Virtumonde - need help



prpacro
2008-11-11, 17:10
Hi all! My comp got infected with Virtumonde, so I tried to remove it but without success. I used VundoFix and after that I don't see symptoms (pop-ups, fake antivirus programs...), yet every time I run a scan, Spybot detects it (and is unable to remove it). What do I have to do???

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:42:54, on 11.11.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ASUS\Six Engine\SixEngine.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\ASUS\WiFi-AP @n\WiFi-AP@n.exe
C:\Program Files\Logitech\SetPoint II\SetpointII.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\Six Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Alienware Dock by Stardock ObjectDock] C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Product Registration.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Product Registration.lnk = ? (User 'Default user')
O4 - Startup: Product Registration.lnk = ?
O4 - Global Startup: ASUS WiFi-AP @n Utility.lnk = C:\Program Files\ASUS\WiFi-AP @n\WiFi-AP@n.exe
O4 - Global Startup: SetPointII.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224263536376
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{837C64A9-E356-4598-AB12-B8690A634685}: NameServer = 195.29.150.3,195.29.150.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{E26E5BB8-220B-4F3B-94C0-12956F7C9E14}: NameServer = 195.29.150.3,195.29.150.4
O20 - AppInit_DLLs: wbsys.dll C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9295 bytes

Thanks!

ken545
2008-11-12, 01:52
Hello prpacro

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
It is advisable that you back up your personal data before starting any clean up procedure.



Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.



Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.

prpacro
2008-11-12, 03:46
Hi, thank you for your help.
I've done everything as you said and here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

12.11.2008 3:43:21
mbam-log-2008-11-12 (03-43-21).txt

Scan type: Quick Scan
Objects scanned: 48302
Time elapsed: 1 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 8
Registry Values Infected: 5
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 84

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\pmnmkiiI.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tuvTjICV.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b0b3393c-62d1-44d8-abf5-08e0f067f29e} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvtjicv (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{b0b3393c-62d1-44d8-abf5-08e0f067f29e} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c1589413-382d-4bad-9dec-ac40fdc14a78} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c1589413-382d-4bad-9dec-ac40fdc14a78} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb2718 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd9841 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga6617 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc6341 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{b0b3393c-62d1-44d8-abf5-08e0f067f29e} (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\pmnmkiii -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\pmnmkiii -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tuvTjICV.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pmnmkiiI.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\Iiikmnmp.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Iiikmnmp.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pqyxuypb.dll_old (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bpyuxyqp.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qvfedear.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\raedefvq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccbcdCu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccyASig.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnMgDvV.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnnmNdB.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnkLEur.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMcayVL.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMcddcY.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMdBTmJ.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRHAQgE.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRHaYoM.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRhGYRl.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRHyvUk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRlIyaX.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuvTllJc.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuvuvusT.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUommmK.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtsPiFW.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtsqQKa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\byXNheEx.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\byXOeEts.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddcApqom.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddcCTJYP.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efcASiIy.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efcDUmND.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\geBqPIaa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\geBrsQgF.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\geBsttUo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\geBtSJab.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfdDVPf.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfDtRHB.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfDwwtT.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfFWoMf.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJAtRJy.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJCULed.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJYRiFY.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJYrqRi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqPgfDu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqPghGw.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqPjIBR.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqQkijK.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqRKddD.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkHBurp.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkIBsTl.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkICUMe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkIYrsQ.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkKccdb.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUkjhGv.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUoLeFv.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqOEtRH.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqOIApP.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqPgeeC.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqPhEXN.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqPhFYq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqPhGXq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cbXPFXqr.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJARlLD.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJATMda.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJaxxxu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJBqnME.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJBrSLB.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJCvsTk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJYQHay.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyaawUo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyaXrRk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyyxwtU.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayxvSIY.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgGwxyYp.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgGxWmjj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgGxYRjh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgGyvSkK.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnKARLE.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnKbxVp.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnkIccb.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnkihhF.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnnKaxU.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Marko\Local Settings\Temp\is164385.exe (Trojan.Vundo) -> Quarantined and deleted successfully.


HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:51, on 12.11.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ASUS\Six Engine\SixEngine.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
C:\Program Files\ASUS\WiFi-AP @n\WiFi-AP@n.exe
C:\Program Files\Logitech\SetPoint II\SetpointII.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\Six Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [SpybotDeletingA9050] command /c del "C:\Program Files\Enigma Software Group\SpyHunter\SHDS.mht"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5237] cmd /c del "C:\Program Files\Enigma Software Group\SpyHunter\SHDS.mht"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Alienware Dock by Stardock ObjectDock] C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [SpybotDeletingB3662] command /c del "C:\Program Files\Enigma Software Group\SpyHunter\SHDS.mht"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1648] cmd /c del "C:\Program Files\Enigma Software Group\SpyHunter\SHDS.mht"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Product Registration.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Product Registration.lnk = ? (User 'Default user')
O4 - Startup: Product Registration.lnk = ?
O4 - Global Startup: ASUS WiFi-AP @n Utility.lnk = C:\Program Files\ASUS\WiFi-AP @n\WiFi-AP@n.exe
O4 - Global Startup: SetPointII.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224263536376
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{837C64A9-E356-4598-AB12-B8690A634685}: NameServer = 195.29.150.3,195.29.150.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{E26E5BB8-220B-4F3B-94C0-12956F7C9E14}: NameServer = 195.29.150.3,195.29.150.4
O20 - AppInit_DLLs: wbsys.dll C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9990 bytes

ken545
2008-11-12, 10:46
Good Morning,

Good job :bigthumb:

There may be more we can't see

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.
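As an added example, not part of this thread or of ComboFix itself: a small Python triage helper for the "Files Created" section of the ComboFix.txt requested above. It flags the pattern Vundo/Virtumonde droppers typically leave (hidden+system files with random 8-letter names under system32); the sample log lines, the KNOWN_GOOD_STEMS allowlist and the flag heuristics are my constructed assumptions, not rules ComboFix applies.

```python
"""Triage helper for the "Files Created" section of a ComboFix.txt (added example).

The heuristics are assumptions, not ComboFix rules: Vundo/Virtumonde droppers
typically leave hidden+system files with random 8-letter names under system32,
so each parsed entry is flagged when it matches those patterns.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the format ComboFix uses for "Files Created" lines:
# created . modified size attributes path
SAMPLE_LOG = r"""
2008-11-12 03:33 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-12 03:32 . 2008-11-12 03:33 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-10 17:06 . 2008-11-10 17:06 120 ---hs---- c:\windows\system32\andrcrnh.ini
2008-11-10 17:01 . 2008-11-10 17:01 120 ---hs---- c:\windows\system32\cmmmfkcr.ini
2008-11-09 11:23 . 2008-11-09 11:23 1,905,526 ---hs---- c:\windows\system32\bemtscja.tmp
2008-11-03 01:55 . 2008-11-03 01:55 17,408 --ahs---- C:\Thumbs.db
2008-10-27 21:36 . 2008-10-27 21:35 410,976 --a------ c:\windows\system32\deploytk.dll
2008-10-18 13:05 . 2008-10-30 08:05 143,096 --a------ c:\windows\system32\guard32.dll
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[a-z-]{9})\s+"   # 9-char attribute string, e.g. ---hs----
    r"(?P<path>.+)$"
)

# Legitimate 8-letter stems that live in system32 (assumed allowlist; extend as verified).
KNOWN_GOOD_STEMS = {"ntoskrnl", "ntkrnlpa", "services", "winlogon", "deploytk"}
RANDOM_EXTS = {".dll", ".ini", ".tmp", ".exe", ".dat"}


@dataclass
class Entry:
    created: str
    modified: str
    size: int                 # -1 for directories
    attrs: str                # attribute string as printed by ComboFix
    path: str
    flags: List[str] = field(default_factory=list)

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs

    @property
    def in_system32(self) -> bool:
        return "\\windows\\system32\\" in self.path.lower()


def parse_files_created(text: str) -> List[Entry]:
    """Parse every line that matches the "Files Created" layout; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # headers, blank lines and "." separators
        size = -1 if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def looks_random(stem: str) -> bool:
    """Eight lowercase letters and not a known Windows/vendor file name."""
    return bool(re.fullmatch(r"[a-z]{8}", stem)) and stem not in KNOWN_GOOD_STEMS


def triage(entries: List[Entry]) -> List[Entry]:
    """Flag suspicious file entries; returns only flagged ones, most flags first."""
    for e in entries:
        e.flags = []              # idempotent on repeated calls
        if e.is_dir:
            continue
        name = e.path.rsplit("\\", 1)[-1].lower()
        stem, dot, ext = name.rpartition(".")
        if e.in_system32 and e.hidden_system:
            e.flags.append("hidden+system file in system32")
        if e.in_system32 and dot and ("." + ext) in RANDOM_EXTS and looks_random(stem):
            e.flags.append("random 8-letter filename in system32")
    return sorted((e for e in entries if e.flags), key=lambda e: -len(e.flags))


if __name__ == "__main__":
    for hit in triage(parse_files_created(SAMPLE_LOG)):
        print(f"{hit.created}  {hit.attrs}  {hit.size:>9}  {hit.path}")
        for flag in hit.flags:
            print(f"    - {flag}")
```

Legitimate hidden+system files outside system32 (Thumbs.db above) and known 8-letter names (deploytk.dll) stay unflagged, so the output is a review list for the helper, not a deletion list.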

prpacro
2008-11-12, 13:52
Hi!

There is a problem. When I run ComboFix it says that it detected rootkit activity and needs to restart the computer. But restarting doesn't help; same error every time. Also, I noticed that when I disable the Comodo firewall, cmdagent.exe is still running and I can't terminate that process.

What to do?

Thanks

ken545
2008-11-12, 13:59
Try running it in Safemode with Network support

To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot up, tap the F8 key somewhat rapidly;
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Network Support
Then press the Enter Key on your Keyboard

Tutorial if you need it: How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)




If still a no go, then run this tool and post the log

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

prpacro
2008-11-12, 14:15
Worked in safe mode :)
ComboFix log:

ComboFix 08-11-11.01 - Marko 2008-11-12 14:06:49.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1033.18.1763 [GMT 1:00]
Running from: c:\documents and settings\Marko\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\wlmfwprn.dll
c:\windows\system32\xaqpbnft.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-12 to 2008-11-12 )))))))))))))))))))))))))))))))
.

2008-11-12 03:34 . 2008-11-12 03:34 <DIR> d-------- c:\documents and settings\Marko\Application Data\Malwarebytes
2008-11-12 03:33 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-12 03:33 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-12 03:32 . 2008-11-12 03:33 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-12 03:32 . 2008-11-12 03:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-11 16:42 . 2008-11-11 16:42 <DIR> d-------- c:\program files\Trend Micro
2008-11-10 18:26 . 2008-11-10 18:29 <DIR> d-------- c:\program files\QuickTime
2008-11-10 18:26 . 2008-11-10 18:26 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-10 18:26 . 2008-11-10 18:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-10 17:06 . 2008-11-10 17:06 120 ---hs---- c:\windows\system32\andrcrnh.ini
2008-11-10 17:01 . 2008-11-10 17:01 120 ---hs---- c:\windows\system32\cmmmfkcr.ini
2008-11-09 16:37 . 2008-11-09 16:37 24,576 --a------ c:\windows\system32\VundoFixSVC.exe
2008-11-09 16:32 . 2008-11-10 18:07 <DIR> d-------- C:\VundoFix Backups
2008-11-09 16:04 . 2008-11-09 16:04 <DIR> d-------- c:\program files\Lavasoft
2008-11-09 16:04 . 2008-11-09 16:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-09 11:23 . 2008-11-09 11:23 1,905,526 ---hs---- c:\windows\system32\bemtscja.tmp
2008-11-09 09:59 . 2008-11-11 23:12 290 --a------ c:\windows\wininit.ini
2008-11-09 01:30 . 2008-11-09 01:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-09 01:26 . 2008-11-09 01:26 <DIR> d-------- c:\program files\Bonjour
2008-11-09 01:18 . 2008-11-09 01:18 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-09 01:15 . 2008-11-09 01:15 <DIR> d-------- c:\program files\PowerISO
2008-11-09 00:56 . 2008-11-09 01:12 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-09 00:56 . 2008-11-09 01:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-07 00:37 . 2008-11-07 00:38 <DIR> d-------- c:\documents and settings\Marko\Application Data\Media Player Classic
2008-11-06 22:19 . 2008-11-06 22:19 <DIR> d-------- c:\program files\uTorrent
2008-11-06 22:19 . 2008-11-09 18:29 <DIR> d-------- c:\documents and settings\Marko\Application Data\uTorrent
2008-11-06 20:44 . 2008-11-06 20:44 5,760,054 --a------ c:\windows\ALX_1600x1200.bmp
2008-11-06 20:43 . 2008-11-06 20:43 5,760,054 --a------ c:\windows\AW_1600x1200.bmp
2008-11-06 15:59 . 2008-11-06 15:59 2,250,024 --a------ c:\windows\system32\pbsvc.exe
2008-11-05 22:55 . 2008-11-05 22:55 <DIR> d--hs---- c:\windows\ftpcache
2008-11-04 17:16 . 2008-11-04 17:17 34 --a------ c:\windows\system32\oeminfo.ini
2008-11-04 15:48 . 2008-11-04 16:03 <DIR> d-------- C:\wmdownloads
2008-11-04 15:14 . 2008-11-04 15:14 <DIR> d-------- c:\windows\Sun
2008-11-04 14:51 . 2008-11-04 14:51 0 --ah----- c:\windows\SwSys2.bmp
2008-11-04 14:51 . 2008-11-04 14:51 0 --ah----- c:\windows\SwSys1.bmp
2008-11-03 22:30 . 2008-11-03 22:30 268 --ah----- C:\sqmdata01.sqm
2008-11-03 22:30 . 2008-11-03 22:30 244 --ah----- C:\sqmnoopt01.sqm
2008-11-03 21:59 . 2008-11-03 22:02 <DIR> d-------- c:\program files\TuneUp Utilities 2008
2008-11-03 21:59 . 2008-11-03 21:59 <DIR> d-------- c:\documents and settings\Marko\Application Data\TuneUp Software
2008-11-03 21:59 . 2008-11-03 21:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-03 21:59 . 2008-11-03 21:59 306,432 --a------ c:\windows\system32\TuneUpDefragService.exe
2008-11-03 21:59 . 2007-12-20 10:41 29,440 --a------ c:\windows\system32\uxtuneup.dll
2008-11-03 21:32 . 2008-11-06 16:00 22,328 --a------ c:\documents and settings\Marko\Application Data\PnkBstrK.sys
2008-11-03 21:31 . 2008-11-05 23:03 272 --a------ c:\windows\game.ini
2008-11-03 21:18 . 2008-11-03 21:18 <DIR> d-------- c:\program files\DAEMON Tools
2008-11-03 20:59 . 2008-11-03 20:59 268 --ah----- C:\sqmdata00.sqm
2008-11-03 20:59 . 2008-11-03 20:59 244 --ah----- C:\sqmnoopt00.sqm
2008-11-03 20:51 . 1996-08-26 02:12 345,600 -ra------ c:\windows\system\QTIM32.DLL
2008-11-03 20:51 . 2008-11-03 20:51 603 --a------ c:\windows\WININI.QTW
2008-11-03 20:51 . 2008-11-03 20:55 306 --a------ c:\windows\QTW.INI
2008-11-03 20:51 . 2008-11-03 20:51 231 --a------ c:\windows\SYSINI.QTW
2008-11-03 20:44 . 2008-11-03 20:44 <DIR> d-------- c:\documents and settings\Marko\WINDOWS
2008-11-03 20:44 . 1996-01-09 10:38 283,648 --a------ c:\windows\uninst.exe
2008-11-03 20:35 . 2008-11-03 20:51 30 --a------ c:\windows\RESULT.QTW
2008-11-03 20:32 . 2008-11-03 20:40 682,232 --a------ c:\windows\system32\drivers\sptd.sys
2008-11-03 20:17 . 2008-06-08 23:58 60,273 --a------ c:\windows\system32\pthreadGC2.dll
2008-11-03 20:17 . 2008-06-12 20:36 7,680 --a------ c:\windows\system32\ff_vfw.dll
2008-11-03 20:17 . 2007-07-10 18:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2008-11-03 20:16 . 2008-11-03 20:17 <DIR> d-------- c:\program files\ffdshow
2008-11-03 20:15 . 2008-11-11 00:02 69 --a------ c:\windows\NeroDigital.ini
2008-11-03 01:55 . 2008-11-03 01:55 62,391 --a------ C:\Picture 3.JPG
2008-11-03 01:55 . 2008-11-03 01:55 60,937 --a------ C:\Picture 6.JPG
2008-11-03 01:55 . 2008-11-03 01:55 47,895 --a------ C:\Picture 4.JPG
2008-11-03 01:55 . 2008-11-03 01:55 17,408 --ahs---- C:\Thumbs.db
2008-11-03 01:55 . 2008-11-10 02:15 8,192 --ahs---- c:\windows\Thumbs.db
2008-11-03 01:54 . 2008-11-03 01:54 69,696 --a------ C:\Picture 9.JPG
2008-11-02 09:44 . 2008-11-02 09:44 56,572 --a------ c:\windows\system32\drivers\scdemu.sys
2008-10-28 17:07 . 2008-10-28 17:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\KONAMI
2008-10-27 21:37 . 2008-10-27 21:37 <DIR> d-------- c:\documents and settings\Marko\Incomplete
2008-10-27 21:37 . 2008-11-05 00:12 <DIR> d-------- c:\documents and settings\Marko\Application Data\LimeWire
2008-10-27 21:36 . 2008-10-27 21:35 410,976 --a------ c:\windows\system32\deploytk.dll
2008-10-27 21:36 . 2008-10-27 21:35 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-10-27 21:35 . 2008-10-27 21:35 <DIR> d-------- c:\program files\Java
2008-10-23 22:15 . 2008-10-23 22:15 <DIR> dr-h----- c:\documents and settings\Marko\Application Data\SecuROM
2008-10-23 22:15 . 2008-10-23 22:15 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2008-10-23 22:13 . 2008-10-23 22:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\FarmFrenzy2
2008-10-23 22:11 . 2008-10-23 22:11 <DIR> d-------- c:\program files\ReflexiveArcade
2008-10-23 21:35 . 2008-10-23 21:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2008-10-22 21:28 . 2008-10-22 21:28 <DIR> d-------- c:\program files\LimeWire
2008-10-19 18:36 . 2008-11-06 16:00 22,328 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2008-10-19 15:29 . 2008-10-19 15:29 <DIR> d-------- c:\program files\Hewlett-Packard
2008-10-19 14:49 . 1998-10-29 15:45 306,688 --a------ c:\windows\IsUninst.exe
2008-10-19 14:48 . 2008-04-13 23:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-10-19 14:48 . 2008-04-13 23:17 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-10-19 14:44 . 2008-10-19 14:44 <DIR> d-------- c:\program files\Teamspeak2_RC2
2008-10-19 14:44 . 2008-10-19 14:44 34,064 --a------ c:\windows\system32\lhacm.acm
2008-10-18 18:48 . 2008-10-18 18:48 <DIR> d-------- c:\program files\Autodesk
2008-10-18 18:46 . 2008-10-18 18:46 <DIR> d-------- c:\program files\AnswerWorks 4.0
2008-10-18 18:41 . 2008-10-18 18:48 <DIR> d-------- c:\program files\Common Files\Autodesk Shared
2008-10-18 18:41 . 2008-10-18 18:48 <DIR> d-------- c:\program files\AutoCAD 2005
2008-10-18 18:41 . 2008-10-18 19:02 <DIR> d-------- c:\documents and settings\Marko\Application Data\Autodesk
2008-10-18 18:41 . 2008-10-18 19:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Autodesk
2008-10-18 18:14 . 2008-11-06 16:00 107,832 --a------ c:\windows\system32\PnkBstrB.exe
2008-10-18 18:13 . 2008-11-06 15:59 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2008-10-18 17:58 . 2008-10-31 13:44 <DIR> d-------- c:\documents and settings\Marko\Contacts
2008-10-18 17:52 . 2008-10-18 17:52 <DIR> d-------- c:\windows\Logs
2008-10-18 17:52 . 2008-10-18 17:52 <DIR> d-------- C:\directx
2008-10-18 17:43 . 2008-10-18 17:55 <DIR> d-------- c:\program files\Windows Live
2008-10-18 17:43 . 2008-10-18 17:54 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-10-18 17:42 . 2008-10-18 17:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-10-18 17:06 . 2008-10-18 17:06 5,760,054 --a------ c:\windows\AW_XenoMorph1600.bmp
2008-10-18 17:00 . 2008-10-18 17:00 0 --a------ c:\windows\nsreg.dat
2008-10-18 16:43 . 2008-10-18 16:43 <DIR> d-------- c:\documents and settings\Marko\Application Data\Comodo
2008-10-18 13:06 . 2008-10-18 13:06 249,592 --a------ c:\windows\system32\cssdll32.dll
2008-10-18 13:05 . 2008-10-18 13:06 <DIR> d-------- c:\program files\COMODO
2008-10-18 13:05 . 2008-10-18 13:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\comodo
2008-10-18 13:05 . 2008-10-30 08:05 143,096 --a------ c:\windows\system32\guard32.dll
2008-10-18 13:05 . 2008-10-30 08:04 99,856 --a------ c:\windows\system32\drivers\cmdguard.sys
2008-10-18 13:05 . 2008-10-30 08:05 31,504 --a------ c:\windows\system32\drivers\cmdhlp.sys
2008-10-18 01:03 . 2008-04-14 01:10 57,600 --a------ c:\windows\system32\drivers\redbook.sys
2008-10-18 01:03 . 2008-04-14 06:41 21,504 --a------ c:\windows\system32\hidserv.dll
2008-10-18 01:03 . 2001-08-17 14:59 3,072 --a------ c:\windows\system32\drivers\audstub.sys
2008-10-18 01:02 . 2001-08-17 14:46 6,400 --a------ c:\windows\system32\drivers\enum1394.sys
2008-10-18 01:01 . 2008-11-10 18:30 <DIR> d--hs---- c:\windows\Installer
2008-10-18 01:01 . 2008-10-27 09:55 523,142 --a------ c:\windows\system32\PerfStringBackup.INI
2008-10-18 01:01 . 2008-04-14 04:42 74,240 --a------ c:\windows\system32\usbui.dll
2008-10-18 01:01 . 2008-04-14 04:42 74,240 --a--c--- c:\windows\system32\dllcache\usbui.dll
2008-10-18 01:01 . 2008-10-18 01:01 4,444 --a------ c:\windows\system32\pid.PNF
2008-10-18 01:01 . 2008-11-03 20:33 1,374 --a------ c:\windows\imsins.BAK
2008-10-18 01:00 . 2008-11-09 01:27 <DIR> dr------- c:\documents and settings\All Users\Documents

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-12 13:09 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2008-11-09 15:00 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-09 00:27 --------- d-----w c:\program files\Common Files\Adobe
2008-11-06 19:44 --------- d-----w c:\program files\AlienGUIse
2008-11-06 14:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-22 18:50 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2008-10-19 13:56 --------- d-----w c:\documents and settings\Marko\Application Data\Ahead
2008-10-18 15:56 --------- d-----w c:\program files\Common Files\Jasc Software Inc
2008-10-17 23:08 --------- d-----w c:\program files\My Company Name
2008-10-17 23:08 --------- d-----w c:\program files\AGEIA Technologies
2008-10-17 22:44 --------- d-----w c:\program files\ASUS
2008-10-17 22:44 --------- d-----w c:\documents and settings\Marko\Application Data\InstallShield
2008-10-17 22:38 --------- d-----w c:\program files\Marvell
2008-10-17 22:38 --------- d-----w c:\documents and settings\Marko\Application Data\TMP
2008-10-17 22:34 --------- d-----w c:\program files\Analog Devices
2008-10-17 22:16 --------- d-----w c:\program files\Intel
2008-10-17 22:10 --------- d-----w c:\program files\microsoft frontpage
2008-10-17 19:23 --------- d-----w c:\program files\Common Files\Logishrd
2008-10-17 19:20 --------- d-----w c:\program files\Logitech
2008-10-17 19:04 --------- d-----w c:\program files\MSBuild
2008-10-17 19:03 --------- d-----w c:\program files\Reference Assemblies
2008-10-17 18:57 --------- d-----w c:\documents and settings\Marko\Application Data\CyberLink
2008-10-17 18:57 --------- d-----w c:\documents and settings\All Users\Application Data\LightScribe
2008-10-17 18:57 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2008-10-17 18:56 --------- d-----w c:\program files\Common Files\LightScribe
2008-10-17 18:55 --------- d-----w c:\program files\Common Files\Ahead
2008-10-17 18:55 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2008-10-17 18:54 --------- d-----w c:\program files\Nero
2008-10-17 18:54 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-10-17 18:53 --------- d-----w c:\program files\CyberLink
2008-10-17 18:41 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-10-17 18:41 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-10-17 18:41 --------- d-----w c:\program files\NOS
2008-10-17 18:41 --------- d-----w c:\documents and settings\Marko\Application Data\Leadertech
2008-10-17 18:41 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2008-10-17 18:40 --------- d-----w c:\documents and settings\All Users\Application Data\LogiShrd
2008-10-17 18:35 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2008-10-17 18:30 --------- d-----w c:\program files\7-Zip
2008-10-17 18:29 --------- d-----w c:\program files\Common Files\Stardock
2008-10-17 18:27 --------- d-----w c:\program files\Jasc Software Inc
2008-10-17 18:27 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-17 18:27 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2008-10-17 18:25 --------- d-----w c:\program files\Microsoft Works
2008-10-17 18:21 --------- d-----w c:\program files\Microsoft ActiveSync
2008-10-17 18:21 --------- d-----w c:\program files\Common Files\L&H
2008-10-17 18:20 --------- d-----w c:\program files\Microsoft.NET
2008-10-17 18:11 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-10-17 17:33 --------- d-----w c:\program files\Windows Media Connect 2
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2006-06-23 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Alienware Dock by Stardock ObjectDock"="c:\program files\AlienGUIse\AlienwareDock\ObjectDock.exe" [2006-10-03 2074360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-03-16 1040384]
"Six Engine"="c:\program files\ASUS\Six Engine\SixEngine.exe" [2008-05-14 5958656]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-07-18 1687824]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-07-18 2094352]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2008-10-18 278264]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2008-10-30 1797880]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-07-17 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP @n Utility.lnk - c:\program files\ASUS\WiFi-AP @n\WiFi-AP@n.exe [2008-10-17 1224704]
SetPointII.lnk - c:\program files\Logitech\SetPoint II\SetpointII.exe [2007-08-30 319488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"SecurDisc"=c:\program files\Nero\Nero 7\InCD\NBHGui.exe
"InCD"=c:\program files\Nero\Nero 7\InCD\InCD.exe
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"SpyHunter Security Suite"=c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"e:\\Igre\\America's Army\\System\\ArmyOps.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"e:\\Igre\\PES 2009\\pes2009.exe"=
"e:\\Igre\\COD4\\iw3mp.exe"=
"e:\\Igre\\FarCry2\\Far Cry 2\\bin\\FarCry2.exe"=
"e:\\Igre\\FarCry2\\Far Cry 2\\bin\\FC2Launcher.exe"=
"e:\\Igre\\FarCry2\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 mv61xx;mv61xx;c:\windows\system32\DRIVERS\mv61xx.sys [2008-05-19 150568]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-10-30 99856]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-10-30 31504]
R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2008-04-14 14336]
R3 LVRS;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs.sys [2008-02-06 628760]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys [2007-11-16 550272]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-11-03 306432]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68f5d786-9ecf-11dd-b027-0015af6e1ace}]
\Shell\AutoRun\command - F:\setup.exe AUTORUN=1

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-11-07 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2008-01-08 13:31]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Marko\Application Data\Mozilla\Firefox\Profiles\3f2rv9he.default\
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\mozilla firefox\plugins\npdeploytk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-12 14:10:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Logishrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Logishrd\LVCOMSER\LVComSer.exe
c:\windows\system32\rundll32.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2008-11-12 14:12:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-12 13:12:31

Pre-Run: 155.530.825.728 bytes free
Post-Run: 155,438,989,312 bytes free

319


And HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:14:16, on 12.11.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ASUS\Six Engine\SixEngine.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
C:\Program Files\Logitech\SetPoint II\SetpointII.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\Six Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Alienware Dock by Stardock ObjectDock] C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Product Registration.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Product Registration.lnk = ? (User 'Default user')
O4 - Startup: Product Registration.lnk = ?
O4 - Global Startup: ASUS WiFi-AP @n Utility.lnk = C:\Program Files\ASUS\WiFi-AP @n\WiFi-AP@n.exe
O4 - Global Startup: SetPointII.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224263536376
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{837C64A9-E356-4598-AB12-B8690A634685}: NameServer = 195.29.150.3,195.29.150.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{E26E5BB8-220B-4F3B-94C0-12956F7C9E14}: NameServer = 195.29.150.3,195.29.150.4
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8854 bytes

ken545
2008-11-12, 14:44
Let's try running it again with a script in normal Windows; if it won't run, then do the safe mode thing again. If you get the rootkit warning, then run the GMER program I posted earlier.

FYI ===> P2P (file sharing) programs such as uTorrent are the latest avenue of attack by malware and virus writers. I want you to read our policy and the info on this.

We have noticed that many people seeking help from us are coming with infections contracted from the use of P2P programs.

Because of this, we changed our malware forum's policy on the use of P2P file sharing programs.

If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, volunteer analysts will refuse their help.

We do not ask you to do this without reason.

P2P (file sharing) programs form a direct conduit onto your computer, their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your firewall and anti-virus software. Hardly surprising then that many of these downloads are being targeted to carry infections.

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above File::

File::
c:\windows\system32\andrcrnh.ini
c:\windows\system32\cmmmfkcr.ini
c:\windows\system32\bemtscja.tmp

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
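
A way to triage a ComboFix "Files Created" listing for the kind of randomly named system32 files scripted above and to render them in the CFScript File:: format. This is an added example, not code from the thread or from ComboFix; its sample log lines, the timestamps on the three Vundo-style entries, and the naming heuristic are constructed assumptions.

```python
"""Triage a ComboFix 'Files Created' listing for Vundo-style random file names.

Added example, not part of the forum thread or of ComboFix/HijackThis. The
heuristic (8 lowercase letters containing a run of 4+ consonants, sitting
directly in system32, with an .ini/.tmp/.dll extension) is an assumption
modelled on the three names the helper scripted for deletion; it is crude and
a human must review its output before anything goes into a CFScript.
"""
import re

# One "Files Created" line: "<created> . <modified> <size|<DIR>> <attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) "
    r"(?P<attrs>\S+) "
    r"(?P<path>.+)$"
)

# Constructed sample in ComboFix's format. The three Vundo-style names are the
# ones from the thread's CFScript (their dates/sizes are made up); the rest are
# ordinary entries of the kind the posted log contains.
SAMPLE_LOG = r"""
2008-11-12 03:33 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-09 16:37 . 2008-11-09 16:37 24,576 --a------ c:\windows\system32\VundoFixSVC.exe
2008-11-08 02:11 . 2008-11-08 02:11 392 --ah----- c:\windows\system32\andrcrnh.ini
2008-11-08 02:11 . 2008-11-08 02:11 392 --ah----- c:\windows\system32\cmmmfkcr.ini
2008-11-08 02:10 . 2008-11-08 02:10 8,192 --a------ c:\windows\system32\bemtscja.tmp
2008-11-04 17:16 . 2008-11-04 17:17 34 --a------ c:\windows\system32\oeminfo.ini
2008-11-03 21:59 . 2007-12-20 10:41 29,440 --a------ c:\windows\system32\uxtuneup.dll
2008-10-27 21:36 . 2008-10-27 21:35 410,976 --a------ c:\windows\system32\deploytk.dll
2008-10-19 14:48 . 2008-04-13 23:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-12 03:32 . 2008-11-12 03:33 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
"""

VOWELS = set("aeiou")
SUSPECT_EXT = {".ini", ".tmp", ".dll"}
SYSTEM32 = "c:\\windows\\system32\\"


def parse_created_files(log_text):
    """Return (created, size, path) for every line that matches the format."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["created"], m["size"], m["path"]))
    return entries


def longest_consonant_run(stem):
    """Length of the longest run of non-vowel letters in the file stem."""
    run = best = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def looks_random(filename):
    """Heuristic: 8 lowercase letters, 4+ consonants in a row, suspect extension."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or ("." + ext).lower() not in SUSPECT_EXT:
        return False
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    return longest_consonant_run(stem) >= 4


def flag_suspicious(entries):
    """Paths directly under system32 (subfolders skipped) whose name looks random."""
    flagged = []
    for _created, _size, path in entries:
        low = path.lower()
        if not low.startswith(SYSTEM32):
            continue
        name = low[len(SYSTEM32):]
        if "\\" in name:  # drivers\ and other subfolders are out of scope
            continue
        if looks_random(name):
            flagged.append(path)
    return flagged


def build_cfscript(paths):
    """Render the File:: block as the helper asked: header first, one path
    per line, nothing before 'File::' and no leading whitespace anywhere."""
    if not paths:
        raise ValueError("nothing to script")
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    hits = flag_suspicious(parse_created_files(SAMPLE_LOG))
    print(build_cfscript(hits), end="")
```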

prpacro
2008-11-12, 20:50
OK, uTorrent is uninstalled now.
About ComboFix: I got the same error again, but after a restart everything worked fine (in Normal mode). Here's the log:

ComboFix 08-11-11.01 - Marko 2008-11-12 20:38:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1033.18.1690 [GMT 1:00]
Command switches used :: c:\documents and settings\Marko\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\andrcrnh.ini
c:\windows\system32\bemtscja.tmp
c:\windows\system32\cmmmfkcr.ini
.
The following files were disabled during the run:
c:\windows\TEMP\logishrd\LVPrcInj01.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\andrcrnh.ini
c:\windows\system32\bemtscja.tmp
c:\windows\system32\cmmmfkcr.ini
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-10-12 to 2008-11-12 )))))))))))))))))))))))))))))))
.

2008-11-12 03:34 . 2008-11-12 03:34 <DIR> d-------- c:\documents and settings\Marko\Application Data\Malwarebytes
2008-11-12 03:33 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-12 03:33 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-12 03:32 . 2008-11-12 03:33 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-12 03:32 . 2008-11-12 03:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-11 16:42 . 2008-11-11 16:42 <DIR> d-------- c:\program files\Trend Micro
2008-11-10 18:26 . 2008-11-10 18:29 <DIR> d-------- c:\program files\QuickTime
2008-11-10 18:26 . 2008-11-10 18:26 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-10 18:26 . 2008-11-10 18:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-09 16:37 . 2008-11-09 16:37 24,576 --a------ c:\windows\system32\VundoFixSVC.exe
2008-11-09 16:32 . 2008-11-10 18:07 <DIR> d-------- C:\VundoFix Backups
2008-11-09 16:04 . 2008-11-12 20:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-09 09:59 . 2008-11-11 23:12 290 --a------ c:\windows\wininit.ini
2008-11-09 01:30 . 2008-11-09 01:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-09 01:26 . 2008-11-09 01:26 <DIR> d-------- c:\program files\Bonjour
2008-11-09 01:18 . 2008-11-09 01:18 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-09 01:15 . 2008-11-09 01:15 <DIR> d-------- c:\program files\PowerISO
2008-11-09 00:56 . 2008-11-09 01:12 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-09 00:56 . 2008-11-09 01:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-07 00:37 . 2008-11-07 00:38 <DIR> d-------- c:\documents and settings\Marko\Application Data\Media Player Classic
2008-11-06 22:19 . 2008-11-12 20:29 <DIR> d-------- c:\program files\uTorrent
2008-11-06 22:19 . 2008-11-09 18:29 <DIR> d-------- c:\documents and settings\Marko\Application Data\uTorrent
2008-11-06 20:44 . 2008-11-06 20:44 5,760,054 --a------ c:\windows\ALX_1600x1200.bmp
2008-11-06 20:43 . 2008-11-06 20:43 5,760,054 --a------ c:\windows\AW_1600x1200.bmp
2008-11-06 15:59 . 2008-11-06 15:59 2,250,024 --a------ c:\windows\system32\pbsvc.exe
2008-11-05 22:55 . 2008-11-05 22:55 <DIR> d--hs---- c:\windows\ftpcache
2008-11-04 17:16 . 2008-11-04 17:17 34 --a------ c:\windows\system32\oeminfo.ini
2008-11-04 15:48 . 2008-11-04 16:03 <DIR> d-------- C:\wmdownloads
2008-11-04 15:14 . 2008-11-04 15:14 <DIR> d-------- c:\windows\Sun
2008-11-04 14:51 . 2008-11-04 14:51 0 --ah----- c:\windows\SwSys2.bmp
2008-11-04 14:51 . 2008-11-04 14:51 0 --ah----- c:\windows\SwSys1.bmp
2008-11-03 22:30 . 2008-11-03 22:30 268 --ah----- C:\sqmdata01.sqm
2008-11-03 22:30 . 2008-11-03 22:30 244 --ah----- C:\sqmnoopt01.sqm
2008-11-03 21:59 . 2008-11-03 22:02 <DIR> d-------- c:\program files\TuneUp Utilities 2008
2008-11-03 21:59 . 2008-11-03 21:59 <DIR> d-------- c:\documents and settings\Marko\Application Data\TuneUp Software
2008-11-03 21:59 . 2008-11-03 21:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-03 21:59 . 2008-11-03 21:59 306,432 --a------ c:\windows\system32\TuneUpDefragService.exe
2008-11-03 21:59 . 2007-12-20 10:41 29,440 --a------ c:\windows\system32\uxtuneup.dll
2008-11-03 21:32 . 2008-11-06 16:00 22,328 --a------ c:\documents and settings\Marko\Application Data\PnkBstrK.sys
2008-11-03 21:31 . 2008-11-05 23:03 272 --a------ c:\windows\game.ini
2008-11-03 21:18 . 2008-11-03 21:18 <DIR> d-------- c:\program files\DAEMON Tools
2008-11-03 20:59 . 2008-11-03 20:59 268 --ah----- C:\sqmdata00.sqm
2008-11-03 20:59 . 2008-11-03 20:59 244 --ah----- C:\sqmnoopt00.sqm
2008-11-03 20:51 . 1996-08-26 02:12 345,600 -ra------ c:\windows\system\QTIM32.DLL
2008-11-03 20:51 . 2008-11-03 20:51 603 --a------ c:\windows\WININI.QTW
2008-11-03 20:51 . 2008-11-03 20:55 306 --a------ c:\windows\QTW.INI
2008-11-03 20:51 . 2008-11-03 20:51 231 --a------ c:\windows\SYSINI.QTW
2008-11-03 20:44 . 2008-11-03 20:44 <DIR> d-------- c:\documents and settings\Marko\WINDOWS
2008-11-03 20:44 . 1996-01-09 10:38 283,648 --a------ c:\windows\uninst.exe
2008-11-03 20:35 . 2008-11-03 20:51 30 --a------ c:\windows\RESULT.QTW
2008-11-03 20:32 . 2008-11-03 20:40 682,232 --a------ c:\windows\system32\drivers\sptd.sys
2008-11-03 20:17 . 2008-06-08 23:58 60,273 --a------ c:\windows\system32\pthreadGC2.dll
2008-11-03 20:17 . 2008-06-12 20:36 7,680 --a------ c:\windows\system32\ff_vfw.dll
2008-11-03 20:17 . 2007-07-10 18:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2008-11-03 20:16 . 2008-11-03 20:17 <DIR> d-------- c:\program files\ffdshow
2008-11-03 20:15 . 2008-11-11 00:02 69 --a------ c:\windows\NeroDigital.ini
2008-11-03 01:55 . 2008-11-03 01:55 62,391 --a------ C:\Picture 3.JPG
2008-11-03 01:55 . 2008-11-03 01:55 60,937 --a------ C:\Picture 6.JPG
2008-11-03 01:55 . 2008-11-03 01:55 47,895 --a------ C:\Picture 4.JPG
2008-11-03 01:55 . 2008-11-03 01:55 17,408 --ahs---- C:\Thumbs.db
2008-11-03 01:55 . 2008-11-10 02:15 8,192 --ahs---- c:\windows\Thumbs.db
2008-11-03 01:54 . 2008-11-03 01:54 69,696 --a------ C:\Picture 9.JPG
2008-11-02 09:44 . 2008-11-02 09:44 56,572 --a------ c:\windows\system32\drivers\scdemu.sys
2008-10-28 17:07 . 2008-10-28 17:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\KONAMI
2008-10-27 21:37 . 2008-10-27 21:37 <DIR> d-------- c:\documents and settings\Marko\Incomplete
2008-10-27 21:37 . 2008-11-05 00:12 <DIR> d-------- c:\documents and settings\Marko\Application Data\LimeWire
2008-10-27 21:36 . 2008-10-27 21:35 410,976 --a------ c:\windows\system32\deploytk.dll
2008-10-27 21:36 . 2008-10-27 21:35 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-10-27 21:35 . 2008-10-27 21:35 <DIR> d-------- c:\program files\Java
2008-10-23 22:15 . 2008-10-23 22:15 <DIR> dr-h----- c:\documents and settings\Marko\Application Data\SecuROM
2008-10-23 22:15 . 2008-10-23 22:15 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2008-10-23 22:13 . 2008-10-23 22:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\FarmFrenzy2
2008-10-23 22:11 . 2008-10-23 22:11 <DIR> d-------- c:\program files\ReflexiveArcade
2008-10-23 21:35 . 2008-10-23 21:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2008-10-22 21:28 . 2008-10-22 21:28 <DIR> d-------- c:\program files\LimeWire
2008-10-19 18:36 . 2008-11-06 16:00 22,328 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2008-10-19 15:29 . 2008-10-19 15:29 <DIR> d-------- c:\program files\Hewlett-Packard
2008-10-19 14:49 . 1998-10-29 15:45 306,688 --a------ c:\windows\IsUninst.exe
2008-10-19 14:48 . 2008-04-13 23:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-10-19 14:48 . 2008-04-13 23:17 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-10-19 14:44 . 2008-10-19 14:44 <DIR> d-------- c:\program files\Teamspeak2_RC2
2008-10-19 14:44 . 2008-10-19 14:44 34,064 --a------ c:\windows\system32\lhacm.acm
2008-10-18 18:48 . 2008-10-18 18:48 <DIR> d-------- c:\program files\Autodesk
2008-10-18 18:46 . 2008-10-18 18:46 <DIR> d-------- c:\program files\AnswerWorks 4.0
2008-10-18 18:41 . 2008-10-18 18:48 <DIR> d-------- c:\program files\Common Files\Autodesk Shared
2008-10-18 18:41 . 2008-10-18 18:48 <DIR> d-------- c:\program files\AutoCAD 2005
2008-10-18 18:41 . 2008-10-18 19:02 <DIR> d-------- c:\documents and settings\Marko\Application Data\Autodesk
2008-10-18 18:41 . 2008-10-18 19:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Autodesk
2008-10-18 18:14 . 2008-11-06 16:00 107,832 --a------ c:\windows\system32\PnkBstrB.exe
2008-10-18 18:13 . 2008-11-06 15:59 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2008-10-18 17:58 . 2008-10-31 13:44 <DIR> d-------- c:\documents and settings\Marko\Contacts
2008-10-18 17:52 . 2008-10-18 17:52 <DIR> d-------- c:\windows\Logs
2008-10-18 17:52 . 2008-10-18 17:52 <DIR> d-------- C:\directx
2008-10-18 17:43 . 2008-10-18 17:55 <DIR> d-------- c:\program files\Windows Live
2008-10-18 17:43 . 2008-10-18 17:54 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-10-18 17:42 . 2008-10-18 17:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-10-18 17:06 . 2008-10-18 17:06 5,760,054 --a------ c:\windows\AW_XenoMorph1600.bmp
2008-10-18 17:00 . 2008-10-18 17:00 0 --a------ c:\windows\nsreg.dat
2008-10-18 16:43 . 2008-10-18 16:43 <DIR> d-------- c:\documents and settings\Marko\Application Data\Comodo
2008-10-18 13:06 . 2008-10-18 13:06 249,592 --a------ c:\windows\system32\cssdll32.dll
2008-10-18 13:05 . 2008-10-18 13:06 <DIR> d-------- c:\program files\COMODO
2008-10-18 13:05 . 2008-10-18 13:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\comodo
2008-10-18 13:05 . 2008-10-30 08:05 143,096 --a------ c:\windows\system32\guard32.dll
2008-10-18 13:05 . 2008-10-30 08:04 99,856 --a------ c:\windows\system32\drivers\cmdguard.sys
2008-10-18 13:05 . 2008-10-30 08:05 31,504 --a------ c:\windows\system32\drivers\cmdhlp.sys
2008-10-18 01:03 . 2008-04-14 01:10 57,600 --a------ c:\windows\system32\drivers\redbook.sys
2008-10-18 01:03 . 2008-04-14 06:41 21,504 --a------ c:\windows\system32\hidserv.dll
2008-10-18 01:03 . 2001-08-17 14:59 3,072 --a------ c:\windows\system32\drivers\audstub.sys
2008-10-18 01:02 . 2001-08-17 14:46 6,400 --a------ c:\windows\system32\drivers\enum1394.sys
2008-10-18 01:01 . 2008-11-12 20:30 <DIR> d--hs---- c:\windows\Installer
2008-10-18 01:01 . 2008-10-27 09:55 523,142 --a------ c:\windows\system32\PerfStringBackup.INI
2008-10-18 01:01 . 2008-04-14 04:42 74,240 --a------ c:\windows\system32\usbui.dll
2008-10-18 01:01 . 2008-04-14 04:42 74,240 --a--c--- c:\windows\system32\dllcache\usbui.dll
2008-10-18 01:01 . 2008-10-18 01:01 4,444 --a------ c:\windows\system32\pid.PNF
2008-10-18 01:01 . 2008-11-03 20:33 1,374 --a------ c:\windows\imsins.BAK
2008-10-18 01:00 . 2008-11-09 01:27 <DIR> dr------- c:\documents and settings\All Users\Documents

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-12 19:40 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2008-11-12 19:29 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-09 00:27 --------- d-----w c:\program files\Common Files\Adobe
2008-11-06 19:44 --------- d-----w c:\program files\AlienGUIse
2008-11-06 14:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-22 18:50 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2008-10-19 13:56 --------- d-----w c:\documents and settings\Marko\Application Data\Ahead
2008-10-18 15:56 --------- d-----w c:\program files\Common Files\Jasc Software Inc
2008-10-17 23:08 --------- d-----w c:\program files\My Company Name
2008-10-17 23:08 --------- d-----w c:\program files\AGEIA Technologies
2008-10-17 22:44 --------- d-----w c:\program files\ASUS
2008-10-17 22:44 --------- d-----w c:\documents and settings\Marko\Application Data\InstallShield
2008-10-17 22:38 --------- d-----w c:\program files\Marvell
2008-10-17 22:38 --------- d-----w c:\documents and settings\Marko\Application Data\TMP
2008-10-17 22:34 --------- d-----w c:\program files\Analog Devices
2008-10-17 22:16 --------- d-----w c:\program files\Intel
2008-10-17 22:10 --------- d-----w c:\program files\microsoft frontpage
2008-10-17 19:23 --------- d-----w c:\program files\Common Files\Logishrd
2008-10-17 19:20 --------- d-----w c:\program files\Logitech
2008-10-17 19:04 --------- d-----w c:\program files\MSBuild
2008-10-17 19:03 --------- d-----w c:\program files\Reference Assemblies
2008-10-17 18:57 --------- d-----w c:\documents and settings\Marko\Application Data\CyberLink
2008-10-17 18:57 --------- d-----w c:\documents and settings\All Users\Application Data\LightScribe
2008-10-17 18:57 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2008-10-17 18:56 --------- d-----w c:\program files\Common Files\LightScribe
2008-10-17 18:55 --------- d-----w c:\program files\Common Files\Ahead
2008-10-17 18:55 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2008-10-17 18:54 --------- d-----w c:\program files\Nero
2008-10-17 18:54 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-10-17 18:53 --------- d-----w c:\program files\CyberLink
2008-10-17 18:41 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-10-17 18:41 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-10-17 18:41 --------- d-----w c:\program files\NOS
2008-10-17 18:41 --------- d-----w c:\documents and settings\Marko\Application Data\Leadertech
2008-10-17 18:41 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2008-10-17 18:40 --------- d-----w c:\documents and settings\All Users\Application Data\LogiShrd
2008-10-17 18:35 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2008-10-17 18:30 --------- d-----w c:\program files\7-Zip
2008-10-17 18:29 --------- d-----w c:\program files\Common Files\Stardock
2008-10-17 18:27 --------- d-----w c:\program files\Jasc Software Inc
2008-10-17 18:27 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-17 18:27 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2008-10-17 18:25 --------- d-----w c:\program files\Microsoft Works
2008-10-17 18:21 --------- d-----w c:\program files\Microsoft ActiveSync
2008-10-17 18:21 --------- d-----w c:\program files\Common Files\L&H
2008-10-17 18:20 --------- d-----w c:\program files\Microsoft.NET
2008-10-17 18:11 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-10-17 17:33 --------- d-----w c:\program files\Windows Media Connect 2
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2006-06-23 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((( snapshot@2008-11-12_14.12.16.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-12 19:41:03 16,384 ----atw c:\windows\temp\Perflib_Perfdata_7ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Alienware Dock by Stardock ObjectDock"="c:\program files\AlienGUIse\AlienwareDock\ObjectDock.exe" [2006-10-03 2074360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-03-16 1040384]
"Six Engine"="c:\program files\ASUS\Six Engine\SixEngine.exe" [2008-05-14 5958656]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-07-18 1687824]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-07-18 2094352]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2008-10-18 278264]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2008-10-30 1797880]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-07-17 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP @n Utility.lnk - c:\program files\ASUS\WiFi-AP @n\WiFi-AP@n.exe [2008-10-17 1224704]
SetPointII.lnk - c:\program files\Logitech\SetPoint II\SetpointII.exe [2007-08-30 319488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"SecurDisc"=c:\program files\Nero\Nero 7\InCD\NBHGui.exe
"InCD"=c:\program files\Nero\Nero 7\InCD\InCD.exe
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"SpyHunter Security Suite"=c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"e:\\Igre\\America's Army\\System\\ArmyOps.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"e:\\Igre\\PES 2009\\pes2009.exe"=
"e:\\Igre\\COD4\\iw3mp.exe"=
"e:\\Igre\\FarCry2\\Far Cry 2\\bin\\FarCry2.exe"=
"e:\\Igre\\FarCry2\\Far Cry 2\\bin\\FC2Launcher.exe"=
"e:\\Igre\\FarCry2\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 mv61xx;mv61xx;c:\windows\system32\DRIVERS\mv61xx.sys [2008-05-19 150568]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-10-30 99856]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-10-30 31504]
R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2008-04-14 14336]
R3 LVRS;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs.sys [2008-02-06 628760]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys [2007-11-16 550272]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-11-03 306432]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68f5d786-9ecf-11dd-b027-0015af6e1ace}]
\Shell\AutoRun\command - F:\setup.exe AUTORUN=1

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-11-07 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2008-01-08 13:31]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-12 20:41:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Logishrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Logishrd\LVCOMSER\LVComSer.exe
.
**************************************************************************
.
Completion time: 2008-11-12 20:43:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-12 19:43:09
ComboFix2.txt 2008-11-12 13:12:36

Pre-Run: 155.408.781.312 bytes free
Post-Run: 155,398,950,912 bytes free

315

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:46:26, on 12.11.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\Six Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Alienware Dock by Stardock ObjectDock] C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Product Registration.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Product Registration.lnk = ? (User 'Default user')
O4 - Startup: Product Registration.lnk = ?
O4 - Global Startup: ASUS WiFi-AP @n Utility.lnk = C:\Program Files\ASUS\WiFi-AP @n\WiFi-AP@n.exe
O4 - Global Startup: SetPointII.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224263536376
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{837C64A9-E356-4598-AB12-B8690A634685}: NameServer = 195.29.150.3,195.29.150.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{E26E5BB8-220B-4F3B-94C0-12956F7C9E14}: NameServer = 195.29.150.3,195.29.150.4
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7856 bytes


and GMER log:


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-12 20:50:40
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xB77E47B6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xB77E3D16]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xB77E4372]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateKey [0xB77E4F80]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xB77E3A70]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xB77E5C70]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xB77E499C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0xB77E3646]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteKey [0xB77E4BEA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteValueKey [0xB77E4D9A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xB77E34F8]
SSDT sptd.sys ZwEnumerateKey [0xBA6C5E2C]
SSDT sptd.sys ZwEnumerateValueKey [0xBA6C61BA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xB77E58F2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xB77E3F5C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xB77E45AA]
SSDT sptd.sys ZwOpenKey [0xBA6C00B0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenProcess [0xB77E3228]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xB77E41EC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenThread [0xB77E33A0]
SSDT sptd.sys ZwQueryKey [0xBA6C6292]
SSDT sptd.sys ZwQueryValueKey [0xBA6C6112]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xB77E5346]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xB77E3B8E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xB77E56AA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xB77E5AA0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetValueKey [0xB77E5146]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xB77E3EF6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xB77E40E0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateProcess [0xB77E393A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xB77E3808]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? Combo-Fix.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B9E0A8AC 5 Bytes JMP 896301C8
? System32\Drivers\abn2vm79.SYS The system cannot find the file specified. !
? C:\DOCUME~1\Marko\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6C0AD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6C0C1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6C0B9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6C1748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6C161E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [BA4E4710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [BA4E4770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [BA4E4990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [BA4E4950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [BA4E4950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [BA4E4770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [BA4E4710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [BA4E4990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [BA4E4990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [BA4E4950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [BA4E4770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [BA4E4710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BA4E4950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [BA4E4990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BA4E4710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BA4E4770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BA4E4710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BA4E4770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BA4E4950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [BA4E4990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [BA4E4950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [BA4E4770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [BA4E4710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [BA4E4710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [BA4E4770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [BA4E4990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [BA4E4950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [BA4E4950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [BA4E4990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [BA4E4710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [BA4E4770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)

---- User IAT/EAT - GMER 1.0.14 ----

IAT E:\Docs\gmer.exe[8376] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00E42F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT E:\Docs\gmer.exe[8376] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00E42CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT E:\Docs\gmer.exe[8376] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00E42D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT E:\Docs\gmer.exe[8376] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00E42CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\explorer.exe[8720] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C92F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\explorer.exe[8720] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C92CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\explorer.exe[8720] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C92D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\explorer.exe[8720] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C92CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[10096] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A42F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[10096] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A42CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[10096] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A42D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[10096] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A42CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A65B1E8

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

Device \Driver\usbuhci \Device\USBPDO-0 896CE1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A65D1E8
Device \Driver\dmio \Device\DmControl\DmConfig 8A65D1E8
Device \Driver\dmio \Device\DmControl\DmPnP 8A65D1E8
Device \Driver\dmio \Device\DmControl\DmInfo 8A65D1E8
Device \Driver\usbuhci \Device\USBPDO-1 896CE1E8
Device \Driver\PCI_NTPNP5756 \Device\00000045 sptd.sys
Device \Driver\usbuhci \Device\USBPDO-2 896CE1E8
Device \Driver\usbehci \Device\USBPDO-3 895FB1E8
Device \Driver\usbuhci \Device\USBPDO-4 896CE1E8

AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

Device \Driver\usbuhci \Device\USBPDO-5 896CE1E8
Device \Driver\usbuhci \Device\USBPDO-6 896CE1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A6CE1E8
Device \Driver\usbehci \Device\USBPDO-7 895FB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A6CE1E8
Device \Driver\Cdrom \Device\CdRom0 895B11E8
Device \Driver\Cdrom \Device\CdRom1 895B11E8
Device \Driver\Cdrom \Device\CdRom2 895B11E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 891611E8
Device \Driver\NetBT \Device\NetbiosSmb 891611E8

AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

Device \Driver\usbuhci \Device\USBFDO-0 896CE1E8
Device \Driver\usbuhci \Device\USBFDO-1 896CE1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 891507A0
Device \Driver\usbuhci \Device\USBFDO-2 896CE1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 891507A0
Device \Driver\usbehci \Device\USBFDO-3 895FB1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{837C64A9-E356-4598-AB12-B8690A634685} 891611E8
Device \Driver\usbuhci \Device\USBFDO-4 896CE1E8
Device \Driver\Ftdisk \Device\FtControl 8A6CE1E8
Device \Driver\usbuhci \Device\USBFDO-5 896CE1E8
Device \Driver\usbuhci \Device\USBFDO-6 896CE1E8
Device \Driver\usbehci \Device\USBFDO-7 895FB1E8
Device \Driver\abn2vm79 \Device\Scsi\abn2vm791 895F4608
Device \Driver\abn2vm79 \Device\Scsi\abn2vm791Port5Path0Target1Lun0 895F4608
Device \Driver\abn2vm79 \Device\Scsi\abn2vm791Port5Path0Target0Lun0 895F4608
Device \Driver\mv61xx \Device\Scsi\mv61xx1Port4Path0Target14Lun0 8A65C1E8
Device \Driver\mv61xx \Device\Scsi\mv61xx1 8A65C1E8
Device \FileSystem\Cdfs \Cdfs 89531458

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x42 0x1A 0x18 0xAE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x80 0xD4 0x83 0x55 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x44 0x4A 0xC7 0xAE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xF8 0xE5 0xAF 0xB7 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x42 0x1A 0x18 0xAE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF0 0x0A 0xEB 0xAD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x44 0x4A 0xC7 0xAE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xF8 0xE5 0xAF 0xB7 ...

---- EOF - GMER 1.0.14 ----

ken545
2008-11-16, 14:08
prpacro,

I am usually notified when you post back; this time I was not, sorry about that. I am looking over your log and will be back shortly.

ken545
2008-11-16, 14:21
Looks good,

You still have entries for uTorrent and Limewire, do you want to completely remove them??

How are things running now??

ken545
2008-11-16, 14:26
Logs look fine, how are things running now?

prpacro
2008-11-16, 16:29
The uTorrent folder was in Program Files, but empty; don't know why the setup left it (deleted manually). Things look fine now, Spybot doesn't detect anything now. Is there anything I can do to avoid being infected in the future?

ken545
2008-11-16, 17:08
Hello,

c:\program files\uTorrent <-- Delete this folder
c:\documents and settings\Marko\Application Data\uTorrent <-- This one too


You also have Limewire installed, another P2P program. Your call to uninstall it via Add/Remove Programs; if you do, then if these are still present, delete them also:
c:\documents and settings\Marko\Application Data\LimeWire
c:\program files\LimeWire



ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Hijackthis <---Your call, hopefully you won't need it again, if you do you can redownload it

Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system


Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.



How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Keep in mind, if you install some of these programs: only ONE Anti Virus and only ONE Firewall are recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy, but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.



Safe Surfn
Ken

prpacro
2008-11-16, 19:35
OK, I did everything on the list; it should work fine now.
One last thing: I got the same rootkit activity error during the uninstallation of ComboFix.

Thank you very much, you helped me a lot. I owe you one. :D

ken545
2008-11-16, 20:54
Let's double-check.

Download Blacklight Rootkit Detection and Elimination Tool (ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe) to your desktop

Click on fsbl.exe to run it and follow the prompts, then post the log please.

prpacro
2008-11-16, 22:29
11/16/08 22:12:34 [Info]: BlackLight Engine 2.2.1092 initialized
11/16/08 22:12:34 [Info]: OS: 5.1 build 2600 (Service Pack 3)
11/16/08 22:12:34 [Note]: 7019 4
11/16/08 22:12:34 [Note]: 7005 0
11/16/08 22:12:40 [Note]: 7006 0
11/16/08 22:12:40 [Note]: 7011 2424
11/16/08 22:12:40 [Note]: 7035 0
11/16/08 22:12:40 [Note]: 7026 0
11/16/08 22:12:40 [Note]: 7026 0
11/16/08 22:12:42 [Note]: FSRAW library version 1.7.1024
11/16/08 22:18:16 [Note]: 7007 0


No hidden items were found... well, thanks anyway.

ken545
2008-11-17, 03:03
No rootkit :bigthumb:

Ken:p: