|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
11-07-2008, 03:30 PM
|
#1 (permalink) |
|
Registered User
Join Date: Nov 2008
Location: Central Florida
Posts: 10
OS: XP SP3
|
Computer controlled!
Running windows XP SP3. Was not running any protection other than microsoft's and got bit. IE gets redirected and infected message bubble appears. Windows showed protection off and several messages. I disconnected from the internet and removed my external backup drive. Amazingly I had shut off sync to the backup drive before I got infected. I am posting from an old laptop and also used this to download ad-aware, spybot, AVG free 8.0 and Malwarebytes' anti-malware. From AVG attempted to run vcleaner before installing AVG. It completed and installed AVG. Unable to get definition updates. Ran then froze. Ad-Aware found and removed some. Ran ATF-cleaner. RegCleaner would not run. Malware's found and removed some more. unable to start in safe-mode. Was able to start in safe-mode with msconfig. Ran Malware's again a few times. Restarted in normal and used gmer and rsit. Logs to follow:
Logfile of random's system information tool 1.04 (written by random/random) Run by Administrator at 2008-11-07 17:04:40 Microsoft Windows XP Professional Service Pack 3 System drive C: has 342 GB (72%) free of 477 GB Total RAM: 2047 MB (61% free) HijackThis download failed ======Scheduled tasks folder====== C:\WINDOWS\tasks\AppleSoftwareUpdate.job C:\WINDOWS\tasks\nphzhsmw.job C:\WINDOWS\tasks\xzlxwwpn.job ======Registry dump====== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] {724d43a0-0d85-11d4-9908-00400523e39a} - &RoboForm - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2008-10-05 5759816] {A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-11-07 2055960] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "AudioDrvEmulator"=C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe [2005-06-16 49152] "{3e-e9-91-1f-dw}"=C:\windows\system32\dwwnw64r.exe DWmmm01 [] "Zune Launcher"=c:\Program Files\Zune\ZuneLauncher.exe [2008-01-11 166304] "xsjfn83jkemfofght"=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogin.exe [2008-11-06 15000] "VolPanel"=C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe [2005-07-11 122880] "UpdReg"=C:\WINDOWS\UpdReg.EXE [2000-05-11 90112] "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe [2008-02-22 144784] "rs32net"=C:\WINDOWS\System32\rs32net.exe [] "RCSystem"=C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe [2005-06-16 49152] "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-09-06 413696] "prunnet"=C:\WINDOWS\system32\prun.exe [2008-11-06 34816] "nwiz"=nwiz.exe /install [] "NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2007-12-05 81920] "NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2007-12-05 8523776] "NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-01 153136] "mxomssmenu"=C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe [2008-07-21 169312] "Logitech Hardware Abstraction Layer"=C:\WINDOWS\KHALMNPR.EXE [2008-02-29 76304] "Launch LGDCore"=C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe [2007-12-13 2095640] "Launch LCDMon"=C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe [2007-12-13 2051096] "LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2006-05-18 49152] "kernel and hardware abstraction layer"=C:\WINDOWS\KHALMNPR.EXE [2008-02-29 76304] "iupd721"=C:\Documents and Settings\Administrator\Application Data\NI.GSCNS\IUpd721.exe [2008-11-06 403968] "iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576] "hpqsrmon"=C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [2008-03-13 81920] "HPHmon03"=C:\WINDOWS\system32\hphmon03.exe [] "HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe [2006-01-13 196608] "hp software update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-10-14 49152] "exploreupdsched"=C:\WINDOWS\system32\lcntstdl.exe DWmmm01 [] "ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-08-05 64512] "e4b3e9b0"=C:\WINDOWS\system32\tcukvwrd.dll [] "CTxfiHlp"=C:\WINDOWS\system32\CTXFIHLP.EXE [2006-08-17 18944] "CTHelper"=C:\WINDOWS\CTHELPER.EXE [2006-08-17 17920] "CTDVDDET"=C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE [2003-06-18 45056] "brastk"=brastk.exe [] "avg8_tray"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-11-07 1234712] "applesyncnotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-09-03 111936] "AlienFXController"=c:\program files\alienware\alienware alienfx\alienwarealienfxcontroller.exe [2006-09-13 311296] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-10-18 204288] "updateMgr"=c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472] "RoboForm"=C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [2008-10-05 160592] "MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232] "LDM"=C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-08-15 32768] "H/PC Connection Agent"=D:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000] "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360] "Creative Detector"=C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe [2004-12-02 102400] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-06-27 152872] "xsjfn83jkemfofght"=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogin.exe [2008-11-06 15000] "prunnet"=C:\WINDOWS\system32\prun.exe [2008-11-06 34816] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "Network Monitor"=2 "cmdService"=2 C:\Documents and Settings\All Users\Start Menu\Programs\Startup Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe Logitech Harmony Remote V5.lnk - C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Documents and Settings\Administrator\Start Menu\Programs\Startup Deewoo.lnk - C:\WINDOWS\system32\lcntstdl.exe DW_Start.lnk - C:\WINDOWS\system32\dwwnw64r.exe [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLS"="karna.dat" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn] c:\program files\common files\logitech\bluetooth\LBTWlgn.dll [2008-05-02 72208] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB] C:\Program Files\AlienGUIse\fastload.dll [2001-12-20 24576] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati1yfxx.sys] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ati1yfxx.sys] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WdfLoadGroup] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDriveTypeAutoRun"=145 "NoFolderOptions"=0 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "D:\Program Files\Microsoft ActiveSync\rapimgr.exe"="D:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager" "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"="D:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager" "D:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="D:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application" "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Disabled:Logitech Desktop Messenger" "C:\Program Files\Logitech\Harmony Remote\HarmonyClient"="C:\Program Files\Logitech\Harmony Remote\HarmonyClient:*:Enabled:Logitech Harmony Remote Software V5" "C:\Program Files\Logitech\Harmony Remote\PatchHelper.exe"="C:\Program Files\Logitech\Harmony Remote\PatchHelper.exe:*:Enabled:Remote Control Software Patch Helper" "E:\setup\HPZnui01.exe"="E:\setup\HPZnui01.exe:*:Enabled:hpznui01.exe" "C:\Documents and Settings\Administrator\Local Settings\Temp\7zS5F.tmp\setup\HPZnui01.exe"="C:\Documents and Settings\Administrator\Local Settings\Temp\7zS5F.tmp\setup\HPZnui01.exe:*:Enabled:hpznui01.exe" "C:\Documents and Settings\Administrator\Local Settings\Temp\7zSF.tmp\setup\HPZnui01.exe"="C:\Documents and Settings\Administrator\Local Settings\Temp\7zSF.tmp\setup\HPZnui01.exe:*:Enabled:hpznui01.exe" "C:\Documents and Settings\Administrator\Local Settings\Temp\7zS4F.tmp\setup\HPZnui01.exe"="C:\Documents and Settings\Administrator\Local Settings\Temp\7zS4F.tmp\setup\HPZnui01.exe:*:Enabled:hpznui01.exe" "C:\Documents and Settings\Administrator\Local Settings\Temp\7zS3.tmp\setup\HPZnui01.exe"="C:\Documents and Settings\Administrator\Local Settings\Temp\7zS3.tmp\setup\HPZnui01.exe:*:Enabled:hpznui01.exe" "C:\Documents and Settings\Administrator\Local Settings\Temp\7zS4.tmp\setup\HPZnui01.exe"="C:\Documents and Settings\Administrator\Local Settings\Temp\7zS4.tmp\setup\HPZnui01.exe:*:Enabled:hpznui01.exe" "C:\Documents and Settings\Administrator\Local Settings\Temp\7zS2.tmp\setup\HPZnui01.exe"="C:\Documents and Settings\Administrator\Local Settings\Temp\7zS2.tmp\setup\HPZnui01.exe:*:Enabled:hpznui01.exe" "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe" "C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe" "C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe" "C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe" "C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe" "C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe" "C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe" "C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe" "C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe" "C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe"="C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4" "C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe"="C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4 Warlords" "C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe"="C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Pitboss" "C:\Program Files\Common Files\Ahead\Nero Web\SetupX.exe"="C:\Program Files\Common Files\Ahead\Nero Web\SetupX.exe:*:Enabled:Nero ProductSetup" "C:\Documents and Settings\Administrator\Local Settings\Temp\Nero Web\SetupXu.exe"="C:\Documents and Settings\Administrator\Local Settings\Temp\Nero Web\SetupXu.exe:*:Enabled:Nero ProductSetup" "C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe"="C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7" "C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour" "C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes" "C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent" "C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "D:\Program Files\Microsoft ActiveSync\rapimgr.exe"="D:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager" "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"="D:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager" "D:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="D:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application" "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger" "C:\Program Files\Logitech\Harmony Remote\HarmonyClient"="C:\Program Files\Logitech\Harmony Remote\HarmonyClient:*:Enabled:Logitech Harmony Remote Software V5" "C:\Program Files\Logitech\Harmony Remote\PatchHelper.exe"="C:\Program Files\Logitech\Harmony Remote\PatchHelper.exe:*:Enabled:Remote Control Software Patch Helper" "C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe"="C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83fd7505-4b81-11dc-82e9-00155838d8cc}] shell\autorun\command - H:\PortableRoboForm.exe shell\roboform2go\command - H:\PortableRoboForm.exe ======List of files/folders created in the last 1 months====== 2008-11-07 17:04:41 ----D---- C:\Program Files\trend micro 2008-11-07 17:04:40 ----D---- C:\rsit 2008-11-07 16:43:56 ----A---- C:\WINDOWS\gmer.ini 2008-11-07 16:43:54 ----A---- C:\WINDOWS\gmer_uninstall.cmd 2008-11-07 16:43:54 ----A---- C:\WINDOWS\gmer.exe 2008-11-07 16:43:54 ----A---- C:\WINDOWS\gmer.dll 2008-11-07 16:35:12 ----HD---- C:\$AVG8.VAULT$ 2008-11-07 04:08:27 ----A---- C:\WINDOWS\system32\wini108023.exe 2008-11-07 03:11:57 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes 2008-11-07 03:11:49 ----D---- C:\Program Files\Malwarebytes' Anti-Malware 2008-11-07 03:11:49 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-11-07 02:10:58 ----D---- C:\Program Files\Lavasoft 2008-11-07 02:10:57 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-11-07 02:09:40 ----D---- C:\Program Files\Common Files\Wise Installation Wizard 2008-11-07 01:55:36 ----A---- C:\WINDOWS\system32\avgrsstx.dll 2008-11-07 01:55:29 ----D---- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR 2008-11-07 01:55:17 ----D---- C:\Program Files\AVG 2008-11-07 01:55:17 ----D---- C:\Documents and Settings\All Users\Application Data\avg8 2008-11-06 23:10:31 ----D---- C:\Documents and Settings\All Users\Application Data\HP Product Assistant 2008-11-06 22:59:03 ----A---- C:\WINDOWS\system32\tgdgdk.dll 2008-11-06 22:59:02 ----A---- C:\WINDOWS\system32\bbmdiyaa.dll 2008-11-06 22:58:36 ----A---- C:\WINDOWS\system32\ef902dce-.txt 2008-11-06 22:57:42 ----D---- C:\Documents and Settings\Administrator\Application Data\IUpd721 2008-11-06 22:52:46 ----A---- C:\WINDOWS\system32\sn.txt 2008-11-06 22:52:46 ----A---- C:\WINDOWS\search.yahoo.com-error.html 2008-11-06 22:52:43 ----A---- C:\WINDOWS\system32\g46.exe 2008-11-06 22:51:05 ----A---- C:\WINDOWS\system32\rjwnw64o.exe 2008-11-06 22:49:35 ----A---- C:\oxii.exe 2008-11-06 22:49:20 ----A---- C:\ulakr.exe 2008-11-06 22:49:18 ----D---- C:\Documents and Settings\Administrator\Application Data\gadcom 2008-11-06 22:49:15 ----A---- C:\depwvtw.exe 2008-11-06 22:49:14 ----D---- C:\Documents and Settings\Administrator\Application Data\NI.GSCNS 2008-11-06 22:49:12 ----SHD---- C:\WINDOWS\IA 2008-11-06 22:49:06 ----D---- C:\WINDOWS\system32\uvb 2008-11-06 22:49:06 ----D---- C:\WINDOWS\system32\T2 2008-11-06 22:49:06 ----D---- C:\WINDOWS\system32\NPX 2008-11-06 22:49:06 ----D---- C:\WINDOWS\system32\im 2008-11-06 22:49:04 ----D---- C:\WINDOWS\system32\QI19 2008-11-06 22:49:00 ----A---- C:\WINDOWS\system32\prun.exe 2008-11-06 21:26:57 ----A---- C:\WINDOWS\system32\ShellManager10E2D762.dll 2008-10-31 13:45:53 ----D---- C:\Program Files\DOSBox-0.72 2008-10-28 17:36:00 ----A---- C:\WINDOWS\system32\divx_xx0c.dll 2008-10-28 17:36:00 ----A---- C:\WINDOWS\system32\divx_xx07.dll 2008-10-28 17:35:58 ----A---- C:\WINDOWS\system32\divx_xx11.dll 2008-10-28 17:35:58 ----A---- C:\WINDOWS\system32\divx_xx0a.dll 2008-10-28 17:35:56 ----A---- C:\WINDOWS\system32\DivX.dll 2008-10-28 14:54:36 ----D---- C:\Program Files\DayDawn 2008-10-24 04:00:38 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$ 2008-10-21 04:22:23 ----D---- C:\Program Files\AviSynth 2.5 2008-10-21 04:22:23 ----A---- C:\WINDOWS\x2.64.exe 2008-10-21 04:22:23 ----A---- C:\WINDOWS\system32\yv12vfw.dll 2008-10-21 04:22:23 ----A---- C:\WINDOWS\system32\x.264.exe 2008-10-21 04:22:23 ----A---- C:\WINDOWS\system32\i420vfw.dll 2008-10-21 04:22:23 ----A---- C:\WINDOWS\system32\devil.dll 2008-10-21 04:22:23 ----A---- C:\WINDOWS\system32\AVSredirect.dll 2008-10-21 04:22:23 ----A---- C:\WINDOWS\system32\avisynth.dll 2008-10-21 04:22:23 ----A---- C:\WINDOWS\MOTA113.exe 2008-10-21 04:22:23 ----A---- C:\WINDOWS\meta4.exe 2008-10-21 04:21:44 ----RSH---- C:\WINDOWS\system32\nbDX.dll 2008-10-21 04:21:44 ----RSH---- C:\WINDOWS\system32\msfDX.dll 2008-10-21 04:21:44 ----RSH---- C:\WINDOWS\system32\flvDX.dll 2008-10-21 04:21:41 ----D---- C:\Program Files\eRightSoft 2008-10-15 04:03:19 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$ 2008-10-15 04:03:15 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$ 2008-10-15 04:03:12 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$ 2008-10-15 04:02:17 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$ 2008-10-15 04:02:10 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$ ======List of files/folders modified in the last 1 months====== 2008-11-07 17:04:41 ----RD---- C:\Program Files 2008-11-07 17:04:40 ----D---- C:\WINDOWS\Temp 2008-11-07 16:44:53 ----D---- C:\WINDOWS\Prefetch 2008-11-07 16:43:56 ----D---- C:\WINDOWS 2008-11-07 16:43:54 ----D---- C:\WINDOWS\system32\drivers 2008-11-07 16:41:31 ----D---- C:\WINDOWS\system32 2008-11-07 16:41:23 ----D---- C:\WINDOWS\Registration 2008-11-07 16:38:31 ----A---- C:\WINDOWS\SchedLgU.Txt 2008-11-07 16:35:06 ----SHD---- C:\System Volume Information 2008-11-07 16:35:06 ----D---- C:\WINDOWS\system32\Restore 2008-11-07 16:32:00 ----RASH---- C:\boot.ini 2008-11-07 16:32:00 ----A---- C:\WINDOWS\win.ini 2008-11-07 16:32:00 ----A---- C:\WINDOWS\system.ini 2008-11-07 14:40:10 ----RSHDC---- C:\WINDOWS\system32\dllcache 2008-11-07 14:37:11 ----D---- C:\WINDOWS\system32\CatRoot2 2008-11-07 13:15:25 ----SHD---- C:\WINDOWS\CSC 2008-11-07 02:11:25 ----HD---- C:\Config.Msi 2008-11-07 02:11:06 ----SHD---- C:\WINDOWS\Installer 2008-11-07 02:09:40 ----D---- C:\Program Files\Common Files 2008-11-06 22:51:01 ----SD---- C:\WINDOWS\Tasks 2008-11-06 22:49:20 ----A---- C:\WINDOWS\system32\user32.DLL 2008-11-06 22:49:19 ----D---- C:\temp 2008-11-06 21:47:23 ----D---- C:\WINDOWS\system32\ReinstallBackups 2008-11-06 21:47:08 ----HD---- C:\Program Files\InstallShield Installation Information 2008-11-06 21:46:41 ----D---- C:\Program Files\Maxtor 2008-11-06 21:43:03 ----D---- C:\WINDOWS\Downloaded Installations 2008-11-04 22:55:14 ----D---- C:\Program Files\DivX 2008-11-02 22:47:05 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI 2008-10-30 22:58:20 ----A---- C:\WINDOWS\NeroDigital.ini 2008-10-30 13:27:15 ----D---- C:\Program Files\SuperchipsUpdate 2008-10-24 05:08:42 ----D---- C:\Program Files\Microsoft Silverlight 2008-10-24 04:00:44 ----HD---- C:\WINDOWS\inf 2008-10-24 04:00:30 ----HD---- C:\WINDOWS\$hf_mig$ 2008-10-21 04:19:55 ----D---- C:\Documents and Settings\Administrator\Application Data\Tunebite 2008-10-21 04:19:55 ----A---- C:\Log.txt 2008-10-21 02:24:06 ----D---- C:\Documents and Settings\Administrator\Application Data\Free Download Manager 2008-10-20 21:01:50 ----D---- C:\WINDOWS\system32\Macromed 2008-10-20 16:35:54 ----SD---- C:\WINDOWS\Downloaded Program Files 2008-10-15 11:34:24 ----A---- C:\WINDOWS\system32\netapi32.dll 2008-10-15 05:13:17 ----D---- C:\WINDOWS\system32\wbem 2008-10-15 04:10:35 ----D---- C:\Program Files\Internet Explorer 2008-10-15 04:03:21 ----A---- C:\WINDOWS\imsins.BAK ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-07-01 36864] R1 avgldx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-11-07 97928] R1 avgmfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-11-07 26824] R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592] R1 PStrip;PStrip; C:\WINDOWS\system32\drivers\pstrip.sys [2004-11-09 21968] R1 TeksKernel;TeksKernel; C:\WINDOWS\System32\Drivers\TeksKernel.sys [2004-07-08 9060] R2 aksfridge;aksfridge; \??\C:\WINDOWS\system32\drivers\aksfridge.sys [] R2 Hardlock;Hardlock; \??\C:\WINDOWS\system32\drivers\hardlock.sys [] R2 Haspnt;Haspnt; \??\C:\WINDOWS\system32\drivers\Haspnt.sys [] R2 zumbus;Zune Bus Enumerator Driver; C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-01-11 40832] R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800] R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\system32\drivers\ctac32k.sys [2006-08-17 502272] R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2006-08-17 500480] R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\system32\drivers\ctprxy2k.sys [2006-08-17 7168] R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\drivers\ctsfm2k.sys [2006-08-17 143872] R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\system32\drivers\emupia2k.sys [2006-08-17 78336] R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464] R3 ha20x2k;Creative 20X HAL Driver; C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-08-17 1110528] R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368] R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys [2008-02-29 35344] R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys [2008-02-29 36880] R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160] R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824] R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-12-05 7435392] R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-03-22 52736] R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-03-22 18944] R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2006-08-17 116224] R3 tbhsd;Tunebite High-Speed Dubbing; C:\WINDOWS\system32\drivers\tbhsd.sys [2008-02-20 27936] R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128] R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208] R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520] R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152] R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368] R3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000] S2 HidCom;USB-HID -> COM Driver Service; C:\WINDOWS\system32\DRIVERS\HidCom.sys [2004-08-10 21016] S3 akshasp;Aladdin HASP Key; C:\WINDOWS\system32\DRIVERS\akshasp.sys [2006-11-22 327168] S3 aksusb;Aladdin USB Key; C:\WINDOWS\system32\DRIVERS\aksusb.sys [2006-11-22 100096] S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\system32\drivers\ctdvda2k.sys [2006-08-17 340176] S3 FTD2XX;Flashpaq FTD2XX.SYS FT8U2XX device driver; C:\WINDOWS\System32\Drivers\FTD2XX.sys [2005-12-15 34639] S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-11-07 85969] S3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384] S3 L8042Kbd;Logitech SetPoint Keyboard Driver; C:\WINDOWS\System32\Drivers\L8042Kbd.sys [2005-07-22 13440] S3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver; C:\WINDOWS\System32\Drivers\L8042mou.sys [2005-07-22 55040] S3 LHidKe;Logitech SetPoint HID Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidKE.Sys [2005-07-22 26112] S3 LMouKE;Logitech SetPoint Mouse Filter Driver; C:\WINDOWS\System32\Drivers\LMouKE.sys [2005-07-22 68864] S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008] S3 MXOPSWD;Maxtor OneTouch Security Driver; C:\WINDOWS\system32\DRIVERS\mxopswd.sys [2007-05-03 22152] S3 SNTNLUSB;SafeNet USB SuperPro/UltraPro/HardwareKey; C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS [2008-03-05 33504] S3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784] S3 uisp;Motorola USB ICP driver; C:\WINDOWS\System32\Drivers\usbicp.sys [] S3 usb_rndisx;USB RNDIS Adapter; C:\WINDOWS\system32\DRIVERS\usb8023x.sys [2008-04-13 12800] S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-10-01 32000] S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032] S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856] S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104] S3 vncdrv;vncdrv; C:\WINDOWS\system32\DRIVERS\vncdrv.sys [2002-11-20 2218] S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2006-11-06 28672] S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528] S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944] S3 XMUNIVERSAL;xmuni.sys driver; C:\WINDOWS\System32\Drivers\xmuni.sys [2006-12-02 49408] S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys [] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664] R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040] R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-11-07 231704] R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888] R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.EXE [1999-12-13 44032] R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2006-10-09 237568] R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912] R2 hasplms;HASP License Manager; C:\WINDOWS\system32\hasplms.exe [2007-03-15 535807] R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336] R2 HPSLPSVC;HP Network Devices Support; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336] R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-06-20 49152] R2 Maxtor Sync Service;Maxtor Service; C:\Program Files\Maxtor\Sync\SyncServices.exe [2008-07-21 193888] R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328] R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336] R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-12-05 155716] R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336] R2 ProductivITService;ProductivIT Service; C:\Program Files\AlienAutopsy\TEKS_Service.exe [2004-07-08 77824] R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared files\RichVideo.exe [2005-08-08 167936] R2 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408] R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336] R2 ZuneBusEnum;Zune Bus Enumerator; c:\WINDOWS\system32\ZuneBusEnum.exe [2008-01-11 61856] R2 ZuneNetworkSvc;Zune Network Sharing Service; c:\Program Files\Zune\ZuneNss.exe [2008-01-11 2138528] R3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336] R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872] S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800] S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144] S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632] S3 LBTServ;Logitech Bluetooth Service; C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe [2008-05-02 121360] S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336] S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-06-29 800040] S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136] S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service; c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-01-11 245664] S4 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-06-27 279848] -----------------EOF----------------- |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
11-10-2008, 05:23 AM
|
#2 (permalink) |
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP
|
Re: Computer controlled!
Hello and welcome to TSF
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. ======== Please follow all instructions and in which order they come, if you have any questions, please ask before proceeding. Its important that you follow this through until i give you the all clear, a lack of symptoms does not mean that it is no longer present. Please DO NOT Attach logs to your posts unless you are advised to do so. ========== Download ComboFix from one of these locations: Link 1 Link 2 Link 3 * IMPORTANT !!! Place combofix.exe on your Desktop [*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix. [*]Double click on combofix.exe & follow the prompts. [*]As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.  The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement. ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says: The Recovery Console was successfully installed.  Click on Yes, to continue scanning for malware. [*]Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. [*] When finished, it shall produce a log for you. Post that log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall. ========== Please download HijackThis to your desktop Alternate link This program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded. Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis Upon install, HijackThis should open for you. Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe 1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'. 2. If you don't get the intro screen, just hit Scan and then click on Save log. 3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless. ========== Logs Required C:\Combofix.txt Hijackthis Log If there is no response to this post within 72hrs, this thread will be closed. Last edited by TheBruce1; 11-10-2008 at 05:26 AM. |
|
|
|
|
11-10-2008, 11:32 AM
|
#3 (permalink) |
|
Registered User
Join Date: Nov 2008
Location: Central Florida
Posts: 10
OS: XP SP3
|
Re: Computer controlled!
When I started the PC it went into chkdsk:
Delete corrupt file segment 97996 Deleting an index entry from index $0 of file 25 Deleting index entry 15 in index $I30 of file 97957 recovering lost files. I was in selective startup and deleted the combofix and hijackthis installers and ran ATFCleaner to remove them. I then set start up mode back to normal. Once restarted I got an error message: Error Loading C:\WINDOWS\system32\tcukvwrd.dll the specified module could not be found. I am using an old WindowsME laptop to get the programs you listed and transfer them with a thumb drive. When I double click on combofix I get an error message: error some installation files are corrupt. Please download a fresh copy and retry the installation. I then have to ctrl-alt-del and stop the combofix exe process. I have attempted all three links and I get the same error each time. I have to get back to work. |
|
|
|
|
11-10-2008, 11:45 AM
|
#4 (permalink) | ||
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP
|
Re: Computer controlled!
Quote:
Quote:
|
||
|
|
|
|
11-10-2008, 06:07 PM
|
#5 (permalink) |
|
Registered User
Join Date: Nov 2008
Location: Central Florida
Posts: 10
OS: XP SP3
|
Re: Computer controlled!
Thank you for all your help. I was rushed this afternoon and felt I was rude. I was supposed to be at work and of course my boss called me and I had to run.
I used a friends laptop and downloaded both files again and this time they worked. Good catch. I still saw the rundll error when combofix restarted the PC. I had to stop BugSolver process as it was eating all the resources. I have had issues with this before. Is this normal? Is this something we can fix? Here are the logs requested: ComboFix 08-11-09.04 - Administrator 2008-11-10 19:36:39.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1356 [GMT -5:00] Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Administrator\Application Data\gadcom c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\fbk.sts c:\documents and settings\Administrator\Start Menu\Programs\Startup\Deewoo.lnk c:\documents and settings\Administrator\Start Menu\Programs\Startup\DW_Start.lnk c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat c:\temp\1cb c:\temp\1cb\syscheck.log c:\temp\tn3 c:\windows\Downloaded Program Files\setup.inf c:\windows\IA c:\windows\system32\AutoRun.inf c:\windows\system32\bbmdiyaa.dll c:\windows\system32\drivers\8d034592.sys c:\windows\system32\drivers\ati1yfxx.sys c:\windows\system32\MSINET.oca c:\windows\system32\sn.txt c:\windows\system32\T2 c:\windows\system32\tgdgdk.dll c:\windows\Tasks\nphzhsmw.job c:\windows\Tasks\xzlxwwpn.job H:\AutoRun.inf ----- BITS: Possible infected sites ----- hxxp://77.74.48.101 . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_ati1yfxx -------\Legacy_tdssserv.sys -------\Service_ati1yfxx -------\Service_restore -------\Service_tdssserv.sys ((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 ))))))))))))))))))))))))))))))) . 2008-11-10 12:52 . 2008-11-10 12:52 <DIR> d--hs---- C:\found.001 2008-11-07 17:04 . 2008-11-07 17:04 <DIR> d-------- C:\rsit 2008-11-07 17:04 . 2008-11-07 17:04 <DIR> d-------- c:\program files\trend micro 2008-11-07 16:43 . 2008-11-07 16:43 250 --a------ c:\windows\gmer.ini 2008-11-07 16:35 . 2008-11-08 04:31 <DIR> d--h----- C:\$AVG8.VAULT$ 2008-11-07 03:11 . 2008-11-07 03:11 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2008-11-07 03:11 . 2008-11-07 03:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2008-11-07 03:11 . 2008-11-07 03:11 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes 2008-11-07 03:11 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2008-11-07 03:11 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2008-11-07 02:10 . 2008-11-07 02:10 <DIR> d-------- c:\program files\Lavasoft 2008-11-07 02:10 . 2008-11-07 02:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft 2008-11-07 02:09 . 2008-11-07 02:09 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2008-11-07 02:00 . 2008-11-07 02:00 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR 2008-11-07 01:55 . 2008-11-07 17:45 <DIR> d-------- c:\windows\system32\drivers\Avg 2008-11-07 01:55 . 2008-11-07 01:55 <DIR> d-------- c:\program files\AVG 2008-11-07 01:55 . 2008-11-07 01:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8 2008-11-07 01:55 . 2008-11-07 01:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AVGTOOLBAR 2008-11-07 01:55 . 2008-11-07 01:55 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys 2008-11-07 01:55 . 2008-11-07 01:55 10,520 --a------ c:\windows\system32\avgrsstx.dll 2008-11-06 23:10 . 2008-11-06 23:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant 2008-11-06 22:57 . 2008-11-06 22:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\IUpd721 2008-11-06 22:52 . 2008-11-06 22:52 1,997 --a------ c:\windows\search.yahoo.com-error.html 2008-11-06 22:49 . 2008-11-06 22:49 <DIR> d-------- c:\windows\system32\uvb 2008-11-06 22:49 . 2008-11-07 19:57 <DIR> d-------- c:\windows\system32\QI19 2008-11-06 22:49 . 2008-11-07 19:56 <DIR> d-------- c:\windows\system32\NPX 2008-11-06 22:49 . 2008-11-07 03:06 <DIR> d-------- c:\windows\system32\im 2008-11-06 22:49 . 2008-11-06 22:49 <DIR> d-------- c:\temp\NT32 2008-11-06 22:49 . 2008-11-08 00:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\NI.GSCNS 2008-11-06 22:49 . 2008-11-06 22:49 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll 2008-11-06 22:49 . 2008-11-06 22:49 63,488 --a------ c:\windows\system32\rgv.xl 2008-11-06 22:49 . 2008-11-06 22:49 32,768 --a------ c:\windows\system32\fes.ra 2008-11-06 22:49 . 2008-11-06 22:49 32,768 --a------ c:\windows\system32\fe.sp 2008-11-06 22:49 . 2008-11-06 22:49 28,672 --a------ c:\windows\system32\def.help 2008-11-06 22:49 . 2008-11-06 22:49 28,672 --a------ c:\windows\system32\ceg.sdr 2008-11-06 22:49 . 2008-11-07 04:08 527 --a------ c:\windows\system32\TDSSmtvd.dat 2008-11-06 22:49 . 2008-11-06 22:49 2 --a------ C:\-457971425 2008-11-06 21:26 . 2007-07-02 14:02 996,648 --a------ c:\windows\system32\ShellManager10E2D762.dll 2008-11-06 21:26 . 2007-07-02 13:19 638,976 --a------ c:\windows\system32\NEROINSTAEC43759.DB 2008-10-31 13:45 . 2008-11-05 20:32 <DIR> d-------- c:\program files\DOSBox-0.72 2008-10-28 17:36 . 2008-10-28 17:36 823,296 --a------ c:\windows\system32\divx_xx0c.dll 2008-10-28 17:36 . 2008-10-28 17:36 823,296 --a------ c:\windows\system32\divx_xx07.dll 2008-10-28 17:35 . 2008-10-28 17:35 815,104 --a------ c:\windows\system32\divx_xx0a.dll 2008-10-28 17:35 . 2008-10-28 17:35 802,816 --a------ c:\windows\system32\divx_xx11.dll 2008-10-28 17:35 . 2008-10-28 17:35 684,032 --a------ c:\windows\system32\DivX.dll 2008-10-28 14:54 . 2008-10-29 01:58 <DIR> d-------- c:\program files\DayDawn 2008-10-23 23:46 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll 2008-10-21 04:22 . 2008-10-21 04:22 <DIR> d-------- c:\program files\AviSynth 2.5 2008-10-21 04:22 . 2004-02-22 09:11 719,872 --a------ c:\windows\system32\devil.dll 2008-10-21 04:22 . 2006-10-07 16:43 502,784 --a------ c:\windows\x2.64.exe 2008-10-21 04:22 . 2007-05-17 16:30 318,976 --a------ c:\windows\system32\avisynth.dll 2008-10-21 04:22 . 2005-02-28 12:16 240,128 --a------ c:\windows\system32\x.264.exe 2008-10-21 04:22 . 2006-04-12 08:47 217,073 --a------ c:\windows\meta4.exe 2008-10-21 04:22 . 2004-01-24 23:00 70,656 --a------ c:\windows\system32\yv12vfw.dll 2008-10-21 04:22 . 2004-01-24 23:00 70,656 --a------ c:\windows\system32\i420vfw.dll 2008-10-21 04:22 . 2006-04-05 07:09 66,560 --a------ c:\windows\MOTA113.exe 2008-10-21 04:22 . 2005-07-14 11:31 27,648 --a------ c:\windows\system32\AVSredirect.dll 2008-10-21 04:21 . 2008-10-21 04:21 <DIR> d-------- c:\program files\eRightSoft 2008-10-14 18:30 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys 2008-10-14 18:26 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys 2008-10-14 18:25 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe 2008-10-14 18:25 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe 2008-10-14 18:25 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe 2008-10-14 18:25 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-11-07 02:47 --------- d--h--w c:\program files\InstallShield Installation Information 2008-11-07 02:46 --------- d-----w c:\program files\Maxtor 2008-11-05 03:55 --------- d-----w c:\program files\DivX 2008-11-05 03:51 364 ----a-w C:\drmHeader.bin 2008-10-30 18:27 --------- d-----w c:\program files\SuperchipsUpdate 2008-10-24 10:08 --------- d-----w c:\program files\Microsoft Silverlight 2008-10-21 09:19 --------- d-----w c:\documents and settings\Administrator\Application Data\Tunebite 2008-10-21 07:24 --------- d-----w c:\documents and settings\Administrator\Application Data\Free Download Manager 2008-10-08 00:11 --------- d-----w c:\program files\iTunes 2008-10-08 00:11 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2008-10-08 00:10 --------- d-----w c:\program files\iPod 2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys 2008-09-26 22:42 --------- d-----w c:\program files\NOS 2008-09-26 22:42 --------- d-----w c:\documents and settings\All Users\Application Data\NOS 2008-09-25 22:00 --------- d-----w c:\program files\Common Files\Adobe AIR 2008-09-17 00:01 --------- d-----w c:\program files\QuickTime 2008-09-17 00:00 --------- d-----w c:\program files\Common Files\Apple 2008-09-16 23:56 --------- d-----w c:\program files\Bonjour 2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll 2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll 2008-03-16 12:30 216,064 --sh--r c:\windows\system32\nbDX.dll . file copied: c:\windows\system32\user32.dll -> c:\qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir ( 578560 bytes ) Infected c:\windows\system32\user32.dll hex repaired ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "wmpnscfg"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288] "updatemgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] "roboform"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-10-05 160592] "msmsgs"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232] "ldm"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-08-15 32768] "h/pc connection agent"="d:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000] "creative detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400] "bgmonitor_{79662e04-7c6c-4d9f-84c7-88d8a56b10aa}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152] "avg8_tray"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-07 1234712] "zune launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-01-11 166304] "volpanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 122880] "updreg"="c:\windows\UpdReg.EXE" [2000-05-11 90112] "sunjavaupdatesched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784] "rcsystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152] "quicktime task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696] "nvmediacenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920] "nvcpldaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776] "nerofiltercheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136] "mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312] "launch lgdcore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640] "launch lcdmon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096] "languageshortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152] "ituneshelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576] "hpqsrmon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920] "hpdj taskbar utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608] "hp software update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152] "ehtray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512] "ctdvddet"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056] "applesyncnotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936] "alienfxcontroller"="c:\program files\alienware\alienware alienfx\alienwarealienfxcontroller.exe" [2006-09-13 311296] "nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe] "logitech hardware abstraction layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe] "kernel and hardware abstraction layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe] "ctxfihlp"="CTXFIHLP.EXE" [2006-08-17 c:\windows\system32\CTXFIHLP.EXE] "cthelper"="CTHELPER.EXE" [2006-08-17 c:\windows\CTHELPER.EXE] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360] Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-08-15 450560] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= c:\windows\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn] 2008-05-02 01:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB] 2001-12-20 22:34 24576 c:\program files\AlienGUIse\fastload.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.I420"= i420vfw.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup] @="" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "Network Monitor"=2 (0x2) "cmdService"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 "AntiVirusOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "d:\program files\Microsoft ActiveSync\rapimgr.exe"= d:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "d:\program files\Microsoft ActiveSync\wcescomm.exe"= d:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "d:\program files\Microsoft ActiveSync\WCESMgr.exe"= d:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"= "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"= "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"= "c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"= "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service "1947:TCP"= 1947:TCP:HASP SRM "1947:UDP"= 1947:UDP:HASP SRM R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-07 97928] R1 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2004-11-09 21968] R1 TeksKernel;TeksKernel;c:\windows\system32\Drivers\TeksKernel.sys [2004-07-08 9060] R2 aksfridge;aksfridge;c:\windows\system32\drivers\aksfridge.sys [2007-03-12 351744] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-07 231704] R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run [ ] R2 Maxtor Sync Service;Maxtor Service;c:\program files\Maxtor\Sync\SyncServices.exe [2008-07-21 193888] R2 ProductivITService;ProductivIT Service;c:\program files\AlienAutopsy\TEKS_Service.exe [2004-07-08 77824] R2 zumbus;Zune Bus Enumerator Driver;c:\windows\system32\DRIVERS\zumbus.sys [2008-01-11 40832] R2 ZuneBusEnum;Zune Bus Enumerator;c:\windows\system32\ZuneBusEnum.exe [2008-01-11 61856] R3 ha20x2k;Creative 20X HAL Driver;c:\windows\system32\drivers\ha20x2k.sys [2006-08-17 1110528] S0 ccxh;ccxh;c:\windows\system32\drivers\hbjtfitt.sys [ ] S0 epoj;epoj;c:\windows\system32\drivers\cqcbvf.sys [ ] S1 8d034592;8d034592;c:\windows\system32\drivers\8d034592.sys [ ] S2 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\DRIVERS\HidCom.sys [2004-08-10 21016] S3 FTD2XX;Flashpaq FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\Drivers\FTD2XX.sys [2005-12-15 34639] S3 uisp;Motorola USB ICP driver;c:\windows\system32\Drivers\usbicp.sys [ ] S3 XMUNIVERSAL;xmuni.sys driver;c:\windows\system32\Drivers\xmuni.sys [2006-12-02 49408] S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\windows\system32\ZuneWlanCfgSvc.exe [2008-01-11 245664] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 HPService REG_MULTI_SZ HPSLPSVC hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}] c:\program files\PixiePack Codec Pack\InstallerHelper.exe . Contents of the 'Scheduled Tasks' folder 2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34] . - - - - ORPHANS REMOVED - - - - HKLM-Run-{3e-e9-91-1f-dw} - c:\windows\system32\dwwnw64r.exe HKLM-Run-prunnet - c:\windows\system32\prun.exe HKLM-Run-hphmon03 - c:\windows\system32\hphmon03.exe HKLM-Run-e4b3e9b0 - c:\windows\system32\tcukvwrd.dll . ------- Supplementary Scan ------- . R0 -: HKCU-Main,Start Page = hxxp://www.google.com R0 -: HKLM-Main,Start Page = hxxp://www.google.com R1 -: HKCU-Internet Settings,ProxyOverride = *.local O8 -: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM O8 -: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM O8 -: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html O8 -: Download all with Free Download Manager - file://d:\program files\Free Download Manager\dlall.htm O8 -: Download selected with Free Download Manager - file://d:\program files\Free Download Manager\dlselected.htm O8 -: Download video with Free Download Manager - file://d:\program files\Free Download Manager\dlfvideo.htm O8 -: Download with Free Download Manager - file://d:\program files\Free Download Manager\dllink.htm O8 -: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 O8 -: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O8 -: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM O8 -: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM O8 -: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O8 -: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O18 -: Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-10 19:41:17 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: c:\windows\explorer.exe -> c:\program files\alienware\alienware alienfx\AlienwareAlienFXHK.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Lavasoft\Ad-Aware\aawservice.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\windows\system32\CTSVCCDA.EXE c:\windows\ehome\ehrecvr.exe c:\windows\ehome\ehSched.exe c:\windows\system32\hasplms.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\progra~1\AVG\AVG8\avgrsx.exe c:\windows\system32\nvsvc32.exe c:\program files\CyberLink\Shared files\RichVideo.exe c:\windows\ehome\mcrdsvc.exe c:\program files\Windows Media Player\wmpnetwk.exe c:\program files\Zune\ZuneNss.exe c:\windows\system32\CTXFISPI.EXE c:\windows\system32\rundll32.exe c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe c:\program files\Creative\ShareDLL\CADI\NotiMan.exe d:\progra~1\MICROS~2\rapimgr.exe c:\program files\Logitech\SetPoint\SetPoint.exe c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe d:\program files\Microsoft Office\OFFICE11\OUTLOOK.EXE c:\windows\system32\dllhost.exe c:\windows\system32\wscntfy.exe c:\program files\iPod\bin\iPodService.exe c:\windows\ehome\ehmsas.exe c:\program files\HP\Digital Imaging\bin\hpqste08.exe c:\program files\HP\Digital Imaging\bin\hpqbam08.exe c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe . ************************************************************************** . Completion time: 2008-11-10 19:53:22 - machine was rebooted ComboFix-quarantined-files.txt 2008-11-11 00:53:04 Pre-Run: 358,413,291,520 bytes free Post-Run: 358,543,278,080 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer 349 --- E O F --- 2008-10-24 09:00:44 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:57:33 PM, on 11/10/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\system32\hasplms.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\Program Files\Maxtor\Sync\SyncServices.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\AlienAutopsy\TEKS_Service.exe C:\Program Files\CyberLink\Shared files\RichVideo.exe C:\WINDOWS\system32\svchost.exe c:\WINDOWS\system32\ZuneBusEnum.exe C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\WINDOWS\SYSTEM32\CTXFISPI.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\system32\CTXFIHLP.EXE C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe C:\WINDOWS\CTHELPER.EXE C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE C:\program files\alienware\alienware alienfx\alienwarealienfxcontroller.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe D:\Program Files\Microsoft ActiveSync\wcescomm.exe C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe D:\PROGRA~1\MICROS~2\rapimgr.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\Administrator\Desktop\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll" O4 - HKLM\..\Run: [avg8_tray] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [zune launcher] "c:\Program Files\Zune\ZuneLauncher.exe" O4 - HKLM\..\Run: [volpanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r O4 - HKLM\..\Run: [updreg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [sunjavaupdatesched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [rcsystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [nvmediacenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [nvcpldaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nerofiltercheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" O4 - HKLM\..\Run: [logitech hardware abstraction layer] KHALMNPR.EXE O4 - HKLM\..\Run: [launch lgdcore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE O4 - HKLM\..\Run: [launch lcdmon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" O4 - HKLM\..\Run: [languageshortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [kernel and hardware abstraction layer] KHALMNPR.EXE O4 - HKLM\..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [hpqsrmon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe O4 - HKLM\..\Run: [hpdj taskbar utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [hp software update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [ehtray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [ctxfihlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [cthelper] CTHELPER.EXE O4 - HKLM\..\Run: [ctdvddet] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" O4 - HKLM\..\Run: [applesyncnotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [alienfxcontroller] c:\program files\alienware\alienware alienfx\alienwarealienfxcontroller.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [wmpnscfg] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [updatemgr] c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 O4 - HKCU\..\Run: [roboform] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" O4 - HKCU\..\Run: [msmsgs] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ldm] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - HKCU\..\Run: [h/pc connection agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe" O4 - HKCU\..\Run: [creative detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R O4 - HKCU\..\Run: [bgmonitor_{79662e04-7c6c-4d9f-84c7-88d8a56b10aa}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html O8 - Extra context menu item: Download all with Free Download Manager - file://d:\Program Files\Free Download Manager\dlall.htm O8 - Extra context menu item: Download selected with Free Download Manager - file://d:\Program Files\Free Download Manager\dlselected.htm O8 - Extra context menu item: Download video with Free Download Manager - file://d:\Program Files\Free Download Manager\dlfvideo.htm O8 - Extra context menu item: Download with Free Download Manager - file://d:\Program Files\Free Download Manager\dllink.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - https://h20364.www2.hp.com/CSMWeb/Cu...ataManager.CAB O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1187219165890 O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187219160937 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab O18 - Protocol: bw+0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw+0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw-0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw-0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw00 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw00s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw10 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw10s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw20 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw20s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw30 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw30s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw40 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw40s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw50 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw50s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw60 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw60s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw70 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw70s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw80 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw80s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw90 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw90s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwa0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwa0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwb0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwb0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwc0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwc0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwd0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwd0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwe0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwe0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwf0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwf0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O18 - Protocol: bwg0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwg0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwh0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwh0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwi0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwi0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwj0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwj0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwk0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwk0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwl0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwl0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwm0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwm0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwn0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwn0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwo0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwo0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwp0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwp0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwq0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwq0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwr0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwr0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bws0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bws0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwt0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwt0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwu0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwu0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwv0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwv0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bww0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bww0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwx0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwx0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwy0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwy0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwz0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwz0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: offline-8876480 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe -- End of file - 26691 bytes |
|
|
|
|
11-11-2008, 04:39 AM
|
#6 (permalink) |
|
Registered User
Join Date: Nov 2008
Location: Central Florida
Posts: 10
OS: XP SP3
|
Re: Computer controlled!
Good morning. I am sure you you haven't had the time to review the logs but I wanted to let you know I won't be able to leave work today.
I hope I didn't jump the gun but since running combofix the system was more stable and followed the instructions here: hxxp://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html I downloaded and installed jetico and spywareguard, spywareblaster, superantispyware, and spybot. I then realized this might conflict with your instructions, sorry my hands work faster than my mind sometimes. I decided to leave everything alone and will not do anything else unless you tell me to. From here on out I will wait for your responses. It is rough being 5 hours behind you. Again apologies for my impatience. |
|
|
|
|
11-11-2008, 07:00 AM
|
#7 (permalink) | |
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP
|
Re: Computer controlled!
Hello again
Please do not install anything unless you are advised to do so, it can be counter productive. ======= Download ATF-Cleaner by Atribune to your desktop. Do not run just yet, we will shortly ======= Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist): Advertisement Service ======== Open notepad and copy/paste the text in the quotebox below into it: Quote:
 Refering to the picture above, drag CFscript into ComboFix.exe Follow the prompts, and post the resulting log, C:\ComboFix.txt Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system. Warning: Do not mouseclick combofix's window whilst it's running. That may cause it to stall ======== JAVA OUTDATED Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
======== Double-click ATF Cleaner.exe to open it Under Main choose: Windows Temp Current User Temp All Users Temp Cookies Temporary Internet Files Prefetch Java Cache *The other boxes are optional* Then click the Empty Selected button. If you have Firefox installed: Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click NO at the prompt. If you have Opera installed: Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click NO at the prompt. Click Exit on the Main menu to close the program. ========== Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Click Accept, when prompted to download and install the program files and database of malware definitions.
This animation will guide you through the process:  To optimize scanning time and produce a more sensible report for review:
========= Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. ========= Logs Required C:\Combofix.txt Kaspersky Scan Report Hijackthis Log How is your system running now. |
|
|
|
|
|
11-12-2008, 04:48 AM
|
#8 (permalink) |
|
Registered User
Join Date: Nov 2008
Location: Central Florida
Posts: 10
OS: XP SP3
|
Re: Computer controlled!
When I started the PC I received a NirCmd.cfexe-Application Error: The instruction "0x7c910a53" referenced memory at "0x003e531a" The memory could not be "written" click ok to terminate the program.
Ran Combofix and came back with "update for Combofix failed no network connection" ran current version. Log at end. AVG was not disabled during the combofix run. Kaspersky hung at 3 1/2 hours and waited an additional 1 hour at 44%, mouse barely moved and unable to close, alt-ctrl-del did not work. Manually power cycled. Chkdsk ran and" Deleted corrupt attribute listen try with type code128 in file 10823 Deleting corrupt file record segment 182844 Deleting index entry 958.thm in index $I30 of file 171746 Other messages to fast to record. Kaspersky hung again at 8hours 41mins and had to manually power cycle again Chkdsk ran again: Deleting corrupt segment 140860 Deleting corrupt segment 215868 Deleting index entry from index $0 of file 25 Deleting index entry from index $0 of file 25 Correcting error in index $I30 for file 113174 Correcting error in index $I30 for file 113174 Many more statements that scrolled to fast to record. Windows update downloaded and installed an update with auto shutdown after I posted this. Hope you have a good day. I again will be unable to leave work during the day. Logs: ComboFix 08-11-10.01 - Administrator 2008-11-11 16:37:27.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1262 [GMT -5:00] Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt * Created a new restore point FILE :: C:\-457971425 c:\windows\system32\ceg.sdr c:\windows\system32\def.help c:\windows\system32\fe.sp c:\windows\system32\fes.ra c:\windows\system32\rgv.xl c:\windows\system32\TDSSmtvd.dat . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\-457971425 c:\documents and settings\Administrator\Application Data\NI.GSCNS c:\documents and settings\Administrator\Application Data\NI.GSCNS\dl.ini c:\documents and settings\Administrator\Application Data\NI.GSCNS\settings.ini c:\windows\system32\ceg.sdr c:\windows\system32\def.help c:\windows\system32\fe.sp c:\windows\system32\fes.ra c:\windows\system32\rgv.xl c:\windows\system32\TDSSmtvd.dat . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_8d034592 -------\Service_ccxh -------\Service_epoj ((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 ))))))))))))))))))))))))))))))) . 2008-11-11 16:32 . 2008-11-11 16:32 <DIR> d-------- c:\windows\LastGood.Tmp 2008-11-10 22:05 . 2008-11-11 06:13 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2008-11-10 22:05 . 2008-11-11 06:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-11-10 21:30 . 2008-11-10 21:30 <DIR> d-------- c:\program files\SUPERAntiSpyware 2008-11-10 21:30 . 2008-11-10 21:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2008-11-10 21:30 . 2008-11-10 21:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com 2008-11-10 21:11 . 2008-11-10 21:11 221,184 --a------ c:\windows\SnoopFreeUI.exe 2008-11-10 21:11 . 2008-11-10 21:11 90,112 --a------ c:\windows\system32\SnoopFreeSvc.exe 2008-11-10 21:11 . 2008-11-10 21:11 45,056 --a------ c:\windows\SnoopFreeDll.dll 2008-11-10 21:11 . 2008-11-10 21:11 9,472 --a------ c:\windows\system32\drivers\SnopFree.sys 2008-11-10 21:07 . 2008-11-10 21:38 <DIR> d-------- c:\program files\SpywareGuard 2008-11-10 21:04 . 2008-11-10 21:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP 2008-11-10 21:03 . 2008-11-10 21:06 <DIR> d-------- c:\program files\SpywareBlaster 2008-11-10 20:41 . 2008-11-10 20:41 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jetico Personal Firewall 2008-11-10 20:36 . 2008-11-10 20:36 <DIR> d-------- c:\program files\Jetico 2008-11-10 12:52 . 2008-11-10 12:52 <DIR> d--hs---- C:\found.001 2008-11-07 17:04 . 2008-11-07 17:04 <DIR> d-------- C:\rsit 2008-11-07 17:04 . 2008-11-07 17:04 <DIR> d-------- c:\program files\trend micro 2008-11-07 16:43 . 2008-11-07 16:43 250 --a------ c:\windows\gmer.ini 2008-11-07 16:35 . 2008-11-10 23:30 <DIR> d--h----- C:\$AVG8.VAULT$ 2008-11-07 03:11 . 2008-11-07 03:11 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2008-11-07 03:11 . 2008-11-07 03:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2008-11-07 03:11 . 2008-11-07 03:11 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes 2008-11-07 03:11 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2008-11-07 03:11 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2008-11-07 02:10 . 2008-11-07 02:10 <DIR> d-------- c:\program files\Lavasoft 2008-11-07 02:10 . 2008-11-07 02:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft 2008-11-07 02:09 . 2008-11-10 21:29 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2008-11-07 02:00 . 2008-11-07 02:00 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR 2008-11-07 01:55 . 2008-11-07 17:45 <DIR> d-------- c:\windows\system32\drivers\Avg 2008-11-07 01:55 . 2008-11-07 01:55 <DIR> d-------- c:\program files\AVG 2008-11-07 01:55 . 2008-11-07 01:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8 2008-11-07 01:55 . 2008-11-07 01:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AVGTOOLBAR 2008-11-07 01:55 . 2008-11-07 01:55 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys 2008-11-07 01:55 . 2008-11-07 01:55 10,520 --a------ c:\windows\system32\avgrsstx.dll 2008-11-06 23:10 . 2008-11-06 23:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant 2008-11-06 22:57 . 2008-11-06 22:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\IUpd721 2008-11-06 22:52 . 2008-11-06 22:52 1,997 --a------ c:\windows\search.yahoo.com-error.html 2008-11-06 22:49 . 2008-11-06 22:49 <DIR> d-------- c:\windows\system32\uvb 2008-11-06 22:49 . 2008-11-07 19:57 <DIR> d-------- c:\windows\system32\QI19 2008-11-06 22:49 . 2008-11-07 19:56 <DIR> d-------- c:\windows\system32\NPX 2008-11-06 22:49 . 2008-11-07 03:06 <DIR> d-------- c:\windows\system32\im 2008-11-06 22:49 . 2008-11-06 22:49 <DIR> d-------- c:\temp\NT32 2008-11-06 22:49 . 2008-11-06 22:49 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll 2008-11-06 21:26 . 2007-07-02 14:02 996,648 --a------ c:\windows\system32\ShellManager10E2D762.dll 2008-11-06 21:26 . 2007-07-02 13:19 638,976 --a------ c:\windows\system32\NEROINSTAEC43759.DB 2008-10-31 13:45 . 2008-11-05 20:32 <DIR> d-------- c:\program files\DOSBox-0.72 2008-10-28 17:36 . 2008-10-28 17:36 823,296 --a------ c:\windows\system32\divx_xx0c.dll 2008-10-28 17:36 . 2008-10-28 17:36 823,296 --a------ c:\windows\system32\divx_xx07.dll 2008-10-28 17:35 . 2008-10-28 17:35 815,104 --a------ c:\windows\system32\divx_xx0a.dll 2008-10-28 17:35 . 2008-10-28 17:35 802,816 --a------ c:\windows\system32\divx_xx11.dll 2008-10-28 17:35 . 2008-10-28 17:35 684,032 --a------ c:\windows\system32\DivX.dll 2008-10-28 14:54 . 2008-10-29 01:58 <DIR> d-------- c:\program files\DayDawn 2008-10-23 23:46 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll 2008-10-21 04:22 . 2008-10-21 04:22 <DIR> d-------- c:\program files\AviSynth 2.5 2008-10-21 04:22 . 2004-02-22 09:11 719,872 --a------ c:\windows\system32\devil.dll 2008-10-21 04:22 . 2006-10-07 16:43 502,784 --a------ c:\windows\x2.64.exe 2008-10-21 04:22 . 2007-05-17 16:30 318,976 --a------ c:\windows\system32\avisynth.dll 2008-10-21 04:22 . 2005-02-28 12:16 240,128 --a------ c:\windows\system32\x.264.exe 2008-10-21 04:22 . 2006-04-12 08:47 217,073 --a------ c:\windows\meta4.exe 2008-10-21 04:22 . 2004-01-24 23:00 70,656 --a------ c:\windows\system32\yv12vfw.dll 2008-10-21 04:22 . 2004-01-24 23:00 70,656 --a------ c:\windows\system32\i420vfw.dll 2008-10-21 04:22 . 2006-04-05 07:09 66,560 --a------ c:\windows\MOTA113.exe 2008-10-21 04:22 . 2005-07-14 11:31 27,648 --a------ c:\windows\system32\AVSredirect.dll 2008-10-21 04:21 . 2008-10-21 04:21 <DIR> d-------- c:\program files\eRightSoft 2008-10-14 18:30 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys 2008-10-14 18:26 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys 2008-10-14 18:25 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe 2008-10-14 18:25 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe 2008-10-14 18:25 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe 2008-10-14 18:25 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-11-07 02:47 --------- d--h--w c:\program files\InstallShield Installation Information 2008-11-07 02:46 --------- d-----w c:\program files\Maxtor 2008-11-05 03:55 --------- d-----w c:\program files\DivX 2008-11-05 03:51 364 ----a-w C:\drmHeader.bin 2008-10-30 18:27 --------- d-----w c:\program files\SuperchipsUpdate 2008-10-24 10:08 --------- d-----w c:\program files\Microsoft Silverlight 2008-10-21 09:19 --------- d-----w c:\documents and settings\Administrator\Application Data\Tunebite 2008-10-21 07:24 --------- d-----w c:\documents and settings\Administrator\Application Data\Free Download Manager 2008-10-08 00:11 --------- d-----w c:\program files\iTunes 2008-10-08 00:11 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2008-10-08 00:10 --------- d-----w c:\program files\iPod 2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys 2008-09-26 22:42 --------- d-----w c:\program files\NOS 2008-09-26 22:42 --------- d-----w c:\documents and settings\All Users\Application Data\NOS 2008-09-25 22:00 --------- d-----w c:\program files\Common Files\Adobe AIR 2008-09-17 00:01 --------- d-----w c:\program files\QuickTime 2008-09-17 00:00 --------- d-----w c:\program files\Common Files\Apple 2008-09-16 23:56 --------- d-----w c:\program files\Bonjour 2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll 2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll 2008-03-16 12:30 216,064 --sh--r c:\windows\system32\nbDX.dll . (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ---- Directory of c:\temp\NT32 ---- 2008-11-06 22:49 1858 --a------ c:\temp\NT32\zBV.log ---- Directory of c:\windows\system32\im ---- ---- Directory of c:\windows\system32\NPX ---- ---- Directory of c:\windows\system32\QI19 ---- ---- Directory of c:\windows\system32\uvb ---- ((((((((((((((((((((((((((((( snapshot@2008-11-10_19.52.45.76 ))))))))))))))))))))))))))))))))))))))))) . + 2005-02-21 15:44:00 163,840 ----a-w c:\windows\BCUnInstall.exe + 2008-11-11 02:30:40 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe + 2008-11-11 02:30:40 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe + 2005-06-23 10:19:30 16,640 ----a-w c:\windows\system32\drivers\bc_filter.sys + 2005-02-18 05:50:34 17,536 ----a-w c:\windows\system32\drivers\bc_ip_f.sys + 2005-02-18 05:50:36 8,960 ----a-w c:\windows\system32\drivers\bc_ngn.sys + 2005-02-18 05:50:35 4,928 ----a-w c:\windows\system32\drivers\bc_pat_f.sys + 2005-02-18 05:50:35 4,576 ----a-w c:\windows\system32\drivers\bc_prt_f.sys + 2005-02-18 05:50:34 13,344 ----a-w c:\windows\system32\drivers\bc_tdi_f.sys + 2005-05-18 07:09:18 45,739 ----a-w c:\windows\system32\drivers\bcftdi.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "wmpnscfg"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288] "updatemgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] "roboform"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-10-05 160592] "msmsgs"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232] "ldm"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-08-15 32768] "h/pc connection agent"="d:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000] "creative detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400] "bgmonitor_{79662e04-7c6c-4d9f-84c7-88d8a56b10aa}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152] "avg8_tray"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-07 1234712] "zune launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-01-11 166304] "volpanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 122880] "updreg"="c:\windows\UpdReg.EXE" [2000-05-11 90112] "sunjavaupdatesched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784] "rcsystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152] "quicktime task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696] "nvmediacenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920] "nvcpldaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776] "nerofiltercheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136] "mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312] "launch lgdcore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640] "launch lcdmon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096] "languageshortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152] "ituneshelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576] "hpqsrmon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920] "hpdj taskbar utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608] "hp software update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152] "ehtray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512] "ctdvddet"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056] "applesyncnotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936] "alienfxcontroller"="c:\program files\alienware\alienware alienfx\alienwarealienfxcontroller.exe" [2006-09-13 311296] "JeticoPFStartup"="c:\program files\Jetico\Jetico Personal Firewall\fwsrv.exe" [2005-07-19 118784] "nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe] "logitech hardware abstraction layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe] "kernel and hardware abstraction layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe] "ctxfihlp"="CTXFIHLP.EXE" [2006-08-17 c:\windows\system32\CTXFIHLP.EXE] "cthelper"="CTHELPER.EXE" [2006-08-17 c:\windows\CTHELPER.EXE] "SnoopFreeUI"="SnoopFreeUI.exe" [2008-11-10 c:\windows\SnoopFreeUI.exe] c:\documents and settings\Administrator\Start Menu\Programs\Startup\ SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360] Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-08-15 450560] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= c:\windows\Resources\Themes\Royale.theme [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn] 2008-05-02 01:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB] 2001-12-20 22:34 24576 c:\program files\AlienGUIse\fastload.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.I420"= i420vfw.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup] @="" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "Network Monitor"=2 (0x2) "cmdService"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "d:\program files\Microsoft ActiveSync\rapimgr.exe"= d:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "d:\program files\Microsoft ActiveSync\wcescomm.exe"= d:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "d:\program files\Microsoft ActiveSync\WCESMgr.exe"= d:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"= "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"= "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"= "c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"= "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service "1947:TCP"= 1947:TCP:HASP SRM "1947:UDP"= 1947:UDP:HASP SRM R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-07 97928] R1 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2004-11-09 21968] R1 TeksKernel;TeksKernel;c:\windows\system32\Drivers\TeksKernel.sys [2004-07-08 9060] R2 aksfridge;aksfridge;c:\windows\system32\drivers\aksfridge.sys [2007-03-12 351744] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-07 231704] R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run [ ] R2 Maxtor Sync Service;Maxtor Service;c:\program files\Maxtor\Sync\SyncServices.exe [2008-07-21 193888] R2 ProductivITService;ProductivIT Service;c:\program files\AlienAutopsy\TEKS_Service.exe [2004-07-08 77824] R2 zumbus;Zune Bus Enumerator Driver;c:\windows\system32\DRIVERS\zumbus.sys [2008-01-11 40832] R2 ZuneBusEnum;Zune Bus Enumerator;c:\windows\system32\ZuneBusEnum.exe [2008-01-11 61856] R3 ha20x2k;Creative 20X HAL Driver;c:\windows\system32\drivers\ha20x2k.sys [2006-08-17 1110528] S2 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\DRIVERS\HidCom.sys [2004-08-10 21016] S3 FTD2XX;Flashpaq FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\Drivers\FTD2XX.sys [2005-12-15 34639] S3 uisp;Motorola USB ICP driver;c:\windows\system32\Drivers\usbicp.sys [ ] S3 XMUNIVERSAL;xmuni.sys driver;c:\windows\system32\Drivers\xmuni.sys [2006-12-02 49408] S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\windows\system32\ZuneWlanCfgSvc.exe [2008-01-11 245664] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 HPService REG_MULTI_SZ HPSLPSVC hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}] c:\program files\PixiePack Codec Pack\InstallerHelper.exe . Contents of the 'Scheduled Tasks' folder 2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34] . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-11 16:43:47 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . c:\program files\Lavasoft\Ad-Aware\aawservice.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\windows\system32\CTSVCCDA.EXE c:\windows\ehome\ehrecvr.exe c:\windows\ehome\ehSched.exe c:\windows\system32\hasplms.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\windows\system32\rundll32.exe c:\windows\system32\nvsvc32.exe c:\program files\CyberLink\Shared files\RichVideo.exe c:\progra~1\AVG\AVG8\avgrsx.exe c:\windows\system32\SnoopFreeSvc.exe c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe c:\windows\system32\CTXFISPI.EXE c:\program files\Creative\ShareDLL\CADI\NotiMan.exe d:\program files\Microsoft Office\OFFICE11\OUTLOOK.EXE d:\progra~1\MICROS~2\rapimgr.exe c:\windows\ehome\mcrdsvc.exe c:\program files\Windows Media Player\wmpnetwk.exe c:\program files\Zune\ZuneNss.exe c:\program files\Logitech\SetPoint\SetPoint.exe c:\program files\SpywareGuard\sgbhp.exe c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe c:\windows\system32\dllhost.exe c:\program files\iPod\bin\iPodService.exe c:\windows\ehome\ehmsas.exe c:\program files\HP\Digital Imaging\bin\hpqste08.exe c:\program files\HP\Digital Imaging\bin\hpqbam08.exe c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe c:\program files\Java\jre1.6.0_05\bin\jucheck.exe . ************************************************************************** . Completion time: 2008-11-11 16:54:39 - machine was rebooted ComboFix-quarantined-files.txt 2008-11-11 21:54:31 ComboFix2.txt 2008-11-11 00:53:23 Pre-Run: 358,233,722,880 bytes free Post-Run: 358,264,754,176 bytes free 342 --- E O F --- 2008-10-24 09:00:44 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:37:34 AM, on 11/12/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\system32\CTXFIHLP.EXE C:\WINDOWS\CTHELPER.EXE C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe C:\program files\alienware\alienware alienfx\alienwarealienfxcontroller.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe C:\WINDOWS\SnoopFreeUI.exe C:\WINDOWS\SYSTEM32\CTXFISPI.EXE C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe D:\Program Files\Microsoft ActiveSync\wcescomm.exe C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe D:\PROGRA~1\MICROS~2\rapimgr.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\SpywareGuard\sgmain.exe C:\WINDOWS\system32\CTsvcCDA.EXE D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\system32\hasplms.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Maxtor\Sync\SyncServices.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\AlienAutopsy\TEKS_Service.exe C:\Program Files\CyberLink\Shared files\RichVideo.exe C:\WINDOWS\System32\SnoopFreeSvc.exe C:\WINDOWS\system32\svchost.exe c:\WINDOWS\system32\ZuneBusEnum.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\WINDOWS\system32\wuauclt.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\msiexec.exe C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Documents and Settings\Administrator\Desktop\HijackThis.exe C:\WINDOWS\system32\MsiExec.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alienware.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll" O4 - HKLM\..\Run: [avg8_tray] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [zune launcher] "c:\Program Files\Zune\ZuneLauncher.exe" O4 - HKLM\..\Run: [volpanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r O4 - HKLM\..\Run: [updreg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [rcsystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [nvmediacenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [nvcpldaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nerofiltercheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" O4 - HKLM\..\Run: [logitech hardware abstraction layer] KHALMNPR.EXE O4 - HKLM\..\Run: [launch lgdcore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE O4 - HKLM\..\Run: [launch lcdmon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" O4 - HKLM\..\Run: [languageshortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [kernel and hardware abstraction layer] KHALMNPR.EXE O4 - HKLM\..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [hpqsrmon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe O4 - HKLM\..\Run: [hpdj taskbar utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [hp software update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [ehtray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [ctxfihlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [cthelper] CTHELPER.EXE O4 - HKLM\..\Run: [ctdvddet] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" O4 - HKLM\..\Run: [applesyncnotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [alienfxcontroller] c:\program files\alienware\alienware alienfx\alienwarealienfxcontroller.exe O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe" O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [wmpnscfg] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [updatemgr] c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 O4 - HKCU\..\Run: [roboform] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" O4 - HKCU\..\Run: [msmsgs] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ldm] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - HKCU\..\Run: [h/pc connection agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe" O4 - HKCU\..\Run: [creative detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R O4 - HKCU\..\Run: [bgmonitor_{79662e04-7c6c-4d9f-84c7-88d8a56b10aa}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html O8 - Extra context menu item: Download all with Free Download Manager - file://d:\Program Files\Free Download Manager\dlall.htm O8 - Extra context menu item: Download selected with Free Download Manager - file://d:\Program Files\Free Download Manager\dlselected.htm O8 - Extra context menu item: Download video with Free Download Manager - file://d:\Program Files\Free Download Manager\dlfvideo.htm O8 - Extra context menu item: Download with Free Download Manager - file://d:\Program Files\Free Download Manager\dllink.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - https://h20364.www2.hp.com/CSMWeb/Cu...ataManager.CAB O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1187219165890 O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187219160937 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab O18 - Protocol: bw+0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw+0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw-0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw-0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw00 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw00s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw10 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw10s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw20 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw20s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw30 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw30s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw40 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw40s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw50 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw50s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw60 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw60s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw70 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw70s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw80 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw80s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw90 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw90s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwa0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwa0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwb0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwb0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwc0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwc0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwd0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwd0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwe0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwe0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwf0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwf0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O18 - Protocol: bwg0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwg0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwh0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwh0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwi0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwi0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwj0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwj0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwk0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwk0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwl0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwl0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwm0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwm0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwn0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwn0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwo0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwo0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwp0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwp0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwq0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwq0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwr0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwr0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bws0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bws0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwt0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwt0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwu0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwu0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwv0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwv0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bww0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bww0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwx0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwx0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwy0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwy0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwz0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwz0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: offline-8876480 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe -- End of file - 28055 bytes Last edited by FireWalker42; 11-12-2008 at 04:57 AM. Reason: added windows update message |
|
|
|
|
11-12-2008, 08:18 AM
|
#9 (permalink) |
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP
|
Re: Computer controlled!
Hello again
Open notepad and copy/paste the text in the box below into it: Code:
@echo off if exist "%temp%\log.txt" del "%temp%\log.txt" for %%g in ( c:\temp\NT32 c:\windows\system32\im c:\windows\system32\NPX c:\windows\system32\QI19 c:\windows\system32\uvb ) do ( rd /s/q %%g >nul 2>&1 if exist %%g echo.%%~g>>"%temp%\log.txt" ) if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt" ) else echo.Deleted Successfully !! pause It should look like this:  Double click on Delete.bat & allow it to run Let me know if it was successful. ========= Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any) R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local Keep the first one and delete the rest O18 - Protocol: bw+0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw-0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw-0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw00 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw00s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw10 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw10s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw20 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw20s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw30 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw30s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw40 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw40s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw50 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw50s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw60 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw60s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw70 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw70s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw80 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw80s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw90 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw90s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwa0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwa0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwb0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwb0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwc0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwc0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwd0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwd0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwe0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwe0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwf0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwf0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O18 - Protocol: bwg0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwg0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwh0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwh0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwi0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwi0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwj0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwj0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwk0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwk0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwl0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwl0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwm0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwm0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwn0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwn0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwo0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwo0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwp0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwp0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwq0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwq0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwr0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwr0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bws0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bws0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwt0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwt0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwu0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwu0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwv0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwv0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bww0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bww0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwx0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwx0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwy0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwy0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwz0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwz0s - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: offline-8876480 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll Please remember to close all other windows, including browsers then click Fix checked. ========= Try this scanner instead: ESET Online Scanner
========= Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. ========== Logs Required Eset scan report Hijackthis Log Last edited by TheBruce1; 11-12-2008 at 08:23 AM. |
|
|
|
|
11-12-2008, 10:42 AM
|
#10 (permalink) |
|
Registered User
Join Date: Nov 2008
Location: Central Florida
Posts: 10
OS: XP SP3
|
Re: Computer controlled!
Delete.bat completed successfully.
ran and fixed all listed above with HJT. I skipped the R1 line the first time, saw the "Keep the first one and delete the rest" in red and read right over it. I did a second scan and checked that line and fixed. Hope that was ok. ESET is running now and I am going to go back to work as I think this will take quite some time. Will post the logs when I get home later. |
|
|
|
|
11-13-2008, 04:01 AM
|
#12 (permalink) |
|
Registered User
Join Date: Nov 2008
Location: Central Florida
Posts: 10
OS: XP SP3
|
Re: Computer controlled!
I noticed the ESET scanner still incrementing in time but the PC clock had stopped at around 3hours into the scan. Manually power cycled PC. Chkdsk ran again. Once started and I went to open IE again I got a BSOD and the PC restarted, unable to get message. Ran ESET again with the same results. Manually restarted PC and Chkdsk ran again.
I work again today but am off tomorrow. Only able to get the HJT log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:56:32 AM, on 11/13/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe C:\WINDOWS\ehome\ehtray.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe C:\WINDOWS\system32\CTXFIHLP.EXE C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe C:\WINDOWS\CTHELPER.EXE C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE C:\program files\alienware\alienware alienfx\alienwarealienfxcontroller.exe C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe C:\WINDOWS\SYSTEM32\CTXFISPI.EXE C:\WINDOWS\SnoopFreeUI.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\system32\hasplms.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Maxtor\Sync\SyncServices.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\AlienAutopsy\TEKS_Service.exe C:\Program Files\CyberLink\Shared files\RichVideo.exe C:\WINDOWS\System32\SnoopFreeSvc.exe C:\WINDOWS\system32\svchost.exe c:\WINDOWS\system32\ZuneBusEnum.exe C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe D:\Program Files\Microsoft ActiveSync\wcescomm.exe C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe D:\PROGRA~1\MICROS~2\rapimgr.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Administrator\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alienware.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll" O4 - HKLM\..\Run: [avg8_tray] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [zune launcher] "c:\Program Files\Zune\ZuneLauncher.exe" O4 - HKLM\..\Run: [volpanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r O4 - HKLM\..\Run: [updreg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [rcsystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [nvmediacenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [nvcpldaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nerofiltercheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" O4 - HKLM\..\Run: [logitech hardware abstraction layer] KHALMNPR.EXE O4 - HKLM\..\Run: [launch lgdcore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE O4 - HKLM\..\Run: [launch lcdmon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" O4 - HKLM\..\Run: [languageshortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [kernel and hardware abstraction layer] KHALMNPR.EXE O4 - HKLM\..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [hpqsrmon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe O4 - HKLM\..\Run: [hpdj taskbar utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [hp software update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [ehtray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [ctxfihlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [cthelper] CTHELPER.EXE O4 - HKLM\..\Run: [ctdvddet] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" O4 - HKLM\..\Run: [applesyncnotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [alienfxcontroller] c:\program files\alienware\alienware alienfx\alienwarealienfxcontroller.exe O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe" O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [wmpnscfg] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [updatemgr] c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 O4 - HKCU\..\Run: [roboform] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" O4 - HKCU\..\Run: [msmsgs] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ldm] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - HKCU\..\Run: [h/pc connection agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe" O4 - HKCU\..\Run: [creative detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R O4 - HKCU\..\Run: [bgmonitor_{79662e04-7c6c-4d9f-84c7-88d8a56b10aa}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html O8 - Extra context menu item: Download all with Free Download Manager - file://d:\Program Files\Free Download Manager\dlall.htm O8 - Extra context menu item: Download selected with Free Download Manager - file://d:\Program Files\Free Download Manager\dlselected.htm O8 - Extra context menu item: Download video with Free Download Manager - file://d:\Program Files\Free Download Manager\dlfvideo.htm O8 - Extra context menu item: Download with Free Download Manager - file://d:\Program Files\Free Download Manager\dllink.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - https://h20364.www2.hp.com/CSMWeb/Cu...ataManager.CAB O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1187219165890 O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187219160937 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab O18 - Protocol: bw+0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe -- End of file - 16013 bytes |
|
|
|
|
11-13-2008, 05:47 AM
|
#13 (permalink) |
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP
|
Re: Computer controlled!
Update Malwarebytes' Anti-Malware and run a full system scan. When finished it shall produce a log, post that in your reply along with a new hijackthis log.
|
|
|
|
|
11-13-2008, 02:19 PM
|
#14 (permalink) |
|
Registered User
Join Date: Nov 2008
Location: Central Florida
Posts: 10
OS: XP SP3
|
Re: Computer controlled!
Malwarebytes' Anti-Malware 1.30
Database version: 1395 Windows 5.1.2600 Service Pack 3 11/13/2008 4:13:00 PM mbam-log-2008-11-13 (16-12-54).txt Scan type: Full Scan (C:\|D:\|) Objects scanned: 245871 Time elapsed: 2 hour(s), 1 minute(s), 54 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 7 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9e91ef7b-6846-45c3-a8ab-67cf7c900783} (Trojan.Vundo) -> No action taken. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Qoobox\Quarantine\C\WINDOWS\system32\bbmdiyaa.dll.vir (Trojan.Vundo) -> No action taken. C:\Qoobox\Quarantine\C\WINDOWS\system32\tgdgdk.dll.vir (Trojan.Vundo) -> No action taken. C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\8d034592.sys.vir (Rootkit.Agent) -> No action taken. C:\System Volume Information\_restore{14FF3587-4068-4AC6-8308-C0B700969E96}\RP2\A0001026.sys (Rootkit.Agent) -> No action taken. C:\System Volume Information\_restore{14FF3587-4068-4AC6-8308-C0B700969E96}\RP2\A0001035.dll (Trojan.Vundo) -> No action taken. C:\System Volume Information\_restore{14FF3587-4068-4AC6-8308-C0B700969E96}\RP2\A0001036.sys (Rootkit.Agent) -> No action taken. C:\System Volume Information\_restore{14FF3587-4068-4AC6-8308-C0B700969E96}\RP2\A0001037.dll (Trojan.Vundo) -> No action taken. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:14:40 PM, on 11/13/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\system32\CTXFIHLP.EXE C:\WINDOWS\CTHELPER.EXE C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE C:\program files\alienware\alienware alienfx\alienwarealienfxcontroller.exe C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe C:\WINDOWS\SnoopFreeUI.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe C:\WINDOWS\SYSTEM32\CTXFISPI.EXE C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe D:\Program Files\Microsoft ActiveSync\wcescomm.exe D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe D:\PROGRA~1\MICROS~2\rapimgr.exe C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\system32\hasplms.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Maxtor\Sync\SyncServices.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\AlienAutopsy\TEKS_Service.exe C:\Program Files\CyberLink\Shared files\RichVideo.exe C:\WINDOWS\System32\SnoopFreeSvc.exe C:\WINDOWS\system32\svchost.exe c:\WINDOWS\system32\ZuneBusEnum.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\eHome\ehmsas.exe C:\WINDOWS\system32\dllhost.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Administrator\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alienware.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll" O4 - HKLM\..\Run: [avg8_tray] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [zune launcher] "c:\Program Files\Zune\ZuneLauncher.exe" O4 - HKLM\..\Run: [volpanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r O4 - HKLM\..\Run: [updreg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [rcsystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [nvmediacenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [nvcpldaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nerofiltercheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" O4 - HKLM\..\Run: [logitech hardware abstraction layer] KHALMNPR.EXE O4 - HKLM\..\Run: [launch lgdcore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE O4 - HKLM\..\Run: [launch lcdmon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" O4 - HKLM\..\Run: [languageshortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [kernel and hardware abstraction layer] KHALMNPR.EXE O4 - HKLM\..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [hpqsrmon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe O4 - HKLM\..\Run: [hpdj taskbar utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [hp software update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [ehtray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [ctxfihlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [cthelper] CTHELPER.EXE O4 - HKLM\..\Run: [ctdvddet] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" O4 - HKLM\..\Run: [applesyncnotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [alienfxcontroller] c:\program files\alienware\alienware alienfx\alienwarealienfxcontroller.exe O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe" O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [wmpnscfg] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [updatemgr] c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 O4 - HKCU\..\Run: [roboform] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" O4 - HKCU\..\Run: [msmsgs] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ldm] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - HKCU\..\Run: [h/pc connection agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe" O4 - HKCU\..\Run: [creative detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R O4 - HKCU\..\Run: [bgmonitor_{79662e04-7c6c-4d9f-84c7-88d8a56b10aa}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Logitech Harmony Remote V5.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html O8 - Extra context menu item: Download all with Free Download Manager - file://d:\Program Files\Free Download Manager\dlall.htm O8 - Extra context menu item: Download selected with Free Download Manager - file://d:\Program Files\Free Download Manager\dlselected.htm O8 - Extra context menu item: Download video with Free Download Manager - file://d:\Program Files\Free Download Manager\dlfvideo.htm O8 - Extra context menu item: Download with Free Download Manager - file://d:\Program Files\Free Download Manager\dllink.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - https://h20364.www2.hp.com/CSMWeb/Cu...ataManager.CAB O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1187219165890 O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187219160937 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab O18 - Protocol: bw+0 - {647EAA95-7EBA-4EC2-ADD5-88F0855EBCED} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe -- End of file - 16239 bytes There is an alert from AVG: Threat detected File name: C:\System Volume Infomation\_restore{14FF3587-4068-4AC6-8308-C0B700969E86}\RP2\A0001026.sys Threat name: Trojan horse Rootkit-Agent.AV |
|
|
|
|
11-13-2008, 04:18 PM
|
#15 (permalink) | |
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 5,093
OS: XP
|
Re: Computer controlled!
Hello again
Quote:
========= If there are no further issues, continue below. ========== Delete RSIT from your desktop, also delete this folder c:\rsit. Uninstall Hijackthis via add/remove, you can keep ATF-Cleaner if you wish. Click Start>Run and type or copy/paste the following command then hit enter to uninstall gmer. %systemroot%\gmer_uninstall.cmd ============ Well done, your logs are clean. Click start>run>type(or copy/paste command into run box): ComboFix /u Click ok. ============== Clear IE7 cookies *On the Internet Explorer 7 Tools menu, click Internet Options. The Internet Options box should open to the General tab. *On the General tab, in the Browsing History, click the Delete button. This will delete all the files that are currently stored in your cache [that includes cookies too]. *Click OK, and then click OK again. Clear Firefox cookies/cache • Select "Tools" • Select "Options". • Select "Privacy". • In "Settings" window put the check mark for Cookies,Cache,Browsing history and any others you want. • Click OK. • In Private area click "Clear Now". ------------------------------------------------------------------------------------------- MICROSOFT UPDATES 1.Click Start,Run, type sysdm.cpl, and then press OK. 2.Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended). Microsoft updates are released every second Tuesday of each month,what is called "Patch Tuesday". ------------------------------------------------------------------------------------------ Useful Information and Programs to keep you safe. TrendProtect is a FREE browser plug-in that helps you avoid Web pages with unwanted content and hidden threats. TrendProtect rates the current page and pages listed in Google, MSN, and Yahoo search results. You can use the rating to decide if you want to visit or avoid a given Web page. To rate Web pages, TrendProtect refers to an extensive database that covers the following information for billions of Web pages: * Content category * Phishing scam detection * Site reputation * Page reputation WOT Free helps you avoid disingenuous Internet content by allowing you to learn from others' experiences. WOT shows you website reputations on your browser, telling you how much other users trust a website. This helps you make better decisions while browsing and avoid phishing, malware, and other types of fraud. Reputations can also be added to web search results, Gmail, Wikipedia, and other selected sites. WOT reputations are computed mainly from user testimonies. Sharing your knowledge with others is just a click away, without ever having to leave the site. We also collect data from hundreds of other sources (including PhishTank) to quickly warn you of emerging threats. Currently, WOT knows over 12 million websites. Note:Only compatible with Firefox 1.5 and higher. -------------------------------------------------------------------------------------- Alternate Browsers Try the following free alternate browsers rather than Internet Explorer Avant Firefox Opera K-Meleon ------------------------------------------------------------------------------------------ Free Antispyware Products SuperAntiSpyware Malwarebytes ' Anti-Malware SpywareBlaster to help prevent spyware from installing in the first place.
------------------------------------------------------------------ IE-Spyad™ is a freeware utility that places more than 4000 dubious websites and domains in the Internet Explorer Restricted List. Download and installation instructions for IE-Spyad™ Here ----------------------------------------- The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file. If your having trouble downloading & extracting,see link below for guidance: http://www.mvps.org/winhelp2002/hosts2.htm Once you have extracted the host file,double click on it and a new window will open. Double-click on mvps.batand follow the prompts --------------------------------------------------------------- Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer. ---------------------------------------- SnoopFree is a programme that informs you when another programme is wanting to log your keystrokes or read your screen.Only for XP users. Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released. ============================================== Also, please take a look at this well written article: PC Safety and Security--What Do I Need? **Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. Please reply to this thread once more, as we may mark this as resolved, thanks. |
|
|
|
|
|
11-14-2008, 02:01 AM
|
#16 (permalink) |
|
Registered User
Join Date: Nov 2008
Location: Central Florida
Posts: 10
OS: XP SP3
|
Re: Computer controlled!
I completed all the deletions, uninstalls, clearing, updating. I think I have added everything you have suggested as well as what was suggested in the General Computer Security Forum. I am using Firefox now.
When did we flush the system volume information? As far as I can tell everything is working fine. I really appreciate your assistance in resolving this. As you can see I have made a donation. Just your assistance alone is worth the donation but now I can spend time in the other sections trying to educate myself. |
|
|
|
| Thread Tools | |
|
|
