12-29-2007, 09:39 AM   #1   ssj4Gogeta (Location: India; OS: Windows XP SP2, Vista, Ubuntu Intrepid Ibex, Leopard (Kalyway))

Duplicate Processes Running... Please Help!!!

Hi,
Today when I started my computer, I found that there were some extra processes running. They have the same names as the processes which usually run on my computer, except that they have an extra space before ".exe". For instance, there are two googletalk processes now: one is the normal "googletalk.exe" and the other is "googletalk .exe" (space before ".exe").
Similarly, there are other duplicate processes too. Norton didn't detect any viruses. I tried System Restore, but all my restore points are gone, except one called "Last Known Good Configuration", which also doesn't work.
Please help me.
12-30-2007, 11:47 PM   #2   Angelfire777 (Moderator/Analyst, Security Team; Rangemaster, TSF Academy; OS: XP)

Re: Duplicate Processes Running... Please Help!!!

Hi, welcome to TSF!

Please click Here to download HijackThis to your desktop.

Click the Download button. When the Trend Micro HJT install box appears, double click on the HJTInstall.exe. Click on Install.

It will be installed by default here: C:\Program Files\Trend Micro\HijackThis

A shortcut to the application will also be placed on your Desktop.

The program will open automatically after installation.

You can double-click the icon that was placed on the Desktop to run subsequent HijackThis scans or you can use the icon inside the folder. The folder HijackThis is where you will find the HJT logs that you save. When you use the application to remove anything, you will also find the backup copies made by HJT inside this folder.

Click on "Do a system scan and save logfile". When the log pops up in Notepad, copy and paste that file back here.
12-31-2007, 02:30 AM   #3   ssj4Gogeta (Location: India; OS: Windows XP SP2, Vista, Ubuntu Intrepid Ibex, Leopard (Kalyway))

Re: Duplicate Processes Running... Please Help!!!

Hi
Thanks for replying.
I've installed HijackThis and have scanned my system. But before posting the log, I would like to tell you something that I found out, which might be useful. I observed that all my original processes have been renamed with a space. For example, "xyz.exe" has been renamed to "xyz .exe" and in place of the original process, a new file has been created in the same folder with the original name ("xyz.exe" in this case). The renamed processes ("xyz .exe") do not appear in the startup list of msconfig.exe. Instead, when the startup calls "xyz.exe", the process itself calls "xyz .exe".
So, this means that when I start my computer, xyz.exe (the duplicate process) is called, which calls my renamed original process "xyz .exe".
There's also a new startup item, ddabx.exe. Besides, there is also a file called ddabx.dll on my hard disk, which I cannot delete.


Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:43:10 PM, on 12/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ps2.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\igfxpers .exe
C:\WINDOWS\system32\hkcmd .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\WINDOWS\system32\ps2 .exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD .exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Google Talk\googletalk .exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddabx.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [fc94ca9b] rundll32.exe "C:\WINDOWS\system32\hlxffkaf.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{10A40F4A-8B17-43C6-995D-D601E4C2DE14}: NameServer = 192.168.1.1,218.248.255.161
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10766 bytes
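A way to check an HJT-style log for the rename pattern the OP describes, as an added example that is not part of the original post or of HijackThis: it reads the "Running processes" list and the O4 Run-key lines, pairs every "name .exe" with its space-free twin "name.exe", and notes whether a startup entry still points at the twin (the dropped launcher). The sample log is a constructed, trimmed excerpt of this thread's own log, and the function names are ours.

```python
import re

# Constructed sample: a trimmed excerpt of the HijackThis log posted in this
# thread (the paths are the thread's own; the selection of lines is ours).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:43:10 PM, on 12/31/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxpers .exe
C:\WINDOWS\system32\hkcmd .exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\Google Talk\googletalk .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddabx.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [fc94ca9b] rundll32.exe "C:\WINDOWS\system32\hlxffkaf.dll",b
"""

# "name .exe": one or more spaces squeezed between the stem and the extension.
SPACED_EXT = re.compile(r"^(?P<stem>.*\S) +(?P<ext>\.[A-Za-z0-9]+)$")
# Executable path of an O4 Run-key item, with or without surrounding quotes.
O4_PATH = re.compile(r'^O4 - .*?\] "?(?P<path>[^"]*?\.exe)', re.IGNORECASE)


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' in an HJT log."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        if line.strip() == "Running processes:":
            in_section = True
        elif in_section:
            if not line.strip():
                break  # the first blank line ends the section
            paths.append(line.strip())
    return paths


def startup_items(log_text):
    """Return the lower-cased executable paths referenced by O4 Run-key lines."""
    return {m.group("path").lower()
            for m in map(O4_PATH.match, log_text.splitlines()) if m}


def companion_pairs(paths):
    """Pair every 'name .exe' with its space-free twin 'name.exe'.

    Returns (launcher, renamed_original) tuples: the twin without the space is
    the file that startup still points at; the spaced one is the renamed
    legitimate program it hands off to. Comparison is case-insensitive, as
    Windows file names are.
    """
    by_key = {p.lower(): p for p in paths}
    pairs = []
    for p in paths:
        m = SPACED_EXT.match(p)
        if m is None:
            continue
        twin = m.group("stem") + m.group("ext")
        if twin.lower() in by_key:
            pairs.append((by_key[twin.lower()], p))
    return pairs


def report(log_text):
    """Combine both checks: which companion launchers are wired into startup."""
    startup = startup_items(log_text)
    return [
        {"launcher": launcher, "renamed_original": original,
         "in_startup": launcher.lower() in startup}
        for launcher, original in companion_pairs(running_processes(log_text))
    ]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        flag = "startup entry" if row["in_startup"] else "no startup entry"
        print(f'{row["launcher"]}  ->  {row["renamed_original"]}  [{flag}]')
```

A spaced name with no twin in the process list is not reported, and the same pairing works on a ComboFix file listing once the paths are extracted from its columns.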
12-31-2007, 03:02 AM   #4   Angelfire777 (Moderator/Analyst, Security Team; Rangemaster, TSF Academy; OS: XP)

Re: Duplicate Processes Running... Please Help!!!

Hi,

That's because of a Vundo file infector. No worries..

Download combofix.exe
  • Save it to your desktop.
  • Double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.
Note:
  • In case you already used ComboFix previously, please delete the version you have and download it again, because ComboFix is updated every day.
  • Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • Do not post the ComboFix-quarantined-files.txt unless I ask you to.
  • If your antivirus software is detecting ComboFix or a part of it as a virus, please choose to ignore it, as antivirus products cannot determine the good/bad use of some software embedded in ComboFix.
12-31-2007, 09:11 AM   #5   ssj4Gogeta (Location: India; OS: Windows XP SP2, Vista, Ubuntu Intrepid Ibex, Leopard (Kalyway))

Re: Duplicate Processes Running... Please Help!!!

Hi,
Here are my logs:

ComboFix Log

ComboFix 07-12-31.4 - Kai Hiwatari 2007-12-31 20:25:11.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.621 [GMT 5.5:30]
Running from: C:\Documents and Settings\Kai Hiwatari\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\HP\KBD\KBD.EXE
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Norton Internet Security\osCheck.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Sony\SonicStage\SsAAD.exe
C:\WINDOWS\system32\byxvvtu.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\ddabx.dll
C:\WINDOWS\system32\ddabx.exe
C:\WINDOWS\system32\ddcdcya.dll
C:\WINDOWS\system32\eklfwwuq.dll
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\jkklmnn.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\quwwflke.ini
C:\WINDOWS\system32\rednaijs.dll
C:\WINDOWS\system32\winemx32.dll
C:\WINDOWS\system32\xbadd.ini
C:\WINDOWS\system32\xbadd.ini2

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
.

2007-12-31 20:16 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-31 15:47 . 2007-12-31 15:47 348,160 --a------ C:\WINDOWS\system32\RCX41.tmp
2007-12-31 14:42 . 2007-12-31 14:42 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-31 02:02 . 2007-12-31 20:19 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-31 02:01 . 2007-12-31 20:18 114,688 --a------ C:\WINDOWS\system32\igfxpers .exe
2007-12-31 02:01 . 2007-12-31 20:18 77,824 --a------ C:\WINDOWS\system32\hkcmd .exe
2007-12-31 00:56 . 2007-12-31 00:56 <DIR> d-------- C:\Documents and Settings\Kai Hiwatari\Application Data\AntiSpyware
2007-12-30 16:12 . 2007-12-30 16:12 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-12-30 01:49 . 2007-12-31 14:41 1,031,439 ---hs---- C:\WINDOWS\system32\fakffxlh.ini
2007-12-29 23:12 . 2007-12-29 23:12 <DIR> d-------- C:\HJT
2007-12-29 20:46 . 2007-12-29 20:46 <DIR> d-------- C:\Program Files\Boonty
2007-12-29 20:28 . 2007-12-29 20:28 348,160 --a------ C:\WINDOWS\system32\RCX40.tmp
2007-12-29 17:44 . 2007-12-29 17:44 348,160 --a------ C:\WINDOWS\system32\RCX44.tmp
2007-12-29 17:44 . 2007-12-31 20:19 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2007-12-29 17:44 . 2007-12-31 20:18 94,208 --a------ C:\WINDOWS\system32\igfxtray .exe
2007-12-29 17:44 . 2007-12-31 20:18 90,112 --a------ C:\WINDOWS\system32\ps2 .exe
2007-12-22 15:38 . 2007-12-22 15:38 <DIR> d-------- C:\FPC
2007-12-22 14:41 . 2007-12-22 14:41 <DIR> d-------- C:\DJGPP
2007-12-19 15:43 . 2007-12-19 15:43 <DIR> d-------- C:\Documents and Settings\Kai Hiwatari\Application Data\Dev-Cpp
2007-12-19 15:42 . 2007-12-19 15:42 <DIR> d-------- C:\Dev-Cpp
2007-12-18 22:08 . 2007-12-18 22:09 <DIR> d-------- C:\Program Files\Sonic
2007-12-16 09:28 . 2007-12-16 09:28 <DIR> d-------- C:\Documents and Settings\Kai Hiwatari\Application Data\Sonic
2007-12-16 09:27 . 2007-12-16 09:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-12-09 19:09 . 2007-12-09 19:09 <DIR> d-------- C:\Program Files\CrossHair
2007-12-09 18:08 . 2002-02-28 23:45 142,336 --a------ C:\WINDOWS\system32\rjsodcb.ocx
2007-12-09 18:08 . 2005-01-08 13:07 56,832 --a------ C:\WINDOWS\system32\rjseos.ocx
2007-12-09 18:08 . 2002-02-26 18:25 34,816 --a------ C:\WINDOWS\system32\rjsmeta.dll
2007-12-09 18:08 . 2003-01-22 19:37 29,696 --a------ C:\WINDOWS\system32\SSubTmr.dll
2007-12-09 18:08 . 2005-03-23 23:54 21,504 --a------ C:\WINDOWS\system32\rjsfile.dll
2007-12-09 18:08 . 2001-09-30 00:05 16,896 --a------ C:\WINDOWS\system32\RJSSUB.OCX
2007-12-09 18:08 . 2004-07-16 01:01 3,142 --a------ C:\WINDOWS\system32\rjsodcb.DEP
2007-12-09 18:07 . 2007-12-09 18:07 <DIR> d-------- C:\Program Files\RJS Office
2007-12-09 18:07 . 2001-03-21 21:34 244,232 --a------ C:\WINDOWS\system32\Msflxgrd.ocx
2007-12-09 18:07 . 2003-05-11 23:10 220,672 --a------ C:\WINDOWS\system32\VBALTBAR.OCX
2007-12-09 18:07 . 2003-04-01 15:19 111,616 --a------ C:\WINDOWS\system32\CPOPMENU.OCX
2007-12-09 18:07 . 2000-04-03 18:52 94,208 --a------ C:\WINDOWS\system32\MsStkPrp.dll
2007-12-09 18:07 . 2003-04-01 07:33 83,968 --a------ C:\WINDOWS\system32\VBALIML.OCX
2007-12-09 18:07 . 2000-03-18 00:40 55,296 --a------ C:\WINDOWS\system32\VBALTAB.OCX
2007-12-09 18:07 . 2002-03-17 17:56 23,040 --a------ C:\WINDOWS\system32\RJSINET.OCX
2007-12-09 18:06 . 2007-12-09 18:07 9,616 --a------ C:\WINDOWS\SETUP.LST
2007-12-09 17:51 . 2007-12-09 17:51 <DIR> d-------- C:\Program Files\GraphPap
2007-12-05 22:36 . 2007-12-05 22:36 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-12-05 21:39 . 2007-12-05 21:39 <DIR> d-------- C:\Program Files\Real
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-30 19:24 . 2007-11-30 19:24 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-11-27 20:16 . 2007-11-27 20:16 282 --a------ C:\WINDOWS\game.ini
2007-11-25 13:30 . 2007-05-29 13:55 22,112 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-11-25 13:30 . 2007-05-29 13:55 10,592 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2007-11-25 13:30 . 2007-05-29 13:55 705 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2007-11-24 00:22 . 2007-03-08 05:21 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-11-23 20:14 . 2007-11-23 20:14 <DIR> d-------- C:\Documents and Settings\Kai Hiwatari\Application Data\WinBatch
2007-11-23 19:32 . 2007-11-23 19:32 <DIR> d-------- C:\Intel
2007-11-22 19:07 . 2007-11-22 19:07 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-11-22 18:54 . 2007-11-22 18:54 208 --a------ C:\WINDOWS\HpBestModeUpdatePatchLog.ini
2007-11-22 17:52 . 2007-11-22 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-22 17:51 . 2007-11-22 17:51 <DIR> d-------- C:\Program Files\Yahoo!
2007-11-22 16:49 . 2007-11-22 16:49 <DIR> d-------- C:\Documents and Settings\Kai Hiwatari\Shared
2007-11-22 16:42 . 2007-11-22 16:42 <DIR> d-------- C:\Documents and Settings\Kai Hiwatari\Incomplete
2007-11-22 16:40 . 2007-11-22 16:40 <DIR> d-------- C:\Program Files\Kundli
2007-11-22 16:40 . 1999-04-23 22:22 1,056,768 --a------ C:\WINDOWS\system32\MSJET35.DLL
2007-11-22 16:40 . 1999-04-23 22:22 430,080 --a------ C:\WINDOWS\system32\MSREPL35.DLL
2007-11-22 16:40 . 1998-04-24 00:00 368,912 --a------ C:\WINDOWS\system32\VBAR332.DLL
2007-11-22 16:40 . 1998-10-01 15:22 299,520 --a------ C:\WINDOWS\uninst.exe
2007-11-22 16:40 . 1998-04-24 00:00 252,176 --a------ C:\WINDOWS\system32\MSRD2X35.DLL
2007-11-22 16:40 . 1998-06-24 00:00 200,496 --a------ C:\WINDOWS\system32\DBLIST32.OCX
2007-11-22 16:40 . 1998-04-24 00:00 123,664 --a------ C:\WINDOWS\system32\MSJINT35.DLL
2007-11-22 16:40 . 1998-08-11 00:26 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-11-22 16:40 . 1998-04-24 00:00 24,848 --a------ C:\WINDOWS\system32\MSJTER35.DLL
2007-11-22 16:39 . 2007-11-22 16:39 <DIR> d-------- C:\Program Files\LimeWire
2007-11-22 16:39 . 2007-11-22 16:39 <DIR> d-------- C:\Documents and Settings\Kai Hiwatari\Application Data\LimeWire
2007-11-17 15:13 . 2006-07-28 09:30 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-11-17 15:13 . 2006-07-28 09:30 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-11-17 15:11 . 2007-11-17 15:12 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-11-16 22:25 . 2007-11-16 22:25 <DIR> d-------- C:\Documents and Settings\Kai Hiwatari\Application Data\Activision
2007-11-15 01:07 . 2007-11-15 01:07 <DIR> d-------- C:\Program Files\KGB Archiver
2007-11-12 01:04 . 2007-11-12 01:04 <DIR> d-------- C:\Program Files\RichVideoCodec
2007-11-12 00:57 . 2007-11-12 00:57 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-11-12 00:55 . 2007-11-12 00:55 <DIR> d-------- C:\WINDOWS\system32\Adobe
2007-11-12 00:55 . 2004-08-17 06:10 16,384 --a------ C:\WINDOWS\system32\FileOps.exe
2007-11-12 00:43 . 2007-11-12 00:43 <DIR> d-------- C:\Documents and Settings\Kai Hiwatari\Application Data\AntsSoft
2007-11-12 00:42 . 2007-11-12 00:42 <DIR> d-------- C:\Program Files\SWFText
2007-11-07 12:41 . 2007-11-07 12:41 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-11-06 23:30 . 2004-08-18 10:44 442,368 --a------ C:\WINDOWS\system32\vp6vfw.dll
2007-11-06 22:43 . 2007-11-06 22:43 <DIR> dr-h----- C:\Documents and Settings\Kai Hiwatari\Application Data\SecuROM
2007-11-06 22:43 . 2007-11-06 22:43 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 14:23 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
2007-12-30 14:23 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-12-05 10:22 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-05 10:22 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-05 10:22 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-05 10:22 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-30 13:54 1,386,496 ----a-w C:\WINDOWS\system32\msvbvm60.dll
2007-11-22 13:24 180,315 ----a-w C:\WINDOWS\system32\hpzsnt12.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 14:25 625,032 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-30 14:25 39,856 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-30 14:25 37,936 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-30 14:25 35,120 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-30 14:25 27,696 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-30 14:25 242,056 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-10-30 14:25 191,536 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-30 14:25 145,968 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-30 14:25 12,848 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-10-30 13:54 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-30 13:54 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-30 09:47 --------- d-----w C:\Program Files\Microsoft Student
2007-10-30 09:47 --------- d-----w C:\Program Files\Learning Essentials
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 21:41 164,352 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2007-10-28 21:39 73,728 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2007-10-26 03:36 8,454,656 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-21 16:09 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
2007-10-15 12:50 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:56 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:56 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 10:59 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
.
----a-w            77,824 2007-12-31 14:48:52  C:\WINDOWS\system32\hkcmd .exe
----a-w            94,208 2007-12-31 14:48:50  C:\WINDOWS\system32\igfxtray .exe
----a-w           114,688 2007-12-31 14:48:52  C:\WINDOWS\system32\igfxpers .exe
----a-w            15,360 2007-12-31 14:49:22  C:\WINDOWS\system32\ctfmon .exe
----a-w            90,112 2007-12-31 14:48:58  C:\WINDOWS\system32\ps2 .exe
----a-w           155,648 2007-12-31 14:49:00  C:\WINDOWS\system32\NeroCheck .exe
----a-w           455,168 2007-12-31 14:48:50  C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP .EXE
----a-w           208,952 2007-12-31 14:48:50  C:\WINDOWS\ime\IMJP8_1\IMJPMIG .EXE
----a-w           158,208 2007-12-30 20:32:08  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w           115,816 2007-12-31 14:49:06  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w           583,048 2007-12-29 15:08:52  C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
----a-w           185,632 2007-12-31 14:49:10  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w         1,694,208 2007-12-31 14:49:22  C:\Program Files\Messenger\msmsgs .exe
----a-w            49,152 2007-12-31 14:48:54  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w            81,920 2007-12-31 14:48:58  C:\Program Files\Sony\SonicStage\SsAAD .exe
----a-w            40,048 2007-12-31 14:49:04  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w         3,739,648 2007-12-31 14:49:20  C:\Program Files\Google\Google Talk\googletalk .exe
----a-w           222,208 2007-12-31 14:49:04  C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication .exe
----a-w           487,424 2007-12-31 14:49:04  C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe
----a-w           771,704 2007-12-29 15:08:40  C:\Program Files\Norton Internet Security\osCheck .exe
----a-w            61,440 2007-12-31 14:48:58  C:\HP\KBD\KBD .EXE

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-30 19:53 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 17:02 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 17:02 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 17:02 455168]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 15:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [ ]
"KBD"="C:\HP\KBD\KBD.EXE" [ ]
"PS2"="C:\WINDOWS\system32\ps2.exe" [ ]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [ ]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [ ]
"SoundMan"="SOUNDMAN.EXE" [2005-05-03 18:43 90112 C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2005-05-04 10:01 2805248 C:\WINDOWS\alcwzrd.exe]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]

C:\Documents and Settings\Kai Hiwatari\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-11 00:10:05]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-11 00:10:05]

R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-11-09 20:37]
S3 2bf53d6f-a04a-476c-b19a-ac023665fadd;2bf53d6f-a04a-476c-b19a-ac023665fadd;G:\Player\cds300.dll []
S3 c221440b-26a7-40b8-bbb9-a67f47043425;c221440b-26a7-40b8-bbb9-a67f47043425;F:\Player\cds300.dll []
S3 USB_RNDIS_51;USB Remote NDIS Device Driver;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-03 17:34]
S3 UTS2pl;Motorola Serial port driver;C:\WINDOWS\system32\DRIVERS\UTS2pl.sys [2004-05-25 14:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5a5e816-490f-11dc-9f8a-0013d390e04f}]
\Shell\AutoRun\command - G:\AUTORUN.EXE

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-12-24 15:24:10 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Kai Hiwatari.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2007-12-30 16:46:02 C:\WINDOWS\Tasks\WebReg psc 1400 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
"2007-12-30 19:26:34 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
- C:\Program Files\AntiSpywareApp\AntiSpyware.ex
- C:\Program Files\AntiSpywareApp
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-31 20:34:41
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-31 20:36:07 - machine was rebooted
C:\qoobox\ComboFix-quarantined-files.txt 2007-12-31 1506
.
2007-12-31 10:12:20 --- E O F ---

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:28 PM, on 12/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{10A40F4A-8B17-43C6-995D-D601E4C2DE14}: NameServer = 192.168.1.1,218.248.255.161
O17 - HKLM\System\CCS\Services\Tcpip\..\{F905C99E-3F93-4FB4-B808-DBD1B4D5377A}: NameServer = 218.248.240.46 218.248.255.146
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10309 bytes


ComboFix deleted all the infected files. But now some apps (including Norton) are not working (because of that space...). Is there a way to automatically rename those files?

Thank you and wish you a very happy new year.
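The listing above shows the pattern the thread is about: a second copy of each autostart program whose name has a space before the extension ("hkcmd .exe" beside hkcmd.exe). As an added example that is not part of the thread and not ComboFix's own code, here is a Python script that parses ComboFix-style listing and Run-key lines, flags names with whitespace before the extension, and builds a dry-run restore plan that refuses to overwrite a file still present under the normal name; the sample lines and the `present_paths` list are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# One ComboFix file-listing line, e.g.
#   ----a-w            77,824 2007-12-31 14:48:52  C:\WINDOWS\system32\hkcmd .exe
LISTING_RE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>\S.*?)\s*$"
)
# One Run-key line from the "Reg Loading Points" section, e.g.
#   "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ]
RUNKEY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
# A file name with whitespace between stem and extension ("hkcmd .exe", "TINTSETP .EXE").
SPACED_EXT_RE = re.compile(r"^(?P<stem>.+?)\s+(?P<ext>\.[A-Za-z0-9]+)$")

# Constructed sample in the ComboFix format (a handful of lines, not a full log).
SAMPLE_LOG = r"""
----a-w            77,824 2007-12-31 14:48:52  C:\WINDOWS\system32\hkcmd .exe
----a-w            15,360 2007-12-31 14:49:22  C:\WINDOWS\system32\ctfmon .exe
----a-w         3,739,648 2007-12-31 14:49:20  C:\Program Files\Google\Google Talk\googletalk .exe
----a-w           487,424 2007-12-31 14:49:04  C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-30 19:53 15360]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [ ]
""".strip().splitlines()


def restored_name(path):
    """Return the path with the stray space removed, or None if the name is already normal."""
    p = PureWindowsPath(path)
    m = SPACED_EXT_RE.match(p.name)
    if m is None:
        return None
    return str(p.parent / (m["stem"] + m["ext"]))


def parse_log(lines):
    """Split log lines into file-listing entries and Run-key autostart paths (lower-cased)."""
    files, autostart = [], {}
    for line in lines:
        fm = LISTING_RE.match(line)
        if fm:
            files.append({"path": fm["path"], "size": int(fm["size"].replace(",", ""))})
            continue
        rm = RUNKEY_RE.match(line)
        if rm:
            autostart[rm["path"].lower()] = rm["name"]
    return files, autostart


def plan_restore(lines, present_paths=()):
    """Pair every spaced file with its restored name; never plan over an existing target.

    present_paths: paths known to still exist on disk (constructed here, would come from
    os.path.exists on the real machine). Each item records which Run-key entry, if any,
    points at the restored name, i.e. which autostart program the rename would fix."""
    files, autostart = parse_log(lines)
    present = {p.lower() for p in present_paths}
    plan, conflicts = [], []
    for f in files:
        target = restored_name(f["path"])
        if target is None:
            continue  # normal name, nothing to do
        item = {"from": f["path"], "to": target, "autostart": autostart.get(target.lower())}
        (conflicts if target.lower() in present else plan).append(item)
    return plan, conflicts


if __name__ == "__main__":
    todo, clash = plan_restore(SAMPLE_LOG, present_paths=[r"C:\WINDOWS\system32\ctfmon.exe"])
    for item in todo:
        print(f"restore  {item['from']} -> {item['to']}  (autostart: {item['autostart']})")
    for item in clash:
        print(f"conflict {item['from']} -> {item['to']} already exists, review by hand")
```

The plan is only printed; performing the renames is a separate, deliberate step once the conflicts have been reviewed.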
Old 12-31-2007, 09:16 AM   #6 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 3,045
OS: XP


Re: Duplicate Processes Running... Please Help!!!

Yup. There's a way to rename those back. But wait for my instructions before doing anything.

We're currently celebrating the new year with some fireworks so I'll have to get back to you tomorrow morning.

Happy new year too
__________________
Proud member of UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Old 12-31-2007, 09:44 AM   #7 (permalink)
Custom User Title
Join Date: Dec 2007
Location: India
Posts: 1,341
OS: Windows XP SP2, Vista, Ubuntu Intrepid Ibex, Leopard (Kalyway)


Re: Duplicate Processes Running... Please Help!!!

Fine.
There's still a coupla hours for the new year in my part of the world...
Anyway, enjoy!
Old 12-31-2007, 07:00 PM   #8 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 3,045
OS: XP


Re: Duplicate Processes Running... Please Help!!!

Hi,

Can you please attach C:\Combofix.txt to your next post?

The forum software strips some spaces in the logs so it will be more accurate if I take a look at the original log.
__________________
Proud member of UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Old 12-31-2007, 09:52 PM   #9 (permalink)
Custom User Title
Join Date: Dec 2007
Location: India
Posts: 1,341
OS: Windows XP SP2, Vista, Ubuntu Intrepid Ibex, Leopard (Kalyway)


Re: Duplicate Processes Running... Please Help!!!

Hi,
I've attached the log.
Attached Files
File Type: txt ComboFix.txt (20.8 KB, 2 views)
Old 01-01-2008, 03:37 AM   #10 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 3,045
OS: XP


Re: Duplicate Processes Running... Please Help!!!

Hi,

Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
______

*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

AntispywareApp
Please uninstall that program since it is considered a Rogue Antispyware application as listed HERE.

*An optional item that I would recommend be uninstalled.

LimeWire
This program is very likely the reason your system is infested with malware. Even when a program like this is not infected itself, it will still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove this program from your system.

*Delete the following folders if you uninstalled LimeWire:

C:\Program Files\LimeWire
C:\Documents and Settings\Kai Hiwatari\Application Data\LimeWire
C:\Documents and Settings\Kai Hiwatari\Shared
C:\Documents and Settings\Kai Hiwatari\Incomplete


*If you noticed, I listed the Boonty folder for deletion. Please read this:

http://www.castleco