Weird .dll files messing up explorer.exe
Senior Member (2 product reviews) | 28. August 2008 @ 07:56
A while back, while I was on the internet (using dial-up), the taskbar just disappeared, along with the desktop icons and My Computer.
I couldn't fix this and it made my computer unusable, so I did a complete format and Windows re-install. The next day, when I finished installing everything, I went on-line again to check my e-mail and the same thing happened again, so I did another complete format and re-install.

When I went on-line after formatting a second time, the same thing happened. Before I broke my monitor in frustration, a message popped up from WinPatrol that looked like this.

I then thought to move the .dll file mentioned by WinPatrol to the desktop and to erase it after a reboot, and explorer.exe was fine when I did so.

Since then each time I go on-line the same thing happens and I must repeat the whole process so I can continue to surf in peace.

These are the names of some of the .dll files:
WvUkJgWp.dll
wvukHBTK.dll
byXOecDW.dll
iifghGXq.dll
WVUmnnmn.dll
nnnkldEx.dll
pmnkLFXr.dll
cbXOHxQJ.dll
Many, many more

Can someone please tell me how I can stop this from happening, as it's really annoying me.



(+[_]%) 1: 2.60 > 2.80 > 2.81 >3.03 > 1.50 > 3.52M33 > 3.52M33-4 > 3.90M33 > 3.90M33-3 > 4.01M33 > 4.01M33-2 > 5.00M33 > 5.00M33-3
My GAMING LAPTOP!! : Acer Aspire 5930G - P8400 2.26Ghz//4 GB DDR2//GeForce 9600M GT 512MB GDDR3
Ultimate Handheld/Portable Gaming Device :P
laxos (Suspended permanently) | 3. September 2008 @ 02:27
Hi, I have the same problem as you, except I found an easier way to get onto the computer without moving .dll files. STEP 1: hold Control+Alt+Delete. STEP 2: click on Start Task Manager. STEP 3: click File, then Run.
STEP 4: type in explorer and click OK....

And yeah, it works for me, but if anyone can fix this problem permanently then yeah, it will be great :)
Senior Member | 5. September 2008 @ 11:47
Hi Ray92

Woah... a malware that survives formatting... that's unbelievable, even for Vundo. Are you sure it isn't something you installed after reinstalling Windows?

Let's do a little cleanup.

Now, please download ComboFix.
With ComboFix, at the download window, please rename it to Combo-fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.

• Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

Best Regards :D

Life is but a dream; you dont feel any pain unless you want to or you fall off the bed.
Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; thats a dumb question.

Senior Member (2 product reviews) | 5. September 2008 @ 11:58
Just an update
Thanks for your replies. I found out that there was a file called Urrqhat.dll or similar, and ESET found it to be adware, and this is what was causing the .dll files to come into the PC (may have been due to a keygen, I think).

It wasn't getting deleted, but I was finally able to use FileASSASSIN to delete it, and all is well now.

Thanks for replies



Senior Member | 5. September 2008 @ 12:05
hey Ray92

KEYGENS!!!!! Oh, the audacity. :(

Also, Vundo is well known for hiding, so I have a different set of instructions for you, if you don't mind following them.

Before we begin the cleanup process, it is important to do a little analysis first. We will analyze your computer with a tool called HijackThis.

Please download the HijackThis zip file. Save it onto a convenient place in your computer, and then unzip the file.

Rename HijackThis(.exe) to scanner(.exe).

Next, run scanner(.exe). A window will pop up.

• Click on the button which says Main Menu, then Do a system scan and save a logfile.
• Please wait for the scan to be completed.
• After the scan has completed, a text window will pop up. Please post the contents of this window here.

This will also be located at hijackthis(.txt) in the same folder that HijackThis was originally saved.

NOTE: Do not fix anything using HijackThis, as this may also damage legitimate components of your computer.

Best Regards :D


Senior Member (2 product reviews) | 6. September 2008 @ 07:41
Sorry, I forgot to mention that after I fixed explorer.exe, I ran a full scan with Malwarebytes Anti-Malware, and it removed some files that were infected with Vundo.

Anyhow just to be safe, here is the HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:36:32 PM, on 9/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\STacSV.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
D:\Program Files\T-Clock\tclock.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\PROGRAM FILES\FRAPS\FRAPS.EXE
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\RaY YaN\Desktop\Scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C306420-56E3-4844-9B2F-F718826C3071} - (no file)
O2 - BHO: (no name) - {11190E82-182E-43D5-A525-D386558A3E7F} - (no file)
O2 - BHO: (no name) - {1923E897-93F2-458B-9FA7-91DA28F7EFAD} - (no file)
O2 - BHO: (no name) - {272C30C0-A7CB-4934-B5B9-35F3D802F194} - (no file)
O2 - BHO: (no name) - {31BA0700-DA83-4F0E-83C6-DE93D1105A95} - (no file)
O2 - BHO: (no name) - {33CF7186-2125-4820-90C1-9D274513B4A8} - (no file)
O2 - BHO: (no name) - {34777332-951D-45B1-9A56-D4FC61263073} - (no file)
O2 - BHO: (no name) - {3C516895-ED1C-40AE-865E-33BC87A81A09} - (no file)
O2 - BHO: (no name) - {3F5FA489-BC09-407C-99DD-935BDA523C6C} - (no file)
O2 - BHO: (no name) - {4D43E1AF-1FC7-4821-9E8C-2F2F9BCA7439} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {736B2BF5-429C-4108-B9D7-0B514BEC32DE} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {80ECB9ED-A435-4025-BEFD-C5A35642994D} - (no file)
O2 - BHO: (no name) - {82C771A6-6EA0-40C7-8B45-CAA35D33DFEC} - (no file)
O2 - BHO: (no name) - {8ADF9F54-A602-4EB1-AE6E-6346CA16398D} - (no file)
O2 - BHO: (no name) - {8C250808-0CC7-49C8-8FD6-0E11F06E3ECA} - (no file)
O2 - BHO: (no name) - {8FCAFB57-6739-47E7-8858-3E50145DC48E} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {98FCD7B9-245E-41E7-A5C2-E68E0ADE836F} - (no file)
O2 - BHO: (no name) - {9ECC4E08-2C94-4827-A7E8-5454AB2398D4} - (no file)
O2 - BHO: (no name) - {AA36F939-29B9-4517-B0F7-2575974CA76C} - (no file)
O2 - BHO: (no name) - {C590C435-F99E-45BB-880C-CA3D4EBA8A3E} - (no file)
O2 - BHO: (no name) - {D3087919-B7EC-4461-96EF-D6E8E680CCDF} - (no file)
O2 - BHO: (no name) - {FB954524-B91E-4AE2-9C8D-1B09799D1AFC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
O4 - HKCU\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
O4 - HKCU\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKCU\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKCU\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKCU\..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe
O4 - HKCU\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [mpt] c:\WINDOWS\system32\mpt.exe
O4 - HKCU\..\Run: [TClock Light] D:\Program Files\T-Clock\tclock.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Fraps] C:\PROGRAM FILES\FRAPS\FRAPS.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: urqQhHAT - urqQhHAT.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 8701 bytes




Senior Member | 6. September 2008 @ 09:16
Hey Ray

It's a good thing we ran HijackThis. There were many traces left behind by the malware.

Please run HijackThis.

• Click on the button which says Main Menu, then Do a system scan only.
• Please wait for the scan to be completed.
• After the scan has completed, check the following entries.

O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: (no name) - {0C306420-56E3-4844-9B2F-F718826C3071} - (no file)
O2 - BHO: (no name) - {11190E82-182E-43D5-A525-D386558A3E7F} - (no file)
O2 - BHO: (no name) - {1923E897-93F2-458B-9FA7-91DA28F7EFAD} - (no file)
O2 - BHO: (no name) - {272C30C0-A7CB-4934-B5B9-35F3D802F194} - (no file)
O2 - BHO: (no name) - {31BA0700-DA83-4F0E-83C6-DE93D1105A95} - (no file)
O2 - BHO: (no name) - {33CF7186-2125-4820-90C1-9D274513B4A8} - (no file)
O2 - BHO: (no name) - {34777332-951D-45B1-9A56-D4FC61263073} - (no file)
O2 - BHO: (no name) - {3C516895-ED1C-40AE-865E-33BC87A81A09} - (no file)
O2 - BHO: (no name) - {3F5FA489-BC09-407C-99DD-935BDA523C6C} - (no file)
O2 - BHO: (no name) - {4D43E1AF-1FC7-4821-9E8C-2F2F9BCA7439} - (no file)
O2 - BHO: (no name) - {736B2BF5-429C-4108-B9D7-0B514BEC32DE} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {80ECB9ED-A435-4025-BEFD-C5A35642994D} - (no file)
O2 - BHO: (no name) - {82C771A6-6EA0-40C7-8B45-CAA35D33DFEC} - (no file)
O2 - BHO: (no name) - {8ADF9F54-A602-4EB1-AE6E-6346CA16398D} - (no file)
O2 - BHO: (no name) - {8C250808-0CC7-49C8-8FD6-0E11F06E3ECA} - (no file)
O2 - BHO: (no name) - {8FCAFB57-6739-47E7-8858-3E50145DC48E} - (no file)
O2 - BHO: (no name) - {98FCD7B9-245E-41E7-A5C2-E68E0ADE836F} - (no file)
O2 - BHO: (no name) - {9ECC4E08-2C94-4827-A7E8-5454AB2398D4} - (no file)
O2 - BHO: (no name) - {AA36F939-29B9-4517-B0F7-2575974CA76C} - (no file)
O2 - BHO: (no name) - {C590C435-F99E-45BB-880C-CA3D4EBA8A3E} - (no file)
O2 - BHO: (no name) - {D3087919-B7EC-4461-96EF-D6E8E680CCDF} - (no file)
O2 - BHO: (no name) - {FB954524-B91E-4AE2-9C8D-1B09799D1AFC} - (no file)
O20 - Winlogon Notify: urqQhHAT - urqQhHAT.dll (file missing)

Click on the button Fix checked

NOTE: Close all browsers before fixing anything.

Also, please go to C:\Windows\system32. Find a file called mpt.exe and then upload it to www.virustotal.com. Send me the results.

After that, reboot.

Best Regards :D

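The entries picked out in the post above fall into a few mechanical categories that can be pulled out of a HijackThis log without reading it line by line: hosts-file entries that point a well-known hostname at a non-loopback address (O1), BHO registrations whose CLSID no longer resolves to a file (O2 with "(no file)"), Winlogon Notify packages whose DLL is gone (O20 with "(file missing)"), and Run keys that launch an unfamiliar executable straight out of system32 (O4), which is what prompted the question about mpt.exe. The script below is an added example written for this page, not a tool from the thread or from HijackThis. The log it parses is a constructed subset of the log posted above, and the short list of system32 binaries it treats as expected autostarts is an assumption that would need extending for a real machine.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C306420-56E3-4844-9B2F-F718826C3071} - (no file)
O2 - BHO: (no name) - {11190E82-182E-43D5-A525-D386558A3E7F} - (no file)
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKCU\..\Run: [mpt] c:\WINDOWS\system32\mpt.exe
O4 - HKCU\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O20 - Winlogon Notify: urqQhHAT - urqQhHAT.dll (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUN_RE = re.compile(r"^O4 - (HK.+?)\\\.\.\\Run: \[([^\]]+)\]\s*(.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (\S+)(.*)$")

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Assumption: Windows XP binaries that normally autostart from system32. Extend for a real host.
EXPECTED_SYSTEM32_AUTOSTART = {"ctfmon.exe", "rundll32.exe"}


def run_image(command):
    """Best-effort extraction of the launched image from an O4 command line."""
    command = command.strip()
    if command.startswith('"'):                       # quoted path, arguments follow the quote
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: cut after the first .exe/.dll/.cpl token so arguments are dropped.
    m = re.match(r"^(.*?\.(?:exe|dll|cpl))\b", command, re.IGNORECASE)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def triage(log_text):
    """Bucket the HijackThis entries a helper would typically want to look at."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if ip not in LOOPBACK:                    # hosts file steering a name elsewhere
                findings["hosts_redirect"].append((host, ip))
        elif m := BHO_RE.match(line):
            _name, clsid, target = m.groups()
            if target.strip().lower() == "(no file)": # registration left behind, DLL gone
                findings["orphan_bho"].append(clsid)
        elif m := NOTIFY_RE.match(line):
            _key, dll, tail = m.groups()
            if "file missing" in tail.lower():        # Winlogon still told to load a dead DLL
                findings["orphan_winlogon_notify"].append(dll)
        elif m := RUN_RE.match(line):
            _hive, name, command = m.groups()
            image = run_image(command)
            base = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if "\\system32\\" in image.lower() and base not in EXPECTED_SYSTEM32_AUTOSTART:
                findings["review_system32_autostart"].append((name, image))
    return dict(findings)


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

The first three buckets are the lines you would tick in HijackThis; the last one is a list to investigate, not a verdict, which is why the post above asks for a VirusTotal result on mpt.exe rather than telling the user to delete it.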

Senior Member (2 product reviews) | 6. September 2008 @ 14:41
This is the page that opened when I uploaded mpt.exe, will carry out the HijackThis cleanup now
http://www.virustotal.com/reanalisis.htm...2d17fecfbf6c40e
I'll get back to you when I'm done.



Senior Member (2 product reviews) | 6. September 2008 @ 14:50
I cleaned the files using HijackThis (the files you told me to) and have just done the reboot.

This is the url of VirusTotal once I had mpt.exe re-analysed:
http://www.virustotal.com/analisis/81531...fd818390f5689cf
It's infected (9/36)




Senior Member | 7. September 2008 @ 02:31
Hey Ray

Now, please download ComboFix.
With ComboFix, at the download window, please rename it to Combo-fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.

• Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

Best Regards :D


Senior Member (2 product reviews) | 7. September 2008 @ 08:58
Thanks for your help
Here is the ComboFix log; it opened directly after the PC was rebooted by ComboFix.

ComboFix 08-09-05.02 - RaY YaN 2008-09-07 15:32:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.575 [GMT 3:00]
Running from: C:\Documents and Settings\RaY YaN\Desktop\Combo-Fix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\msvrc20.dll
C:\WINDOWS\system32\AJjlkUtv.ini
C:\WINDOWS\system32\AJjlkUtv.ini2
C:\WINDOWS\system32\BJlTwGgh.ini
C:\WINDOWS\system32\BJlTwGgh.ini2
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\ccIjPXbc.ini
C:\WINDOWS\system32\ccIjPXbc.ini2
C:\WINDOWS\system32\ccKRBcdd.ini
C:\WINDOWS\system32\ccKRBcdd.ini2
C:\WINDOWS\system32\CehRrXbc.ini
C:\WINDOWS\system32\CehRrXbc.ini2
C:\WINDOWS\system32\CKkkQXbc.ini
C:\WINDOWS\system32\CKkkQXbc.ini2
C:\WINDOWS\system32\dJRBbcdd.ini
C:\WINDOWS\system32\dJRBbcdd.ini2
C:\WINDOWS\system32\EMmSAcfe.ini
C:\WINDOWS\system32\EMmSAcfe.ini2
C:\WINDOWS\system32\FffeLnpo.ini
C:\WINDOWS\system32\FffeLnpo.ini2
C:\WINDOWS\system32\fgPYyyay.ini
C:\WINDOWS\system32\fgPYyyay.ini2
C:\WINDOWS\system32\HkRCefhk.ini
C:\WINDOWS\system32\HkRCefhk.ini2
C:\WINDOWS\system32\jbgndpdu.ini
C:\WINDOWS\system32\JQXHOXbc.ini
C:\WINDOWS\system32\JQXHOXbc.ini2
C:\WINDOWS\system32\KTBHkUvw.ini
C:\WINDOWS\system32\KTBHkUvw.ini2
C:\WINDOWS\system32\lTBLknmp.ini
C:\WINDOWS\system32\lTBLknmp.ini2
C:\WINDOWS\system32\nmnnmUvw.ini
C:\WINDOWS\system32\nmnnmUvw.ini2
C:\WINDOWS\system32\NoUEOqss.ini
C:\WINDOWS\system32\NoUEOqss.ini2
C:\WINDOWS\system32\OVxHRXbc.ini
C:\WINDOWS\system32\OVxHRXbc.ini2
C:\WINDOWS\system32\popqBJjl.ini
C:\WINDOWS\system32\popqBJjl.ini2
C:\WINDOWS\system32\Pruwxyay.ini
C:\WINDOWS\system32\Pruwxyay.ini2
C:\WINDOWS\system32\pWyJkUvw.ini
C:\WINDOWS\system32\pWyJkUvw.ini2
C:\WINDOWS\system32\qXGhgfii.ini
C:\WINDOWS\system32\qXGhgfii.ini2
C:\WINDOWS\system32\RqqpYcdd.ini
C:\WINDOWS\system32\RqqpYcdd.ini2
C:\WINDOWS\system32\rXFLknmp.ini
C:\WINDOWS\system32\rXFLknmp.ini2
C:\WINDOWS\system32\tBJikkkj.ini
C:\WINDOWS\system32\tBJikkkj.ini2
C:\WINDOWS\system32\WDceOXyb.ini
C:\WINDOWS\system32\WDceOXyb.ini2
C:\WINDOWS\system32\XEdLknnn.ini
C:\WINDOWS\system32\XEdLknnn.ini2
C:\Documents and Settings\RaY YaN\Application Data\inst.exe . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
.

2008-09-04 15:55 . 2008-09-04 15:55 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-04 15:55 . 2008-09-05 18:47 <DIR> d-------- C:\Program Files\RivaTuner v2.10
2008-09-03 20:01 . 2008-09-03 20:01 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-03 20:01 . 2008-09-03 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Malwarebytes
2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 17:40 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-03 17:40 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-03 17:39 . 2008-09-03 17:39 <DIR> d-------- C:\Program Files\iPod
2008-09-03 15:56 . 2008-09-03 17:15 <DIR> d-------- C:\Documents and Settings\RaY YaN\Contacts
2008-09-03 15:56 . 2008-09-03 15:57 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Program Files\ViStart
2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Program Files\ViOrb
2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\ViStart
2008-09-02 01:31 . 2008-09-02 01:31 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-09-02 01:31 . 2008-09-02 04:56 43,602 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2008-09-02 01:30 . 2008-09-02 01:30 <DIR> d-------- C:\Program Files\Gabest
2008-09-02 01:28 . 2008-09-02 04:56 <DIR> d-------- C:\Program Files\AutoGK
2008-08-30 16:52 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-08-30 16:52 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-08-30 16:17 . 2008-08-30 16:17 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-08-29 18:06 . 2008-08-29 18:06 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\IObit
2008-08-26 15:06 . 2008-09-03 17:14 <DIR> d-------- C:\Program Files\Windows Live
2008-08-24 20:54 . 2008-08-24 20:54 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\SystemRequirementsLab
2008-08-24 20:53 . 2008-08-24 20:53 <DIR> d-------- C:\WINDOWS\Sun
2008-08-24 19:05 . 2008-08-24 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Codemasters
2008-08-24 19:04 . 2008-08-24 19:04 <DIR> d-------- C:\Program Files\OpenAL
2008-08-24 19:04 . 2008-04-28 16:53 805,400 -ra------ C:\WINDOWS\system32\tmp1FA.tmp
2008-08-24 19:04 . 2008-04-28 16:53 805,400 -ra------ C:\WINDOWS\system32\tmp1F9.tmp
2008-08-24 19:04 . 2008-08-24 19:04 444,952 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-08-24 19:04 . 2008-08-24 19:04 109,080 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-08-24 13:07 . 2008-08-24 21:50 181 --a------ C:\WINDOWS\system32\sam.ini
2008-08-24 13:06 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-08-24 13:06 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-08-24 13:05 . 2008-08-27 10:58 <DIR> d-------- C:\Program Files\Game Elements
2008-08-24 13:05 . 2006-02-16 09:54 487,424 --a------ C:\WINDOWS\system32\FDRpage.dll
2008-08-24 13:05 . 2005-12-09 12:24 192,512 --a------ C:\WINDOWS\system32\CreateDir.exe
2008-08-24 13:05 . 2006-01-04 16:39 77,824 --a------ C:\WINDOWS\system32\FDRdriver.dll
2008-08-24 12:37 . 2008-08-24 12:37 <DIR> d-------- C:\Program Files\Common Files\DirectX
2008-08-24 12:24 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-08-24 12:24 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-08-23 01:42 . 2008-08-23 01:43 <DIR> dr------- C:\Program Files\TypingMaster
2008-08-23 01:42 . 2008-08-23 01:44 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\TypingMaster7
2008-08-22 19:15 . 2008-08-23 14:14 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\SPORE Creature Creator
2008-08-22 14:07 . 2008-08-25 02:06 <DIR> d-------- C:\Program Files\bobyte
2008-08-20 21:03 . 2008-08-20 21:03 <DIR> d-------- C:\Program Files\Comical
2008-08-20 14:27 . 2008-08-30 12:52 97 --a------ C:\WINDOWS\WirelessFTP.INI
2008-08-19 21:34 . 2008-08-24 01:33 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\LimeWire
2008-08-19 15:00 . 2008-08-19 15:08 <DIR> d-------- C:\UnrealSpecial
2008-08-19 14:58 . 1998-01-23 12:22 304,128 --a------ C:\WINDOWS\IsUninst.exe
2008-08-16 14:23 . 2008-08-16 14:23 <DIR> d-------- C:\Program Files\X-Projects
2008-08-16 13:45 . 2008-08-16 13:45 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Xbins
2008-08-15 16:02 . 2008-08-15 16:02 <DIR> d-------- C:\KA
2008-08-15 14:43 . 2008-08-15 14:43 <DIR> d-------- C:\Program Files\Disney Interactive
2008-08-15 14:43 . 2008-08-15 14:43 462 --a------ C:\WINDOWS\Disney.ini
2008-08-15 14:30 . 2008-08-15 14:37 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\ImgBurn
2008-08-15 14:25 . 1994-09-21 03:30 12,800 --a------ C:\WINDOWS\system32\WING32.DLL
2008-08-15 14:25 . 2008-08-15 16:03 170 --a------ C:\WINDOWS\KA.INI
2008-08-15 14:24 . 1995-10-12 09:00 282,112 --a------ C:\WINDOWS\uninst.exe
2008-08-15 14:22 . 2008-08-15 14:22 <DIR> d-------- C:\Documents and Settings\RaY YaN\WINDOWS
2008-08-15 02:05 . 2001-08-17 22:36 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2008-08-15 02:05 . 2001-08-17 22:36 138,752 --a--c--- C:\WINDOWS\system32\dllcache\sndvol32.exe
2008-08-14 14:10 . 2008-09-01 19:44 26 --a------ C:\WINDOWS\popcinfo.dat
2008-08-14 02:18 . 2008-08-14 02:18 <DIR> dr-h----- C:\Documents and Settings\RaY YaN\Application Data\SecuROM
2008-08-14 02:18 . 2008-09-02 19:35 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Bioshock
2008-08-14 02:18 . 2008-08-22 19:15 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-08-14 01:43 . 2008-08-14 01:43 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\InstallShield
2008-08-14 00:41 . 2008-08-14 00:45 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-08-13 22:49 . 2008-08-13 22:49 <DIR> d-------- C:\Program Files\id Software
2008-08-13 21:52 . 2001-08-23 17:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-08-13 21:51 . 2001-08-23 17:00 1,817,687 --a--c--- C:\WINDOWS\system32\dllcache\bckgres.dll
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-08-13 21:50 . 2008-08-13 21:50 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-08-13 21:48 . 2001-08-23 17:00 7,680 --a--c--- C:\WINDOWS\system32\dllcache\inetmgr.exe
2008-08-13 21:42 . 2004-08-04 00:56 152,576 --a------ C:\WINDOWS\system32\irftp.exe
2008-08-13 21:42 . 2004-08-04 00:56 27,136 --a------ C:\WINDOWS\system32\irmon.dll
2008-08-13 21:42 . 2004-08-04 00:56 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2008-08-13 21:40 . 2004-08-04 00:56 32,866 --a------ C:\WINDOWS\system32\slrundll.exe
2008-08-13 21:40 . 2008-06-11 14:48 18,772 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-08-13 21:16 . 2008-08-13 21:16 <DIR> d-------- C:\Program Files\SigmaTel
2008-08-13 21:16 . 2006-05-26 17:58 4,886,528 --a------ C:\WINDOWS\system32\stacgui.cpl
2008-08-13 21:16 . 2006-05-26 17:59 1,177,032 --a------ C:\WINDOWS\system32\drivers\sthda.sys
2008-08-13 21:16 . 2006-05-09 00:21 1,069,056 --a------ C:\WINDOWS\system32\stlang.dll
2008-08-13 21:16 . 2006-05-26 17:58 282,624 --a------ C:\WINDOWS\sttray.exe
2008-08-13 21:16 . 2006-05-26 17:58 217,088 --a------ C:\WINDOWS\system32\stacapi.dll
2008-08-13 21:16 . 2006-05-26 17:58 117,248 --a------ C:\WINDOWS\system32\staco.dll
2008-08-13 21:16 . 2006-05-26 17:58 86,016 --a------ C:\WINDOWS\system32\stacsv.exe
2008-08-13 21:05 . 2008-08-13 21:05 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
2008-08-13 21:03 . 2001-08-23 17:00 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2008-08-13 21:02 . 2004-08-04 03:56 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-08-13 21:01 . 2008-08-13 21:05 <DIR> d-------- C:\Inetpub
2008-08-13 21:00 . 2008-08-13 21:17 4,980 --a------ C:\WINDOWS\setupapi.old
2008-08-13 20:58 . 2008-09-04 16:33 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-08-13 00:34 . 2008-08-13 00:34 <DIR> d-------- C:\Program Files\uTorrent
2008-08-13 00:34 . 2008-09-07 02:03 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\uTorrent
2008-08-13 00:33 . 2008-08-13 00:33 <DIR> d-------- C:\Program Files\filehippo.com
2008-08-12 23:23 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-08-12 23:23 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-08-12 23:23 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-08-12 15:19 . 2004-11-12 14:19 204,800 --a------ C:\WINDOWS\system32\Ffpage.dll
2008-08-12 15:19 . 2003-12-17 15:20 69,632 --a------ C:\WINDOWS\system32\Ffdriver.dll
2008-08-12 13:34 . 2008-08-12 13:34 <DIR> d-------- C:\Program Files\Zuma deluxe
2008-08-12 13:31 . 2008-08-12 13:31 <DIR> d-------- C:\Program Files\Alawar
2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\WINDOWS\Lost in the City
2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\Program Files\Lost in the City
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\The Mystery of the Crystal Portal
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\Forgotten Riddles - The Moonlight Sonatas
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\Deep Voyage
2008-08-12 13:29 . 2008-08-12 13:30 <DIR> d-------- C:\Program Files\The Mystery of the Crystal Portal
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\Program Files\Forgotten Riddles - The Moonlight Sonatas
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\Program Files\Deep Voyage
2008-08-12 12:53 . 2004-08-04 03:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-12 12:53 . 1998-09-02 11:02 194,320 --a------ C:\WINDOWS\system32\qcut.dll
2008-08-12 12:53 . 1998-08-20 14:02 140,800 --a------ C:\WINDOWS\system32\tm20dec.ax
2008-08-12 12:53 . 1998-09-02 11:28 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
2008-08-12 12:53 . 1998-09-02 11:28 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
2008-08-12 12:53 . 1998-08-17 12:21 11,776 --a------ C:\WINDOWS\system32\mciqtz.drv
2008-08-12 12:53 . 1998-08-17 12:21 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
2008-08-12 12:53 . 1998-08-17 12:21 5,672 --a------ C:\WINDOWS\system32\quartz.vxd
2008-08-12 12:53 . 2008-08-12 12:53 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 09:56 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-06 04:42 126,976 ----a-w C:\WINDOWS\system32\cheeto.exe
2008-07-14 19:03 58,594 ----a-w C:\WINDOWS\system32\mpt.exe
2008-07-07 07:40 56,108 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-06-12 18:36 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-08-10 16384]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SW24"="C:\WINDOWS\system32\sw24.exe" [2006-02-22 69632]
"SW20"="C:\WINDOWS\system32\sw20.exe" [2006-02-22 208896]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-06-10 1447168]
"mpt"="c:\WINDOWS\system32\mpt.exe" [2008-07-14 58594]
"TClock Light"="D:\Program Files\T-Clock\tclock.exe" [2004-09-07 44544]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Logitech SetPoint"="C:\Program Files\Logitech\SetPoint\KEM.exe" [2004-05-14 573440]
"Fraps"="C:\PROGRAM FILES\FRAPS\FRAPS.EXE" [2008-01-14 3182248]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
"SigmatelSysTrayApp"="sttray.exe" [2006-05-26 C:\WINDOWS\sttray.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-08-02 292152]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=

S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [ ]
S3 SetupNTGLM7X;SetupNTGLM7X;I:\NTGLM7X.sys [ ]
S4 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-10 307968]
S4 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\autorun.exe
\Shell\Demo\command - JSDemo.exe
\Shell\help\command - kahelp.exe
\Shell\Setup\command - L:\setup.exe
\Shell\website\command - L:\website.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-NvCplDaemon - (no file)
ShellExecuteHooks-{38B9D19D-021A-4282-A2BD-F9E40DCBA8C9} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\RaY YaN\Application Data\Mozilla\Firefox\Profiles\2amwhqwo.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://mail.live.com/
FF -: plugin - D:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-07 15:35:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
.
**************************************************************************
.
Completion time: 2008-09-07 15:37:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-07 12:37:18

Pre-Run: 8,651,595,776 bytes free
Post-Run: 8,563,462,144 bytes free

303 --- E O F --- 2008-09-07 10:00:33




Senior Member
7. September 2008 @ 23:44
Hey Ray

Please run HijackThis.

• Click on the button which says Main Menu, then Do a system scan only.
• Please wait for the scan to be completed.
• After the scan has completed, check the following entries.

O4 - HKCU\..\Run: [mpt] c:\WINDOWS\system32\mpt.exe

Click on the button Fix checked

NOTE:: Close all browsers before fixing anything.


Open Notepad and copy/paste the text in the code box below into it:


File::

C:\Windows\System32\cheeto.exe
C:\Windows\System32\mpt.exe
C:\Windows\System32\mpxa.exe

Save this as CFScript.txt in the same folder as Combofix

Then drag the CFScript.txt into ComboFix.exe.

This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Tell me how your computer is doing.

Best Regards :D

Life is but a dream; you don't feel any pain unless you want to or you fall off the bed.
Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; that's a dumb question.
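
As an added example (not part of the thread, and not code from ComboFix or HijackThis), a Python triage helper for the two log formats posted here: it parses the ComboFix Find3M and Run-key lines and the HijackThis O4 lines, marks which recently written files under the Windows directory are loaded from a Run key (mpt.exe is, cheeto.exe is not), and renders the File:: block of a CFScript.txt in the form used in the post above. The line-format regexes and the hive abbreviations are assumptions derived from the posted logs; the sample lines are constructed from them.

```python
"""Cross-reference a ComboFix "Find3M Report" (files written in the last three months) with
autostart entries from ComboFix "Reg Loading Points" and HijackThis O4 lines. The regexes are
assumptions based on the line formats visible in the posted logs."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "mpt"="c:\WINDOWS\system32\mpt.exe" [2008-07-14 58594]   or, for a bare name,
# "nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]  (resolved path in brackets)
CF_RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
# O4 - HKCU\..\Run: [mpt] c:\WINDOWS\system32\mpt.exe
HJT_O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# 2008-08-06 04:42 126,976 ----a-w C:\WINDOWS\system32\cheeto.exe
FIND3M_RE = re.compile(r'^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+'
                       r'(?P<size>[\d,]+|-+)\s+(?P<attr>\S+)\s+(?P<path>.+)$')
# First drive-qualified loadable image in a command line (skips RUNDLL32.EXE and switches)
IMAGE_RE = re.compile(r'[A-Za-z]:\\.*?\.(?:exe|dll|cpl|sys)\b', re.IGNORECASE)
HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_USERS": "HKU"}
WINDOWS_DIR = "c:\\windows\\"

@dataclass
class Autostart:
    source: str           # "combofix" or "hijackthis"
    hive: str             # HKCU / HKLM / HKU, or HijackThis's own spelling (HKUS\S-1-5-18)
    name: str             # registry value name
    image: Optional[str]  # lowercase path of the loaded image, None if unresolved

@dataclass
class RecentFile:
    stamp: str
    size: int
    path: str
    referenced_by: List[str] = field(default_factory=list)

def _image_of(*texts: str) -> Optional[str]:
    hits = [IMAGE_RE.search(t) for t in texts]
    return next((h.group(0).lower() for h in hits if h), None)

def parse_combofix(lines) -> Tuple[List[Autostart], List[RecentFile]]:
    """One pass over a ComboFix log: Run-key values and Find3M file entries."""
    autostarts, recent, key = [], [], ""
    for raw in lines:
        line = raw.rstrip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # registry key the following values belong to
            continue
        m = FIND3M_RE.match(line)
        if m and m["size"][0].isdigit():          # directories carry '---------' as size: skip
            recent.append(RecentFile(m["stamp"], int(m["size"].replace(",", "")), m["path"]))
            continue
        m = CF_RUN_RE.match(line)
        if m and key.lower().endswith("\\run"):   # only values under a ...\Run key
            root = key.split("\\")[0]
            autostarts.append(Autostart("combofix", HIVES.get(root, root), m["name"],
                                        _image_of(m["cmd"], m["meta"])))
    return autostarts, recent

def parse_hijackthis(lines) -> List[Autostart]:
    hits = [HJT_O4_RE.match(raw.strip()) for raw in lines]
    return [Autostart("hijackthis", m["hive"], m["name"], _image_of(m["cmd"])) for m in hits if m]

def triage(combofix_lines, hijackthis_lines) -> List[RecentFile]:
    """Annotate each recently written file with the autostart entries that load it."""
    autostarts, recent = parse_combofix(combofix_lines)
    autostarts += parse_hijackthis(hijackthis_lines)
    by_image = {}
    for a in autostarts:
        if a.image:
            by_image.setdefault(a.image, []).append(f"{a.source}:{a.hive}\\Run:{a.name}")
    for f in recent:
        f.referenced_by = by_image.get(f.path.lower(), [])
    return recent

def flag(recent: List[RecentFile]) -> List[RecentFile]:
    """Recent loadable images under the Windows directory, autostarted ones first. The helper
    above scripted deletion of both kinds (mpt.exe has a Run entry, cheeto.exe has none)."""
    hits = [f for f in recent if f.path.lower().startswith(WINDOWS_DIR)
            and f.path.lower().endswith((".exe", ".dll", ".sys", ".cpl"))]
    return sorted(hits, key=lambda f: (not f.referenced_by, f.path.lower()))

def cfscript_file_section(paths: List[str]) -> str:
    """Render the File:: block of a CFScript.txt in the form the helper posted above."""
    return "File::\n\n" + "\n".join(paths) + "\n"

# Constructed sample input: lines copied from the logs posted in this thread, shortened.
COMBOFIX_SAMPLE = r"""
2008-08-10 09:56 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-06 04:42 126,976 ----a-w C:\WINDOWS\system32\cheeto.exe
2008-07-14 19:03 58,594 ----a-w C:\WINDOWS\system32\mpt.exe
2008-07-07 07:40 56,108 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-06-12 18:36 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mpt"="c:\WINDOWS\system32\mpt.exe" [2008-07-14 58594]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
""".strip().splitlines()
HIJACKTHIS_SAMPLE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [mpt] c:\WINDOWS\system32\mpt.exe
""".strip().splitlines()
```

`flag(triage(COMBOFIX_SAMPLE, HIJACKTHIS_SAMPLE))` lists mpt.exe first with both Run references, then the unreferenced recent files for manual review.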

Senior Member
8. September 2008 @ 07:38
Here is the ComboFix log:

ComboFix 08-09-05.02 - RaY YaN 2008-09-08 14:30:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.615 [GMT 3:00]
Running from: C:\Documents and Settings\RaY YaN\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\RaY YaN\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\System32\cheeto.exe
C:\Windows\System32\mpt.exe
C:\Documents and Settings\RaY YaN\Application Data\inst.exe . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
.

2008-09-04 15:55 . 2008-09-04 15:55 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-04 15:55 . 2008-09-05 18:47 <DIR> d-------- C:\Program Files\RivaTuner v2.10
2008-09-03 20:01 . 2008-09-03 20:01 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-03 20:01 . 2008-09-03 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Malwarebytes
2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 17:40 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-03 17:40 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-03 17:39 . 2008-09-03 17:39 <DIR> d-------- C:\Program Files\iPod
2008-09-03 15:56 . 2008-09-03 17:15 <DIR> d-------- C:\Documents and Settings\RaY YaN\Contacts
2008-09-03 15:56 . 2008-09-03 15:57 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Program Files\ViStart
2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Program Files\ViOrb
2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\ViStart
2008-09-02 01:31 . 2008-09-02 01:31 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-09-02 01:31 . 2008-09-02 04:56 43,602 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2008-09-02 01:30 . 2008-09-02 01:30 <DIR> d-------- C:\Program Files\Gabest
2008-09-02 01:28 . 2008-09-02 04:56 <DIR> d-------- C:\Program Files\AutoGK
2008-08-30 16:52 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-08-30 16:52 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-08-30 16:17 . 2008-08-30 16:17 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-08-29 18:06 . 2008-08-29 18:06 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\IObit
2008-08-26 15:06 . 2008-09-03 17:14 <DIR> d-------- C:\Program Files\Windows Live
2008-08-24 20:54 . 2008-08-24 20:54 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\SystemRequirementsLab
2008-08-24 20:53 . 2008-08-24 20:53 <DIR> d-------- C:\WINDOWS\Sun
2008-08-24 19:05 . 2008-08-24 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Codemasters
2008-08-24 19:04 . 2008-08-24 19:04 <DIR> d-------- C:\Program Files\OpenAL
2008-08-24 19:04 . 2008-04-28 16:53 805,400 -ra------ C:\WINDOWS\system32\tmp1FA.tmp
2008-08-24 19:04 . 2008-04-28 16:53 805,400 -ra------ C:\WINDOWS\system32\tmp1F9.tmp
2008-08-24 19:04 . 2008-08-24 19:04 444,952 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-08-24 19:04 . 2008-08-24 19:04 109,080 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-08-24 13:07 . 2008-08-24 21:50 181 --a------ C:\WINDOWS\system32\sam.ini
2008-08-24 13:06 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-08-24 13:06 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-08-24 13:05 . 2008-08-27 10:58 <DIR> d-------- C:\Program Files\Game Elements
2008-08-24 13:05 . 2006-02-16 09:54 487,424 --a------ C:\WINDOWS\system32\FDRpage.dll
2008-08-24 13:05 . 2005-12-09 12:24 192,512 --a------ C:\WINDOWS\system32\CreateDir.exe
2008-08-24 13:05 . 2006-01-04 16:39 77,824 --a------ C:\WINDOWS\system32\FDRdriver.dll
2008-08-24 12:37 . 2008-08-24 12:37 <DIR> d-------- C:\Program Files\Common Files\DirectX
2008-08-24 12:24 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-08-24 12:24 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-08-23 01:42 . 2008-08-23 01:43 <DIR> dr------- C:\Program Files\TypingMaster
2008-08-23 01:42 . 2008-08-23 01:44 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\TypingMaster7
2008-08-22 19:15 . 2008-08-23 14:14 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\SPORE Creature Creator
2008-08-22 14:07 . 2008-08-25 02:06 <DIR> d-------- C:\Program Files\bobyte
2008-08-20 21:03 . 2008-08-20 21:03 <DIR> d-------- C:\Program Files\Comical
2008-08-20 14:27 . 2008-08-30 12:52 97 --a------ C:\WINDOWS\WirelessFTP.INI
2008-08-19 21:34 . 2008-08-24 01:33 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\LimeWire
2008-08-19 15:00 . 2008-08-19 15:08 <DIR> d-------- C:\UnrealSpecial
2008-08-19 14:58 . 1998-01-23 12:22 304,128 --a------ C:\WINDOWS\IsUninst.exe
2008-08-16 14:23 . 2008-08-16 14:23 <DIR> d-------- C:\Program Files\X-Projects
2008-08-16 13:45 . 2008-08-16 13:45 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Xbins
2008-08-15 16:02 . 2008-08-15 16:02 <DIR> d-------- C:\KA
2008-08-15 14:43 . 2008-08-15 14:43 <DIR> d-------- C:\Program Files\Disney Interactive
2008-08-15 14:43 . 2008-08-15 14:43 462 --a------ C:\WINDOWS\Disney.ini
2008-08-15 14:30 . 2008-08-15 14:37 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\ImgBurn
2008-08-15 14:25 . 1994-09-21 03:30 12,800 --a------ C:\WINDOWS\system32\WING32.DLL
2008-08-15 14:25 . 2008-08-15 16:03 170 --a------ C:\WINDOWS\KA.INI
2008-08-15 14:24 . 1995-10-12 09:00 282,112 --a------ C:\WINDOWS\uninst.exe
2008-08-15 14:22 . 2008-08-15 14:22 <DIR> d-------- C:\Documents and Settings\RaY YaN\WINDOWS
2008-08-15 02:05 . 2001-08-17 22:36 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2008-08-15 02:05 . 2001-08-17 22:36 138,752 --a--c--- C:\WINDOWS\system32\dllcache\sndvol32.exe
2008-08-14 14:10 . 2008-09-01 19:44 26 --a------ C:\WINDOWS\popcinfo.dat
2008-08-14 02:18 . 2008-08-14 02:18 <DIR> dr-h----- C:\Documents and Settings\RaY YaN\Application Data\SecuROM
2008-08-14 02:18 . 2008-09-02 19:35 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Bioshock
2008-08-14 02:18 . 2008-08-22 19:15 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-08-14 01:43 . 2008-08-14 01:43 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\InstallShield
2008-08-14 00:41 . 2008-08-14 00:45 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-08-13 22:49 . 2008-08-13 22:49 <DIR> d-------- C:\Program Files\id Software
2008-08-13 21:52 . 2001-08-23 17:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-08-13 21:51 . 2001-08-23 17:00 1,817,687 --a--c--- C:\WINDOWS\system32\dllcache\bckgres.dll
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-08-13 21:50 . 2008-08-13 21:50 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-08-13 21:48 . 2001-08-23 17:00 7,680 --a--c--- C:\WINDOWS\system32\dllcache\inetmgr.exe
2008-08-13 21:42 . 2004-08-04 00:56 152,576 --a------ C:\WINDOWS\system32\irftp.exe
2008-08-13 21:42 . 2004-08-04 00:56 27,136 --a------ C:\WINDOWS\system32\irmon.dll
2008-08-13 21:42 . 2004-08-04 00:56 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2008-08-13 21:40 . 2004-08-04 00:56 32,866 --a------ C:\WINDOWS\system32\slrundll.exe
2008-08-13 21:40 . 2008-06-11 14:48 18,772 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-08-13 21:16 . 2008-08-13 21:16 <DIR> d-------- C:\Program Files\SigmaTel
2008-08-13 21:16 . 2006-05-26 17:58 4,886,528 --a------ C:\WINDOWS\system32\stacgui.cpl
2008-08-13 21:16 . 2006-05-26 17:59 1,177,032 --a------ C:\WINDOWS\system32\drivers\sthda.sys
2008-08-13 21:16 . 2006-05-09 00:21 1,069,056 --a------ C:\WINDOWS\system32\stlang.dll
2008-08-13 21:16 . 2006-05-26 17:58 282,624 --a------ C:\WINDOWS\sttray.exe
2008-08-13 21:16 . 2006-05-26 17:58 217,088 --a------ C:\WINDOWS\system32\stacapi.dll
2008-08-13 21:16 . 2006-05-26 17:58 117,248 --a------ C:\WINDOWS\system32\staco.dll
2008-08-13 21:16 . 2006-05-26 17:58 86,016 --a------ C:\WINDOWS\system32\stacsv.exe
2008-08-13 21:05 . 2008-08-13 21:05 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
2008-08-13 21:03 . 2001-08-23 17:00 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2008-08-13 21:02 . 2004-08-04 03:56 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-08-13 21:01 . 2008-08-13 21:05 <DIR> d-------- C:\Inetpub
2008-08-13 21:00 . 2008-08-13 21:17 4,980 --a------ C:\WINDOWS\setupapi.old
2008-08-13 20:58 . 2008-09-04 16:33 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-08-13 00:34 . 2008-08-13 00:34 <DIR> d-------- C:\Program Files\uTorrent
2008-08-13 00:34 . 2008-09-07 02:03 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\uTorrent
2008-08-13 00:33 . 2008-08-13 00:33 <DIR> d-------- C:\Program Files\filehippo.com
2008-08-12 23:23 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-08-12 23:23 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-08-12 23:23 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-08-12 15:19 . 2004-11-12 14:19 204,800 --a------ C:\WINDOWS\system32\Ffpage.dll
2008-08-12 15:19 . 2003-12-17 15:20 69,632 --a------ C:\WINDOWS\system32\Ffdriver.dll
2008-08-12 13:34 . 2008-08-12 13:34 <DIR> d-------- C:\Program Files\Zuma deluxe
2008-08-12 13:31 . 2008-08-12 13:31 <DIR> d-------- C:\Program Files\Alawar
2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\WINDOWS\Lost in the City
2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\Program Files\Lost in the City
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\The Mystery of the Crystal Portal
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\Forgotten Riddles - The Moonlight Sonatas
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\Deep Voyage
2008-08-12 13:29 . 2008-08-12 13:30 <DIR> d-------- C:\Program Files\The Mystery of the Crystal Portal
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\Program Files\Forgotten Riddles - The Moonlight Sonatas
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\Program Files\Deep Voyage
2008-08-12 12:53 . 2004-08-04 03:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-12 12:53 . 1998-09-02 11:02 194,320 --a------ C:\WINDOWS\system32\qcut.dll
2008-08-12 12:53 . 1998-08-20 14:02 140,800 --a------ C:\WINDOWS\system32\tm20dec.ax
2008-08-12 12:53 . 1998-09-02 11:28 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
2008-08-12 12:53 . 1998-09-02 11:28 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
2008-08-12 12:53 . 1998-08-17 12:21 11,776 --a------ C:\WINDOWS\system32\mciqtz.drv
2008-08-12 12:53 . 1998-08-17 12:21 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
2008-08-12 12:53 . 1998-08-17 12:21 5,672 --a------ C:\WINDOWS\system32\quartz.vxd
2008-08-12 12:53 . 2008-08-12 12:53 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 09:56 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-12 18:36 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
.

((((((((((((((((((((((((((((( snapshot@2008-09-07_15.37.02.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-07 12:35:34 217,219 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-09-08 11:32:17 217,219 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-08-10 16384]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SW24"="C:\WINDOWS\system32\sw24.exe" [2006-02-22 69632]
"SW20"="C:\WINDOWS\system32\sw20.exe" [2006-02-22 208896]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-06-10 1447168]
"TClock Light"="D:\Program Files\T-Clock\tclock.exe" [2004-09-07 44544]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Logitech SetPoint"="C:\Program Files\Logitech\SetPoint\KEM.exe" [2004-05-14 573440]
"Fraps"="C:\PROGRAM FILES\FRAPS\FRAPS.EXE" [2008-01-14 3182248]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
"SigmatelSysTrayApp"="sttray.exe" [2006-05-26 C:\WINDOWS\sttray.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-08-02 292152]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=

S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [ ]
S3 SetupNTGLM7X;SetupNTGLM7X;I:\NTGLM7X.sys [ ]
S4 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-10 307968]
S4 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\autorun.exe
\Shell\Demo\command - JSDemo.exe
\Shell\help\command - kahelp.exe
\Shell\Setup\command - L:\setup.exe
\Shell\website\command - L:\website.exe
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-08 14:32:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
.
**************************************************************************
.
Completion time: 2008-09-08 14:34:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-08 11:34:02
ComboFix2.txt 2008-09-07 12:37:22

Pre-Run: 8,470,482,944 bytes free
Post-Run: 8,457,781,248 bytes free

243 --- E O F --- 2008-09-08 10:53:53

This is the HijackThis log after running combofix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:07 PM, on 9/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\STacSV.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\PROGRAM FILES\FRAPS\FRAPS.EXE
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\RaY YaN\Desktop\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
O4 - HKCU\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
O4 - HKCU\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKCU\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKCU\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKCU\..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe
O4 - HKCU\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [TClock Light] D:\Program Files\T-Clock\tclock.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Logitech SetPoint] C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - HKCU\..\Run: [Fraps] C:\PROGRAM FILES\FRAPS\FRAPS.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 6964 bytes


Thanks for your help, the PC is running fine.




Senior Member
8. September 2008 @ 07:39
Here is the ComboFix log:

ComboFix 08-09-05.02 - RaY YaN 2008-09-08 14:30:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.615 [GMT 3:00]
Running from: C:\Documents and Settings\RaY YaN\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\RaY YaN\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\System32\cheeto.exe
C:\Windows\System32\mpt.exe
C:\Documents and Settings\RaY YaN\Application Data\inst.exe . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
.

2008-09-04 15:55 . 2008-09-04 15:55 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-04 15:55 . 2008-09-05 18:47 <DIR> d-------- C:\Program Files\RivaTuner v2.10
2008-09-03 20:01 . 2008-09-03 20:01 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-03 20:01 . 2008-09-03 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Malwarebytes
2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 17:40 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-03 17:40 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-03 17:39 . 2008-09-03 17:39 <DIR> d-------- C:\Program Files\iPod
2008-09-03 15:56 . 2008-09-03 17:15 <DIR> d-------- C:\Documents and Settings\RaY YaN\Contacts
2008-09-03 15:56 . 2008-09-03 15:57 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Program Files\ViStart
2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Program Files\ViOrb
2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\ViStart
2008-09-02 01:31 . 2008-09-02 01:31 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-09-02 01:31 . 2008-09-02 04:56 43,602 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2008-09-02 01:30 . 2008-09-02 01:30 <DIR> d-------- C:\Program Files\Gabest
2008-09-02 01:28 . 2008-09-02 04:56 <DIR> d-------- C:\Program Files\AutoGK
2008-08-30 16:52 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-08-30 16:52 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-08-30 16:17 . 2008-08-30 16:17 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-08-29 18:06 . 2008-08-29 18:06 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\IObit
2008-08-26 15:06 . 2008-09-03 17:14 <DIR> d-------- C:\Program Files\Windows Live
2008-08-24 20:54 . 2008-08-24 20:54 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\SystemRequirementsLab
2008-08-24 20:53 . 2008-08-24 20:53 <DIR> d-------- C:\WINDOWS\Sun
2008-08-24 19:05 . 2008-08-24 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Codemasters
2008-08-24 19:04 . 2008-08-24 19:04 <DIR> d-------- C:\Program Files\OpenAL
2008-08-24 19:04 . 2008-04-28 16:53 805,400 -ra------ C:\WINDOWS\system32\tmp1FA.tmp
2008-08-24 19:04 . 2008-04-28 16:53 805,400 -ra------ C:\WINDOWS\system32\tmp1F9.tmp
2008-08-24 19:04 . 2008-08-24 19:04 444,952 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-08-24 19:04 . 2008-08-24 19:04 109,080 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-08-24 13:07 . 2008-08-24 21:50 181 --a------ C:\WINDOWS\system32\sam.ini
2008-08-24 13:06 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-08-24 13:06 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-08-24 13:05 . 2008-08-27 10:58 <DIR> d-------- C:\Program Files\Game Elements
2008-08-24 13:05 . 2006-02-16 09:54 487,424 --a------ C:\WINDOWS\system32\FDRpage.dll
2008-08-24 13:05 . 2005-12-09 12:24 192,512 --a------ C:\WINDOWS\system32\CreateDir.exe
2008-08-24 13:05 . 2006-01-04 16:39 77,824 --a------ C:\WINDOWS\system32\FDRdriver.dll
2008-08-24 12:37 . 2008-08-24 12:37 <DIR> d-------- C:\Program Files\Common Files\DirectX
2008-08-24 12:24 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-08-24 12:24 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-08-23 01:42 . 2008-08-23 01:43 <DIR> dr------- C:\Program Files\TypingMaster
2008-08-23 01:42 . 2008-08-23 01:44 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\TypingMaster7
2008-08-22 19:15 . 2008-08-23 14:14 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\SPORE Creature Creator
2008-08-22 14:07 . 2008-08-25 02:06 <DIR> d-------- C:\Program Files\bobyte
2008-08-20 21:03 . 2008-08-20 21:03 <DIR> d-------- C:\Program Files\Comical
2008-08-20 14:27 . 2008-08-30 12:52 97 --a------ C:\WINDOWS\WirelessFTP.INI
2008-08-19 21:34 . 2008-08-24 01:33 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\LimeWire
2008-08-19 15:00 . 2008-08-19 15:08 <DIR> d-------- C:\UnrealSpecial
2008-08-19 14:58 . 1998-01-23 12:22 304,128 --a------ C:\WINDOWS\IsUninst.exe
2008-08-16 14:23 . 2008-08-16 14:23 <DIR> d-------- C:\Program Files\X-Projects
2008-08-16 13:45 . 2008-08-16 13:45 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Xbins
2008-08-15 16:02 . 2008-08-15 16:02 <DIR> d-------- C:\KA
2008-08-15 14:43 . 2008-08-15 14:43 <DIR> d-------- C:\Program Files\Disney Interactive
2008-08-15 14:43 . 2008-08-15 14:43 462 --a------ C:\WINDOWS\Disney.ini
2008-08-15 14:30 . 2008-08-15 14:37 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\ImgBurn
2008-08-15 14:25 . 1994-09-21 03:30 12,800 --a------ C:\WINDOWS\system32\WING32.DLL
2008-08-15 14:25 . 2008-08-15 16:03 170 --a------ C:\WINDOWS\KA.INI
2008-08-15 14:24 . 1995-10-12 09:00 282,112 --a------ C:\WINDOWS\uninst.exe
2008-08-15 14:22 . 2008-08-15 14:22 <DIR> d-------- C:\Documents and Settings\RaY YaN\WINDOWS
2008-08-15 02:05 . 2001-08-17 22:36 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2008-08-15 02:05 . 2001-08-17 22:36 138,752 --a--c--- C:\WINDOWS\system32\dllcache\sndvol32.exe
2008-08-14 14:10 . 2008-09-01 19:44 26 --a------ C:\WINDOWS\popcinfo.dat
2008-08-14 02:18 . 2008-08-14 02:18 <DIR> dr-h----- C:\Documents and Settings\RaY YaN\Application Data\SecuROM
2008-08-14 02:18 . 2008-09-02 19:35 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Bioshock
2008-08-14 02:18 . 2008-08-22 19:15 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-08-14 01:43 . 2008-08-14 01:43 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\InstallShield
2008-08-14 00:41 . 2008-08-14 00:45 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-08-13 22:49 . 2008-08-13 22:49 <DIR> d-------- C:\Program Files\id Software
2008-08-13 21:52 . 2001-08-23 17:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-08-13 21:51 . 2001-08-23 17:00 1,817,687 --a--c--- C:\WINDOWS\system32\dllcache\bckgres.dll
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-08-13 21:50 . 2008-08-13 21:50 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-08-13 21:48 . 2001-08-23 17:00 7,680 --a--c--- C:\WINDOWS\system32\dllcache\inetmgr.exe
2008-08-13 21:42 . 2004-08-04 00:56 152,576 --a------ C:\WINDOWS\system32\irftp.exe
2008-08-13 21:42 . 2004-08-04 00:56 27,136 --a------ C:\WINDOWS\system32\irmon.dll
2008-08-13 21:42 . 2004-08-04 00:56 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2008-08-13 21:40 . 2004-08-04 00:56 32,866 --a------ C:\WINDOWS\system32\slrundll.exe
2008-08-13 21:40 . 2008-06-11 14:48 18,772 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-08-13 21:16 . 2008-08-13 21:16 <DIR> d-------- C:\Program Files\SigmaTel
2008-08-13 21:16 . 2006-05-26 17:58 4,886,528 --a------ C:\WINDOWS\system32\stacgui.cpl
2008-08-13 21:16 . 2006-05-26 17:59 1,177,032 --a------ C:\WINDOWS\system32\drivers\sthda.sys
2008-08-13 21:16 . 2006-05-09 00:21 1,069,056 --a------ C:\WINDOWS\system32\stlang.dll
2008-08-13 21:16 . 2006-05-26 17:58 282,624 --a------ C:\WINDOWS\sttray.exe
2008-08-13 21:16 . 2006-05-26 17:58 217,088 --a------ C:\WINDOWS\system32\stacapi.dll
2008-08-13 21:16 . 2006-05-26 17:58 117,248 --a------ C:\WINDOWS\system32\staco.dll
2008-08-13 21:16 . 2006-05-26 17:58 86,016 --a------ C:\WINDOWS\system32\stacsv.exe
2008-08-13 21:05 . 2008-08-13 21:05 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
2008-08-13 21:03 . 2001-08-23 17:00 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2008-08-13 21:02 . 2004-08-04 03:56 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-08-13 21:01 . 2008-08-13 21:05 <DIR> d-------- C:\Inetpub
2008-08-13 21:00 . 2008-08-13 21:17 4,980 --a------ C:\WINDOWS\setupapi.old
2008-08-13 20:58 . 2008-09-04 16:33 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-08-13 00:34 . 2008-08-13 00:34 <DIR> d-------- C:\Program Files\uTorrent
2008-08-13 00:34 . 2008-09-07 02:03 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\uTorrent
2008-08-13 00:33 . 2008-08-13 00:33 <DIR> d-------- C:\Program Files\filehippo.com
2008-08-12 23:23 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-08-12 23:23 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-08-12 23:23 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-08-12 15:19 . 2004-11-12 14:19 204,800 --a------ C:\WINDOWS\system32\Ffpage.dll
2008-08-12 15:19 . 2003-12-17 15:20 69,632 --a------ C:\WINDOWS\system32\Ffdriver.dll
2008-08-12 13:34 . 2008-08-12 13:34 <DIR> d-------- C:\Program Files\Zuma deluxe
2008-08-12 13:31 . 2008-08-12 13:31 <DIR> d-------- C:\Program Files\Alawar
2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\WINDOWS\Lost in the City
2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\Program Files\Lost in the City
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\The Mystery of the Crystal Portal
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\Forgotten Riddles - The Moonlight Sonatas
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\Deep Voyage
2008-08-12 13:29 . 2008-08-12 13:30 <DIR> d-------- C:\Program Files\The Mystery of the Crystal Portal
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\Program Files\Forgotten Riddles - The Moonlight Sonatas
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\Program Files\Deep Voyage
2008-08-12 12:53 . 2004-08-04 03:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-12 12:53 . 1998-09-02 11:02 194,320 --a------ C:\WINDOWS\system32\qcut.dll
2008-08-12 12:53 . 1998-08-20 14:02 140,800 --a------ C:\WINDOWS\system32\tm20dec.ax
2008-08-12 12:53 . 1998-09-02 11:28 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
2008-08-12 12:53 . 1998-09-02 11:28 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
2008-08-12 12:53 . 1998-08-17 12:21 11,776 --a------ C:\WINDOWS\system32\mciqtz.drv
2008-08-12 12:53 . 1998-08-17 12:21 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
2008-08-12 12:53 . 1998-08-17 12:21 5,672 --a------ C:\WINDOWS\system32\quartz.vxd
2008-08-12 12:53 . 2008-08-12 12:53 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 09:56 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-12 18:36 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
.

((((((((((((((((((((((((((((( snapshot@2008-09-07_15.37.02.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-07 12:35:34 217,219 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-09-08 11:32:17 217,219 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-08-10 16384]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SW24"="C:\WINDOWS\system32\sw24.exe" [2006-02-22 69632]
"SW20"="C:\WINDOWS\system32\sw20.exe" [2006-02-22 208896]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-06-10 1447168]
"TClock Light"="D:\Program Files\T-Clock\tclock.exe" [2004-09-07 44544]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Logitech SetPoint"="C:\Program Files\Logitech\SetPoint\KEM.exe" [2004-05-14 573440]
"Fraps"="C:\PROGRAM FILES\FRAPS\FRAPS.EXE" [2008-01-14 3182248]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
"SigmatelSysTrayApp"="sttray.exe" [2006-05-26 C:\WINDOWS\sttray.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-08-02 292152]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=

S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [ ]
S3 SetupNTGLM7X;SetupNTGLM7X;I:\NTGLM7X.sys [ ]
S4 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-10 307968]
S4 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\autorun.exe
\Shell\Demo\command - JSDemo.exe
\Shell\help\command - kahelp.exe
\Shell\Setup\command - L:\setup.exe
\Shell\website\command - L:\website.exe
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-08 14:32:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
.
**************************************************************************
.
Completion time: 2008-09-08 14:34:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-08 11:34:02
ComboFix2.txt 2008-09-07 12:37:22

Pre-Run: 8,470,482,944 bytes free
Post-Run: 8,457,781,248 bytes free

243 --- E O F --- 2008-09-08 10:53:53

This is the HijackThis log after running ComboFix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:07 PM, on 9/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\STacSV.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\PROGRAM FILES\FRAPS\FRAPS.EXE
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\RaY YaN\Desktop\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
O4 - HKCU\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
O4 - HKCU\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKCU\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKCU\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKCU\..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe
O4 - HKCU\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [TClock Light] D:\Program Files\T-Clock\tclock.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Logitech SetPoint] C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - HKCU\..\Run: [Fraps] C:\PROGRAM FILES\FRAPS\FRAPS.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 6964 bytes


Thanks for your help, the PC is running fine.




Senior Member
8. September 2008 @ 07:40
I recently got a new laptop, and installed similar programs on it.
I became worried that it may have been infected, and after scanning with Malwarebytes Anti-Malware, it was confirmed that I had been infected by Vundo.

Is it okay if I post a HijackThis log for my laptop here as well?



This message has been edited since posting. Last time this message was edited on 8. September 2008 @ 08:34

Senior Member
8. September 2008 @ 07:45
Here is the ComboFix log:

ComboFix 08-09-05.02 - RaY YaN 2008-09-08 14:30:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.615 [GMT 3:00]
Running from: C:\Documents and Settings\RaY YaN\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\RaY YaN\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\System32\cheeto.exe
C:\Windows\System32\mpt.exe
C:\Documents and Settings\RaY YaN\Application Data\inst.exe . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
.

2008-09-04 15:55 . 2008-09-04 15:55 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-04 15:55 . 2008-09-05 18:47 <DIR> d-------- C:\Program Files\RivaTuner v2.10
2008-09-03 20:01 . 2008-09-03 20:01 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-03 20:01 . 2008-09-03 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Malwarebytes
2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 17:40 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-03 17:40 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-03 17:39 . 2008-09-03 17:39 <DIR> d-------- C:\Program Files\iPod
2008-09-03 15:56 . 2008-09-03 17:15 <DIR> d-------- C:\Documents and Settings\RaY YaN\Contacts
2008-09-03 15:56 . 2008-09-03 15:57 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Program Files\ViStart
2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Program Files\ViOrb
2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\ViStart
2008-09-02 01:31 . 2008-09-02 01:31 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-09-02 01:31 . 2008-09-02 04:56 43,602 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2008-09-02 01:30 . 2008-09-02 01:30 <DIR> d-------- C:\Program Files\Gabest
2008-09-02 01:28 . 2008-09-02 04:56 <DIR> d-------- C:\Program Files\AutoGK
2008-08-30 16:52 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-08-30 16:52 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-08-30 16:17 . 2008-08-30 16:17 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-08-29 18:06 . 2008-08-29 18:06 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\IObit
2008-08-26 15:06 . 2008-09-03 17:14 <DIR> d-------- C:\Program Files\Windows Live
2008-08-24 20:54 . 2008-08-24 20:54 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\SystemRequirementsLab
2008-08-24 20:53 . 2008-08-24 20:53 <DIR> d-------- C:\WINDOWS\Sun
2008-08-24 19:05 . 2008-08-24 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Codemasters
2008-08-24 19:04 . 2008-08-24 19:04 <DIR> d-------- C:\Program Files\OpenAL
2008-08-24 19:04 . 2008-04-28 16:53 805,400 -ra------ C:\WINDOWS\system32\tmp1FA.tmp
2008-08-24 19:04 . 2008-04-28 16:53 805,400 -ra------ C:\WINDOWS\system32\tmp1F9.tmp
2008-08-24 19:04 . 2008-08-24 19:04 444,952 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-08-24 19:04 . 2008-08-24 19:04 109,080 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-08-24 13:07 . 2008-08-24 21:50 181 --a------ C:\WINDOWS\system32\sam.ini
2008-08-24 13:06 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-08-24 13:06 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-08-24 13:05 . 2008-08-27 10:58 <DIR> d-------- C:\Program Files\Game Elements
2008-08-24 13:05 . 2006-02-16 09:54 487,424 --a------ C:\WINDOWS\system32\FDRpage.dll
2008-08-24 13:05 . 2005-12-09 12:24 192,512 --a------ C:\WINDOWS\system32\CreateDir.exe
2008-08-24 13:05 . 2006-01-04 16:39 77,824 --a------ C:\WINDOWS\system32\FDRdriver.dll
2008-08-24 12:37 . 2008-08-24 12:37 <DIR> d-------- C:\Program Files\Common Files\DirectX
2008-08-24 12:24 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-08-24 12:24 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-08-23 01:42 . 2008-08-23 01:43 <DIR> dr------- C:\Program Files\TypingMaster
2008-08-23 01:42 . 2008-08-23 01:44 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\TypingMaster7
2008-08-22 19:15 . 2008-08-23 14:14 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\SPORE Creature Creator
2008-08-22 14:07 . 2008-08-25 02:06 <DIR> d-------- C:\Program Files\bobyte
2008-08-20 21:03 . 2008-08-20 21:03 <DIR> d-------- C:\Program Files\Comical
2008-08-20 14:27 . 2008-08-30 12:52 97 --a------ C:\WINDOWS\WirelessFTP.INI
2008-08-19 21:34 . 2008-08-24 01:33 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\LimeWire
2008-08-19 15:00 . 2008-08-19 15:08 <DIR> d-------- C:\UnrealSpecial
2008-08-19 14:58 . 1998-01-23 12:22 304,128 --a------ C:\WINDOWS\IsUninst.exe
2008-08-16 14:23 . 2008-08-16 14:23 <DIR> d-------- C:\Program Files\X-Projects
2008-08-16 13:45 . 2008-08-16 13:45 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Xbins
2008-08-15 16:02 . 2008-08-15 16:02 <DIR> d-------- C:\KA
2008-08-15 14:43 . 2008-08-15 14:43 <DIR> d-------- C:\Program Files\Disney Interactive
2008-08-15 14:43 . 2008-08-15 14:43 462 --a------ C:\WINDOWS\Disney.ini
2008-08-15 14:30 . 2008-08-15 14:37 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\ImgBurn
2008-08-15 14:25 . 1994-09-21 03:30 12,800 --a------ C:\WINDOWS\system32\WING32.DLL
2008-08-15 14:25 . 2008-08-15 16:03 170 --a------ C:\WINDOWS\KA.INI
2008-08-15 14:24 . 1995-10-12 09:00 282,112 --a------ C:\WINDOWS\uninst.exe
2008-08-15 14:22 . 2008-08-15 14:22 <DIR> d-------- C:\Documents and Settings\RaY YaN\WINDOWS
2008-08-15 02:05 . 2001-08-17 22:36 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2008-08-15 02:05 . 2001-08-17 22:36 138,752 --a--c--- C:\WINDOWS\system32\dllcache\sndvol32.exe
2008-08-14 14:10 . 2008-09-01 19:44 26 --a------ C:\WINDOWS\popcinfo.dat
2008-08-14 02:18 . 2008-08-14 02:18 <DIR> dr-h----- C:\Documents and Settings\RaY YaN\Application Data\SecuROM
2008-08-14 02:18 . 2008-09-02 19:35 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Bioshock
2008-08-14 02:18 . 2008-08-22 19:15 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-08-14 01:43 . 2008-08-14 01:43 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\InstallShield
2008-08-14 00:41 . 2008-08-14 00:45 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-08-13 22:49 . 2008-08-13 22:49 <DIR> d-------- C:\Program Files\id Software
2008-08-13 21:52 . 2001-08-23 17:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-08-13 21:51 . 2001-08-23 17:00 1,817,687 --a--c--- C:\WINDOWS\system32\dllcache\bckgres.dll
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-08-13 21:50 . 2008-08-13 21:50 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-08-13 21:48 . 2001-08-23 17:00 7,680 --a--c--- C:\WINDOWS\system32\dllcache\inetmgr.exe
2008-08-13 21:42 . 2004-08-04 00:56 152,576 --a------ C:\WINDOWS\system32\irftp.exe
2008-08-13 21:42 . 2004-08-04 00:56 27,136 --a------ C:\WINDOWS\system32\irmon.dll
2008-08-13 21:42 . 2004-08-04 00:56 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2008-08-13 21:40 . 2004-08-04 00:56 32,866 --a------ C:\WINDOWS\system32\slrundll.exe
2008-08-13 21:40 . 2008-06-11 14:48 18,772 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-08-13 21:16 . 2008-08-13 21:16 <DIR> d-------- C:\Program Files\SigmaTel
2008-08-13 21:16 . 2006-05-26 17:58 4,886,528 --a------ C:\WINDOWS\system32\stacgui.cpl
2008-08-13 21:16 . 2006-05-26 17:59 1,177,032 --a------ C:\WINDOWS\system32\drivers\sthda.sys
2008-08-13 21:16 . 2006-05-09 00:21 1,069,056 --a------ C:\WINDOWS\system32\stlang.dll
2008-08-13 21:16 . 2006-05-26 17:58 282,624 --a------ C:\WINDOWS\sttray.exe
2008-08-13 21:16 . 2006-05-26 17:58 217,088 --a------ C:\WINDOWS\system32\stacapi.dll
2008-08-13 21:16 . 2006-05-26 17:58 117,248 --a------ C:\WINDOWS\system32\staco.dll
2008-08-13 21:16 . 2006-05-26 17:58 86,016 --a------ C:\WINDOWS\system32\stacsv.exe
2008-08-13 21:05 . 2008-08-13 21:05 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
2008-08-13 21:03 . 2001-08-23 17:00 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2008-08-13 21:02 . 2004-08-04 03:56 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-08-13 21:01 . 2008-08-13 21:05 <DIR> d-------- C:\Inetpub
2008-08-13 21:00 . 2008-08-13 21:17 4,980 --a------ C:\WINDOWS\setupapi.old
2008-08-13 20:58 . 2008-09-04 16:33 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-08-13 00:34 . 2008-08-13 00:34 <DIR> d-------- C:\Program Files\uTorrent
2008-08-13 00:34 . 2008-09-07 02:03 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\uTorrent
2008-08-13 00:33 . 2008-08-13 00:33 <DIR> d-------- C:\Program Files\filehippo.com
2008-08-12 23:23 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-08-12 23:23 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-08-12 23:23 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-08-12 15:19 . 2004-11-12 14:19 204,800 --a------ C:\WINDOWS\system32\Ffpage.dll
2008-08-12 15:19 . 2003-12-17 15:20 69,632 --a------ C:\WINDOWS\system32\Ffdriver.dll
2008-08-12 13:34 . 2008-08-12 13:34 <DIR> d-------- C:\Program Files\Zuma deluxe
2008-08-12 13:31 . 2008-08-12 13:31 <DIR> d-------- C:\Program Files\Alawar
2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\WINDOWS\Lost in the City
2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\Program Files\Lost in the City
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\The Mystery of the Crystal Portal
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\Forgotten Riddles - The Moonlight Sonatas
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\Deep Voyage
2008-08-12 13:29 . 2008-08-12 13:30 <DIR> d-------- C:\Program Files\The Mystery of the Crystal Portal
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\Program Files\Forgotten Riddles - The Moonlight Sonatas
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\Program Files\Deep Voyage
2008-08-12 12:53 . 2004-08-04 03:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-12 12:53 . 1998-09-02 11:02 194,320 --a------ C:\WINDOWS\system32\qcut.dll
2008-08-12 12:53 . 1998-08-20 14:02 140,800 --a------ C:\WINDOWS\system32\tm20dec.ax
2008-08-12 12:53 . 1998-09-02 11:28 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
2008-08-12 12:53 . 1998-09-02 11:28 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
2008-08-12 12:53 . 1998-08-17 12:21 11,776 --a------ C:\WINDOWS\system32\mciqtz.drv
2008-08-12 12:53 . 1998-08-17 12:21 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
2008-08-12 12:53 . 1998-08-17 12:21 5,672 --a------ C:\WINDOWS\system32\quartz.vxd
2008-08-12 12:53 . 2008-08-12 12:53 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 09:56 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-12 18:36 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
.

((((((((((((((((((((((((((((( snapshot@2008-09-07_15.37.02.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-07 12:35:34 217,219 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-09-08 11:32:17 217,219 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-08-10 16384]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SW24"="C:\WINDOWS\system32\sw24.exe" [2006-02-22 69632]
"SW20"="C:\WINDOWS\system32\sw20.exe" [2006-02-22 208896]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-06-10 1447168]
"TClock Light"="D:\Program Files\T-Clock\tclock.exe" [2004-09-07 44544]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Logitech SetPoint"="C:\Program Files\Logitech\SetPoint\KEM.exe" [2004-05-14 573440]
"Fraps"="C:\PROGRAM FILES\FRAPS\FRAPS.EXE" [2008-01-14 3182248]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
"SigmatelSysTrayApp"="sttray.exe" [2006-05-26 C:\WINDOWS\sttray.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-08-02 292152]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=

S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [ ]
S3 SetupNTGLM7X;SetupNTGLM7X;I:\NTGLM7X.sys [ ]
S4 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-10 307968]
S4 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\autorun.exe
\Shell\Demo\command - JSDemo.exe
\Shell\help\command - kahelp.exe
\Shell\Setup\command - L:\setup.exe
\Shell\website\command - L:\website.exe
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-08 14:32:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
.
**************************************************************************
.
Completion time: 2008-09-08 14:34:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-08 11:34:02
ComboFix2.txt 2008-09-07 12:37:22

Pre-Run: 8,470,482,944 bytes free
Post-Run: 8,457,781,248 bytes free

243 --- E O F --- 2008-09-08 10:53:53

This is the HijackThis log after running ComboFix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:07 PM, on 9/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\STacSV.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\PROGRAM FILES\FRAPS\FRAPS.EXE
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\RaY YaN\Desktop\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
O4 - HKCU\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
O4 - HKCU\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKCU\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKCU\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKCU\..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe
O4 - HKCU\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [TClock Light] D:\Program Files\T-Clock\tclock.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Logitech SetPoint] C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - HKCU\..\Run: [Fraps] C:\PROGRAM FILES\FRAPS\FRAPS.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 6964 bytes


Thanks for your help, PC is running fine.

Senior Member
8. September 2008 @ 07:47
Hey Ray92

You look clean. Enjoy!

Best Regards :D

Life is but a dream; you don't feel any pain unless you want to or you fall off the bed.
Success is relative; the more success, the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; that's a dumb question.

Senior Member
8. September 2008 @ 07:49
Here is the ComboFix log:

ComboFix 08-09-05.02 - RaY YaN 2008-09-08 14:30:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.615 [GMT 3:00]
Running from: C:\Documents and Settings\RaY YaN\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\RaY YaN\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\System32\cheeto.exe
C:\Windows\System32\mpt.exe
C:\Documents and Settings\RaY YaN\Application Data\inst.exe . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
.

2008-09-04 15:55 . 2008-09-04 15:55 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-04 15:55 . 2008-09-05 18:47 <DIR> d-------- C:\Program Files\RivaTuner v2.10
2008-09-03 20:01 . 2008-09-03 20:01 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-03 20:01 . 2008-09-03 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Malwarebytes
2008-09-03 17:40 . 2008-09-03 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 17:40 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-03 17:40 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-03 17:39 . 2008-09-03 17:39 <DIR> d-------- C:\Program Files\iPod
2008-09-03 15:56 . 2008-09-03 17:15 <DIR> d-------- C:\Documents and Settings\RaY YaN\Contacts
2008-09-03 15:56 . 2008-09-03 15:57 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Program Files\ViStart
2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Program Files\ViOrb
2008-09-03 01:02 . 2008-09-03 01:02 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\ViStart
2008-09-02 01:31 . 2008-09-02 01:31 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-09-02 01:31 . 2008-09-02 04:56 43,602 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2008-09-02 01:30 . 2008-09-02 01:30 <DIR> d-------- C:\Program Files\Gabest
2008-09-02 01:28 . 2008-09-02 04:56 <DIR> d-------- C:\Program Files\AutoGK
2008-08-30 16:52 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-08-30 16:52 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-08-30 16:17 . 2008-08-30 16:17 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-08-29 18:06 . 2008-08-29 18:06 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\IObit
2008-08-26 15:06 . 2008-09-03 17:14 <DIR> d-------- C:\Program Files\Windows Live
2008-08-24 20:54 . 2008-08-24 20:54 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\SystemRequirementsLab
2008-08-24 20:53 . 2008-08-24 20:53 <DIR> d-------- C:\WINDOWS\Sun
2008-08-24 19:05 . 2008-08-24 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Codemasters
2008-08-24 19:04 . 2008-08-24 19:04 <DIR> d-------- C:\Program Files\OpenAL
2008-08-24 19:04 . 2008-04-28 16:53 805,400 -ra------ C:\WINDOWS\system32\tmp1FA.tmp
2008-08-24 19:04 . 2008-04-28 16:53 805,400 -ra------ C:\WINDOWS\system32\tmp1F9.tmp
2008-08-24 19:04 . 2008-08-24 19:04 444,952 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-08-24 19:04 . 2008-08-24 19:04 109,080 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-08-24 13:07 . 2008-08-24 21:50 181 --a------ C:\WINDOWS\system32\sam.ini
2008-08-24 13:06 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-08-24 13:06 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-08-24 13:05 . 2008-08-27 10:58 <DIR> d-------- C:\Program Files\Game Elements
2008-08-24 13:05 . 2006-02-16 09:54 487,424 --a------ C:\WINDOWS\system32\FDRpage.dll
2008-08-24 13:05 . 2005-12-09 12:24 192,512 --a------ C:\WINDOWS\system32\CreateDir.exe
2008-08-24 13:05 . 2006-01-04 16:39 77,824 --a------ C:\WINDOWS\system32\FDRdriver.dll
2008-08-24 12:37 . 2008-08-24 12:37 <DIR> d-------- C:\Program Files\Common Files\DirectX
2008-08-24 12:24 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-08-24 12:24 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-08-23 01:42 . 2008-08-23 01:43 <DIR> dr------- C:\Program Files\TypingMaster
2008-08-23 01:42 . 2008-08-23 01:44 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\TypingMaster7
2008-08-22 19:15 . 2008-08-23 14:14 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\SPORE Creature Creator
2008-08-22 14:07 . 2008-08-25 02:06 <DIR> d-------- C:\Program Files\bobyte
2008-08-20 21:03 . 2008-08-20 21:03 <DIR> d-------- C:\Program Files\Comical
2008-08-20 14:27 . 2008-08-30 12:52 97 --a------ C:\WINDOWS\WirelessFTP.INI
2008-08-19 21:34 . 2008-08-24 01:33 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\LimeWire
2008-08-19 15:00 . 2008-08-19 15:08 <DIR> d-------- C:\UnrealSpecial
2008-08-19 14:58 . 1998-01-23 12:22 304,128 --a------ C:\WINDOWS\IsUninst.exe
2008-08-16 14:23 . 2008-08-16 14:23 <DIR> d-------- C:\Program Files\X-Projects
2008-08-16 13:45 . 2008-08-16 13:45 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Xbins
2008-08-15 16:02 . 2008-08-15 16:02 <DIR> d-------- C:\KA
2008-08-15 14:43 . 2008-08-15 14:43 <DIR> d-------- C:\Program Files\Disney Interactive
2008-08-15 14:43 . 2008-08-15 14:43 462 --a------ C:\WINDOWS\Disney.ini
2008-08-15 14:30 . 2008-08-15 14:37 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\ImgBurn
2008-08-15 14:25 . 1994-09-21 03:30 12,800 --a------ C:\WINDOWS\system32\WING32.DLL
2008-08-15 14:25 . 2008-08-15 16:03 170 --a------ C:\WINDOWS\KA.INI
2008-08-15 14:24 . 1995-10-12 09:00 282,112 --a------ C:\WINDOWS\uninst.exe
2008-08-15 14:22 . 2008-08-15 14:22 <DIR> d-------- C:\Documents and Settings\RaY YaN\WINDOWS
2008-08-15 02:05 . 2001-08-17 22:36 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2008-08-15 02:05 . 2001-08-17 22:36 138,752 --a--c--- C:\WINDOWS\system32\dllcache\sndvol32.exe
2008-08-14 14:10 . 2008-09-01 19:44 26 --a------ C:\WINDOWS\popcinfo.dat
2008-08-14 02:18 . 2008-08-14 02:18 <DIR> dr-h----- C:\Documents and Settings\RaY YaN\Application Data\SecuROM
2008-08-14 02:18 . 2008-09-02 19:35 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\Bioshock
2008-08-14 02:18 . 2008-08-22 19:15 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-08-14 01:43 . 2008-08-14 01:43 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\InstallShield
2008-08-14 00:41 . 2008-08-14 00:45 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-08-13 22:49 . 2008-08-13 22:49 <DIR> d-------- C:\Program Files\id Software
2008-08-13 21:52 . 2001-08-23 17:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-08-13 21:51 . 2001-08-23 17:00 1,817,687 --a--c--- C:\WINDOWS\system32\dllcache\bckgres.dll
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-08-13 21:50 . 2008-08-13 21:50 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-08-13 21:50 . 2008-08-13 21:50 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-08-13 21:48 . 2001-08-23 17:00 7,680 --a--c--- C:\WINDOWS\system32\dllcache\inetmgr.exe
2008-08-13 21:42 . 2004-08-04 00:56 152,576 --a------ C:\WINDOWS\system32\irftp.exe
2008-08-13 21:42 . 2004-08-04 00:56 27,136 --a------ C:\WINDOWS\system32\irmon.dll
2008-08-13 21:42 . 2004-08-04 00:56 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2008-08-13 21:40 . 2004-08-04 00:56 32,866 --a------ C:\WINDOWS\system32\slrundll.exe
2008-08-13 21:40 . 2008-06-11 14:48 18,772 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-08-13 21:16 . 2008-08-13 21:16 <DIR> d-------- C:\Program Files\SigmaTel
2008-08-13 21:16 . 2006-05-26 17:58 4,886,528 --a------ C:\WINDOWS\system32\stacgui.cpl
2008-08-13 21:16 . 2006-05-26 17:59 1,177,032 --a------ C:\WINDOWS\system32\drivers\sthda.sys
2008-08-13 21:16 . 2006-05-09 00:21 1,069,056 --a------ C:\WINDOWS\system32\stlang.dll
2008-08-13 21:16 . 2006-05-26 17:58 282,624 --a------ C:\WINDOWS\sttray.exe
2008-08-13 21:16 . 2006-05-26 17:58 217,088 --a------ C:\WINDOWS\system32\stacapi.dll
2008-08-13 21:16 . 2006-05-26 17:58 117,248 --a------ C:\WINDOWS\system32\staco.dll
2008-08-13 21:16 . 2006-05-26 17:58 86,016 --a------ C:\WINDOWS\system32\stacsv.exe
2008-08-13 21:05 . 2008-08-13 21:05 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
2008-08-13 21:03 . 2001-08-23 17:00 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2008-08-13 21:02 . 2004-08-04 03:56 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-08-13 21:01 . 2008-08-13 21:05 <DIR> d-------- C:\Inetpub
2008-08-13 21:00 . 2008-08-13 21:17 4,980 --a------ C:\WINDOWS\setupapi.old
2008-08-13 20:58 . 2008-09-04 16:33 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-08-13 00:34 . 2008-08-13 00:34 <DIR> d-------- C:\Program Files\uTorrent
2008-08-13 00:34 . 2008-09-07 02:03 <DIR> d-------- C:\Documents and Settings\RaY YaN\Application Data\uTorrent
2008-08-13 00:33 . 2008-08-13 00:33 <DIR> d-------- C:\Program Files\filehippo.com
2008-08-12 23:23 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-08-12 23:23 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-08-12 23:23 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-08-12 15:19 . 2004-11-12 14:19 204,800 --a------ C:\WINDOWS\system32\Ffpage.dll
2008-08-12 15:19 . 2003-12-17 15:20 69,632 --a------ C:\WINDOWS\system32\Ffdriver.dll
2008-08-12 13:34 . 2008-08-12 13:34 <DIR> d-------- C:\Program Files\Zuma deluxe
2008-08-12 13:31 . 2008-08-12 13:31 <DIR> d-------- C:\Program Files\Alawar
2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\WINDOWS\Lost in the City
2008-08-12 13:30 . 2008-08-12 13:30 <DIR> d-------- C:\Program Files\Lost in the City
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\The Mystery of the Crystal Portal
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\Forgotten Riddles - The Moonlight Sonatas
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\WINDOWS\Deep Voyage
2008-08-12 13:29 . 2008-08-12 13:30 <DIR> d-------- C:\Program Files\The Mystery of the Crystal Portal
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\Program Files\Forgotten Riddles - The Moonlight Sonatas
2008-08-12 13:29 . 2008-08-12 13:29 <DIR> d-------- C:\Program Files\Deep Voyage
2008-08-12 12:53 . 2004-08-04 03:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-12 12:53 . 1998-09-02 11:02 194,320 --a------ C:\WINDOWS\system32\qcut.dll
2008-08-12 12:53 . 1998-08-20 14:02 140,800 --a------ C:\WINDOWS\system32\tm20dec.ax
2008-08-12 12:53 . 1998-09-02 11:28 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
2008-08-12 12:53 . 1998-09-02 11:28 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
2008-08-12 12:53 . 1998-08-17 12:21 11,776 --a------ C:\WINDOWS\system32\mciqtz.drv
2008-08-12 12:53 . 1998-08-17 12:21 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
2008-08-12 12:53 . 1998-08-17 12:21 5,672 --a------ C:\WINDOWS\system32\quartz.vxd
2008-08-12 12:53 . 2008-08-12 12:53 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 09:56 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-12 18:36 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
.

((((((((((((((((((((((((((((( snapshot@2008-09-07_15.37.02.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-07 12:35:34 217,219 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-09-08 11:32:17 217,219 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-08-10 16384]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SW24"="C:\WINDOWS\system32\sw24.exe" [2006-02-22 69632]
"SW20"="C:\WINDOWS\system32\sw20.exe" [2006-02-22 208896]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-06-10 1447168]
"TClock Light"="D:\Program Files\T-Clock\tclock.exe" [2004-09-07 44544]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Logitech SetPoint"="C:\Program Files\Logitech\SetPoint\KEM.exe" [2004-05-14 573440]
"Fraps"="C:\PROGRAM FILES\FRAPS\FRAPS.EXE" [2008-01-14 3182248]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
"SigmatelSysTrayApp"="sttray.exe" [2006-05-26 C:\WINDOWS\sttray.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-08-02 292152]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=

S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [ ]
S3 SetupNTGLM7X;SetupNTGLM7X;I:\NTGLM7X.sys [ ]
S4 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-10 307968]
S4 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\autorun.exe
\Shell\Demo\command - JSDemo.exe
\Shell\help\command - kahelp.exe
\Shell\Setup\command - L:\setup.exe
\Shell\website\command - L:\website.exe
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-08 14:32:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
.
**************************************************************************
.
Completion time: 2008-09-08 14:34:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-08 11:34:02
ComboFix2.txt 2008-09-07 12:37:22

Pre-Run: 8,470,482,944 bytes free
Post-Run: 8,457,781,248 bytes free

243 --- E O F --- 2008-09-08 10:53:53

This is the HijackThis log after running combofix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:07 PM, on 9/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\STacSV.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\PROGRAM FILES\FRAPS\FRAPS.EXE
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\RaY YaN\Desktop\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
O4 - HKCU\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
O4 - HKCU\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKCU\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKCU\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKCU\..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe
O4 - HKCU\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [TClock Light] D:\Program Files\T-Clock\tclock.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Logitech SetPoint] C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - HKCU\..\Run: [Fraps] C:\PROGRAM FILES\FRAPS\FRAPS.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 6964 bytes


Thanks for your help, the PC is running fine.




(+[_]%) 1: 2.60 > 2.80 > 2.81 >3.03 > 1.50 > 3.52M33 > 3.52M33-4 > 3.90M33 > 3.90M33-3 > 4.01M33 > 4.01M33-2 > 5.00M33 > 5.00M33-3
My GAMING LAPTOP!! : Acer Aspire 5930G - P8400 2.26Ghz//4 GB DDR2//GeForce 9600M GT 512MB GDDR3
Ultimate Handheld/Portable Gaming Device :P
Senior Member
_
8. September 2008 @ 08:39 _ Link to this message    Send private message to this user   
Originally posted by Ray92:
Is it okay if I post a HijackThis log for my laptop here as well?

No problem. Just give me the HijackThis log and I'll look at it. And what is up with all these combofix and hijackthis logs? There must be a thousand around here!

And stop using keygens!!!!! All cracks are potential malware which prey on people, and they are illegal as well. If you like a piece of software so much that you will risk infection for it, you might as well buy it.

Life is but a dream; you dont feel any pain unless you want to or you fall off the bed.
Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; thats a dumb question.

This message has been edited since posting. Last time this message was edited on 8. September 2008 @ 08:40

Senior Member

2 product reviews
_
8. September 2008 @ 09:40 _ Link to this message    Send private message to this user   
Originally posted by cdavfrew:

And stop using keygens!!!!! All cracks are potential malware which prey on people, and they are illegal as well. If you like a software so much that you will risk infection for it, you might as well buy it.
I stopped some time ago, this was the only one left. It too has gone now :P
Everything else I have is now freeware :D

EDITED :P

Thanks for your help



(+[_]%) 1: 2.60 > 2.80 > 2.81 >3.03 > 1.50 > 3.52M33 > 3.52M33-4 > 3.90M33 > 3.90M33-3 > 4.01M33 > 4.01M33-2 > 5.00M33 > 5.00M33-3
My GAMING LAPTOP!! : Acer Aspire 5930G - P8400 2.26Ghz//4 GB DDR2//GeForce 9600M GT 512MB GDDR3
Ultimate Handheld/Portable Gaming Device :P

This message has been edited since posting. Last time this message was edited on 9. September 2008 @ 15:17

Senior Member
_
8. September 2008 @ 09:51 _ Link to this message    Send private message to this user   
Hey Ray92

Now, please download Combofix.
With Combofix, at the download window, please rename it to Combo-fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.


? Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
? Wait for the scan to be completed.
? If it requires a reboot, please do it.
? After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

Best Regards :D

Life is but a dream; you dont feel any pain unless you want to or you fall off the bed.
Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; thats a dumb question.

Senior Member

2 product reviews
_
8. September 2008 @ 10:16 _ Link to this message    Send private message to this user   
Here is the comboFIX log:

ComboFix 08-09-05.02 -

EDITED :P

274

It didn't require a reboot




(+[_]%) 1: 2.60 > 2.80 > 2.81 >3.03 > 1.50 > 3.52M33 > 3.52M33-4 > 3.90M33 > 3.90M33-3 > 4.01M33 > 4.01M33-2 > 5.00M33 > 5.00M33-3
My GAMING LAPTOP!! : Acer Aspire 5930G - P8400 2.26Ghz//4 GB DDR2//GeForce 9600M GT 512MB GDDR3
Ultimate Handheld/Portable Gaming Device :P

This message has been edited since posting. Last time this message was edited on 9. September 2008 @ 15:15

Senior Member
_
8. September 2008 @ 10:31 _ Link to this message    Send private message to this user   
Hey Ray92

Firstly, open Notepad. Copy/paste the contents below, and then save it as fix.bat.


@echo off 
REM stop the rogue service named in the log, then remove its registration
sc stop UJQBOBBM 
sc delete UJQBOBBM 
exit 

Run fix.bat.
Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.


Open Notepad and copy/paste the text in the code box below into it:


File::
C:\Windows\System32\cheeto.exe
C:\Windows\System32\mpt.exe
C:\Windows\System32\mpxa.exe
C:\Users\RaYYaN\AppData\Local\Temp\UJQBOBBM.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

Save this as CFScript.txt in the same folder as Combofix.

Then drag the CFScript.txt into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the ComboFix log here. The log will be located at C:\ComboFix(.txt).

Do not click on the ComboFix window, as it may cause it to stall.

If you didn't reboot before, do it now, and then post the Combofix log and a new HijackThis log here.

Best Regards :D

PS: BioShock is an awesomely cool but weird game. :P

Life is but a dream; you dont feel any pain unless you want to or you fall off the bed.
Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; thats a dumb question.

This message has been edited since posting. Last time this message was edited on 8. September 2008 @ 10:33
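The two things cdavfrew's script above acts on (random-named files under File:: and a MountPoints2 key under Registry::) are exactly what Ray92's ComboFix "Reg Loading Points" block and HijackThis O4 lines show. The following is an added example of how that triage can be done over the log text rather than by eye; it is not code from this thread, from ComboFix or from HijackThis. The eight-letter mixed-case stem heuristic, the Finding class, the known_good list and the sample log are my own, and two of the sample lines (the WvUkJgWp.dll file entry and the byXOecDW Run entry) are constructed to show what a hit looks like. It only produces text for review; it does not touch the registry or delete anything.

```python
"""Triage of ComboFix / HijackThis log lines for the symptoms in this thread.

Added example for this thread; it is not part of ComboFix, HijackThis or
WinPatrol.  Everything it flags is a heuristic to be reviewed by hand.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, List

# Stem shape of the DLL names in the opening post (WvUkJgWp, byXOecDW, ...):
# exactly eight ASCII letters mixing upper and lower case.
RANDOM_STEM = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{8}$")

# Drive-letter path ending in a .dll or .exe basename, as ComboFix and
# HijackThis print them (spaces allowed inside the directory part).
WIN_PATH = re.compile(r'([A-Za-z]:\\(?:[^"\[\]\r\n]*?\\)?([A-Za-z0-9_~\-]+)\.(dll|exe))\b', re.I)

REG_SECTION = re.compile(r"^\[-?(?P<key>[^\]]+)\]\s*$")   # [HKEY...] or [-HKEY...]
AUTORUN_CMD = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+\S", re.I)
FIREWALL_OFF = re.compile(r'^"EnableFirewall"\s*=\s*0\b')


@dataclass
class Finding:
    kind: str    # "random-dll", "autorun" or "firewall-off"
    detail: str  # file path, registry key, or value name
    line: str    # the log line that triggered the finding


def triage(log_text: str, known_good: Iterable[str] = ()) -> List[Finding]:
    """Walk the log once, tracking the current [registry section], and
    collect (1) files whose stem looks randomly generated, (2) autorun
    commands hung off Explorer's MountPoints2 keys, (3) a disabled firewall.
    known_good holds stems to suppress; the heuristic alone also matches
    NvMcTray.dll, a legitimate NVIDIA file present in the log above."""
    ok = {s.lower() for s in known_good}
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_SECTION.match(line)
        if m:
            section = m.group("key")
            continue
        if "mountpoints2" in section.lower() and AUTORUN_CMD.match(line):
            findings.append(Finding("autorun", section, line))
            continue
        if "firewallpolicy" in section.lower() and FIREWALL_OFF.match(line):
            findings.append(Finding("firewall-off", "EnableFirewall", line))
            continue
        for path, stem, _ext in WIN_PATH.findall(line):
            if RANDOM_STEM.match(stem) and stem.lower() not in ok:
                findings.append(Finding("random-dll", path, line))
    return findings


def build_cfscript(findings: Iterable[Finding]) -> str:
    """Render the two CFScript directives used in this thread: File:: for
    paths to remove and Registry:: with [-KEY] lines for keys to delete.
    The firewall finding is reported only; re-enable it by hand."""
    fs = list(findings)
    files = sorted({f.detail for f in fs if f.kind == "random-dll"})
    keys = sorted({f.detail for f in fs if f.kind == "autorun"})
    parts = []
    if files:
        parts.append("File::\n" + "\n".join(files))
    if keys:
        parts.append("Registry::\n" + "\n".join(f"[-{k}]" for k in keys))
    return "\n\n".join(parts) + ("\n" if parts else "")


# Constructed sample: lines copied from the logs in this thread plus two
# made-up lines (the WvUkJgWp.dll file entry and the byXOecDW Run entry).
SAMPLE_LOG = r"""
2008-08-13 21:16 . 2006-05-26 17:58 117,248 --a------ C:\WINDOWS\system32\staco.dll
2008-08-27 19:02 . 2008-08-27 19:02 231,424 --a------ C:\WINDOWS\system32\WvUkJgWp.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\autorun.exe
\Shell\Setup\command - L:\setup.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [byXOecDW] RUNDLL32.EXE C:\WINDOWS\system32\byXOecDW.dll,a
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, known_good={"NvMcTray"})
    for h in hits:
        print(f"{h.kind:12} {h.detail}")
    print(build_cfscript(hits))
```

Run without the known_good argument to see the false positive the stem heuristic produces on NvMcTray.dll; a name-shape rule is only a first pass, and anything it lists should be checked against the file's signer and location before it goes into a File:: section.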

Senior Member

2 product reviews
_
8. September 2008 @ 12:00 _ Link to this message    Send private message to this user   
Originally posted by cdavfrew:

PS: BioShock is an awesomely cool but weird game. :P
I know, I've finished it :P

This is the COMBOFIX log:

EDITED :P



(+[_]%) 1: 2.60 > 2.80 > 2.81 >3.03 > 1.50 > 3.52M33 > 3.52M33-4 > 3.90M33 > 3.90M33-3 > 4.01M33 > 4.01M33-2 > 5.00M33 > 5.00M33-3
My GAMING LAPTOP!! : Acer Aspire 5930G - P8400 2.26Ghz//4 GB DDR2//GeForce 9600M GT 512MB GDDR3
Ultimate Handheld/Portable Gaming Device :P

This message has been edited since posting. Last time this message was edited on 9. September 2008 @ 15:13

Senior Member

2 product reviews
_
8. September 2008 @ 12:03 _ Link to this message    Send private message to this user   
Originally posted by cdavfrew:

PS: BioShock is an awesomely cool but weird game. :P
I know, I've finished it :P

This is the COMBOFIX log:

EDITED :P


Thanks



(+[_]%) 1: 2.60 > 2.80 > 2.81 >3.03 > 1.50 > 3.52M33 > 3.52M33-4 > 3.90M33 > 3.90M33-3 > 4.01M33 > 4.01M33-2 > 5.00M33 > 5.00M33-3
My GAMING LAPTOP!! : Acer Aspire 5930G - P8400 2.26Ghz//4 GB DDR2//GeForce 9600M GT 512MB GDDR3
Ultimate Handheld/Portable Gaming Device :P

This message has been edited since posting. Last time this message was edited on 9. September 2008 @ 15:11
