Services and Controller app has encountered a problem and needs to close
NightDrifter
2009-11-03, 21:25
Well, this is my problem... I boot up my Computer, load up Windows and then, after some seconds of waiting, a Message Box pops up, saying:
Services and Controller app has encountered a problem and needs to close
If not:
services.exe has encountered a problem and needs to close
Then, a shutdown timer starts. I heard it may be related to some malware, and searched on "Google", but didn't find any answers. Installed AND updated my software, but that didn't fix anything.
I scanned my System with "Spyware Doctor" and "Malwarebytes' Anti-Malware", and they both found nothing.
I don't use/have/can't afford an antivirus, and I just dislike "AVG" and "Avast!".
Here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:27 PM, on 11/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Kerio\WinRoute Firewall\winroute.exe
C:\PROGRA~1\SPEEDB~2\VideoAcceleratorEngine.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Kerio\WinRoute Firewall\avServer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\steam\steam.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Kerio\WinRoute Firewall\wrctrl.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Exploder
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: SBCONVERT - {31B27F2D-6BC6-451B-B3D2-4EAB36B2FC3B} - C:\Program Files\SpeedBit Video Downloader\Toolbar\tbcore3.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live ????? ???? - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\DAP\DAPIEL~1.DLL
O2 - BHO: GrabberObj Class - {FF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\SPEEDB~1\Toolbar\grabber.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: SpeedBit Video Downloader - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - C:\Program Files\SpeedBit Video Downloader\Toolbar\tbcore3.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Badongo Toolbar - {eadb5c49-abd7-447d-81ee-d5245b6f3929} - C:\Program Files\Badongo Toolbar\toolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [WrCtrl] "C:\Program Files\Kerio\WinRoute Firewall\wrctrl.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: e&xportar a microsoft excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: send by bluetooth - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
O8 - Extra context menu item: send via &message... - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
O8 - Extra context menu item: upload linked file to badongo - C:\Program Files\Badongo Toolbar\uploadfile.html
O8 - Extra context menu item: upload this image to badongo - C:\Program Files\Badongo Toolbar\uploadimage.html
O9 - Extra button: Enviar a OneNote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar a OneNote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~2\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~2\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~2\sblsp.dll
O13 - Gopher Prefix:
O16 - DPF: {4ABB12B3-8A8B-481D-874A-93E16F930A8B} (CKKeyPro Crypto support Class (CKNhnInst)) - http://www.hangame.com/common/CKKeyProInst.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1010 Class) - http://pubid.hangame.com/common/HanSetup1020.cab
O18 - Protocol: groovelocalgws - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\skype4com.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: BlueSoleilCS (bluesoleilcs) - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: BsHelpCS (bshelpcs) - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: BsMobileCS (bsmobilecs) - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
O23 - Service: Imapi Helper (imapi helper) - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU (nmsaccessu) - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA (pnkbstra) - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB (pnkbstrb) - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe
O23 - Service: Kerio WinRoute Firewall (winroute) - Kerio Technologies - C:\Program Files\Kerio\WinRoute Firewall\winroute.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: Zwunzi Service (zwunzi service) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Zwunzi\zwunzi121.exe (file missing)
--
End of file - 10939 bytes
There's something missing there, and it's quite obvious what it is.
I had to do "shutdown -a" in order to maintain the system. It took me a lot to get the browser working, because it just wouldn't launch, and the system is quite unstable without services.exe working, often crashing the whole OS.
Extra information about this computer:
It's mostly used for playing games; the system is barely average, not a gaming machine. It can play all of the newest games though, and I'm just happy with that.
It is also used for homework, although there's often no homework to do.
Any help is appreciated, I know I'm in capable hands here :D
Thanks,
~NightDrifter
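The HijackThis log above is a fixed-format text report (section code, dash, item), so a helper's first pass over it can be scripted. The block below is an added triage example written for this thread, not a tool from the forum or from Trend Micro: it parses a few lines copied from the log posted above (embedded here as a constructed sample) and flags the kinds of entries a helper would look at first: an O2 BHO whose DLL is gone, an O4 autorun that names a bare executable with no path, repeated O10 Winsock LSP entries, and O23 services that are either "(file missing)" or live under a user-writable folder. The rules and thresholds are my own assumptions, not a verdict on any specific entry.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied verbatim from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~2\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~2\sblsp.dll
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Zwunzi Service (zwunzi service) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Zwunzi\zwunzi121.exe (file missing)
"""

# Every HJT item is "<section> - <body>", e.g. "O23 - Service: ...".
LINE_RE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")

# Folders a normal service binary should not live in (assumption: heuristic list, not exhaustive).
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code, e.g. "O23"
    item: str      # the item text (or, for LSPs, the DLL path)
    reason: str    # why a helper should look at it


def parse_lines(text):
    """Yield (section, body) pairs for every well-formed HJT item line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(text):
    """Apply first-pass review heuristics to an HJT log and return the findings."""
    findings = []
    lsp_counts = {}
    for section, body in parse_lines(text):
        if section == "O2" and body.endswith("(no file)"):
            findings.append(Finding(section, body, "BHO is registered but its DLL is gone (orphaned entry)"))
        elif section == "O4" and "] " in body:
            # body looks like: HKLM\..\Run: [Name] <command>
            cmd = body.split("] ", 1)[1]
            # First token of the command: quoted path, or bare first word.
            exe = cmd.strip('"').split('"')[0] if cmd.startswith('"') else cmd.split()[0]
            if "\\" not in exe:
                findings.append(Finding(section, body, "autorun names a bare executable; resolved via the search path"))
        elif section == "O10":
            path = body.split(":", 1)[1].strip().lower()
            lsp_counts[path] = lsp_counts.get(path, 0) + 1
        elif section == "O23":
            path = body.rsplit(" - ", 1)[1].lower()
            if body.endswith("(file missing)"):
                findings.append(Finding(section, body, "service points to a file that no longer exists"))
            if any(marker in path for marker in USER_WRITABLE):
                findings.append(Finding(section, body, "service binary sits under a user-writable location"))
    for path, n in lsp_counts.items():
        findings.append(Finding("O10", path, f"third-party Winsock LSP ({n} entries)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.item}")
```

On the sample this reports six items: the orphaned BHO, the bare RTHDCPL.EXE autorun, both "(file missing)" services, the Zwunzi binary's location under All Users\Application Data, and the duplicated SpeedBit LSP; the signed NVIDIA service and the fully-pathed Spyware Doctor tray entry pass untouched. A flag is only a prompt to check the entry against the vendor and the file on disk, which is exactly what the helper does by hand further down the thread.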
Hi NightDrifter
To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
You will now be presented with a screen similar to the one below:
http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
NightDrifter
2009-11-08, 06:22
Here's the list you asked for:
µTorrent
7-Zip 4.65
Adobe Flash Player 10 Plugin
AI War
AI War: Fleet Command
America's Army 3
Ares 2.1.1
Ask Toolbar
ASRock WiFi-802.11g
Audiosurf
Badongo Toolbar v1.0
Battleforge
Blender (remove only)
Bluesoleil 6.4.249.0
CABAL Online
CDBurnerXP
Cheat Engine 5.5
한게임 자동 인스톨러
DAEMON Tools Toolbar
dBpoweramp m4a Codec
dBpoweramp Musepack Codec
dBpoweramp Music Converter
dBpoweramp Ogg Vorbis Codec
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
Download Accelerator Plus (DAP)
Dxtory 1.0.79
FATAL/FAKE
Foxit Reader
Free Sound Recorder v8.1.1
GameSpy Arcade
Garry's Mod
Half-Life
Half-Life 2: Deathmatch
HashCheck Shell Extension (x86-32)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HyperCam 2
ISO Recorder
Java(TM) 6 Update 17
Junk Mail filter update
Left 4 Dead 2 Demo
LimeWire 5.3.6
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Halo
Microsoft Office Access MUI (Spanish) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (Spanish) 2007
Microsoft Office Groove MUI (Spanish) 2007
Microsoft Office InfoPath MUI (Spanish) 2007
Microsoft Office OneNote MUI (Spanish) 2007
Microsoft Office Outlook MUI (Spanish) 2007
Microsoft Office PowerPoint MUI (Spanish) 2007
Microsoft Office Proof (Basque) 2007
Microsoft Office Proof (Catalan) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Galician) 2007
Microsoft Office Proof (Portuguese (Brazil)) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (Spanish) 2007
Microsoft Office Publisher MUI (Spanish) 2007
Microsoft Office Shared MUI (Spanish) 2007
Microsoft Office Word MUI (Spanish) 2007
Microsoft Silverlight
Microsoft Virtual PC 2007
Microsoft Visual C++ 2005 Redistributable
Modem Booster
Monster Hunter Frontier Online 9.1.7
Mozilla Firefox (3.5.5)
MSVCRT
MSXML 4.0 SP2 Parser and SDK
MSXML 4.0 SP3 Parser
MSXML 6.0 Parser (KB927977)
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
ObjectDock
Open Command Prompt Shell Extension (x86-32)
Paint.NET v3.36
Project64 1.6
PunkBuster Services
Python 2.6.4
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Segoe UI
Skype web features
Skype™ 4.1
SlimDX Redistributable (March 2009)
Source Dedicated Server
Source SDK Base
SourceOP Beta Version 0.9.0.74
SourceOP DF_admins.txt Helper 1.0
SpeedBit Video Accelerator
SpeedBit Video Downloader
Spybot - Search & Destroy
Spyware Doctor 6.1
SpywareBlaster 4.2
Starcraft
Steam
Sven Co-op 4.0B
TeamSpeak 2 RC2
TeamViewer 4
Ultimate Paint 2.88 Freeware Edition
Unlocker 1.8.7
VC80CRTRedist - 8.0.50727.4053
VLC media player 1.0.2
WindowBlinds
Windows Live ???
Windows Live ????? ??????
Windows Live ?????? ???
Windows Live ???????
Windows Live ???????
Windows Live Call
Windows Live Communications Platform
Windows Live Messenger
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
WinRAR archiver
XecureCK Keyboard Protector with E2E
Zombie Panic! Source
Zwunzi 1.0 build 121
NightDrifter
2009-11-08, 06:37
Sorry for the double post, but I forgot to mention:
I scanned my system with Spyware Doctor and detected a Trojan.Buzus a few minutes ago. I re-scanned 3 times, pressing "Fix problems" each time, and every time the same results came up: Trojan.Buzus.
Says something about a very high risk level, and it doesn't delete the Trojan. I kept repeating the scanning, and now Trojan.Buzus doesn't show up anymore... But I am aware that it might still be on my System, although I'm not sure it is related to my Issue.
Since Spyware Doctor could not delete this Trojan, I went to the C:\ folder and deleted some files myself using the Eraser tool.
On the other hand, I use the Peer 2 Peer programs to distribute my own homemade VB6 applications on the Internet, and on my LAN, via either a Torrent or LimeWire. Uninstalling them if needed is fine, as I don't make that many applications, and they aren't used that much either.
Thanks,
~NightDrifter
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
µTorrent
Ares 2.1.1
LimeWire 5.3.6
I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above.
Uninstall also this:
Ask Toolbar
Please run a new uninstall list scan when finished and post the log back here.
NightDrifter
2009-11-08, 23:24
Done, uninstalled those four programs. Here's the list:
7-Zip 4.65
Adobe Flash Player 10 Plugin
AI War
AI War: Fleet Command
America's Army 3
ASRock WiFi-802.11g
Audiosurf
Badongo Toolbar v1.0
Battleforge
Blender (remove only)
Bluesoleil 6.4.249.0
CABAL Online
CDBurnerXP
Cheat Engine 5.5
한게임 자동 인스톨러
DAEMON Tools Toolbar
dBpoweramp m4a Codec
dBpoweramp Musepack Codec
dBpoweramp Music Converter
dBpoweramp Ogg Vorbis Codec
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
Download Accelerator Plus (DAP)
Dxtory 1.0.79
EVEREST Corporate Edition v5.30
FATAL/FAKE
Foxit Reader
Free Sound Recorder v8.1.1
GameSpy Arcade
Garry's Mod
Half-Life
Half-Life 2: Deathmatch
HashCheck Shell Extension (x86-32)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HyperCam 2
ISO Recorder
Java(TM) 6 Update 17
Junk Mail filter update
Left 4 Dead 2 Demo
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Halo
Microsoft Office Access MUI (Spanish) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (Spanish) 2007
Microsoft Office Groove MUI (Spanish) 2007
Microsoft Office InfoPath MUI (Spanish) 2007
Microsoft Office OneNote MUI (Spanish) 2007
Microsoft Office Outlook MUI (Spanish) 2007
Microsoft Office PowerPoint MUI (Spanish) 2007
Microsoft Office Proof (Basque) 2007
Microsoft Office Proof (Catalan) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Galician) 2007
Microsoft Office Proof (Portuguese (Brazil)) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (Spanish) 2007
Microsoft Office Publisher MUI (Spanish) 2007
Microsoft Office Shared MUI (Spanish) 2007
Microsoft Office Word MUI (Spanish) 2007
Microsoft Silverlight
Microsoft Virtual PC 2007
Microsoft Visual C++ 2005 Redistributable
Modem Booster
Monster Hunter Frontier Online 9.1.7
Mozilla Firefox (3.5.5)
MSVCRT
MSXML 4.0 SP2 Parser and SDK
MSXML 4.0 SP3 Parser
MSXML 6.0 Parser (KB927977)
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
ObjectDock
Open Command Prompt Shell Extension (x86-32)
Paint.NET v3.36
Project64 1.6
PunkBuster Services
Python 2.6.4
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Segoe UI
Skype web features
Skype™ 4.1
SlimDX Redistributable (March 2009)
Source Dedicated Server
Source SDK Base
SourceOP Beta Version 0.9.0.74
SourceOP DF_admins.txt Helper 1.0
SpeedBit Video Accelerator
SpeedBit Video Downloader
Spybot - Search & Destroy
Spyware Doctor 6.1
SpywareBlaster 4.2
Starcraft
Steam
Sven Co-op 4.0B
TeamSpeak 2 RC2
TeamViewer 4
Ultimate Paint 2.88 Freeware Edition
Unlocker 1.8.7
VC80CRTRedist - 8.0.50727.4053
VLC media player 1.0.2
WindowBlinds
Windows Live ???
Windows Live ????? ??????
Windows Live ?????? ???
Windows Live ???????
Windows Live ???????
Windows Live Call
Windows Live Communications Platform
Windows Live Messenger
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
WinRAR archiver
XecureCK Keyboard Protector with E2E
Zombie Panic! Source
Zwunzi 1.0 build 121
So, what's the next procedure?
D:
Thanks
~NightDrifter
We will continue with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
NightDrifter
2009-11-09, 20:24
Guess it's done... This is the ComboFix log you asked for.
ComboFix 09-11-08.03 - Owner 11/09/2009 11:34.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1395 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.
ADS - svchost.exe: deleted 31744 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Custom Settings\TaskBarCmd v1.1.exe
c:\documents and settings\Owner\Application Data\Desktopicon
c:\documents and settings\Owner\Application Data\Desktopicon\eBayShortcuts.exe
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\01d00098f732f640c6a5c8d431515b46.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\049497fd8947e722ae04b02eab871c18.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\067a9fd1541da872bb757c3da6a33d92.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\0783fa07a21528ab730a1df23334399c.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\0999dc9d92e75202025b885f39592438.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\0ba4ed06c78b5997716890d067fe2f51.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\0bb985ae9fc3a38262b3fd4c5cb03a3e.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\0ccc70e9bd23465e9e97d9445314fa13.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\0d5b5b246d05342352b6c776e1cf5212.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\11e75649feaf8ef009c4ed99aafe8310.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\1ba01a94a454af76ad1d723478b7127d.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\1ec397e7e85d3c521dc4c849c4e3ea0f.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\1f840d5d0d14655c624d157818b7003d.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\24c8b24d8a5c9889dac59d968fa1b8d8.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\251f27bb0e06e757f562bc1dc84a615f.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\25e9c02c9d769d249732f66e042c290e.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\28358b19588cf08bbb5de8b51850fe3a.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\288a0b7430370eb282f72b7e015c3c9a.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\28e51fb50e37beadbd134e4ae50e8f63.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\2a066ba87c16f28ec9819e3285252403.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\2c5a2cabd3b78548df720c3ee90efb41.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\2c86ccbe1c6e19b40bb8de244b0ba1e7.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\2d0afc3654f0a438f23598fb84be758c.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\2dfb42d5ca2c7ccc627743d095dfbac9.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\2eacacaddf4a71fe74de2b3f14074ac6.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\354c633ff9bf6fb3ecfad0ad65113c47.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\366a8f1bc352313a1074df76fdbce056.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\393e4d90773d8bbc9b905d903b618bdf.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\397bc65516fb1e815aa106a3d14d5305.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\3c1498e5ef362e757dc43d17482960f3.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\3ca41046bcb79924498d631f343d4371.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\461b3a8e7cfacb0c812e36aed9447c6d.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\46ceb001bfdc384ffe00657d8c567973.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\46eb2cd25804a00a1f22c69c4020c7e5.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\47d1dba34092ceb5412ac6f70c51e606.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\485d27cb769c9983f17e3d9eb5d03c5c.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\4b377d6eea3966e34c9a3ac2c647e5e5.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\4e216d83dc7da9779966ea4d31e236dd.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\4e6865e0bf7cf90244ce414917cc6556.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\51303604fcc7ede3ff317e6daac0c19a.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\52b483be9d71439ea530fb17638e5382.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\56613b7bd5cb1c3e01ecaa7a811022a9.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\59a83ef1238e50bddcc7caeb618d1824.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\59d3e0ea0c210c7674fea90f5382090c.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\5af1fa38e21413b7b2f5c6371f706543.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\5c5edcfe25ff895bc5c6a8d734710c5c.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\5f45a68915125fa8ad11a60ebffe29ee.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\6166b09fdf1ac1eaa1ae57a6eb20c03b.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\63eb5d17d60101356a7bbfdaae9afa57.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\654f8818ae39026c29f34808452fb02f.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\69482b1568b01b43c70d0ace76055f7e.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\6ab204a5ef9f916fe93d527a421ffdda.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\741983fb8768fa4d118c8ca59f82bb83.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\7cef98e862160d452cf773da8f4e2064.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\7f1d8b588793a67a9e8271b309c497c8.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\82724e37ddf746e5c798c9541a83d990.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\877d5ef68d1b6d7922fd09e955289803.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\8abcdf24b4bfa351f3b767c4232c6d02.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\91a1315c3d05215b1504e5899d32b936.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\9a40bf533c72981026081869543bbde2.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\9a846edeab464b62f0f2a74c54059f0b.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\9c5178781b9775c8036205fa67727330.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\9f9c2aa3ed1b1b0f922524c5a5260d1c.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\a26ba057241a8c2ae219a8db7335f51c.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\a67e0c2d6a842bf89983192c7e42d7c7.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\a9583053db1a9b326763e99e2321c517.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\ad63fa05a8e976a9e0939831eb5ba308.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\b2c8a6ebad81932fcbe8461599d71865.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\b527594c48bbaad67924ced89a416e20.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\b86745632d1223fab788478c41828d9a.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\b88e5980318f9688b4348228079f4f04.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\c25b7660062dfaf312f7142d2126cf2e.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\c2a9bad2a6f3c5b8aba800c2646abbf0.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\c36f2f770b74dd9e49947e924f85eeea.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\c636b5bf68f8ea6811c91dd569143b63.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\c73959eceda75ddf82609033ed2756e9.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\ccbebc209ee7342ed2a62b6d6e996645.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\d0d1583aaf54f587014b422167bddd89.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\d41d8cd98f00b204e9800998ecf8427e.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\d7c0d1ef6446382c3f7bb71308ba122f.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\d8c72d47eaed4bf47aa5d4f291a7c350.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\d909bf9e40d3de9bfa779059a90ff834.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\dc973701a6a9f218f60e389f479684db.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\dcc3ea4461b925db5858951892b5fa12.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\df0ea822d926c8fa5e9401e70f2cea67.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\e09d50f5972f50e03ca6be41cf66e0b5.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\e261f32b2da3462f5a3f10d0e3cb11c7.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\e52ee3c662672a47bf85d717ebb4ae8e.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\e5c061252396f14b1dca59f288bf9c20.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\ebc4635e6aeb6c62f3801a378bdfaa4d.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\ecb246b7273dc7466b406d7b8b10c09e.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\f63720489499e58792f33295e3dfbf29.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\f9531b586c797615c6b11c5d9e8b7302.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fd44d831ab115f692f560f8ea07c9868.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fe5046d3ac6595d8f385d8a45126456e.bmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fe6d388665fbc8cdfabaa8dc587839f7.bmp
c:\program files\SpeedBit Video Downloader\Toolbar\tbhelper.dll
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1811
c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1858
c:\recycler\S-1-5-21-2515692050-3951781386-664637758-4387
c:\recycler\S-1-5-21-3960351061-0147686217-620205669-3838
c:\recycler\S-1-5-21-515967899-842925246-682003330-1003
c:\recycler\S-1-5-21-5478708572-8337656310-807184546-8180
c:\windows\system32\drivers\79104c4a.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_npf
-------\Service_npf
-------\Service_79104c4a
((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))
.
2009-11-08 06:58 . 2009-11-08 06:58 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\TeamViewer
2009-11-08 06:33 . 2009-11-08 06:33 -------- d-----w- c:\program files\Lavalys
2009-11-06 23:58 . 2009-11-07 00:17 -------- d-----w- C:\tmp
2009-11-06 23:40 . 2009-11-06 23:41 -------- d-----w- C:\Python26
2009-11-06 23:37 . 2009-11-06 23:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Blender Foundation
2009-11-06 23:37 . 2009-11-06 23:37 -------- d-----w- c:\program files\Blender Foundation
2009-11-06 02:48 . 2009-11-06 03:37 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Stardock
2009-11-06 02:47 . 2009-11-06 02:47 -------- d-----w- c:\program files\Common Files\Stardock
2009-11-05 19:22 . 2009-11-05 19:22 -------- d-----w- c:\program files\Arcen Games, LLC
2009-11-05 19:22 . 2009-11-05 19:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Arcen Games, LLC
2009-11-04 23:29 . 2009-11-05 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-04 23:29 . 2009-11-04 23:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-04 18:17 . 2009-11-04 18:17 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-04 05:31 . 2009-11-05 19:21 -------- d-----w- c:\windows\LastGood
2009-11-03 01:28 . 2009-11-03 01:38 -------- d-----w- c:\documents and settings\Owner\Application Data\Bioshock
2009-11-03 01:23 . 2009-11-03 01:23 -------- d--h--r- c:\documents and settings\Owner\Application Data\SecuROM
2009-11-03 01:23 . 2009-11-03 01:23 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-11-02 20:42 . 2005-07-01 14:20 198144 ------w- c:\windows\eiunin2.exe
2009-11-02 20:42 . 2009-11-02 20:42 -------- d-----w- c:\program files\Lights
2009-11-02 14:24 . 2009-11-02 14:24 -------- d-----w- c:\program files\Microsoft Works
2009-11-02 14:22 . 2009-11-02 14:22 -------- d-----w- c:\program files\Microsoft.NET
2009-11-02 14:22 . 2009-11-02 14:22 -------- d-----w- c:\program files\SpywareBlaster
2009-11-02 14:19 . 2009-11-02 14:19 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-11-02 14:18 . 2009-11-02 14:23 -------- d-----w- c:\windows\SHELLNEW
2009-11-02 14:17 . 2009-11-02 14:17 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Microsoft Help
2009-11-02 14:17 . 2009-11-02 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-02 14:16 . 2009-11-02 14:16 -------- d-----r- C:\MSOCache
2009-11-02 13:49 . 2009-11-02 13:49 -------- d-----w- c:\documents and settings\Owner\Application Data\Kerio
2009-11-02 13:47 . 2009-11-02 13:47 -------- d-----w- c:\program files\Kerio
2009-11-02 13:19 . 2009-11-02 13:19 -------- d-----w- c:\program files\Trend Micro
2009-11-01 18:45 . 2009-09-04 23:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-11-01 18:45 . 2009-09-04 23:44 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-11-01 18:45 . 2009-09-04 23:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-11-01 18:45 . 2009-09-04 23:29 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-11-01 18:45 . 2009-09-04 23:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-11-01 18:45 . 2009-09-04 23:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-11-01 18:44 . 2009-09-04 23:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-11-01 18:44 . 2009-11-01 18:44 -------- d--h--w- c:\windows\msdownld.tmp
2009-10-31 17:45 . 2009-10-31 17:45 -------- d-----w- c:\documents and settings\Owner\Application Data\Canneverbe_Limited
2009-10-31 17:45 . 2009-10-31 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2009-10-31 17:44 . 2009-09-29 01:57 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2009-10-31 17:44 . 2009-10-31 17:44 -------- d-----w- c:\program files\CDBurnerXP
2009-10-31 17:41 . 2009-10-31 17:41 3638 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{DFC6573E-124D-4026-BFA4-B433C9D3FF21}\_2cd672ae.exe
2009-10-31 17:40 . 2009-10-31 17:40 -------- d-----w- c:\program files\Alex Feinman
2009-10-31 07:45 . 2009-11-08 06:47 165232 ---ha-w- c:\documents and settings\Owner\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2009-10-31 07:44 . 2009-10-31 07:44 -------- d-----w- c:\program files\Microsoft Virtual PC
2009-10-31 07:02 . 2009-10-31 07:02 -------- d-----w- c:\program files\Paint.NET
2009-10-31 07:02 . 2009-11-04 04:25 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Paint.NET
2009-10-31 04:09 . 2009-11-01 07:40 -------- d-----w- c:\windows\logs
2009-10-31 04:09 . 2009-10-31 04:11 -------- d-----w- c:\windows\inis
2009-10-31 04:09 . 2009-10-31 04:11 -------- dc----w- c:\windows\memcards
2009-10-31 04:09 . 2009-10-31 04:09 -------- d-----w- c:\windows\sstates
2009-10-31 00:13 . 2009-10-31 00:13 -------- d-----w- c:\program files\UP
2009-10-30 16:51 . 2009-10-30 16:51 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\bluesoleil
2009-10-30 01:24 . 2009-10-30 01:24 -------- d-----w- c:\program files\IVT Corporation
2009-10-29 18:13 . 2009-10-29 18:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Subversion
2009-10-29 15:18 . 2009-10-30 06:54 -------- d-----w- c:\documents and settings\Owner\Application Data\Badongo Toolbar
2009-10-29 15:18 . 2009-10-29 15:18 -------- d-----w- c:\program files\Badongo Toolbar
2009-10-29 14:09 . 2009-10-29 14:09 -------- d-----w- c:\program files\inKline Global
2009-10-27 21:13 . 2009-10-27 21:13 -------- d-----w- c:\program files\directx
2009-10-27 21:03 . 2009-10-27 21:03 -------- d-----w- c:\program files\Majesco Entertainment
2009-10-26 16:48 . 2009-10-26 16:48 -------- d-----w- c:\windows\system32\xircom
2009-10-26 16:48 . 2009-10-26 16:48 -------- d-----w- c:\windows\system32\wbem\snmp
2009-10-26 16:48 . 2009-10-26 16:48 -------- d-----w- c:\windows\system32\oobe
2009-10-26 16:48 . 2009-10-26 16:48 -------- d-----w- c:\program files\microsoft frontpage
2009-10-26 14:24 . 2009-10-26 14:24 2149888 ----a-w- c:\windows\system32\python26.dll
2009-10-26 04:19 . 2009-10-26 04:19 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PunkBuster
2009-10-26 04:17 . 2009-10-26 04:19 137544 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-10-26 04:17 . 2009-10-26 04:17 139152 ----a-w- c:\documents and settings\Owner\Application Data\PnkBstrK.sys
2009-10-26 04:17 . 2009-10-26 04:50 189480 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-26 04:17 . 2009-10-26 04:17 794408 ----a-w- c:\windows\system32\pbsvc.exe
2009-10-26 04:17 . 2009-10-26 04:17 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-10-26 04:17 . 2009-10-26 04:17 -------- d-----w- c:\windows\system32\LogFiles
2009-10-25 19:48 . 2009-10-25 19:48 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-10-25 19:48 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-25 19:48 . 2009-10-25 19:48 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2009-10-25 19:48 . 2009-10-25 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-25 19:48 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-25 18:31 . 2008-12-11 13:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-25 18:31 . 2009-08-24 19:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-25 18:31 . 2009-08-19 16:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-25 18:31 . 2009-10-25 18:33 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-25 18:31 . 2008-12-10 16:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-25 18:31 . 2009-10-25 19:54 -------- d-----w- c:\program files\Spyware Doctor
2009-10-25 18:31 . 2009-10-25 18:31 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2009-10-25 18:31 . 2009-10-25 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-25 18:05 . 2009-10-25 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\69341730
2009-10-25 18:04 . 2009-10-25 18:04 195165 ----a-w- C:\wtcqrqjr.exe
2009-10-25 06:04 . 2009-10-25 06:04 12264 ----a-w- c:\windows\scunin.dat
2009-10-25 06:04 . 2009-10-25 06:04 967 ----a-w- c:\windows\ScUnin.pif
2009-10-25 06:04 . 2009-10-25 06:04 68096 ----a-w- c:\windows\ScUnin.exe
2009-10-25 06:04 . 2009-10-26 16:48 -------- d-----w- c:\program files\Starcraft
2009-10-25 06:01 . 2009-10-25 06:01 -------- d-----w- c:\documents and settings\Owner\Application Data\DAEMON Tools Pro
2009-10-24 22:56 . 2009-10-24 22:56 -------- d-----w- c:\program files\SourceOP
2009-10-24 18:29 . 2009-10-24 18:36 199097 ----a-w- C:\xvqdt.exe
2009-10-23 18:42 . 2009-10-25 22:18 -------- d-----w- c:\program files\Cheat Engine
2009-10-23 18:42 . 2007-12-26 22:30 679936 ----a-w- c:\windows\system32\D3DX81ab.dll
2009-10-23 18:42 . 2007-12-26 22:30 1970176 ----a-w- c:\windows\system32\d3dx9.dll
2009-10-22 18:30 . 2009-10-22 18:30 8854 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
2009-10-22 18:30 . 2009-10-22 18:30 40960 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2009-10-22 18:30 . 2009-10-22 18:30 40960 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2009-10-22 18:30 . 2009-10-22 18:30 -------- d-----w- c:\program files\Project64 1.6
2009-10-21 17:40 . 2009-10-21 17:40 -------- d-----w- c:\documents and settings\Owner\Application Data\teamspeak2
2009-10-21 17:38 . 2009-10-21 17:40 -------- d-----w- c:\program files\Teamspeak2_RC2
2009-10-19 01:06 . 2005-01-01 09:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2009-10-19 01:04 . 2009-10-19 01:04 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-10-19 00:06 . 2009-10-19 00:06 -------- d-----w- c:\documents and settings\Default User\Application Data\skypePM
2009-10-18 23:46 . 2009-11-06 03:52 -------- d-----w- c:\program files\Stardock
2009-10-18 23:46 . 2007-07-11 20:06 42672 ----a-w- c:\windows\system32\wbsys.dll
2009-10-18 21:19 . 2009-11-03 22:08 -------- d-----w- C:\HanPurple
2009-10-18 21:19 . 2009-07-06 20:09 176832 ----a-w- c:\windows\system32\HGReport.dll
2009-10-18 21:19 . 2009-08-07 16:52 161224 ----a-w- c:\windows\system32\PubPlugin.dll
2009-10-18 21:15 . 2009-09-23 16:58 1147576 ----a-w- c:\windows\system32\HanWebMsg1058.dll
2009-10-17 20:05 . 2009-10-17 20:05 3283 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Musepack Codec.dat
2009-10-17 20:04 . 2009-10-17 20:04 3625 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2009-10-17 20:01 . 2009-10-17 20:01 3065 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Ogg Vorbis Codec.dat
2009-10-17 19:58 . 2009-10-17 19:58 -------- d-----w- c:\documents and settings\Owner\Application Data\AccurateRip
2009-10-17 19:58 . 2009-10-17 20:05 593272 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-10-17 19:58 . 2009-10-17 19:58 15341 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-10-17 19:57 . 2009-10-17 19:57 -------- d-----w- c:\program files\Illustrate
2009-10-16 23:34 . 2009-11-07 01:16 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2009-10-16 23:33 . 2009-10-16 23:33 -------- d-----w- c:\program files\VideoLAN
2009-10-16 01:11 . 2009-11-08 20:21 -------- d-----w- c:\program files\CABAL Online (GSC)
2009-10-15 01:34 . 2009-10-15 01:39 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AaaaaRecklessDisregard
2009-10-15 01:24 . 2009-11-01 21:17 -------- d-----w- c:\documents and settings\Owner\Application Data\TeamViewer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-09 17:41 . 2009-10-12 22:12 -------- d-----w- c:\program files\Steam
2009-11-09 17:40 . 2009-11-02 13:48 70619 ----a-w- c:\windows\system32\drivers\kwfupper.log
2009-11-09 17:40 . 2009-11-02 13:48 107430 ----a-w- c:\windows\system32\drivers\kwflower.log
2009-11-09 17:21 . 2009-10-12 22:09 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-09 04:13 . 2009-11-02 18:49 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2009-11-03 23:16 . 2009-10-12 22:28 90736 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-02 14:24 . 2009-10-12 23:11 -------- d-----w- c:\program files\MSBuild
2009-10-30 19:32 . 2009-10-12 23:31 -------- d-----w- c:\program files\Unlocker
2009-10-30 16:50 . 2009-10-26 19:41 -------- d-----w- c:\program files\Zwunzi
2009-10-29 14:09 . 2009-10-12 23:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-26 19:41 . 2009-10-26 19:41 -------- d-----w- c:\documents and settings\Owner\Application Data\Free Sound Recorder
2009-10-26 19:41 . 2009-10-26 19:40 -------- d-----w- c:\program files\Free Sound Recorder
2009-10-25 19:06 . 2009-10-12 23:06 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-25 18:04 . 2009-07-19 16:02 14848 ----a-w- c:\windows\system32\svchost.exe
2009-10-24 19:04 . 2009-10-13 02:41 -------- d-----w- c:\program files\DivX
2009-10-24 19:04 . 2009-10-13 02:41 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-12 23:32 . 2009-10-12 23:32 -------- d-----w- c:\documents and settings\Owner\Application Data\InstallShield
2009-10-12 23:32 . 2009-10-12 23:32 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-10-12 23:31 . 2009-10-12 23:11 94248 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-12 23:31 . 2009-10-12 23:31 -------- d-----w- c:\documents and settings\Owner\Application Data\Foxit
2009-10-12 23:31 . 2009-10-12 23:31 -------- d-----w- c:\program files\Foxit Software
2009-10-12 23:30 . 2009-10-12 23:30 -------- d-----w- c:\program files\7-Zip
2009-10-12 23:23 . 2009-10-12 23:23 -------- d-----w- c:\program files\Intel
2009-10-12 23:21 . 2009-10-12 23:21 -------- d-----w- c:\program files\Realtek
2009-10-12 23:21 . 2009-10-12 23:21 315392 ----a-w- c:\windows\HideWin.exe
2009-10-12 23:21 . 2009-10-12 23:20 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-12 23:20 . 2009-10-12 23:20 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-10-12 23:20 . 2009-10-12 23:20 -------- d-----w- c:\program files\ASRock WiFi-802.11g
2009-10-12 23:11 . 2009-10-12 23:11 -------- d-----w- c:\program files\Reference Assemblies
2009-10-12 23:05 . 2009-10-12 23:05 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-12 23:04 . 2009-10-12 23:04 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-12 23:03 . 2009-10-12 23:03 -------- d-----w- c:\program files\MSXML 4.0
2009-10-12 23:02 . 2009-10-12 23:02 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-12 22:55 . 2009-10-12 22:55 -------- d-----r- c:\program files\Skype
2009-10-12 22:55 . 2009-10-12 22:55 -------- d-----w- c:\program files\Common Files\Skype
2009-10-12 22:55 . 2009-10-12 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-12 22:46 . 2009-10-12 22:28 -------- d-----w- c:\program files\SpeedBit Video Accelerator
2009-10-12 22:41 . 2009-10-12 22:40 -------- d-----w- c:\program files\Windows Live
2009-10-12 22:41 . 2009-10-12 22:41 -------- d-----w- c:\program files\Microsoft
2009-10-12 22:40 . 2009-10-12 22:40 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-10-12 22:28 . 2009-10-12 22:28 -------- d-----w- c:\program files\Common Files\Windows Live
2009-10-12 22:28 . 2009-10-12 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedBit
2009-10-12 22:28 . 2009-10-12 22:28 91648 ----a-w- c:\documents and settings\All Users\Application Data\SpeedBit\DAP\SDCondition.dll
2009-10-12 22:17 . 2009-10-12 22:17 -------- d-----w- c:\program files\AGEIA Technologies
2009-10-12 22:17 . 2009-10-12 22:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-12 22:17 . 2009-10-12 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-10-12 22:17 . 2009-10-12 22:17 -------- d-----w- c:\program files\NVIDIA Corporation
2009-10-12 22:11 . 2009-10-12 22:09 -------- d-----w- c:\program files\DAP
2009-10-12 22:11 . 2009-10-12 22:11 3317784 ----a-w- c:\documents and settings\All Users\Application Data\SpeedBit\DAP\Offers\VA3_DapSo.exe
2009-10-12 22:09 . 2009-10-12 22:09 -------- d-----w- c:\program files\SpeedBit Video Downloader
2009-10-12 22:04 . 2009-10-12 22:04 0 ----a-w- c:\windows\nsreg.dat
2009-10-12 21:56 . 2009-10-12 21:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-27 23:20 . 2009-09-27 23:20 2173544 ----a-w- c:\windows\system32\nvcplui.exe
2009-09-27 23:20 . 2009-09-27 23:20 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-09-27 23:19 . 2009-09-27 23:19 3166208 ----a-w- c:\windows\system32\nvwss.dll
2009-09-27 23:19 . 2009-09-27 23:19 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-09-27 23:19 . 2009-09-27 23:19 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-09-27 23:19 . 2009-09-27 23:19 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-09-27 23:19 . 2009-09-27 23:19 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-09-27 23:19 . 2009-09-27 23:19 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-09-27 23:19 . 2009-09-27 23:19 4935680 ----a-w- c:\windows\system32\nvdisps.dll
2009-09-27 23:19 . 2009-09-27 23:19 172100 ----a-w- c:\windows\system32\nvsvc32.exe
2009-09-27 23:19 . 2009-09-27 23:19 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-09-27 23:19 . 2009-09-27 23:19 13918208 ----a-w- c:\windows\system32\nvcpl.dll
2009-09-27 23:19 . 2009-09-27 23:19 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-09-27 21:12 . 2009-10-12 21:38 7655872 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-09-27 21:12 . 2009-10-12 21:38 5900416 ----a-w- c:\windows\system32\nv4_disp.dll
2009-09-27 21:12 . 2009-09-27 21:12 888832 ----a-w- c:\windows\system32\nvapi.dll
2009-09-27 21:12 . 2009-09-27 21:12 2194024 ----a-w- c:\windows\system32\nvcuvid.dll
2009-09-27 21:12 . 2009-09-27 21:12 2007040 ----a-w- c:\windows\system32\nvcuda.dll
2009-09-27 21:12 . 2009-09-27 21:12 1714792 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-09-27 21:12 . 2009-09-27 21:12 170600 ----a-w- c:\windows\system32\nvcodins.dll
2009-09-27 21:12 . 2009-09-27 21:12 170600 ----a-w- c:\windows\system32\nvcod.dll
2009-09-27 21:12 . 2009-09-27 21:12 1604482 ----a-w- c:\windows\system32\nvdata.bin
2009-09-27 21:12 . 2009-09-27 21:12 10756096 ----a-w- c:\windows\system32\nvoglnt.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-04 23:44 . 2009-10-12 23:03 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-08-14 18:36 . 2009-08-14 18:36 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
------- Sigcheck -------
[-] 2009-07-19 . 6F986564076C2A3A94285AA2BBD11AA4 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31B27F2D-6BC6-451B-B3D2-4EAB36B2FC3B}]
2009-10-12 22:09 2655736 ----a-w- c:\program files\SpeedBit Video Downloader\Toolbar\tbcore3.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2009-11-03 1217808]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"WrCtrl"="c:\program files\Kerio\WinRoute Firewall\wrctrl.exe" [2008-11-24 120680]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes Anti-Malware\mbam.exe" [2009-09-10 1312080]
"BtTray"="c:\program files\IVT Corporation\BlueSoleil\BtTray.exe" [2009-02-27 278016]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-11-22 16858112]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-07-19 128512]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-11-5 3450608]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2007-09-23 15:10 229376 ----a-w- c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ASRock WiFi-802.11g.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ASRock WiFi-802.11g.lnk
backup=c:\windows\pss\ASRock WiFi-802.11g.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"Spooler"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"FontCache3.0.0.0"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=2 (0x2)
"Alerter"=2 (0x2)
"TapiSrv"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\america's army 3\\Binaries\\AA3Game.exe"=
"c:\\Program Files\\Steam\\steamapps\\reeve291\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\reeve291\\zombie panic! source\\hl2.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\Source HL2DM Server\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\ai war fleet command\\AIWar.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\Source HL2DM Server\\srcds.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 bthidbus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [1/7/2009 10:39 PM 20744]
R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/25/2009 12:31 PM 206256]
R2 bsmobilecs;BsMobileCS;c:\program files\IVT Corporation\BlueSoleil\BsMobileCS.exe [2/27/2009 3:40 PM 143467]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~2\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~2\VideoAcceleratorService.exe -start -scm [?]
R2 winroute;Kerio WinRoute Firewall;c:\program files\Kerio\WinRoute Firewall\winroute.exe [11/24/2008 3:19 PM 3987304]
R3 btnetbus;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [12/7/2008 11:44 AM 30088]
R3 ivtbtbus;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [7/2/2008 1:58 PM 26248]
R3 kvpndev;Kerio VPN adapter;c:\windows\system32\drivers\kvpndrv.sys [6/24/2008 9:36 AM 65024]
R3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;c:\windows\system32\drivers\kwflower.sys [7/2/2008 10:10 AM 100352]
R3 kwfupper;Kerio WinRoute Firewall Driver - Upper Layer;c:\windows\system32\drivers\kwfupper.sys [11/24/2008 3:36 PM 123952]
S2 zwunzi service;Zwunzi Service;"c:\documents and settings\All Users\Application Data\Zwunzi\zwunzi121.exe" "c:\program files\Zwunzi\zwunzi.dll" Service --> c:\documents and settings\All Users\Application Data\Zwunzi\zwunzi121.exe [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/25/2009 12:31 PM 348752]
S3 XDva297;XDva297;\??\c:\windows\system32\XDva297.sys --> c:\windows\system32\XDva297.sys [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
2009-11-09 c:\windows\Tasks\User_Feed_Synchronization-{5D7F6256-FE76-4F7C-ADC9-BC314DA9C61A}.job
- c:\windows\system32\msfeedssync.exe [2009-07-19 16:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: e&xportar a microsoft excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: send by bluetooth - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
IE: send via &message... - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
IE: upload linked file to badongo - c:\program files\Badongo Toolbar\uploadfile.html
IE: upload this image to badongo - c:\program files\Badongo Toolbar\uploadimage.html
LSP: c:\progra~1\SPEEDB~2\sblsp.dll
DPF: {4ABB12B3-8A8B-481D-874A-93E16F930A8B} - hxxp://www.hangame.com/common/CKKeyProInst.cab
DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} - hxxp://pubid.hangame.com/common/HanSetup1020.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gl7wcekd.default\
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gl7wcekd.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-ares - c:\program files\Ares\Ares.exe
HKLM-Run-nwiz - c:\program files\NVIDIA Corporation\nView\nwiz.exe
AddRemove-NVIDIA nView Desktop Manager - c:\program files\NVIDIA Corporation\nView\nViewSetup.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-09 11:41
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys spaq.sys hal.dll >>UNKNOWN [0x89BC0938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
atapi.sys @ 0x0 0x0 bytes
\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xF7978B40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xF7978B40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xF7978B40 atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xF7978B40 atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xF7978B40 atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xF7978B40 atapi.sys
\Driver\atapi IRP hooks detected !
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1491950412-2009852829-4049741679-1003\Software\securom\!caution! never delete or change any key*]
"??"=hex:fc,83,46,a1,04,bb,66,ad,3a,bd,f2,f2,a5,c1,50,53,9b,fe,28,f4,aa,7a,8b,
8a,e1,bf,34,1f,82,0b,39,68,8b,02,ce,f8,6e,2d,e5,f5,49,3a,3e,39,e7,ce,4a,23,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1256)
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
- - - - - - - > 'lsass.exe'(1312)
c:\program files\SpeedBit Video Accelerator\Accelerator.dll
c:\windows\system32\WININET.dll
c:\program files\SpeedBit Video Accelerator\CommPipe.dll
c:\program files\SpeedBit Video Accelerator\Collector.dll
- - - - - - - > 'explorer.exe'(3872)
c:\windows\system32\WININET.dll
c:\program files\Stardock\ObjectDock\DockShellHook.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\BsMobileSDK.dll
c:\windows\system32\BsLangInDepRes.dll
c:\windows\system32\Bs2Res.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\progra~1\SPEEDB~2\VideoAcceleratorService.exe
c:\program files\IVT Corporation\BlueSoleil\BsHelpCS.exe
c:\progra~1\SPEEDB~2\VideoAcceleratorEngine.exe
c:\program files\Kerio\WinRoute Firewall\avServer.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-11-09 11:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-09 17:55
Pre-Run: 5,680,791,552 bytes free
Post-Run: 5,820,628,992 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - C431BA5E4245DA826DE9AFCD533EAD1D
So, how to proceed now?
Thanks,
~NightDrifter
Please click this link-->Jotti (http://virusscan.jotti.org/)
Copy/paste file on the list into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).
c:\windows\system32\drivers\tcpip.sys
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
NightDrifter
2009-11-09, 20:46
Guess this file is no malware.
Jotti:
Filename: tcpip.sys
Status:
Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Mon 9 Nov 2009 19:41:42 (CET) Permalink
Virustotal:
MD5: 6f986564076c2a3a94285aa2bbd11aa4
First received: 2009.09.16 08:39:57 UTC
Date: 2009.09.16 08:39:57 UTC [>54D]
Results: 0/41
I'm not sure about what to do next...
So, what's the next procedure?
Hah, I'm sorry if I'm being too much trouble here.
Thanks,
~NightDrifter
Yes it might not be.
Have you patched that file?
NightDrifter
2009-11-10, 20:47
I think I did some time ago, because some people were deciding to make my PC a Server host (hence, Source HL2DM Server in ComboFix logs)
I mostly run 12 servers at a time, sometimes more, sometimes less. Which lags my connection a lot. It's 100 Mbps, so I have nothing to worry about.
......I shouldn't have patched that file, right? D:
No I just need to know if it has been you or malware ;)
Please do a search for wscntfy.exe and let me know if you got any hits.
NightDrifter
2009-11-10, 22:45
Search Completed. No results if using .exe extension. Theres wscntfy.vlkj in C:\WINDOWS though.
File size: 0 Kb
Do you have windows CD handy?
NightDrifter
2009-11-11, 19:42
No, sorry. I don't have any Windows CD at hand.
This computer came with Windows already pre-installed on the Hard Drive, it came with no backup/format disc nor anything like that, though.
I used to have a Windows XP SP2 CD, but the case broke, and there was no place to put it in, so it got scratched over-time, and it doesn't work anymore.
...The only discs that are still working, that came with my computer, are the Motherboard Drivers CD and Wireless Drivers disc. Although I never use Wireless, as I have an Ethernet cable :\
I can buy another copy of Windows, if needed, though.
No need to buy but you need to borrow one :)
Let me know when it is done and we will continue.
NightDrifter
2009-11-12, 20:28
Okay, just borrowed a Windows CD from a friend, so, what should I do now? D:
Please insert CD and search for wscntfy.exe or wscntfy.ex_ from it :)
NightDrifter
2009-11-15, 06:45
I think I have a problem, I got the wscntfy.exe file, but I can't use it. Each time I copy it into the Hard Drive, there's a popup on my taskbar that says the file is corrupted. :sad:
Any ideas on what is going on? I don't want to run Chkdsk because it "might" delete something that is related to the possible infection.
So, what do i do?
Also, have a cookie :P
:oreo:
Which version of XP is in CD?
NightDrifter
2009-11-16, 01:44
Windows XP SP3 Build 2600
So it should be fine.
Then we use combofix:
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
SRPeek::
wscntfy.exe
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
NightDrifter
2009-11-18, 02:33
It never got past Stage 4.
Not to mention, it was saying that some Windows files were replaced by an unknown version.
...Any ideas?
NightDrifter
2009-11-18, 19:40
Windows File Protection, actually...
ComboFix just got stuck at Stage_4, and never got out of that one for five complete hours.
If so, we continue with this:
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
NightDrifter
2009-11-21, 05:09
Online scan did not finish, browser crashed each time it got to 10,000 objects scanned.
During that time, no infections to be found.
On the other hand, the problem "seems" to be randomly fixed.
So are you happy with that and ready for final instructions?
NightDrifter
2009-11-21, 22:40
I'm happy with services.exe not crashing, because now I can just finish one of my thousand projects.
So, ready for final instructions!
OK, then please post a fresh HijackThis log and I will post you those instructions :)
NightDrifter
2009-11-22, 21:06
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:23 PM, on 11/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PnkBstrB.exe
C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kerio\WinRoute Firewall\winroute.exe
C:\PROGRA~1\SPEEDB~2\VideoAcceleratorEngine.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Kerio\WinRoute Firewall\avServer.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\program files\steam\steam.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Kerio\WinRoute Firewall\wrctrl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SBCONVERT - {31B27F2D-6BC6-451B-B3D2-4EAB36B2FC3B} - C:\Program Files\SpeedBit Video Downloader\Toolbar\tbcore3.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live ????? ???? - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\DAP\DAPIEL~1.DLL
O2 - BHO: GrabberObj Class - {FF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\SPEEDB~1\Toolbar\grabber.dll
O3 - Toolbar: SpeedBit Video Downloader - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - C:\Program Files\SpeedBit Video Downloader\Toolbar\tbcore3.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Badongo Toolbar - {eadb5c49-abd7-447d-81ee-d5245b6f3929} - C:\Program Files\Badongo Toolbar\toolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WrCtrl] "C:\Program Files\Kerio\WinRoute Firewall\wrctrl.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - S-1-5-18 Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: e&xportar a microsoft excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: send by bluetooth - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
O8 - Extra context menu item: send via &message... - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
O8 - Extra context menu item: upload linked file to badongo - C:\Program Files\Badongo Toolbar\uploadfile.html
O8 - Extra context menu item: upload this image to badongo - C:\Program Files\Badongo Toolbar\uploadimage.html
O9 - Extra button: Enviar a OneNote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar a OneNote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - cmdmapping - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~2\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~2\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~2\sblsp.dll
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {4ABB12B3-8A8B-481D-874A-93E16F930A8B} (CKKeyPro Crypto support Class (CKNhnInst)) - http://www.hangame.com/common/CKKeyProInst.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1010 Class) - http://pubid.hangame.com/common/HanSetup1020.cab
O18 - Protocol: groovelocalgws - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\skype4com.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: BlueSoleilCS (bluesoleilcs) - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: BsHelpCS (bshelpcs) - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: BsMobileCS (bsmobilecs) - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: Imapi Helper (imapi helper) - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU (nmsaccessu) - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe
O23 - Service: Kerio WinRoute Firewall (winroute) - Kerio Technologies - C:\Program Files\Kerio\WinRoute Firewall\winroute.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: Zwunzi Service (zwunzi service) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Zwunzi\zwunzi121.exe (file missing)
--
End of file - 10874 bytes
Thank you very much for your time, Shaba. :thanks:
Looks like we are not done.
Some windows services are borked.
Please download the Registry Search tool by clicking on the "hard drive" icon halfway down this page:
http://www.billsway.com/vbspage/
Save it to the desktop and run it. If you get an alert from your antivirus about scripting, choose to allow the script to run. Search for fystemroot and click OK. Post the logfile from the tool here for me.
NightDrifter
2009-11-23, 00:01
Some windows services are borked..
Oh boy...
Logfile...? I only got a message box saying:
"Search completed in 17 seconds.
No instances of "fystemroot" found."
Soooooooo, what do I do?
Please go to start - run - services.msc - ok
Find Background Intelligent Transfer Service and tell me what it says in Path to executable.
NightDrifter
2009-11-23, 19:02
It says:
%fystemRoot%\system32\svchost.exe -k netsvcs
...umm... Isn't fystemRoot supposed to be SystemRoot?
Yes but it has been changed by malware.
Please do another search for %fystemroot% and post back results.
NightDrifter
2009-11-24, 03:12
As stated before, no instances of %fystemroot% found.
When entered in Windows Explorer, path is not recognized (Unknown)
Well there should be hits.
Download RegSearch (http://download.bleepingcomputer.com/steelwerx/regsearch.zip) by Bobbi Flekman.
Create a folder in your C: drive C:\Regsearch, and extract all the files from the zip archive into that folder.
Double click regsearch.exe to launch the programme.
Copy/Paste the following into the Search Box %fystemroot%
Click OK.
Regsearch will now search your Registry for the required strings, when it is finished it will open a Notepad file RegSearch.txt, saved to the Regsearch folder.
Copy/Paste that file into your next post.
NightDrifter
2009-11-25, 02:41
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0
; Results at 11/24/2009 9:36:50 PM for strings:
; '%fystemroot%'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS]
; Contents of value:
; %fystemRoot%\system32\svchost.exe -k netsvcs
"ImagePath"=hex(2):25,00,66,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv]
; Contents of value:
; %fystemroot%\system32\svchost.exe -k netsvcs
"ImagePath"=hex(2):25,00,66,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BITS]
; Contents of value:
; %fystemRoot%\system32\svchost.exe -k netsvcs
"ImagePath"=hex(2):25,00,66,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wuauserv]
; Contents of value:
; %fystemroot%\system32\svchost.exe -k netsvcs
"ImagePath"=hex(2):25,00,66,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
; Contents of value:
; %fystemRoot%\system32\svchost.exe -k netsvcs
"ImagePath"=hex(2):25,00,66,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
; Contents of value:
; %fystemroot%\system32\svchost.exe -k netsvcs
"ImagePath"=hex(2):25,00,66,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
; End Of The Log...
This is the log you asked for.
So, what next?
(I never expected my issue to turn out like this, lol)
OK so there are hits :)
Please now use regedit search to see if it can found those.
NightDrifter
2009-12-01, 00:49
It finds this:
ImagePath REG_EXPAND_SZ %fystemRoot%\system32\svchost.exe -k netsvcs
And information about the Background Intelligent Transfer Service.
So, what do i do?
Well we have two choices.
You can edit those back manually (before that you need to take a registry backup) or I can make a reg file for it. I think the latter one might be more convenient?
NightDrifter
2009-12-01, 22:59
I would prefer a Reg file, sounds.... Safer, and more convenient.
Backing up registry, just in case.
Please use the following link to download ERUNT (http://aumha.org/downloads/erunt-setup.exe)
Use the setup program to install ERUNT on your computer
Click Erunt.exe to backup your registry to the folder of your choice.
Note:to restore your registry, go to the folder and start ERDNT.exe
Open Notepad and copy the contents of the following box to a new file.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS]
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv]
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BITS]
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wuauserv]
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
Save it as fix.reg (save type: "All files" (*.*)) to your desktop.
It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Go to Desktop, double-click fix.reg and merge the information with the registry.
Reboot.
Do another search for fystemroot using regsearch and post back results here.
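Checking the RegSearch hits posted above and building the fix.reg by hand both come down to decoding and re-encoding the hex(2) byte lists, which is easy to get wrong by one byte. The following Python script is an added example, not code from this thread or from the helper: it parses a .reg-style export such as the RegSearch log, decodes every hex(2) (REG_EXPAND_SZ) value from UTF-16LE, flags any ImagePath whose leading %variable% is not one of the usual roots, and emits a corrected fix.reg in the same hex(2) form. SAMPLE_EXPORT is constructed from the BITS value posted in the thread plus an assumed healthy Spooler entry; KNOWN_VARS is an assumed allowlist that the thread does not specify; the script only reads and writes text and never touches a registry.

```python
"""Decode, check and rebuild REG_EXPAND_SZ ("hex(2)") ImagePath values in a .reg export.

Added example (not from the thread). A hex(2) value is the UTF-16LE bytes of the
string plus a two-byte NUL terminator, written as comma-separated hex; a trailing
backslash continues the byte list on the next line.
"""
import re

# Assumed allowlist of variables a genuine ImagePath may start with (not from the thread).
KNOWN_VARS = {"systemroot", "windir", "programfiles", "commonprogramfiles"}

# Constructed sample: the CurrentControlSet\BITS hit exactly as RegSearch printed it in the
# thread, plus an assumed healthy Spooler entry to show that a normal value is not flagged.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"ImagePath"=hex(2):25,00,66,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,70,00,6f,00,6f,00,6c,00,73,00,76,00,2e,00,65,00,78,00,65,00,00,00
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_HEX2_RE = re.compile(r'^"([^"]+)"=hex\(2\):(.*)$')
_LEADING_VAR_RE = re.compile(r"^%([^%\\]+)%")


def decode_expand_sz(payload):
    """Turn '25,00,66,...,00,00' into the string it encodes, without the NUL terminator."""
    raw = bytes(int(tok, 16) for tok in payload.split(",") if tok)
    if len(raw) % 2:
        raise ValueError("odd byte count in hex(2) value")
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def encode_expand_sz(value):
    """Inverse of decode_expand_sz, wrapped the way regedit wraps it (20 bytes, then 25 per line)."""
    toks = [f"{b:02x}" for b in value.encode("utf-16-le") + b"\x00\x00"]
    chunks = [toks[:20]] + [toks[i:i + 25] for i in range(20, len(toks), 25)]
    return ",\\\n  ".join(",".join(c) for c in chunks)


def parse_reg_export(text):
    """Return {(key, value_name): decoded string} for every hex(2) value in a .reg export.

    Comment lines (';'), blank lines and values of other types are ignored.
    """
    values, key = {}, None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        m = _KEY_RE.match(lines[i])
        if m:
            key = m.group(1)
        else:
            m = _HEX2_RE.match(lines[i])
            if m and key is not None:
                name, payload = m.group(1), m.group(2)
                while payload.endswith("\\") and i + 1 < len(lines):  # line continuation
                    i += 1
                    payload = payload[:-1] + lines[i]
                values[(key, name)] = decode_expand_sz(payload)
        i += 1
    return values


def tampered_root(path):
    """Return the bogus variable name if path starts with a %var% outside KNOWN_VARS, else None."""
    m = _LEADING_VAR_RE.match(path)
    if m and m.group(1).lower() not in KNOWN_VARS:
        return m.group(1)
    return None


def find_tampered_imagepaths(values):
    """Sorted list of service keys whose ImagePath starts with an unknown %variable%."""
    return sorted(key for (key, name), path in values.items()
                  if name.lower() == "imagepath" and tampered_root(path))


def build_fix_reg(values):
    """Emit fix.reg text that rewrites every flagged ImagePath to start with %SystemRoot%."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for (key, name), path in values.items():
        if name.lower() != "imagepath" or not tampered_root(path):
            continue
        fixed = _LEADING_VAR_RE.sub("%SystemRoot%", path, count=1)
        out += [f"[{key}]", f'"{name}"=hex(2):{encode_expand_sz(fixed)}', ""]
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. C:\Regsearch\RegSearch.txt; regedit exports are UTF-16 with BOM
        data = open(sys.argv[1], "rb").read()
        text = data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("latin-1")
    else:
        text = SAMPLE_EXPORT
    vals = parse_reg_export(text)
    for k in find_tampered_imagepaths(vals):
        print(f"tampered: {k} -> {vals[(k, 'ImagePath')]}")
    print(build_fix_reg(vals))
```

Run it with no arguments to see the sample flagged and the generated fix.reg, or pass the path of a RegSearch.txt. A quoted string in a .reg file imports as REG_SZ, so a value that must stay REG_EXPAND_SZ has to be written as hex(2); that is why the fix.reg above is all bytes and why the script emits the same form. The script writes the canonical %SystemRoot% rather than the case-preserving %systemRoot% / %systemroot% used above; Windows environment variable names are case-insensitive, so both expand to the same path. Merging still needs write access to each key, and a key held open by the running service can refuse the write, which is exactly what the rest of this thread runs into.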
NightDrifter
2009-12-03, 02:20
Can't merge with Registry.
It says some keys are open by the System or other processes.
Please then try again in safe mode.
NightDrifter
2009-12-05, 01:26
It also doesn't work in Safemode, same error again.
Then it has to be done manually.
Go to start - run - regedit - ok
Browse to these keys:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BITS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wuauserv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
Change value for Imagepath to %systemroot%. Let me know how it went.
NightDrifter
2009-12-05, 21:47
Doesn't work, I keep getting an error saying that it can't save the content, tried both in normal and Safemode.
Well in that case I think repair installation of windows is required to fix those services.
Do you have CD handy and do you need instructions for that?
NightDrifter
2009-12-06, 18:44
I have the CD at hand, ready for the instructions.
Thanks,
~NightDrifter
This (http://michaelstevenstech.com/XPrepairinstall.htm) should help here.
Due to the lack of feedback this Topic is closed.
If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.
Everyone else please begin a New Topic.