now to make sure TeaTimer won't interfere with the fix. You may reinstall it after the system is clean :)



Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\system32\mbykkwsk.dll
C:\WINDOWS\system32\Smab0.dll

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4DC75041-350C-4FD1-AFEC-F64E8F9CF905}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4DE09CD6-0D67-4C7C-AB3A-EE45A4DDECDF}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62C9ECC2-DE78-468B-8869-9634B04DC1AC}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d674affe-2b62-42e0-8b9a-c297a1dfbb5f}]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A0B4FFEA-D466-49A8-9BB0-B7BBD2FCB449}"=-



Save this as
CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happens we want to know, and also which process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Run the Kaspersky online scanner and post back its report & a fresh HJT log (without forgetting the above-mentioned ComboFix resultant log).
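As an added example (not part of this thread, and not ComboFix's or HijackThis's own code), here is a small Python triage script for the two log formats exchanged above. It reads HijackThis "O2 - BHO:" lines and ComboFix ShellExecuteHooks lines, flags the entries a helper would target (a BHO registered with no name or whose file is missing; a hook whose bracketed file metadata is empty, meaning the DLL was not on disk at scan time), and prints a Registry:: section in the same CFScript form Blade81 used. The "8-letter mixed-case DLL name in system32" check is a heuristic of mine, not a rule stated in the thread; the sample log is constructed from lines that appear above. The script only proposes a script, it does not touch the registry, and its output still needs a helper's review before it goes anywhere near ComboFix.

```python
import re

# Constructed sample, modelled on the HijackThis O2 lines and the ComboFix
# ShellExecuteHooks lines posted in this thread (the CLSIDs and paths are the
# ones that appear in the logs above; the surrounding text is reconstructed).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4DE09CD6-0D67-4C7C-AB3A-EE45A4DDECDF} - C:\WINDOWS\system32\hgGvwXrP.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\LinkAdvisor\CIDLinkAdvisor.dll [2007-10-15 21:40 1373624]
"{A0B4FFEA-D466-49A8-9BB0-B7BBD2FCB449}"= C:\WINDOWS\system32\rqRLcbXR.dll [ ]
"""

# HijackThis "O2 - BHO:" line: name, CLSID, path, optional "(file missing)" marker.
HJT_O2 = re.compile(
    r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - '
    r'(?P<path>.*?)(?P<missing> \(file missing\))?$'
)
# ComboFix ShellExecuteHooks line: CLSID, path, then "[date time size]", or
# "[ ]" when the DLL was not on disk at scan time.
CF_HOOK = re.compile(r'^"\{(?P<clsid>[0-9A-Fa-f-]{36})\}"= (?P<path>.*?) \[(?P<meta>.*)\]$')


def looks_random(filename: str) -> bool:
    """Heuristic (my assumption, not a rule from the thread): the Vundo loader
    DLLs seen here have 8-letter names with arbitrary case changes, such as
    hgGvwXrP.dll and rqRLcbXR.dll, which no Windows or vendor DLL in the log has."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) != 8 or not stem.isalpha():
        return False
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return flips >= 3


def triage(log_text: str) -> list:
    """Return the suspicious BHO / ShellExecuteHook entries with the reasons."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        reasons = []
        if m := HJT_O2.match(line):
            kind = "bho"
            if m["name"] == "(no name)":
                reasons.append("registered without a name")
            if m["missing"]:
                reasons.append("file missing")
        elif m := CF_HOOK.match(line):
            kind = "hook"
            if not m["meta"].strip():
                reasons.append("no file metadata (DLL not found at scan time)")
        else:
            continue  # not one of the two line types we parse
        path = m["path"]
        if "\\system32\\" in path.lower() and looks_random(path.rsplit("\\", 1)[-1]):
            reasons.append("random-looking DLL name in system32")
        if reasons:
            findings.append({"kind": kind, "clsid": m["clsid"], "path": path, "reasons": reasons})
    return findings


def cfscript_registry_section(findings: list) -> str:
    """Emit a Registry:: section in the CFScript form used above: a leading
    "-" deletes a BHO key, and "=-" clears a ShellExecuteHooks value."""
    out = ["Registry::"]
    hook_values = []
    for f in findings:
        if f["kind"] == "bho":
            out.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{{{f['clsid']}}}]")
        else:
            hook_values.append(f'"{{{f["clsid"]}}}"=-')
    if hook_values:
        out.append(r"[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]")
        out.extend(hook_values)
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['kind']:4} {f['clsid']}  {f['path']}  <- {', '.join(f['reasons'])}")
    print()
    print(cfscript_registry_section(found))
</```

On the sample above it flags exactly the two entries Blade81's script removes (the unnamed, missing hgGvwXrP.dll BHO and the rqRLcbXR.dll hook with empty metadata) and leaves the Adobe, Java and CA entries alone. Run it against a full log with `triage(open("hijackthis.log").read())`; treat the random-name reason as a prompt to look closer, not as proof on its own.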

Necro1
2008-06-12, 02:46
Well... I tried to do the ComboFix thing but, in normal mode, I kept getting an error: "Some files could not be created. Please close all applications, reboot Windows and restart this installation." I tried it 3 times but I would get the same error every time, so I booted into safe mode again and it ran just fine that way.

I downloaded ATF and it installed fine, but when I followed your instructions some of the items I was supposed to check were blacked out so I couldn't see them (I figured out what was what by process of elimination, since only "all users temp", "java cache" and "select all" were blacked out). Other than that it seemed to run fine.

The KOS still doesn't work; it keeps saying "You need to install Java Version 1.5 or later to run Kaspersky Online Scan 7.0" and it gives me a link to the Java site, where I downloaded Java 6 Update 6 and installed it, rebooted and tried the KOS again with no change. I even tried all of the troubleshooting steps given, and everything is configured properly and my cache is empty, and it didn't help.

Otherwise, here are the ComboFix and HJT logs:
ComboFix 08-06-10.1 - Necro1 2008-06-11 17:39:04.3 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1799 [GMT -5:00]
Running from: C:\Documents and Settings\Necro1\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Necro1\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\mbykkwsk.dll
C:\WINDOWS\system32\Smab0.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\system32\mbykkwsk.dll
C:\WINDOWS\system32\Smab0.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 )))))))))))))))))))))))))))))))
.

2008-06-10 20:48 . 2008-06-10 20:48 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-06-10 20:48 . 2008-06-10 20:48 <DIR> d-------- C:\WINDOWS\system32\restore
2008-06-10 20:48 . 2008-06-10 20:48 <DIR> d-------- C:\WINDOWS\system32\npp
2008-06-10 20:48 . 2008-06-10 20:48 <DIR> d-------- C:\WINDOWS\srchasst
2008-06-10 20:48 . 2008-06-10 20:48 <DIR> d-------- C:\WINDOWS\msagent
2008-06-10 20:48 . 2008-06-10 20:48 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-06-09 23:07 . 2008-06-09 23:07 <DIR> d-------- C:\Program Files\Chatango
2008-06-08 13:40 . 2008-06-08 13:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-07 22:44 . 2008-06-07 23:32 151 --a------ C:\WINDOWS\wininit.ini
2008-06-07 17:47 . 2008-06-07 17:47 <DIR> d-------- C:\Program Files\ThreatFire
2008-06-07 17:47 . 2008-06-07 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-06-07 17:47 . 2008-04-24 16:52 51,520 --a------ C:\WINDOWS\system32\drivers\TfFsMon.sys
2008-06-07 17:47 . 2008-04-24 16:52 38,208 --a------ C:\WINDOWS\system32\drivers\TfSysMon.sys
2008-06-07 17:47 . 2008-04-24 16:52 33,088 --a------ C:\WINDOWS\system32\drivers\TfNetMon.sys
2008-06-07 17:47 . 2008-04-24 16:52 12,608 --a------ C:\WINDOWS\system32\drivers\TfKbMon.sys
2008-06-07 12:01 . 2008-06-07 12:01 <DIR> d-------- C:\Documents and Settings\Necro1\Application Data\dvdcss
2008-06-07 11:43 . 2008-06-07 11:43 <DIR> d-------- C:\Program Files\QuickTime
2008-06-07 11:43 . 2008-05-06 01:01 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-06-07 11:43 . 2008-05-06 01:01 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-06-07 11:30 . 2008-06-07 11:30 <DIR> d-------- C:\Documents and Settings\Necro1\Application Data\Uniblue
2008-06-07 11:14 . 2008-06-07 11:14 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-06-07 11:14 . 2004-02-22 10:11 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-06-07 11:14 . 2006-10-07 17:43 502,784 --a------ C:\WINDOWS\x2.64.exe
2008-06-07 11:14 . 2008-02-07 16:15 408,576 --a------ C:\WINDOWS\system32\Smab.dll
2008-06-07 11:14 . 2007-05-17 17:30 318,976 --a------ C:\WINDOWS\system32\avisynth.dll
2008-06-07 11:14 . 2005-02-28 13:16 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2008-06-07 11:14 . 2006-04-12 09:47 217,073 --a------ C:\WINDOWS\meta4.exe
2008-06-07 11:14 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
2008-06-07 11:14 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2008-06-07 11:14 . 2006-04-05 08:09 66,560 --a------ C:\WINDOWS\MOTA113.exe
2008-06-07 11:14 . 2005-07-14 12:31 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-06-07 11:12 . 2008-06-07 11:12 <DIR> d-------- C:\Program Files\eRightSoft
2008-06-06 20:02 . 2008-06-06 20:02 <DIR> d-------- C:\Documents and Settings\Necro1\Application Data\Axara
2008-06-06 20:01 . 2008-06-06 20:01 <DIR> d-------- C:\Program Files\Common Files\Axara
2008-06-06 20:01 . 2008-06-06 20:01 <DIR> d-------- C:\Program Files\Axara
2008-06-06 20:01 . 2004-07-03 20:59 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-06-06 20:00 . 2008-06-06 20:00 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-31 14:00 . 2008-05-31 14:00 <DIR> d-------- C:\Program Files\AC3Filter
2008-05-31 14:00 . 2007-08-18 02:54 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-05-28 21:23 . 2008-02-26 06:48 297,984 --a------ C:\WINDOWS\system32\dllcache\msctf.dll
2008-05-27 00:07 . 2008-05-31 01:00 <DIR> d--hs---- C:\Diskeeper
2008-05-17 02:02 . 2008-05-17 02:02 <DIR> d-------- C:\Program Files\River Past
2008-05-17 02:02 . 2008-05-17 02:02 <DIR> d-------- C:\Program Files\Common Files\River Past
2008-05-17 02:02 . 2008-05-17 02:02 <DIR> d-------- C:\Documents and Settings\Necro1\Application Data\River Past G5
2008-05-17 02:02 . 2008-05-17 02:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\River Past G5
2008-05-17 02:02 . 2008-05-17 02:02 166,782 --a------ C:\WINDOWS\Video Cleaner Pro Uninstaller.exe
2008-05-16 23:26 . 2008-05-16 23:37 <DIR> d-------- C:\Temp
2008-05-16 21:53 . 2008-06-07 11:43 <DIR> d-------- C:\Program Files\ImTOO
2008-05-16 16:42 . 2008-05-16 16:42 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-11 22:42 . 2008-05-25 21:02 50 --a------ C:\WINDOWS\MegaManager.INI
2008-05-11 22:18 . 2008-05-11 22:18 <DIR> d-------- C:\Documents and Settings\Necro1\Application Data\Megaupload
2008-05-11 22:17 . 2008-05-11 22:17 <DIR> d-------- C:\Program Files\Megaupload
2008-05-11 13:41 . 2008-05-11 22:18 <DIR> d-------- C:\Program Files\MegauploadToolbar
2008-05-11 13:41 . 2008-06-10 22:50 <DIR> d-------- C:\Documents and Settings\Necro1\Application Data\MegauploadToolbar
2008-05-11 01:25 . 2008-05-31 16:52 <DIR> d-------- C:\divx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 22:36 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-06-11 22:36 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-06-11 22:36 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-06-11 22:36 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-06-11 22:36 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-06-11 22:36 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-06-11 22:36 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-06-11 22:36 177,838 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-06-11 22:36 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-11 22:36 --------- d-----w C:\Documents and Settings\Necro1\Application Data\tor
2008-06-11 22:33 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Vidalia
2008-06-11 22:06 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-11 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-11 00:15 --------- d-----w C:\Documents and Settings\Necro1\Application Data\CallingID
2008-06-10 02:00 --------- d-----w C:\Documents and Settings\Necro1\Application Data\BitTorrent
2008-06-05 03:58 880,560 ----a-w C:\WINDOWS\system32\drivers\vetefile.sys
2008-06-05 03:58 108,368 ----a-w C:\WINDOWS\system32\drivers\veteboot.sys
2008-05-17 03:27 --------- d-----w C:\Documents and Settings\Necro1\Application Data\DivX
2008-05-12 03:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-11 03:38 --------- d-----w C:\Documents and Settings\Necro1\Application Data\teamspeak2
2008-05-11 03:21 --------- d-----w C:\Program Files\DivXCodec
2008-05-11 00:06 --------- d-----w C:\Program Files\MKVTOAVI
2008-05-10 19:57 --------- d-----w C:\Program Files\Unlocker
2008-05-10 02:49 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-05-10 02:43 --------- d-----w C:\Program Files\Disney
2008-05-09 03:34 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Media Player Classic
2008-05-09 03:33 --------- d-----w C:\Program Files\Real Alternative
2008-05-09 02:13 --------- d-----w C:\Program Files\XviD
2008-05-09 02:13 --------- d-----w C:\Program Files\A-Z
2008-05-09 01:50 --------- d-----w C:\Program Files\SysShield Tools
2008-05-09 01:24 --------- d-----w C:\Program Files\Naevius GVI Converter
2008-05-09 01:20 --------- d-----w C:\Program Files\DivX
2008-05-07 22:05 --------- d-----w C:\Documents and Settings\Necro1\Application Data\NeroDigital™
2008-05-07 02:53 --------- d-----w C:\Program Files\Lavasoft
2008-05-07 02:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-07 02:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-06 03:37 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Nero
2008-05-06 03:36 --------- d-----w C:\Program Files\Nero
2008-05-06 03:36 --------- d-----w C:\Program Files\Common Files\Nero
2008-05-06 03:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-05-06 03:14 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-05 02:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-05-05 02:07 --------- d-----w C:\Program Files\Vidalia Bundle
2008-05-04 21:31 --------- d-----w C:\Program Files\Guild Wars
2008-05-04 21:31 --------- d-----w C:\Documents and Settings\Necro1\Application Data\DNA
2008-05-04 20:01 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-05-04 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-05-04 18:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2008-05-04 18:27 --------- d-----w C:\Program Files\SlySoft
2008-04-30 23:54 --------- d-----w C:\Program Files\DNA
2008-04-30 23:54 --------- d-----w C:\Program Files\BitTorrent
2008-04-30 04:03 --------- d-----w C:\Program Files\RivaTuner v2.09
2008-04-30 02:47 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-04-30 02:46 --------- d-----w C:\Program Files\NVIDIA nTune Performance Application
2008-04-29 02:49 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Talkback
2008-04-28 02:50 --------- d-----w C:\Program Files\MySpace
2008-04-28 02:50 --------- d-----w C:\Documents and Settings\Necro1\Application Data\MySpace
2008-04-27 23:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-27 23:05 --------- d-----w C:\Program Files\Winamp
2008-04-27 22:58 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Winamp
2008-04-27 21:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-04-27 21:55 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Logitech
2008-04-27 21:54 --------- d-----w C:\Program Files\Common Files\Logishrd
2008-04-27 21:53 --------- d-----w C:\Program Files\Logitech
2008-04-27 21:53 --------- d-----w C:\Documents and Settings\Necro1\Application Data\InstallShield
2008-04-27 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-04-27 16:44 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-27 16:42 --------- d-----w C:\Program Files\Java
2008-04-27 16:36 --------- d-----w C:\Program Files\Common Files\Java
2008-04-26 04:23 --------- d-----w C:\Program Files\Windows Installer Clean Up
2008-04-26 04:22 --------- d-----w C:\Program Files\MSECACHE
2008-04-23 23:09 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Ahead
2008-04-23 22:07 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-04-23 21:51 --------- d-----w C:\Program Files\Sierra
2008-04-22 00:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-04-22 00:20 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Skype
2008-04-22 00:02 --------- d-----w C:\Documents and Settings\Necro1\Application Data\skypePM
2008-04-21 23:27 --------- d-----w C:\Program Files\MSXML 6.0
2008-04-21 23:24 --------- d-----w C:\Program Files\MSXML 4.0
2008-04-21 03:38 --------- d-----w C:\Program Files\THQ
2008-04-21 03:01 --------- d-----w C:\Program Files\VS Revo Group
2008-04-20 22:26 --------- d-----w C:\Program Files\Common Files\NSV
2008-04-20 21:58 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-04-20 21:55 --------- d-----w C:\Program Files\Skype
2008-04-20 21:55 --------- d-----w C:\Program Files\Common Files\Skype
2008-04-20 21:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-04-20 21:54 --------- d-----w C:\Program Files\CCleaner
2008-04-19 07:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-19 06:04 --------- d-----w C:\Program Files\Common Files\Scanner
2008-04-19 06:03 91,400 ----a-w C:\WINDOWS\system32\isafprod.dll
2008-04-19 06:03 32,264 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-04-19 06:03 26,376 ----a-w C:\WINDOWS\system32\drivers\vet-filt.sys
2008-04-19 06:03 21,512 ----a-w C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-04-19 06:03 21,128 ----a-w C:\WINDOWS\system32\drivers\vet-rec.sys
2008-04-19 04:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2008-04-18 22:59 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-18 22:58 --------- d-----w C:\Program Files\CA
2008-04-18 22:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-18 10:34 --------- d-----w C:\Program Files\Microsoft PowerToys
2008-04-18 10:34 --------- d-----w C:\Program Files\HashTab Shell Extension
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-10_20.50.48.16 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-11 01:48:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-11 22:37:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 18:27 9117696]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 19:25 81920]
"Vidalia"="C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe" [2008-06-08 11:52 12889088]
"Chatango"="C:\Program Files\Chatango\Chatango.exe" [2008-02-04 23:18 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2008-03-29 22:39 19968 C:\WINDOWS\Logi_MwX.Exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-29 19:00 15473664 C:\WINDOWS\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2008-03-04 11:02 1626112 C:\WINDOWS\system32\nwiz.exe]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-05-26 13:39 181512]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-04-19 01:03 234760]
"cafw"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-04-18 23:20 771336]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-04-18 23:20 173320]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-04-18 23:20 259336]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe" [2008-04-18 23:20 14088]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.09\RivaTuner.exe" [2008-04-28 13:25 2707456]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 02:17 55824 C:\WINDOWS\KHALMNPR.Exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-03-04 11:02 8523776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 18:27 9117696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-03-01 08:03 124928 C:\WINDOWS\system32\advpack.dll]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

C:\Documents and Settings\Necro1\Start Menu\Programs\Startup\
taskmgr.exe.lnk - C:\WINDOWS\system32\taskmgr.exe [2004-08-03 18:56:58 135680]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-04-27 16:54:28 789008]
Privoxy.lnk - C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe [2008-06-08 11:52:20 250368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"EnableShellExecuteHooks"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\LinkAdvisor\CIDLinkAdvisor.dll [2007-10-15 21:40 1373624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll 2008-01-09 12:30 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 13:30 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"vidc.DIVF"= DivX412.dll
"vidc.vp31"= vp31vfw.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2008-05-06 21:19 4579328 C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-04-30 18:54 288576 C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThreatFire]
--a------ 2008-04-24 16:52 259392 C:\Program Files\ThreatFire\TFTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys [2008-04-24 16:52]
R0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys [2008-04-24 16:52]
S0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-10-18 10:24]
S1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 13:30]
S1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 13:30]
S1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-10-18 14:21]
S2 CX88XBAR;KWorld TV88X Crossbar;C:\WINDOWS\system32\drivers\CX88XBAR.sys [2005-01-18 05:58]
S2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-10-18 10:24]
S2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-11-02 12:09]
S2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service []
S2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-10-18 10:24]
S2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-10-18 10:24]
S2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-05-18 13:30]
S3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-09-13 15:15]
S3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2008-04-18 23:19]
S3 TfNetMon;TfNetMon;C:\WINDOWS\system32\drivers\TfNetMon.sys [2008-04-24 16:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - CX88XBAR
*Newly Created Service* - CXTUNE
.
Contents of the 'Scheduled Tasks' folder
"2008-06-09 22:58:24 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Necro1 at 4 30 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\caantispyware.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 17:39:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-11 17:39:56
ComboFix-quarantined-files.txt 2008-06-11 22:39:54

Pre-Run: 278,130,417,664 bytes free
Post-Run: 278,139,703,296 bytes free

316 --- E O F --- 2008-05-29 02:24:08


HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:00 PM, on 6/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\Chatango\Chatango.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Light\CAGlobalLight.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CAGlobal.exe
C:\Program Files\Trend Micro\HijackThis\Necro1.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.09\RivaTuner.exe" /S
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [Chatango] C:\Program Files\Chatango\Chatango.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D334EE9-5637-46B3-9129-E3E8C8D7A525}: NameServer = 206.9.80.11
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 10215 bytes
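
A HijackThis log like the one above is read by hand, section by section (O2 BHOs, O4 autostarts, O17 DNS servers, O23 services). The script below is an added example, not part of this thread or of HijackThis itself: it parses lines in that format and flags the entries a helper would look at first. Its sample input is constructed; six lines mirror entries from the log above, and the final O4 line (a program starting from a Temp folder) is hypothetical, included only to exercise the location rule. The flags are heuristics for manual review, not verdicts.

```python
"""Triage a HijackThis v2 log: group entries by section and flag items worth
checking by hand. Added example for this thread, not HijackThis's own code."""
import re
from collections import defaultdict

# Constructed sample in HijackThis format. The first six lines mirror entries
# seen in the thread's log; the last O4 line is hypothetical and exists only
# to exercise the "runs from outside Windows/Program Files" rule.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D334EE9-5637-46B3-9129-E3E8C8D7A525}: NameServer = 206.9.80.11
O4 - HKCU\..\Run: [hypothetical] C:\Documents and Settings\Necro1\Local Settings\Temp\abcdef.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# First Windows path in the entry, ending at a known executable extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]()]*?\.(?:exe|dll|sys|ocx|cpl|scr|bat|cmd)',
                     re.IGNORECASE)
SERVICE_ACCOUNTS = ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "Default user")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def parse_hjt(text):
    """Return [{'section', 'body', 'path'}] for every Oxx/Rx/Fx/Nx line."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, 'Running processes' block, blank lines
        section, body = m.groups()
        pm = PATH_RE.search(body)
        entries.append({"section": section, "body": body,
                        "path": pm.group(0) if pm else None})
    return entries


def flag_entry(e):
    """Heuristic reasons an entry deserves a manual look; empty list if none."""
    reasons = []
    body, path = e["body"], e["path"]
    if "(file missing)" in body:
        reasons.append("dangling reference: registered file no longer exists")
    if path and "~" in path:
        reasons.append("8.3 short-name path: expand it before deciding what it is")
    if path and not path.lower().startswith(TRUSTED_ROOTS):
        reasons.append("runs from outside Windows/Program Files")
    if e["section"] == "O4" and any(f"(User '{a}')" in body for a in SERVICE_ACCOUNTS):
        reasons.append("per-user autostart under a service/default account")
    if e["section"] == "O17":
        ip = re.search(r"NameServer = (\S+)", body)
        reasons.append(f"custom DNS server {ip.group(1) if ip else '?'}: confirm it is the ISP's")
    return reasons


def triage(text):
    """Map section -> list of (body, reasons) for flagged entries only."""
    report = defaultdict(list)
    for e in parse_hjt(text):
        reasons = flag_entry(e)
        if reasons:
            report[e["section"]].append((e["body"], reasons))
    return dict(report)


if __name__ == "__main__":
    for section, items in sorted(triage(SAMPLE_LOG).items()):
        print(section)
        for body, reasons in items:
            print("  ", body)
            for r in reasons:
                print("      ->", r)
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. Entries that pass every rule (the Adobe BHO, the CA tray icon) are omitted from the report so the output is the short list a helper actually needs; a flagged entry still has to be checked by hand, for example by expanding the short name and looking the CLSID up, before anything is removed.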

Necro1
2008-06-12, 03:00
I also stopped Lavasoft's Ad-Watch and ThreatFire from starting up from msconfig under the Startup tab. Also, my spyware scanner continues to detect and quarantine more spyware: Bifrost, KaZaA, and another Darksma. The only P2P software I have installed is BitTorrent and I haven't used that in about a month, so I don't know why KaZaA is there. I hope this added info helps; if not, just tell me to leave this stuff out from now on. And another thing: thank you for helping me out. I would be drowning if it were not for you. :)

Blade81
2008-06-12, 07:14
Hi

Let's try following actions. :)

Rename ComboFix.exe to Combo-Fix.exe, then disable CA Security Suite, try running the renamed ComboFix again, and post back its log.

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file & a fresh hjt log in your next reply.

Necro1
2008-06-12, 07:53
Well, I renamed ComboFix to Combo-Fix, but I still can't get it to do anything in normal boot mode. I keep getting the same error message as before (and it is right after the little progress bar fills up). Is this an issue, or is safe mode just fine? Should I go ahead and download Malwarebytes and do the run, or should I wait until Combo-Fix is working properly? I was considering uninstalling ComboFix and re-downloading it and starting fresh. Is this a good idea? I didn't want to take the next step without your approval first and risk messing up everything we have done.

Blade81
2008-06-12, 09:26
Did you also disable CA Anti-Virus? Running from safe mode was just fine. Please move on to the Malwarebytes' Anti-Malware scan.

Necro1
2008-06-13, 02:05
OK. Running in safe mode disables all CA real-time scanners automatically. I ran Combo-Fix.exe in safe mode successfully again. I could not get Malwarebytes to run in normal mode, but it ran with no issues in safe mode, and it found 2 instances of Vundo and another virus/spyware that I can't remember the name of, but it was a dialer of some sort. I made sure all of them were checked and I clicked Remove like you said. Below are the Combo-Fix, Malwarebytes and HJT logs, in that order.

ComboFix 08-06-10.1 - Necro1 2008-06-12 17:18:03.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1797 [GMT -5:00]
Running from: C:\Documents and Settings\Necro1\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-12 to 2008-06-12 )))))))))))))))))))))))))))))))
.

2008-06-11 17:38 . 2008-06-11 17:40 <DIR> d-------- C:\ComboFix
2008-06-10 20:48 . 2008-06-10 20:48 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-06-10 20:48 . 2008-06-10 20:48 <DIR> d-------- C:\WINDOWS\system32\restore
2008-06-10 20:48 . 2008-06-10 20:48 <DIR> d-------- C:\WINDOWS\system32\npp
2008-06-10 20:48 . 2008-06-10 20:48 <DIR> d-------- C:\WINDOWS\srchasst
2008-06-10 20:48 . 2008-06-10 20:48 <DIR> d-------- C:\WINDOWS\msagent
2008-06-10 20:48 . 2008-06-10 20:48 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-06-09 23:07 . 2008-06-09 23:07 <DIR> d-------- C:\Program Files\Chatango
2008-06-08 13:40 . 2008-06-08 13:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-07 22:44 . 2008-06-07 23:32 151 --a------ C:\WINDOWS\wininit.ini
2008-06-07 17:47 . 2008-06-07 17:47 <DIR> d-------- C:\Program Files\ThreatFire
2008-06-07 17:47 . 2008-06-07 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-06-07 17:47 . 2008-04-24 16:52 51,520 --a------ C:\WINDOWS\system32\drivers\TfFsMon.sys
2008-06-07 17:47 . 2008-04-24 16:52 38,208 --a------ C:\WINDOWS\system32\drivers\TfSysMon.sys
2008-06-07 17:47 . 2008-04-24 16:52 33,088 --a------ C:\WINDOWS\system32\drivers\TfNetMon.sys
2008-06-07 17:47 . 2008-04-24 16:52 12,608 --a------ C:\WINDOWS\system32\drivers\TfKbMon.sys
2008-06-07 12:01 . 2008-06-07 12:01 <DIR> d-------- C:\Documents and Settings\Necro1\Application Data\dvdcss
2008-06-07 11:43 . 2008-06-07 11:43 <DIR> d-------- C:\Program Files\QuickTime
2008-06-07 11:43 . 2008-05-06 01:01 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-06-07 11:43 . 2008-05-06 01:01 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-06-07 11:30 . 2008-06-07 11:30 <DIR> d-------- C:\Documents and Settings\Necro1\Application Data\Uniblue
2008-06-07 11:14 . 2008-06-07 11:14 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-06-07 11:14 . 2004-02-22 10:11 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-06-07 11:14 . 2006-10-07 17:43 502,784 --a------ C:\WINDOWS\x2.64.exe
2008-06-07 11:14 . 2008-02-07 16:15 408,576 --a------ C:\WINDOWS\system32\Smab.dll
2008-06-07 11:14 . 2007-05-17 17:30 318,976 --a------ C:\WINDOWS\system32\avisynth.dll
2008-06-07 11:14 . 2005-02-28 13:16 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2008-06-07 11:14 . 2006-04-12 09:47 217,073 --a------ C:\WINDOWS\meta4.exe
2008-06-07 11:14 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
2008-06-07 11:14 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2008-06-07 11:14 . 2006-04-05 08:09 66,560 --a------ C:\WINDOWS\MOTA113.exe
2008-06-07 11:14 . 2005-07-14 12:31 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-06-07 11:12 . 2008-06-07 11:12 <DIR> d-------- C:\Program Files\eRightSoft
2008-06-06 20:02 . 2008-06-06 20:02 <DIR> d-------- C:\Documents and Settings\Necro1\Application Data\Axara
2008-06-06 20:01 . 2008-06-06 20:01 <DIR> d-------- C:\Program Files\Common Files\Axara
2008-06-06 20:01 . 2008-06-06 20:01 <DIR> d-------- C:\Program Files\Axara
2008-06-06 20:01 . 2004-07-03 20:59 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-06-06 20:00 . 2008-06-06 20:00 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-31 14:00 . 2008-05-31 14:00 <DIR> d-------- C:\Program Files\AC3Filter
2008-05-31 14:00 . 2007-08-18 02:54 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-05-28 21:23 . 2008-02-26 06:48 297,984 --a------ C:\WINDOWS\system32\dllcache\msctf.dll
2008-05-27 00:07 . 2008-05-31 01:00 <DIR> d--hs---- C:\Diskeeper
2008-05-17 02:02 . 2008-05-17 02:02 <DIR> d-------- C:\Program Files\River Past
2008-05-17 02:02 . 2008-05-17 02:02 <DIR> d-------- C:\Program Files\Common Files\River Past
2008-05-17 02:02 . 2008-05-17 02:02 <DIR> d-------- C:\Documents and Settings\Necro1\Application Data\River Past G5
2008-05-17 02:02 . 2008-05-17 02:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\River Past G5
2008-05-17 02:02 . 2008-05-17 02:02 166,782 --a------ C:\WINDOWS\Video Cleaner Pro Uninstaller.exe
2008-05-16 23:26 . 2008-05-16 23:37 <DIR> d-------- C:\Temp
2008-05-16 21:53 . 2008-06-07 11:43 <DIR> d-------- C:\Program Files\ImTOO
2008-05-16 16:42 . 2008-05-16 16:42 118 --a------ C:\WINDOWS\system32\MRT.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 22:14 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-06-12 22:14 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-06-12 22:14 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-06-12 22:14 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-06-12 22:14 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-06-12 22:14 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-06-12 22:14 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-06-12 22:14 177,838 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-06-12 22:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-12 22:13 --------- d-----w C:\Documents and Settings\Necro1\Application Data\tor
2008-06-12 22:01 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Vidalia
2008-06-12 03:37 --------- d-----w C:\Documents and Settings\Necro1\Application Data\teamspeak2
2008-06-12 00:06 --------- d-----w C:\Documents and Settings\Necro1\Application Data\CallingID
2008-06-12 00:03 --------- d-----w C:\Documents and Settings\Necro1\Application Data\MegauploadToolbar
2008-06-11 23:53 --------- d-----w C:\Program Files\Java
2008-06-11 22:06 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-11 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-10 02:00 --------- d-----w C:\Documents and Settings\Necro1\Application Data\BitTorrent
2008-06-05 03:58 880,560 ----a-w C:\WINDOWS\system32\drivers\vetefile.sys
2008-06-05 03:58 108,368 ----a-w C:\WINDOWS\system32\drivers\veteboot.sys
2008-05-17 03:27 --------- d-----w C:\Documents and Settings\Necro1\Application Data\DivX
2008-05-12 03:18 --------- d-----w C:\Program Files\MegauploadToolbar
2008-05-12 03:18 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Megaupload
2008-05-12 03:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-12 03:17 --------- d-----w C:\Program Files\Megaupload
2008-05-11 03:21 --------- d-----w C:\Program Files\DivXCodec
2008-05-11 00:06 --------- d-----w C:\Program Files\MKVTOAVI
2008-05-10 19:57 --------- d-----w C:\Program Files\Unlocker
2008-05-10 02:49 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-05-10 02:43 --------- d-----w C:\Program Files\Disney
2008-05-09 03:34 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Media Player Classic
2008-05-09 03:33 --------- d-----w C:\Program Files\Real Alternative
2008-05-09 02:13 --------- d-----w C:\Program Files\XviD
2008-05-09 02:13 --------- d-----w C:\Program Files\A-Z
2008-05-09 01:50 --------- d-----w C:\Program Files\SysShield Tools
2008-05-09 01:24 --------- d-----w C:\Program Files\Naevius GVI Converter
2008-05-09 01:20 --------- d-----w C:\Program Files\DivX
2008-05-07 22:05 --------- d-----w C:\Documents and Settings\Necro1\Application Data\NeroDigital™
2008-05-07 02:53 --------- d-----w C:\Program Files\Lavasoft
2008-05-07 02:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-07 02:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-06 03:37 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Nero
2008-05-06 03:36 --------- d-----w C:\Program Files\Nero
2008-05-06 03:36 --------- d-----w C:\Program Files\Common Files\Nero
2008-05-06 03:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-05-06 03:14 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-05 02:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-05-05 02:07 --------- d-----w C:\Program Files\Vidalia Bundle
2008-05-04 21:31 --------- d-----w C:\Program Files\Guild Wars
2008-05-04 21:31 --------- d-----w C:\Documents and Settings\Necro1\Application Data\DNA
2008-05-04 20:01 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-05-04 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-05-04 18:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2008-05-04 18:27 --------- d-----w C:\Program Files\SlySoft
2008-04-30 23:54 --------- d-----w C:\Program Files\DNA
2008-04-30 23:54 --------- d-----w C:\Program Files\BitTorrent
2008-04-30 04:03 --------- d-----w C:\Program Files\RivaTuner v2.09
2008-04-30 02:47 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-04-30 02:46 --------- d-----w C:\Program Files\NVIDIA nTune Performance Application
2008-04-29 02:49 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Talkback
2008-04-28 02:50 --------- d-----w C:\Program Files\MySpace
2008-04-28 02:50 --------- d-----w C:\Documents and Settings\Necro1\Application Data\MySpace
2008-04-27 23:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-27 23:05 --------- d-----w C:\Program Files\Winamp
2008-04-27 22:58 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Winamp
2008-04-27 21:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-04-27 21:55 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Logitech
2008-04-27 21:54 --------- d-----w C:\Program Files\Common Files\Logishrd
2008-04-27 21:53 --------- d-----w C:\Program Files\Logitech
2008-04-27 21:53 --------- d-----w C:\Documents and Settings\Necro1\Application Data\InstallShield
2008-04-27 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-04-27 16:44 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-27 16:36 --------- d-----w C:\Program Files\Common Files\Java
2008-04-26 04:23 --------- d-----w C:\Program Files\Windows Installer Clean Up
2008-04-26 04:22 --------- d-----w C:\Program Files\MSECACHE
2008-04-23 23:09 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Ahead
2008-04-23 22:07 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-04-23 21:51 --------- d-----w C:\Program Files\Sierra
2008-04-22 00:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-04-22 00:20 --------- d-----w C:\Documents and Settings\Necro1\Application Data\Skype
2008-04-22 00:02 --------- d-----w C:\Documents and Settings\Necro1\Application Data\skypePM
2008-04-21 23:27 --------- d-----w C:\Program Files\MSXML 6.0
2008-04-21 23:24 --------- d-----w C:\Program Files\MSXML 4.0
2008-04-21 03:38 --------- d-----w C:\Program Files\THQ
2008-04-21 03:01 --------- d-----w C:\Program Files\VS Revo Group
2008-04-20 22:26 --------- d-----w C:\Program Files\Common Files\NSV
2008-04-20 21:58 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-04-20 21:55 --------- d-----w C:\Program Files\Skype
2008-04-20 21:55 --------- d-----w C:\Program Files\Common Files\Skype
2008-04-20 21:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-04-20 21:54 --------- d-----w C:\Program Files\CCleaner
2008-04-19 07:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-19 06:04 --------- d-----w C:\Program Files\Common Files\Scanner
2008-04-19 06:03 91,400 ----a-w C:\WINDOWS\system32\isafprod.dll
2008-04-19 06:03 32,264 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-04-19 06:03 26,376 ----a-w C:\WINDOWS\system32\drivers\vet-filt.sys
2008-04-19 06:03 21,512 ----a-w C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-04-19 06:03 21,128 ----a-w C:\WINDOWS\system32\drivers\vet-rec.sys
2008-04-19 04:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2008-04-18 22:59 --------- d-----w C:\Program Files\Common Files\InstallShield
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-10_20.50.48.16 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-11 01:48:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-12 22:14:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-02-22 06:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 06:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2008-02-22 06:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 06:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-02-22 07:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-03-25 07:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 18:27 9117696]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 19:25 81920]
"Vidalia"="C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe" [2008-06-08 11:52 12889088]
"Chatango"="C:\Program Files\Chatango\Chatango.exe" [2008-02-04 23:18 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2008-03-29 22:39 19968 C:\WINDOWS\Logi_MwX.Exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-29 19:00 15473664 C:\WINDOWS\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2008-03-04 11:02 1626112 C:\WINDOWS\system32\nwiz.exe]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-05-26 13:39 181512]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-04-19 01:03 234760]
"cafw"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-04-18 23:20 771336]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-04-18 23:20 173320]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-04-18 23:20 259336]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe" [2008-04-18 23:20 14088]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.09\RivaTuner.exe" [2008-04-28 13:25 2707456]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 02:17 55824 C:\WINDOWS\KHALMNPR.Exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-03-04 11:02 8523776]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 18:27 9117696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-03-01 08:03 124928 C:\WINDOWS\system32\advpack.dll]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

C:\Documents and Settings\Necro1\Start Menu\Programs\Startup\
taskmgr.exe.lnk - C:\WINDOWS\system32\taskmgr.exe [2004-08-03 18:56:58 135680]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-04-27 16:54:28 789008]
Privoxy.lnk - C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe [2008-06-08 11:52:20 250368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"EnableShellExecuteHooks"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\LinkAdvisor\CIDLinkAdvisor.dll [2007-10-15 21:40 1373624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll 2008-01-09 12:30 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 13:30 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"vidc.DIVF"= DivX412.dll
"vidc.vp31"= vp31vfw.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2008-05-06 21:19 4579328 C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-04-30 18:54 288576 C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThreatFire]
--a------ 2008-04-24 16:52 259392 C:\Program Files\ThreatFire\TFTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys [2008-04-24 16:52]
R0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys [2008-04-24 16:52]
S0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-10-18 10:24]
S1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 13:30]
S1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 13:30]
S1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-10-18 14:21]
S2 CX88XBAR;KWorld TV88X Crossbar;C:\WINDOWS\system32\drivers\CX88XBAR.sys [2005-01-18 05:58]
S2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-10-18 10:24]
S2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-11-02 12:09]
S2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service []
S2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-10-18 10:24]
S2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-10-18 10:24]
S2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-05-18 13:30]
S3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-09-13 15:15]
S3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2008-04-18 23:19]
S3 TfNetMon;TfNetMon;C:\WINDOWS\system32\drivers\TfNetMon.sys [2008-04-24 16:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

*Newly Created Service* - CX88XBAR
*Newly Created Service* - CXTUNE
.
Contents of the 'Scheduled Tasks' folder
"2008-06-12 05:19:16 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Necro1 at 11 18 AM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\caantispyware.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-12 17:18:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-12 17:18:56
ComboFix-quarantined-files.txt 2008-06-12 22:18:54
ComboFix2.txt 2008-06-11 22:39:57

Pre-Run: 278,047,645,696 bytes free
Post-Run: 278,050,516,992 bytes free

308 --- E O F --- 2008-05-29 02:24:08

**************************************************************************

Malwarebytes' Anti-Malware 1.17
Database version: 851

6:35:11 PM 6/12/2008
mbam-log-6-12-2008 (18-35-01).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 261644
Time elapsed: 17 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a0b4ffea-d466-49a8-9bb0-b7bbd2fcb449} (Trojan.Vundo) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\winzwr32.dll.vir (Dialer) -> No action taken.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> No action taken.

***************************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:50 PM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\Chatango\Chatango.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CAGlobal.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Light\CAGlobalLight.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Necro1.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.09\RivaTuner.exe" /S
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [Chatango] C:\Program Files\Chatango\Chatango.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D334EE9-5637-46B3-9129-E3E8C8D7A525}: NameServer = 206.9.80.11
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 10232 bytes

Blade81
2008-06-13, 07:17
Hi

Did you quarantine Malwarebytes' Anti-Malware (MBAM) findings as instructed? I'm asking because in the log it says 'no action taken'. Also, what problems did you have while trying to run MBAM in normal mode?

Necro1
2008-06-14, 07:28
Yes, I did quarantine them as you had asked... I double-checked and they are listed under the MBAM quarantine list as well. The problem I had with MBAM in normal mode was that when I clicked for a full scan on drives C: and D: (both of my hard drives) it didn't do anything. It just sat there doing nothing, and I tried it 3 times with the same results, but in safe mode it worked fine. I could always try to do another scan for you if you wish... it's nothing if it gets rid of these stupid malware progs.

Blade81
2008-06-14, 15:15
Hi

I'm not sure if it's needed to run MBAM again. Anyway, let's see your hjt log again. Do you still have problems with the system?

Necro1
2008-06-14, 19:19
My system does seem to be running better :) ...but something is still disabling my real-time anti-spyware scanner; I will turn it on, but a few seconds later it is off again. :sad: Maybe I could try a Kaspersky scan again? Well, anyway, here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:08 PM, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\Chatango\Chatango.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CAGlobal.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Light\CAGlobalLight.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\caavGUIScan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\Necro1.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.09\RivaTuner.exe" /S
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe /scan /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [Chatango] C:\Program Files\Chatango\Chatango.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D334EE9-5637-46B3-9129-E3E8C8D7A525}: NameServer = 206.9.80.11
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 10418 bytes

Blade81
2008-06-14, 19:45
Yes, try Kaspersky scanner again. Hjt log itself doesn't show any sign of infection anymore :)

Necro1
2008-06-14, 20:09
Unfortunately I still get the same error message as before when I try to do the Kaspersky scan: "you need to install java version 1.5 or later to run kaspersky online scan 7.0". I uninstalled Java 6u6 and reinstalled Java 6u6 and it has the same results. It seems I may have a unique issue that I haven't read elsewhere on these forums. :sad: But the good news is that I have no more popups and you say that HJT is clean :)

Blade81
2008-06-14, 22:31
Hi

Seems really weird. I'm not sure if Kaspersky forums could answer the question why Online Scanner doesn't work even with right Java installed.

Is your anti-spyware scanner still disabled? Could you try reinstalling it to see if there was some malfunction causing the disabling?

Necro1
2008-06-14, 22:56
I will try to uninstall my CA suite so there will be no doubt about my anti-spyware scanner being the problem with other scans. I am going to delete the stuff in the quarantine list from that first, though. As far as the Kaspersky scanner goes, I used it without any issues about 2 days before I posted a new thread here in these forums, so I don't know what changed. I did notice that the GUI for it is different, so maybe they updated their scanner on their end and they have some bugs to work out. Are there any other scanners I could try to get the info needed to feel that everything is working fine?

Necro1
2008-06-14, 23:00
Also, none of the applets on the Java site work, so it is something with the Java install, or something is interfering with Java, I think.

Necro1
2008-06-15, 00:23
I uninstalled CA AV Suite 2008 and I ran CCleaner (it has a Java cache cleaner, I noticed) and now I am able to run KOS; I am doing so as we speak.

Blade81
2008-06-15, 00:24
Hi

Kaspersky changed their GUI to use Java just a couple of days ago.

Just to make sure did you download Java Runtime Environment (JRE) 6 Update 6 (http://java.sun.com/javase/downloads/index.jsp) offline version (jre-6u6-windows-i586-p.exe file)?

EDIT: Didn't see your latest reply. I'll wait for those results then :)

Necro1
2008-06-15, 00:37
It's going to take a long time. I have over 1,000,000 files according to CA. Currently I have been running almost 50 mins and I am only a little over 50,000 files scanned.

Necro1
2008-06-15, 06:10
Well, here is my KOS log finally :2thumb: It didn't have a scan setting like "extended", so I set it to scan "my computer". I thought for sure that CA said I had over 1,000,000 files to scan, but this stops at a little under 230,000; I don't know why.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, June 14, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, June 14, 2008 20:47:24
Records in database: 863969
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 220922
Threat name: 4
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 02:19:31


File name / Threat name / Threats count
C:\QooBox\Quarantine\C\WINDOWS\system32\mbykkwsk.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pyvuosqs.dll.vir Infected: Trojan.Win32.Monder.gen 1
D:\Downloads\Nero-7.7.5.1_eng_update.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1
D:\Downloads\Nero-7.8.5.0_eng_update.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1
D:\Downloads\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.g 1
D:\Downloads\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a 1
D:\Downloads\WPPerm_v1.0\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.g 1
D:\Downloads\WPPerm_v1.0\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a 1


The selected area was scanned.
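
The report above lists eight detections, but they are not all of the same kind: two are copies sitting in ComboFix's quarantine folder (dead files, renamed with a `.vir` suffix), and six carry Kaspersky's `not-a-virus:` prefix, which marks legitimate-but-abusable tools and adware rather than malware (Blade81 asks about the keyfinder files for exactly that reason). As an added illustration, not code from the thread or from Kaspersky, here is a small triage script that sorts report lines into those buckets. It uses the detection lines posted above as sample input, plus one constructed line with a placeholder `C:\Example` path so the "active" branch has something to classify; the quarantine folder name and the `.vir` suffix are taken from the report itself.

```python
import re
from collections import defaultdict

# Detection lines as printed in the thread's Kaspersky Online Scanner 7 report,
# plus one constructed line (the C:\Example path) so the "active" branch of the
# triage has something to classify.
SAMPLE_KOS = r"""
C:\QooBox\Quarantine\C\WINDOWS\system32\mbykkwsk.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pyvuosqs.dll.vir Infected: Trojan.Win32.Monder.gen 1
D:\Downloads\Nero-7.7.5.1_eng_update.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1
D:\Downloads\Nero-7.8.5.0_eng_update.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1
D:\Downloads\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.g 1
D:\Downloads\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a 1
D:\Downloads\WPPerm_v1.0\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.g 1
D:\Downloads\WPPerm_v1.0\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a 1
C:\Example\constructed.dll Infected: Trojan.Win32.Monder.gen 1
"""

# "<path> Infected: <threat name> <count>" as KOS 7 prints it.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")

# Folders where other tools park files they have already neutralised. A hit
# in one of these is a dead copy, not a running infection.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\",)


def classify(path, threat):
    """Sort one detection into a bucket that tells the reader what to do."""
    low = path.lower()
    if any(mark in low for mark in QUARANTINE_MARKERS) or low.endswith(".vir"):
        return "quarantined"   # already removed by ComboFix; nothing active
    if threat.startswith("not-a-virus:"):
        return "riskware"      # legitimate tool or adware that can be misused
    return "active"            # a live detection that still needs cleaning


def triage_report(text):
    """Parse every detection line and group (path, threat, count) by bucket."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue  # headers, statistics and blank lines
        bucket = classify(m["path"], m["threat"])
        buckets[bucket].append((m["path"], m["threat"], int(m["count"])))
    return dict(buckets)


def families(bucketed):
    """Distinct detection names per bucket, so a helper can ask about each once."""
    return {b: sorted({t for _, t, _ in hits}) for b, hits in bucketed.items()}


if __name__ == "__main__":
    result = triage_report(SAMPLE_KOS)
    for bucket, hits in result.items():
        print(f"{bucket}: {len(hits)} hit(s)")
        for path, threat, _ in hits:
            print(f"    {threat:45} {path}")
```

Run on the lines above it reports two quarantined hits, six riskware hits and the one constructed active hit; only the last bucket would call for further cleaning, while the riskware bucket is a question for the user (what the tool is and whether they installed it on purpose), which is exactly the question the helper asks in the next reply.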

Necro1
2008-06-15, 07:36
I also may have sent you the wrong log before for MBAM, perhaps one that I had before I deleted the infected files. This is the oldest one I could find through the GUI from MBAM:

Malwarebytes' Anti-Malware 1.17
Database version: 851

6:35:21 PM 6/12/2008
mbam-log-6-12-2008 (18-35-21).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 261644
Time elapsed: 17 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a0b4ffea-d466-49a8-9bb0-b7bbd2fcb449} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\winzwr32.dll.vir (Dialer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Blade81
2008-06-15, 12:31
Hi

Could you tell me what these are used for:
D:\Downloads\keyfinder.exe
D:\Downloads\WPPerm_v1.0\


Please download this tool (http://go.microsoft.com/fwlink/?linkid=52012) from Microsoft.
Double click on MGADiag.exe to run it.
Click Continue.
The program will run. It takes a while to finish the diagnosis, please be patient.
Once done, click on Copy.
Open Notepad and paste the contents in. Save this file and post it in your next reply.

Necro1
2008-06-15, 20:55
I used those to find a Windows key for a computer I had bought used for my 5 yr old daughter. They didn't wipe the hard drive and I wanted to get rid of all the junk they had on it, and I wanted to keep the same key for Windows to keep it legal. I am currently running Windows Media Center (during the install it says it is XP Pro); I had used RyanVM to remove the Media Center part, so it was stripped of that part to keep things simple. I never used that part before anyway. Well, here is the log you asked for.

Diagnostic Report (1.7.0095.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-T63PG-M6FK7-Q6GQM
Windows Product Key Hash: C/ZE1g4ErDlFMTYwT6faglNNO6A=
Windows Product ID: 76488-OEM-2282241-23804
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010100.2.0.med
CSVLK Server: N/A
CSVLK PID: N/A
ID: {3B96AC9B-5012-4593-89C8-F794C450A45C}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.18.5
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.7.18.5
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: Microsoft
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-543-80070002_025D1FF3-171-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{3B96AC9B-5012-4593-89C8-F794C450A45C}</UGUID><Version>1.7.0095.0</Version><OS>5.1.2600.2.00010100.2.0.med</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-Q6GQM</PKey><PID>76488-OEM-2282241-23804</PID><PIDType>3</PIDType><SID>S-1-5-21-682003330-1202660629-725345543</SID><SYSTEM><Manufacturer>NVIDIA</Manufacturer><Model>AWRDACPI</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="2"/><Date>20060418000000.000000+000</Date><SLPBIOS>americanfuture,americanfuture,americanfuture,americanfuture</SLPBIOS></BIOS><HWID>95CC3CF70184CE76</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Destructive Tendencies Inc.</name><model>Gamer SLI</model></SBID><OEM/><BRT/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Blade81
2008-06-15, 21:03
Ok. Those files can be used for bad causes too and that's why I wanted to check. May I now see a fresh HJT log, please? :)

Necro1
2008-06-15, 21:14
Here is the new HJT log. Things are looking better?? Can I reinstall my CA suite? I'm kinda nervous without my firewall.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:09:47 PM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\Chatango\Chatango.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\Necro1.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.09\RivaTuner.exe" /S
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [Chatango] C:\Program Files\Chatango\Chatango.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D334EE9-5637-46B3-9129-E3E8C8D7A525}: NameServer = 206.9.80.11
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 7240 bytes
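
The helper reads a HijackThis log by eye for a few tell-tale things: autostart, BHO and service entries (O2/O4/O23) that load a file with a random-looking name out of system32 (the Vundo DLLs Kaspersky found in quarantine above were named mbykkwsk.dll and pyvuosqs.dll), entries flagged "(file missing)" which are just harmless leftovers, and O17 lines that override the DNS servers and should match what the ISP or router really hands out. As an added example, not code from the thread or from HijackThis, here is that triage written down as a script. The log text it parses is constructed: the clean lines mirror entries from the log above, and the second O2 line is made up (all-zero placeholder CLSID, DLL name taken from the quarantine hits) to show what a Vundo-style entry looks like. The allowlist of genuine system32 names is also an assumption, deliberately minimal.

```python
import re
from collections import Counter

# Constructed sample in HijackThis v2 log format (not a log from the thread).
# The clean lines mirror entries seen in the thread's logs; the second O2 line
# is constructed to show what a Vundo-style autostart looks like: the DLL name
# is one that the thread's Kaspersky scan found in ComboFix's quarantine, and
# the all-zero CLSID is a placeholder.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\mbykkwsk.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D334EE9-5637-46B3-9129-E3E8C8D7A525}: NameServer = 206.9.80.11
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
"""

# HijackThis prefixes every entry with its section code (R0, R1, O2, O4, ...).
ENTRY_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")
# First Windows path in the entry, up to a common executable/library extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|cab|htm)\b", re.IGNORECASE)

# Genuine system32 binaries that would otherwise trip the random-name check.
# This allowlist is a constructed minimum for the sample, not a complete list.
KNOWN_SYSTEM32 = {"ctfmon", "taskmgr", "svchost", "rundll32", "regsvr32",
                  "spoolsv", "cisvc", "wuauclt", "nvsvc32"}


def looks_random(stem):
    """Heuristic: Vundo-family DLLs dropped into system32 typically had
    names of 7-9 random lowercase letters with no digits (e.g. mbykkwsk)."""
    return bool(re.fullmatch(r"[a-z]{7,9}", stem)) and stem not in KNOWN_SYSTEM32


def triage(log_text):
    """Return (tag, section, line) tuples for entries that deserve a second look.

    Tags: 'stale' for entries whose file is gone (harmless leftovers),
    'random-name' for a system32 file with a random-looking name loaded by an
    autostart/BHO/service entry, 'check-dns' for O17 DNS overrides, which
    should be confirmed against the ISP's or router's real resolvers.
    """
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank lines
        section, body = m.group(1), m.group(2)
        if "(file missing)" in body:
            findings.append(("stale", section, line))
            continue
        if section == "O17":
            findings.append(("check-dns", section, line))
            continue
        path_m = PATH_RE.search(body)
        if not path_m:
            continue
        path = path_m.group(0)
        stem = path.rsplit("\\", 1)[-1].lower().rpartition(".")[0]
        if "\\system32\\" in path.lower() and looks_random(stem):
            findings.append(("random-name", section, line))
    return findings


def summarize(findings):
    """Count findings per tag, e.g. {'stale': 2, 'random-name': 1, 'check-dns': 1}."""
    return dict(Counter(tag for tag, _, _ in findings))


if __name__ == "__main__":
    for tag, section, line in triage(SAMPLE_HJT):
        print(f"[{tag:11}] {line}")
    print(summarize(triage(SAMPLE_HJT)))
```

On the constructed sample this flags the made-up O2 line as random-name, the two "(file missing)" entries as stale, and the O17 line for a DNS check; the real log above produces no random-name hit, which is the machine-readable version of "the HJT log doesn't show any sign of infection". The name heuristic is only a first filter: a Google or vendor lookup of any flagged file name, plus checking whether the file is digitally signed, is still needed before deciding it is hostile.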

Blade81
2008-06-15, 22:00
Yes, you may reinstall CA Suite now :)

Well, congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis



Now let's uninstall ComboFix:

Click START then RUN
Now type Combo-fix /u in the runbox and click OK


Next we remove all used tools.

Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and save it to desktop.

Double-click OTMoveIt2.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

Download SpywareBlaster
SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It makes "kill bits" in the registry, so that certain ActiveX controls can't install.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)

Download iespyad
It puts many bad webpages on your restricted zones list. This means that you can still view the "bad" webpages, but the webpages cannot do certain things (such as use JavaScript and cookies).
If you need help understanding how it works, there is a tutorial here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
Download it here (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe)

hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen).
Click Run.
In the dialog box, type services.msc and hit Enter, then locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
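
The hosts-file advice above works because Windows consults the hosts file (at %SystemRoot%\system32\drivers\etc\hosts) before asking DNS, so a name pointed at 0.0.0.0 (the MVPS convention; older lists used 127.0.0.1) never reaches the advertising or malware server. As an added example, not code from the thread or from the MVPS project, here is a small parser that reads hosts-file syntax the way the resolver does (comments stripped, malformed lines ignored, first entry for a name wins) and reports where a given hostname would end up. The sample file is constructed, with placeholder names in the reserved .test domain rather than real blocklist entries.

```python
import ipaddress

# Constructed sample in hosts-file format (IP, whitespace, one or more names,
# optional "#" comment). The names are placeholders in the reserved .test TLD,
# not entries from the MVPS list; the malformed line shows what gets skipped.
SAMPLE_HOSTS = """\
# constructed example
127.0.0.1 localhost
0.0.0.0 ads.example-tracker.test        # blocked: sent to the unroutable address
0.0.0.0 banner.example-adserver.test
192.0.2.10 intranet.example.test        # ordinary static mapping, not a block
this is not a valid line
"""

# Addresses a blocklist hosts file points unwanted names at. The MVPS list uses
# 0.0.0.0; older lists used 127.0.0.1.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1"}


def parse_hosts(text):
    """Map each hostname (lower-cased) to the first IP the file assigns it,
    skipping comments, blank lines and lines whose first field is not an IP."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line: the resolver ignores it too
        for name in fields[1:]:
            mapping.setdefault(name.lower(), ip)  # first entry wins
    return mapping


def resolution(mapping, hostname):
    """Where a lookup of hostname ends up: 'blocked' (a sink address from the
    hosts file), 'static' (another hosts-file address) or 'dns' (no entry, so
    the normal DNS query goes out)."""
    ip = mapping.get(hostname.lower())
    if ip is None:
        return "dns"
    if ip in SINK_ADDRESSES and hostname.lower() != "localhost":
        return "blocked"
    return "static"


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-tracker.test", "intranet.example.test",
                 "unknown.example.test", "localhost"):
        print(f"{name:28} -> {resolution(table, name)}")
```

The lookup is case-insensitive and only exact names match: a hosts file cannot block a whole domain with a wildcard, which is why the MVPS list is long and why the post mentions slowdowns on some machines (the DNS Client service loads the whole file into its cache, hence the advice to set that service to Manual).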

Necro1
2008-06-17, 23:39
Everything has been running quite well over the past few days. It seems you kicked those malware issues in the ass!!! :2thumb: I must say I couldn't have done it without you :ninja: I got my machine back, yay!!! :yahoo: So thank you ever so much for your most elite help :present:

Blade81
2008-06-18, 06:49
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.